################################################################
# abuse.ch SSLBL Snort / Suricata Botnet C2 IP Ruleset         #
# Aggressive                                                   #
# Last updated: 2020-06-06 07:39:53 UTC                        #
#                                                              #
# Terms Of Use: https://sslbl.abuse.ch/blacklist/              #
# For questions please contact sslbl [at] abuse.ch             #
################################################################
#
alert tcp $HOME_NET any -> [185.236.201.102] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200000; rev:1;)
alert tcp $HOME_NET any -> [68.235.48.108] 6250 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200001; rev:1;)
alert tcp $HOME_NET any -> [161.35.197.114] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200002; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.180] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200003; rev:1;)
alert tcp $HOME_NET any -> [102.130.119.183] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200004; rev:1;)
alert tcp $HOME_NET any -> [80.249.147.57] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200005; rev:1;)
alert tcp $HOME_NET any -> [45.67.228.170] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200006; rev:1;)
alert tcp $HOME_NET any -> [102.130.119.184] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200007; rev:1;)
alert tcp $HOME_NET any -> [3.124.197.215] 3333 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200008; rev:1;)
alert tcp $HOME_NET any -> [109.230.215.25] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200009; rev:1;)
alert tcp $HOME_NET any -> [91.211.246.72] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200010; rev:1;)
alert tcp $HOME_NET any -> [93.190.93.152] 4242 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200011; rev:1;)
alert tcp $HOME_NET any -> [89.105.194.243] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200012; rev:1;)
alert tcp $HOME_NET any -> [139.60.161.57] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200013; rev:1;)
alert tcp $HOME_NET any -> [5.101.50.87] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200014; rev:1;)
alert tcp $HOME_NET any -> [80.249.146.100] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200015; rev:1;)
alert tcp $HOME_NET any -> [80.249.146.100] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200016; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.41] 5288 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200017; rev:1;)
alert tcp $HOME_NET any -> [192.210.237.74] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200018; rev:1;)
alert tcp $HOME_NET any -> [45.89.175.161] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200019; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.111] 1501 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200020; rev:1;)
alert tcp $HOME_NET any -> [45.147.231.75] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200021; rev:1;)
alert tcp $HOME_NET any -> [185.80.128.174] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200022; rev:1;)
alert tcp $HOME_NET any -> [199.188.206.68] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200023; rev:1;)
alert tcp $HOME_NET any -> [37.221.113.68] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200024; rev:1;)
alert tcp $HOME_NET any -> [85.17.26.178] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200025; rev:1;)
alert tcp $HOME_NET any -> [84.38.183.227] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200026; rev:1;)
alert tcp $HOME_NET any -> [84.38.183.227] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200027; rev:1;)
alert tcp $HOME_NET any -> [46.102.153.39] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200028; rev:1;)
alert tcp $HOME_NET any -> [185.80.128.112] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200029; rev:1;)
alert tcp $HOME_NET any -> [121.42.15.110] 8081 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200030; rev:1;)
alert tcp $HOME_NET any -> [23.94.54.199] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200031; rev:1;)
alert tcp $HOME_NET any -> [47.53.137.56] 1606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200032; rev:1;)
alert tcp $HOME_NET any -> [139.59.28.82] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200033; rev:1;)
alert tcp $HOME_NET any -> [5.206.225.37] 5566 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200034; rev:1;)
alert tcp $HOME_NET any -> [3.8.93.207] 1337 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200035; rev:1;)
alert tcp $HOME_NET any -> [46.21.147.240] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200036; rev:1;)
alert tcp $HOME_NET any -> [185.34.52.17] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200037; rev:1;)
alert tcp $HOME_NET any -> [79.143.30.10] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200038; rev:1;)
alert tcp $HOME_NET any -> [45.66.250.161] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200039; rev:1;)
alert tcp $HOME_NET any -> [31.24.224.7] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200040; rev:1;)
alert tcp $HOME_NET any -> [167.86.118.236] 1604 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200041; rev:1;)
alert tcp $HOME_NET any -> [84.38.180.26] 443 (msg:"SSLBL: Traffic to malicious host (likely DanaBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200042; rev:1;)
alert tcp $HOME_NET any -> [178.62.16.209] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200043; rev:1;)
alert tcp $HOME_NET any -> [34.70.172.237] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200044; rev:1;)
alert tcp $HOME_NET any -> [216.38.8.169] 8153 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200045; rev:1;)
alert tcp $HOME_NET any -> [185.41.154.105] 587 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200046; rev:1;)
alert tcp $HOME_NET any -> [198.27.105.164] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200047; rev:1;)
alert tcp $HOME_NET any -> [185.200.241.77] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200048; rev:1;)
alert tcp $HOME_NET any -> [172.104.163.228] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200049; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.202] 2243 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200050; rev:1;)
alert tcp $HOME_NET any -> [185.80.129.128] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200051; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.47] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200052; rev:1;)
alert tcp $HOME_NET any -> [45.11.18.76] 5095 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200053; rev:1;)
alert tcp $HOME_NET any -> [5.39.218.178] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200054; rev:1;)
alert tcp $HOME_NET any -> [38.132.99.162] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200055; rev:1;)
alert tcp $HOME_NET any -> [67.43.239.171] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200056; rev:1;)
alert tcp $HOME_NET any -> [37.228.116.200] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200057; rev:1;)
alert tcp $HOME_NET any -> [45.58.139.101] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200058; rev:1;)
alert tcp $HOME_NET any -> [89.33.246.76] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200059; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.163] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200060; rev:1;)
alert tcp $HOME_NET any -> [176.123.7.111] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200061; rev:1;)
alert tcp $HOME_NET any -> [172.105.52.39] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200062; rev:1;)
alert tcp $HOME_NET any -> [185.236.202.149] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200063; rev:1;)
alert tcp $HOME_NET any -> [192.188.88.247] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200064; rev:1;)
alert tcp $HOME_NET any -> [64.251.28.62] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200065; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.145] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200066; rev:1;)
alert tcp $HOME_NET any -> [193.56.28.11] 7870 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200067; rev:1;)
alert tcp $HOME_NET any -> [149.255.35.139] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200068; rev:1;)
alert tcp $HOME_NET any -> [149.255.35.159] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200069; rev:1;)
alert tcp $HOME_NET any -> [94.158.245.4] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200070; rev:1;)
alert tcp $HOME_NET any -> [142.202.190.47] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200071; rev:1;)
alert tcp $HOME_NET any -> [185.225.19.97] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200072; rev:1;)
alert tcp $HOME_NET any -> [13.82.28.199] 4782 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200073; rev:1;)
alert tcp $HOME_NET any -> [80.209.241.84] 56789 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200074; rev:1;)
alert tcp $HOME_NET any -> [142.202.188.195] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200075; rev:1;)
alert tcp $HOME_NET any -> [5.39.221.45] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200076; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.71] 2786 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200077; rev:1;)
alert tcp $HOME_NET any -> [165.227.198.46] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200078; rev:1;)
alert tcp $HOME_NET any -> [91.218.66.231] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200079; rev:1;)
alert tcp $HOME_NET any -> [46.17.98.48] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200080; rev:1;)
alert tcp $HOME_NET any -> [47.241.116.77] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200081; rev:1;)
alert tcp $HOME_NET any -> [23.254.229.35] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200082; rev:1;)
alert tcp $HOME_NET any -> [5.39.221.50] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200083; rev:1;)
alert tcp $HOME_NET any -> [45.32.128.100] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200084; rev:1;)
alert tcp $HOME_NET any -> [142.202.188.216] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200085; rev:1;)
alert tcp $HOME_NET any -> [167.114.12.200] 443 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200086; rev:1;)
alert tcp $HOME_NET any -> [89.163.245.168] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200087; rev:1;)
alert tcp $HOME_NET any -> [89.163.253.225] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200088; rev:1;)
alert tcp $HOME_NET any -> [95.174.65.212] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200089; rev:1;)
alert tcp $HOME_NET any -> [38.68.46.160] 443 (msg:"SSLBL: Traffic to malicious host (likely QNodeService C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200090; rev:1;)
alert tcp $HOME_NET any -> [46.183.222.49] 6689 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200091; rev:1;)
alert tcp $HOME_NET any -> [46.21.150.151] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200092; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.70] 2321 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200093; rev:1;)
alert tcp $HOME_NET any -> [8.209.74.159] 443 (msg:"SSLBL: Traffic to malicious host (likely DanaBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200094; rev:1;)
alert tcp $HOME_NET any -> [185.34.52.7] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200095; rev:1;)
alert tcp $HOME_NET any -> [185.244.29.203] 9980 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200096; rev:1;)
alert tcp $HOME_NET any -> [86.106.20.175] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200097; rev:1;)
alert tcp $HOME_NET any -> [172.241.27.37] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200098; rev:1;)
alert tcp $HOME_NET any -> [149.255.36.132] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200099; rev:1;)
alert tcp $HOME_NET any -> [91.132.139.214] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200100; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.7] 1199 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200101; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.202] 1139 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200102; rev:1;)
alert tcp $HOME_NET any -> [24.185.111.219] 54455 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200103; rev:1;)
alert tcp $HOME_NET any -> [54.36.17.100] 5060 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200104; rev:1;)
alert tcp $HOME_NET any -> [8.208.9.171] 443 (msg:"SSLBL: Traffic to malicious host (likely DanaBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200105; rev:1;)
alert tcp $HOME_NET any -> [190.213.78.26] 5000 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200106; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.82] 2556 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200107; rev:1;)
alert tcp $HOME_NET any -> [178.170.138.217] 3097 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200108; rev:1;)
alert tcp $HOME_NET any -> [212.8.247.62] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200109; rev:1;)
alert tcp $HOME_NET any -> [114.67.122.133] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200110; rev:1;)
alert tcp $HOME_NET any -> [83.11.66.225] 1080 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200111; rev:1;)
alert tcp $HOME_NET any -> [103.147.184.237] 5010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200112; rev:1;)
alert tcp $HOME_NET any -> [91.218.66.231] 18888 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200113; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.102] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200114; rev:1;)
alert tcp $HOME_NET any -> [47.106.209.173] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200115; rev:1;)
alert tcp $HOME_NET any -> [37.120.140.133] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200116; rev:1;)
alert tcp $HOME_NET any -> [24.31.167.44] 4444 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200117; rev:1;)
alert tcp $HOME_NET any -> [185.163.45.109] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200118; rev:1;)
alert tcp $HOME_NET any -> [91.92.144.29] 2088 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200119; rev:1;)
alert tcp $HOME_NET any -> [47.241.2.255] 443 (msg:"SSLBL: Traffic to malicious host (likely DanaBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200120; rev:1;)
alert tcp $HOME_NET any -> [45.32.128.117] 443 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200121; rev:1;)
alert tcp $HOME_NET any -> [185.80.130.173] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200122; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.223] 6204 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200123; rev:1;)
alert tcp $HOME_NET any -> [41.96.194.11] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200124; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.154] 2556 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200125; rev:1;)
alert tcp $HOME_NET any -> [41.96.193.66] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200126; rev:1;)
alert tcp $HOME_NET any -> [185.244.29.129] 9980 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200127; rev:1;)
alert tcp $HOME_NET any -> [185.236.202.192] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200128; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.172] 6970 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200129; rev:1;)
alert tcp $HOME_NET any -> [120.132.81.251] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200130; rev:1;)
alert tcp $HOME_NET any -> [193.56.28.20] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200131; rev:1;)
alert tcp $HOME_NET any -> [121.140.64.142] 1002 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200132; rev:1;)
alert tcp $HOME_NET any -> [92.241.100.83] 25530 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200133; rev:1;)
alert tcp $HOME_NET any -> [41.96.30.85] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200134; rev:1;)
alert tcp $HOME_NET any -> [198.50.252.26] 1980 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200135; rev:1;)
alert tcp $HOME_NET any -> [181.52.111.181] 8015 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200136; rev:1;)
alert tcp $HOME_NET any -> [139.60.161.228] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200137; rev:1;)
alert tcp $HOME_NET any -> [217.8.117.41] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200138; rev:1;)
alert tcp $HOME_NET any -> [68.235.48.108] 6532 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200139; rev:1;)
alert tcp $HOME_NET any -> [104.244.74.228] 7866 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200140; rev:1;)
alert tcp $HOME_NET any -> [62.108.37.207] 5252 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200141; rev:1;)
alert tcp $HOME_NET any -> [194.5.99.111] 17175 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200142; rev:1;)
alert tcp $HOME_NET any -> [84.201.188.25] 7007 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200143; rev:1;)
alert tcp $HOME_NET any -> [62.108.37.207] 5858 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200144; rev:1;)
alert tcp $HOME_NET any -> [64.79.67.69] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200145; rev:1;)
alert tcp $HOME_NET any -> [185.163.45.85] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200146; rev:1;)
alert tcp $HOME_NET any -> [134.122.98.82] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200147; rev:1;)
alert tcp $HOME_NET any -> [172.105.75.242] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200148; rev:1;)
alert tcp $HOME_NET any -> [139.60.161.95] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200149; rev:1;)
alert tcp $HOME_NET any -> [80.83.26.131] 66 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200150; rev:1;)
alert tcp $HOME_NET any -> [84.51.52.166] 1002 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200151; rev:1;)
alert tcp $HOME_NET any -> [91.211.245.161] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200152; rev:1;)
alert tcp $HOME_NET any -> [193.37.214.127] 8891 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200153; rev:1;)
alert tcp $HOME_NET any -> [103.147.184.237] 6060 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200154; rev:1;)
alert tcp $HOME_NET any -> [8.208.83.31] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200155; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.70] 2333 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200156; rev:1;)
alert tcp $HOME_NET any -> [41.96.152.168] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200157; rev:1;)
alert tcp $HOME_NET any -> [5.45.71.35] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200158; rev:1;)
alert tcp $HOME_NET any -> [185.70.184.82] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200159; rev:1;)
alert tcp $HOME_NET any -> [62.108.37.206] 6060 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200160; rev:1;)
alert tcp $HOME_NET any -> [91.132.139.206] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200161; rev:1;)
alert tcp $HOME_NET any -> [185.163.45.194] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200162; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.9] 2487 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200163; rev:1;)
alert tcp $HOME_NET any -> [139.99.122.112] 62 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200164; rev:1;)
alert tcp $HOME_NET any -> [104.198.206.229] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200165; rev:1;)
alert tcp $HOME_NET any -> [88.198.77.224] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200166; rev:1;)
alert tcp $HOME_NET any -> [198.27.77.206] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200167; rev:1;)
alert tcp $HOME_NET any -> [102.130.119.142] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200168; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.15] 7061 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200169; rev:1;)
alert tcp $HOME_NET any -> [161.35.38.118] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200170; rev:1;)
alert tcp $HOME_NET any -> [93.190.93.35] 5858 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200171; rev:1;)
alert tcp $HOME_NET any -> [107.175.144.243] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200172; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.112] 37375 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200173; rev:1;)
alert tcp $HOME_NET any -> [139.28.222.104] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200174; rev:1;)
alert tcp $HOME_NET any -> [185.80.128.170] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200175; rev:1;)
alert tcp $HOME_NET any -> [173.234.155.34] 6060 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200176; rev:1;)
alert tcp $HOME_NET any -> [78.217.163.197] 1117 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200177; rev:1;)
alert tcp $HOME_NET any -> [185.212.148.63] 1604 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200178; rev:1;)
alert tcp $HOME_NET any -> [64.225.101.88] 443 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200179; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.215] 6606 (msg:"SSLBL: Traffic to malicious host (likely RevengeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200180; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.215] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200181; rev:1;)
alert tcp $HOME_NET any -> [82.208.161.228] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200182; rev:1;)
alert tcp $HOME_NET any -> [194.113.235.106] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200183; rev:1;)
alert tcp $HOME_NET any -> [185.14.31.168] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200184; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.100] 45678 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200185; rev:1;)
alert tcp $HOME_NET any -> [180.214.236.107] 6590 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200186; rev:1;)
alert tcp $HOME_NET any -> [95.217.81.68] 443 (msg:"SSLBL: Traffic to malicious host (likely BuerLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200187; rev:1;)
alert tcp $HOME_NET any -> [182.190.24.221] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200188; rev:1;)
alert tcp $HOME_NET any -> [83.97.20.125] 442 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200189; rev:1;)
alert tcp $HOME_NET any -> [104.248.138.198] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200190; rev:1;)
alert tcp $HOME_NET any -> [34.222.222.126] 443 (msg:"SSLBL: Traffic to malicious host (likely BazaLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200191; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.49] 1952 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200192; rev:1;)
alert tcp $HOME_NET any -> [51.15.21.149] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200193; rev:1;)
alert tcp $HOME_NET any -> [103.242.134.79] 43 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200194; rev:1;)
alert tcp $HOME_NET any -> [45.147.201.55] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200195; rev:1;)
alert tcp $HOME_NET any -> [212.114.52.236] 9932 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200196; rev:1;)
alert tcp $HOME_NET any -> [64.227.8.3] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200197; rev:1;)
alert tcp $HOME_NET any -> [46.183.221.30] 6434 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200198; rev:1;)
alert tcp $HOME_NET any -> [172.94.18.253] 6699 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200199; rev:1;)
alert tcp $HOME_NET any -> [77.30.145.48] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200200; rev:1;)
alert tcp $HOME_NET any -> [23.108.57.5] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200201; rev:1;)
alert tcp $HOME_NET any -> [178.48.154.38] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200202; rev:1;)
alert tcp $HOME_NET any -> [178.79.158.245] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200203; rev:1;)
alert tcp $HOME_NET any -> [172.104.239.228] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200204; rev:1;)
alert tcp $HOME_NET any -> [91.201.175.46] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200205; rev:1;)
alert tcp $HOME_NET any -> [5.56.73.146] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200206; rev:1;)
alert tcp $HOME_NET any -> [185.244.29.175] 7071 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200207; rev:1;)
alert tcp $HOME_NET any -> [178.238.8.102] 8855 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200208; rev:1;)
alert tcp $HOME_NET any -> [23.227.196.15] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200209; rev:1;)
alert tcp $HOME_NET any -> [8.208.80.205] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200210; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 44137 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200211; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.161] 20982 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200212; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.75] 20987 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200213; rev:1;)
alert tcp $HOME_NET any -> [80.83.26.132] 66 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200214; rev:1;)
alert tcp $HOME_NET any -> [84.211.45.238] 1085 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200215; rev:1;)
alert tcp $HOME_NET any -> [174.138.59.117] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200216; rev:1;)
alert tcp $HOME_NET any -> [31.184.253.197] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200217; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.92] 2512 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200218; rev:1;)
alert tcp $HOME_NET any -> [134.209.172.216] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200219; rev:1;)
alert tcp $HOME_NET any -> [190.84.167.48] 1881 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200220; rev:1;)
alert tcp $HOME_NET any -> [83.11.162.79] 1080 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200221; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.111] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200222; rev:1;)
alert tcp $HOME_NET any -> [88.218.16.218] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200223; rev:1;)
alert tcp $HOME_NET any -> [144.217.211.203] 6714 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200224; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.14] 6204 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200225; rev:1;)
alert tcp $HOME_NET any -> [104.237.252.50] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200226; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.14] 7201 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200227; rev:1;)
alert tcp $HOME_NET any -> [85.74.134.20] 4782 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200228; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.23] 7201 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200229; rev:1;)
alert tcp $HOME_NET any -> [45.32.167.239] 6606 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200230; rev:1;)
alert tcp $HOME_NET any -> [185.244.29.134] 7201 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200231; rev:1;)
alert tcp $HOME_NET any -> [5.181.156.5] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200232; rev:1;)
alert tcp $HOME_NET any -> [5.181.156.5] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200233; rev:1;)
alert tcp $HOME_NET any -> [45.153.240.114] 5858 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200234; rev:1;)
alert tcp $HOME_NET any -> [192.253.255.182] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200235; rev:1;)
alert tcp $HOME_NET any -> [91.218.65.24] 8808 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200236; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.58] 20909 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200237; rev:1;)
alert tcp $HOME_NET any -> [185.244.29.214] 7201 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200238; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.190] 586 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200239; rev:1;)
alert tcp $HOME_NET any -> [3.17.10.122] 8780 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200240; rev:1;)
alert tcp $HOME_NET any -> [94.239.225.11] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200241; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.175] 20209 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200242; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.75] 20982 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200243; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.120] 20986 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200244; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.161] 29060 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200245; rev:1;)
alert tcp $HOME_NET any -> [46.183.221.31] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200246; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.196] 5679 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200247; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.71] 8364 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200248; rev:1;)
alert tcp $HOME_NET any -> [46.17.96.46] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200249; rev:1;)
alert tcp $HOME_NET any -> [45.125.239.247] 6204 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200250; rev:1;)
alert tcp $HOME_NET any -> [5.45.68.15] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200251; rev:1;)
alert tcp $HOME_NET any -> [83.11.89.28] 1080 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200252; rev:1;)
alert tcp $HOME_NET any -> [185.225.17.61] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200253; rev:1;)
alert tcp $HOME_NET any -> [8.208.89.223] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200254; rev:1;)
alert tcp $HOME_NET any -> [77.247.127.128] 8855 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200255; rev:1;)
alert tcp $HOME_NET any -> [176.31.26.213] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200256; rev:1;)
alert tcp $HOME_NET any -> [176.31.26.213] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200257; rev:1;)
alert tcp $HOME_NET any -> [169.255.59.15] 443 (msg:"SSLBL: Traffic to malicious host (likely Loki C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200258; rev:1;)
alert tcp $HOME_NET any -> [143.204.201.33] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200259; rev:1;)
alert tcp $HOME_NET any -> [216.170.125.102] 3582 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200260; rev:1;)
alert tcp $HOME_NET any -> [217.146.88.66] 9340 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200261; rev:1;)
alert tcp $HOME_NET any -> [91.211.246.148] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200262; rev:1;)
alert tcp $HOME_NET any -> [188.130.138.126] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200263; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.49] 1384 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200264; rev:1;)
alert tcp $HOME_NET any -> [45.125.239.219] 6204 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200265; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.16] 6403 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200266; rev:1;)
alert tcp $HOME_NET any -> [157.245.11.146] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200267; rev:1;)
alert tcp $HOME_NET any -> [47.89.208.216] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200268; rev:1;)
alert tcp $HOME_NET any -> [43.226.229.97] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200269; rev:1;)
alert tcp $HOME_NET any -> [93.190.93.23] 8077 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200270; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.55] 4040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200271; rev:1;)
alert tcp $HOME_NET any -> [149.56.234.156] 1485 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200272; rev:1;)
alert tcp $HOME_NET any -> [84.16.248.160] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200273; rev:1;)
alert tcp $HOME_NET any -> [46.29.165.151] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200274; rev:1;)
alert tcp $HOME_NET any -> [91.210.169.101] 6404 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200275; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.55] 5541 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200276; rev:1;)
alert tcp $HOME_NET any -> [207.246.95.196] 443 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200277; rev:1;)
alert tcp $HOME_NET any -> [51.89.201.48] 7866 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200278; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.53] 1050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200279; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.249] 4590 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200280; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.54] 3421 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200281; rev:1;)
alert tcp $HOME_NET any -> [89.238.181.103] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200282; rev:1;)
alert tcp $HOME_NET any -> [84.51.52.166] 82 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200283; rev:1;)
alert tcp $HOME_NET any -> [45.95.168.130] 2001 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200284; rev:1;)
alert tcp $HOME_NET any -> [8.209.77.210] 443 (msg:"SSLBL: Traffic to malicious host (likely DanaBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200285; rev:1;)
alert tcp $HOME_NET any -> [103.147.185.179] 5891 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200286; rev:1;)
alert tcp $HOME_NET any -> [103.114.105.3] 8780 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200287; rev:1;)
alert tcp $HOME_NET any -> [188.130.138.125] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200288; rev:1;)
alert tcp $HOME_NET any -> [103.133.107.247] 3310 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200289; rev:1;)
alert tcp $HOME_NET any -> [103.141.137.242] 5454 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200290; rev:1;)
alert tcp $HOME_NET any -> [161.117.227.195] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200291; rev:1;)
alert tcp $HOME_NET any -> [45.129.2.240] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200292; rev:1;)
alert tcp $HOME_NET any -> [109.248.11.25] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200293; rev:1;)
alert tcp $HOME_NET any -> [103.147.185.179] 5890 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200294; rev:1;)
alert tcp $HOME_NET any -> [103.99.1.76] 9087 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200295; rev:1;)
alert tcp $HOME_NET any -> [103.125.190.243] 8965 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200296; rev:1;)
alert tcp $HOME_NET any -> [119.28.159.130] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200297; rev:1;)
alert tcp $HOME_NET any -> [45.125.239.120] 6204 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200298; rev:1;)
alert tcp $HOME_NET any -> [45.140.168.169] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200299; rev:1;)
alert tcp $HOME_NET any -> [88.119.175.105] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200300; rev:1;)
alert tcp $HOME_NET any -> [178.124.140.144] 7866 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200301; rev:1;)
alert tcp $HOME_NET any -> [216.38.2.208] 1050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200302; rev:1;)
alert tcp $HOME_NET any -> [46.29.167.45] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200303; rev:1;)
alert tcp $HOME_NET any -> [105.103.91.155] 5552 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200304; rev:1;)
alert tcp $HOME_NET any -> [139.60.161.88] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200305; rev:1;)
alert tcp $HOME_NET any -> [37.48.92.195] 6025 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200306; rev:1;)
alert tcp $HOME_NET any -> [45.125.239.253] 6204 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200307; rev:1;)
alert tcp $HOME_NET any -> [141.255.156.106] 6606 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200308; rev:1;)
alert tcp $HOME_NET any -> [95.211.140.160] 8514 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200309; rev:1;)
alert tcp $HOME_NET any -> [45.125.239.50] 10134 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200310; rev:1;)
alert tcp $HOME_NET any -> [185.141.61.237] 1010 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200311; rev:1;)
alert tcp $HOME_NET any -> [78.108.185.203] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200312; rev:1;)
alert tcp $HOME_NET any -> [31.49.13.58] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200313; rev:1;)
alert tcp $HOME_NET any -> [89.33.246.107] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200314; rev:1;)
alert tcp $HOME_NET any -> [77.48.28.231] 2424 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200315; rev:1;)
alert tcp $HOME_NET any -> [84.51.52.166] 2 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200316; rev:1;)
alert tcp $HOME_NET any -> [84.51.52.166] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200317; rev:1;)
alert tcp $HOME_NET any -> [176.32.35.108] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200318; rev:1;)
alert tcp $HOME_NET any -> [45.147.229.106] 8720 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200319; rev:1;)
alert tcp $HOME_NET any -> [91.218.65.24] 6178 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200320; rev:1;)
alert tcp $HOME_NET any -> [91.218.65.24] 7777 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200321; rev:1;)
alert tcp $HOME_NET any -> [84.51.52.166] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200322; rev:1;)
alert tcp $HOME_NET any -> [69.133.56.83] 444 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200323; rev:1;)
alert tcp $HOME_NET any -> [41.103.199.216] 1337 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200324; rev:1;)
alert tcp $HOME_NET any -> [176.57.215.142] 443 (msg:"SSLBL: Traffic to malicious host (likely KPOTStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200325; rev:1;)
alert tcp $HOME_NET any -> [184.164.139.226] 2020 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200326; rev:1;)
alert tcp $HOME_NET any -> [5.188.9.76] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200327; rev:1;)
alert tcp $HOME_NET any -> [51.75.154.242] 1515 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200328; rev:1;)
alert tcp $HOME_NET any -> [185.101.93.249] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200329; rev:1;)
alert tcp $HOME_NET any -> [37.228.132.241] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200330; rev:1;)
alert tcp $HOME_NET any -> [195.69.187.142] 443 (msg:"SSLBL: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200331; rev:1;)
alert tcp $HOME_NET any -> [192.95.20.152] 443 (msg:"SSLBL: Traffic to malicious host (likely BlueBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200332; rev:1;)
alert tcp $HOME_NET any -> [46.17.47.168] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200333; rev:1;)
alert tcp $HOME_NET any -> [195.123.224.47] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200334; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.235] 3030 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200335; rev:1;)
alert tcp $HOME_NET any -> [47.74.63.135] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200336; rev:1;)
alert tcp $HOME_NET any -> [8.208.28.247] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200337; rev:1;)
alert tcp $HOME_NET any -> [93.190.93.212] 8890 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200338; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.175] 20804 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200339; rev:1;)
alert tcp $HOME_NET any -> [192.227.231.18] 1921 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200340; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.165] 3434 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200341; rev:1;)
alert tcp $HOME_NET any -> [46.29.167.29] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200342; rev:1;)
alert tcp $HOME_NET any -> [37.72.175.199] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200343; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.143] 2128 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200344; rev:1;)
alert tcp $HOME_NET any -> [46.21.147.46] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200345; rev:1;)
alert tcp $HOME_NET any -> [37.221.114.88] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200346; rev:1;)
alert tcp $HOME_NET any -> [94.158.245.225] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200347; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.193] 6065 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200348; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.21] 3232 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200349; rev:1;)
alert tcp $HOME_NET any -> [94.158.245.160] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200350; rev:1;)
alert tcp $HOME_NET any -> [94.158.245.160] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200351; rev:1;)
alert tcp $HOME_NET any -> [94.158.245.90] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200352; rev:1;)
alert tcp $HOME_NET any -> [185.70.186.151] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200353; rev:1;)
alert tcp $HOME_NET any -> [216.38.8.168] 3856 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200354; rev:1;)
alert tcp $HOME_NET any -> [93.190.93.6] 5934 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200355; rev:1;)
alert tcp $HOME_NET any -> [194.33.45.146] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200356; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.71] 3232 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200357; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.137] 3030 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200358; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.111] 20804 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200359; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.137] 9996 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200360; rev:1;)
alert tcp $HOME_NET any -> [185.205.210.71] 2020 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200361; rev:1;)
alert tcp $HOME_NET any -> [196.229.250.239] 3000 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200362; rev:1;)
alert tcp $HOME_NET any -> [88.150.189.98] 1903 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200363; rev:1;)
alert tcp $HOME_NET any -> [88.150.189.98] 9956 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200364; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.14] 1313 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200365; rev:1;)
alert tcp $HOME_NET any -> [43.226.229.83] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200366; rev:1;)
alert tcp $HOME_NET any -> [37.48.92.195] 4028 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200367; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.21] 2526 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200368; rev:1;)
alert tcp $HOME_NET any -> [178.124.140.145] 1960 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200369; rev:1;)
alert tcp $HOME_NET any -> [46.29.160.64] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200370; rev:1;)
alert tcp $HOME_NET any -> [91.215.169.250] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200371; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.228] 20908 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200372; rev:1;)
alert tcp $HOME_NET any -> [37.48.92.195] 2034 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200373; rev:1;)
alert tcp $HOME_NET any -> [134.19.179.187] 32741 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200374; rev:1;)
alert tcp $HOME_NET any -> [43.226.229.110] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200375; rev:1;)
alert tcp $HOME_NET any -> [45.128.133.19] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200376; rev:1;)
alert tcp $HOME_NET any -> [82.64.128.42] 5502 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200377; rev:1;)
alert tcp $HOME_NET any -> [82.64.128.42] 5501 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200378; rev:1;)
alert tcp $HOME_NET any -> [84.38.133.132] 3202 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200379; rev:1;)
alert tcp $HOME_NET any -> [184.75.223.219] 32741 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200380; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.239] 2091 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200381; rev:1;)
alert tcp $HOME_NET any -> [172.94.100.10] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200382; rev:1;)
alert tcp $HOME_NET any -> [37.48.92.195] 2022 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200383; rev:1;)
alert tcp $HOME_NET any -> [64.225.74.231] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200384; rev:1;)
alert tcp $HOME_NET any -> [67.43.224.156] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200385; rev:1;)
alert tcp $HOME_NET any -> [144.217.211.203] 1855 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200386; rev:1;)
alert tcp $HOME_NET any -> [141.255.147.132] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200387; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.13] 7250 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200388; rev:1;)
alert tcp $HOME_NET any -> [184.75.223.235] 3460 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200389; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.17] 1199 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200390; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.71] 5252 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200391; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.109] 4040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200392; rev:1;)
alert tcp $HOME_NET any -> [69.65.7.136] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200393; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.101] 7872 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200394; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.10] 1199 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200395; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.99] 20901 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200396; rev:1;)
alert tcp $HOME_NET any -> [198.46.141.251] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200397; rev:1;)
alert tcp $HOME_NET any -> [128.199.57.93] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200398; rev:1;)
alert tcp $HOME_NET any -> [193.37.213.157] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200399; rev:1;)
alert tcp $HOME_NET any -> [47.252.2.199] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200400; rev:1;)
alert tcp $HOME_NET any -> [168.235.111.253] 56453 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200401; rev:1;)
alert tcp $HOME_NET any -> [185.136.163.128] 2020 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200402; rev:1;)
alert tcp $HOME_NET any -> [60.51.99.42] 4424 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200403; rev:1;)
alert tcp $HOME_NET any -> [212.114.52.84] 2803 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200404; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.60] 7071 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200405; rev:1;)
alert tcp $HOME_NET any -> [185.243.242.116] 7766 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200406; rev:1;)
alert tcp $HOME_NET any -> [111.90.142.123] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200407; rev:1;)
alert tcp $HOME_NET any -> [13.224.102.128] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200408; rev:1;)
alert tcp $HOME_NET any -> [185.183.96.231] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200409; rev:1;)
alert tcp $HOME_NET any -> [176.31.88.148] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200410; rev:1;)
alert tcp $HOME_NET any -> [185.205.209.223] 1020 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200411; rev:1;)
alert tcp $HOME_NET any -> [95.213.195.71] 1788 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200412; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.29] 2128 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200413; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.5] 1369 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200414; rev:1;)
alert tcp $HOME_NET any -> [37.72.175.233] 8080 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200415; rev:1;)
alert tcp $HOME_NET any -> [185.203.236.236] 6874 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200416; rev:1;)
alert tcp $HOME_NET any -> [142.44.253.233] 5050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200417; rev:1;)
alert tcp $HOME_NET any -> [45.74.53.124] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200418; rev:1;)
alert tcp $HOME_NET any -> [123.240.25.197] 1604 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200419; rev:1;)
alert tcp $HOME_NET any -> [185.86.4.70] 4785 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200420; rev:1;)
alert tcp $HOME_NET any -> [142.147.97.150] 6084 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200421; rev:1;)
alert tcp $HOME_NET any -> [195.123.246.241] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200422; rev:1;)
alert tcp $HOME_NET any -> [185.159.82.101] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200423; rev:1;)
alert tcp $HOME_NET any -> [45.89.230.124] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200424; rev:1;)
alert tcp $HOME_NET any -> [47.241.27.57] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200425; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.71] 2121 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200426; rev:1;)
alert tcp $HOME_NET any -> [185.203.236.237] 6683 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200427; rev:1;)
alert tcp $HOME_NET any -> [35.192.205.70] 6969 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200428; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.147] 4789 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200429; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.154] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200430; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.99] 20908 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200431; rev:1;)
alert tcp $HOME_NET any -> [192.3.2.150] 5050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200432; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.97] 2016 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200433; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.154] 7201 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200434; rev:1;)
alert tcp $HOME_NET any -> [46.183.223.29] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200435; rev:1;)
alert tcp $HOME_NET any -> [118.100.66.100] 4424 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200436; rev:1;)
alert tcp $HOME_NET any -> [95.213.195.71] 17171 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200437; rev:1;)
alert tcp $HOME_NET any -> [79.186.190.12] 1080 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200438; rev:1;)
alert tcp $HOME_NET any -> [212.162.150.118] 6874 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200439; rev:1;)
alert tcp $HOME_NET any -> [46.17.47.64] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200440; rev:1;)
alert tcp $HOME_NET any -> [45.147.200.7] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200441; rev:1;)
alert tcp $HOME_NET any -> [46.21.144.10] 8080 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200442; rev:1;)
alert tcp $HOME_NET any -> [193.37.213.56] 2040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200443; rev:1;)
alert tcp $HOME_NET any -> [195.123.246.12] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200444; rev:1;)
alert tcp $HOME_NET any -> [167.99.11.50] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200445; rev:1;)
alert tcp $HOME_NET any -> [23.95.94.154] 5050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200446; rev:1;)
alert tcp $HOME_NET any -> [91.189.180.195] 7618 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200447; rev:1;)
alert tcp $HOME_NET any -> [193.37.213.56] 2030 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200448; rev:1;)
alert tcp $HOME_NET any -> [37.120.140.165] 1030 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200449; rev:1;)
alert tcp $HOME_NET any -> [185.154.21.193] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200450; rev:1;)
alert tcp $HOME_NET any -> [45.66.250.112] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200451; rev:1;)
alert tcp $HOME_NET any -> [82.118.22.9] 8085 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200452; rev:1;)
alert tcp $HOME_NET any -> [210.183.117.215] 6124 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200453; rev:1;)
alert tcp $HOME_NET any -> [193.32.188.136] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200454; rev:1;)
alert tcp $HOME_NET any -> [193.37.213.42] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200455; rev:1;)
alert tcp $HOME_NET any -> [62.108.37.42] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200456; rev:1;)
alert tcp $HOME_NET any -> [175.141.217.222] 4424 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200457; rev:1;)
alert tcp $HOME_NET any -> [45.140.169.211] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200458; rev:1;)
alert tcp $HOME_NET any -> [47.245.30.255] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200459; rev:1;)
alert tcp $HOME_NET any -> [149.167.94.36] 10196 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200460; rev:1;)
alert tcp $HOME_NET any -> [23.81.246.113] 6059 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200461; rev:1;)
alert tcp $HOME_NET any -> [139.99.122.112] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200462; rev:1;)
alert tcp $HOME_NET any -> [190.97.162.37] 443 (msg:"SSLBL: Traffic to malicious host (likely PredatorStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200463; rev:1;)
alert tcp $HOME_NET any -> [204.152.201.172] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200464; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.10] 6050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200465; rev:1;)
alert tcp $HOME_NET any -> [94.158.245.193] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200466; rev:1;)
alert tcp $HOME_NET any -> [94.158.245.180] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200467; rev:1;)
alert tcp $HOME_NET any -> [185.225.17.227] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200468; rev:1;)
alert tcp $HOME_NET any -> [93.190.93.25] 5050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200469; rev:1;)
alert tcp $HOME_NET any -> [217.29.57.164] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200470; rev:1;)
alert tcp $HOME_NET any -> [93.190.93.108] 5858 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200471; rev:1;)
alert tcp $HOME_NET any -> [92.38.184.121] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200472; rev:1;)
alert tcp $HOME_NET any -> [41.46.250.43] 8080 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200473; rev:1;)
alert tcp $HOME_NET any -> [82.192.82.102] 5147 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200474; rev:1;)
alert tcp $HOME_NET any -> [167.172.164.197] 8443 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200475; rev:1;)
alert tcp $HOME_NET any -> [91.215.169.52] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200476; rev:1;)
alert tcp $HOME_NET any -> [43.226.229.82] 5288 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200477; rev:1;)
alert tcp $HOME_NET any -> [104.129.27.166] 5210 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200478; rev:1;)
alert tcp $HOME_NET any -> [144.168.239.42] 5050 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200479; rev:1;)
alert tcp $HOME_NET any -> [64.225.20.238] 2030 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200480; rev:1;)
alert tcp $HOME_NET any -> [82.64.128.42] 6613 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200481; rev:1;)
alert tcp $HOME_NET any -> [13.225.78.77] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200482; rev:1;)
alert tcp $HOME_NET any -> [51.83.200.181] 1337 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200483; rev:1;)
alert tcp $HOME_NET any -> [111.90.156.119] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200484; rev:1;)
alert tcp $HOME_NET any -> [217.146.88.175] 4040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200485; rev:1;)
alert tcp $HOME_NET any -> [185.176.222.44] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200486; rev:1;)
alert tcp $HOME_NET any -> [192.119.71.129] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200487; rev:1;)
alert tcp $HOME_NET any -> [151.248.126.195] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200488; rev:1;)
alert tcp $HOME_NET any -> [185.10.68.16] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200489; rev:1;)
alert tcp $HOME_NET any -> [176.107.160.128] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200490; rev:1;)
alert tcp $HOME_NET any -> [181.141.0.182] 1898 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200491; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.74] 6970 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200492; rev:1;)
alert tcp $HOME_NET any -> [185.209.20.124] 1443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200493; rev:1;)
alert tcp $HOME_NET any -> [115.134.230.49] 4424 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200494; rev:1;)
alert tcp $HOME_NET any -> [95.211.140.172] 6687 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200495; rev:1;)
alert tcp $HOME_NET any -> [108.62.141.34] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200496; rev:1;)
alert tcp $HOME_NET any -> [82.64.128.42] 6617 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200497; rev:1;)
alert tcp $HOME_NET any -> [185.158.154.218] 443 (msg:"SSLBL: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200498; rev:1;)
alert tcp $HOME_NET any -> [85.143.222.85] 443 (msg:"SSLBL: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200499; rev:1;)
alert tcp $HOME_NET any -> [47.244.208.18] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200500; rev:1;)
alert tcp $HOME_NET any -> [91.215.169.244] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200501; rev:1;)
alert tcp $HOME_NET any -> [91.215.169.244] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200502; rev:1;)
alert tcp $HOME_NET any -> [176.107.160.70] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200503; rev:1;)
alert tcp $HOME_NET any -> [176.107.160.70] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200504; rev:1;)
alert tcp $HOME_NET any -> [178.124.140.143] 5888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200505; rev:1;)
alert tcp $HOME_NET any -> [47.252.11.17] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200506; rev:1;)
alert tcp $HOME_NET any -> [148.72.172.101] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200507; rev:1;)
alert tcp $HOME_NET any -> [176.107.160.11] 443 (msg:"SSLBL: Traffic to malicious host (likely PredatorStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200508; rev:1;)
alert tcp $HOME_NET any -> [190.211.254.23] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200509; rev:1;)
alert tcp $HOME_NET any -> [193.164.150.97] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200510; rev:1;)
alert tcp $HOME_NET any -> [111.90.156.123] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200511; rev:1;)
alert tcp $HOME_NET any -> [46.17.44.169] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200512; rev:1;)
alert tcp $HOME_NET any -> [195.123.222.144] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200513; rev:1;)
alert tcp $HOME_NET any -> [193.233.149.7] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200514; rev:1;)
alert tcp $HOME_NET any -> [188.127.230.203] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200515; rev:1;)
alert tcp $HOME_NET any -> [49.51.136.157] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200516; rev:1;)
alert tcp $HOME_NET any -> [46.166.173.155] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200517; rev:1;)
alert tcp $HOME_NET any -> [5.63.154.250] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200518; rev:1;)
alert tcp $HOME_NET any -> [95.217.17.191] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200519; rev:1;)
alert tcp $HOME_NET any -> [209.127.19.34] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200520; rev:1;)
alert tcp $HOME_NET any -> [134.0.118.45] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200521; rev:1;)
alert tcp $HOME_NET any -> [216.170.126.139] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200522; rev:1;)
alert tcp $HOME_NET any -> [45.139.186.90] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200523; rev:1;)
alert tcp $HOME_NET any -> [45.143.138.19] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200524; rev:1;)
alert tcp $HOME_NET any -> [144.202.5.143] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200525; rev:1;)
alert tcp $HOME_NET any -> [179.155.124.71] 15000 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200526; rev:1;)
alert tcp $HOME_NET any -> [62.108.37.11] 5252 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200527; rev:1;)
alert tcp $HOME_NET any -> [192.3.2.152] 5050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200528; rev:1;)
alert tcp $HOME_NET any -> [216.218.185.162] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200529; rev:1;)
alert tcp $HOME_NET any -> [45.128.184.104] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200530; rev:1;)
alert tcp $HOME_NET any -> [80.85.158.73] 7768 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200531; rev:1;)
alert tcp $HOME_NET any -> [185.205.209.194] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200532; rev:1;)
alert tcp $HOME_NET any -> [185.163.47.156] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200533; rev:1;)
alert tcp $HOME_NET any -> [49.51.154.98] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200534; rev:1;)
alert tcp $HOME_NET any -> [46.29.164.152] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200535; rev:1;)
alert tcp $HOME_NET any -> [194.127.179.82] 7575 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200536; rev:1;)
alert tcp $HOME_NET any -> [79.174.13.19] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200537; rev:1;)
alert tcp $HOME_NET any -> [109.248.222.22] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200538; rev:1;)
alert tcp $HOME_NET any -> [45.143.138.27] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200539; rev:1;)
alert tcp $HOME_NET any -> [45.143.138.27] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200540; rev:1;)
alert tcp $HOME_NET any -> [37.252.1.57] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200541; rev:1;)
alert tcp $HOME_NET any -> [188.120.241.68] 443 (msg:"SSLBL: Traffic to malicious host (likely PredatorStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200542; rev:1;)
alert tcp $HOME_NET any -> [188.127.227.76] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200543; rev:1;)
alert tcp $HOME_NET any -> [95.169.181.90] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200544; rev:1;)
alert tcp $HOME_NET any -> [194.58.98.72] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200545; rev:1;)
alert tcp $HOME_NET any -> [45.129.2.228] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200546; rev:1;)
alert tcp $HOME_NET any -> [176.103.62.240] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200547; rev:1;)
alert tcp $HOME_NET any -> [37.48.83.137] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200548; rev:1;)
alert tcp $HOME_NET any -> [141.255.154.30] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200549; rev:1;)
alert tcp $HOME_NET any -> [45.72.3.132] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200550; rev:1;)
alert tcp $HOME_NET any -> [194.67.105.88] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200551; rev:1;)
alert tcp $HOME_NET any -> [198.54.125.162] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200552; rev:1;)
alert tcp $HOME_NET any -> [108.174.198.213] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200553; rev:1;)
alert tcp $HOME_NET any -> [185.189.68.74] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200554; rev:1;)
alert tcp $HOME_NET any -> [95.217.99.22] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200555; rev:1;)
alert tcp $HOME_NET any -> [95.211.170.231] 1991 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200556; rev:1;)
alert tcp $HOME_NET any -> [185.48.56.111] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200557; rev:1;)
alert tcp $HOME_NET any -> [69.30.240.82] 4358 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200558; rev:1;)
alert tcp $HOME_NET any -> [103.133.109.147] 4434 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200559; rev:1;)
alert tcp $HOME_NET any -> [195.19.192.46] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200560; rev:1;)
alert tcp $HOME_NET any -> [45.86.182.200] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200561; rev:1;)
alert tcp $HOME_NET any -> [45.137.22.45] 50572 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200562; rev:1;)
alert tcp $HOME_NET any -> [45.80.69.34] 443 (msg:"SSLBL: Traffic to malicious host (likely CobInt C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200563; rev:1;)
alert tcp $HOME_NET any -> [174.127.99.243] 5888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200564; rev:1;)
alert tcp $HOME_NET any -> [185.202.174.36] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200565; rev:1;)
alert tcp $HOME_NET any -> [188.225.38.98] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200566; rev:1;)
alert tcp $HOME_NET any -> [62.76.179.117] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200567; rev:1;)
alert tcp $HOME_NET any -> [188.225.26.26] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200568; rev:1;)
alert tcp $HOME_NET any -> [45.140.168.244] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200569; rev:1;)
alert tcp $HOME_NET any -> [46.17.45.99] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200570; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.217] 5541 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200571; rev:1;)
alert tcp $HOME_NET any -> [176.53.163.150] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200572; rev:1;)
alert tcp $HOME_NET any -> [172.247.227.11] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200573; rev:1;)
alert tcp $HOME_NET any -> [31.192.109.47] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200574; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.244] 2211 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200575; rev:1;)
alert tcp $HOME_NET any -> [104.27.181.27] 443 (msg:"SSLBL: Traffic to malicious host (likely PredatorStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200576; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.82] 1112 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200577; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.217] 2002 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200578; rev:1;)
alert tcp $HOME_NET any -> [37.48.92.195] 1786 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200579; rev:1;)
alert tcp $HOME_NET any -> [45.143.138.20] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200580; rev:1;)
alert tcp $HOME_NET any -> [37.48.94.115] 1989 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200581; rev:1;)
alert tcp $HOME_NET any -> [193.233.78.25] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200582; rev:1;)
alert tcp $HOME_NET any -> [62.109.5.243] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200583; rev:1;)
alert tcp $HOME_NET any -> [83.166.250.53] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200584; rev:1;)
alert tcp $HOME_NET any -> [185.231.245.119] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200585; rev:1;)
alert tcp $HOME_NET any -> [185.180.196.30] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200586; rev:1;)
alert tcp $HOME_NET any -> [45.128.187.239] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200587; rev:1;)
alert tcp $HOME_NET any -> [45.143.138.66] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200588; rev:1;)
alert tcp $HOME_NET any -> [46.8.208.36] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200589; rev:1;)
alert tcp $HOME_NET any -> [185.144.30.54] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200590; rev:1;)
alert tcp $HOME_NET any -> [134.0.116.116] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200591; rev:1;)
alert tcp $HOME_NET any -> [37.46.130.73] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200592; rev:1;)
alert tcp $HOME_NET any -> [74.36.14.147] 54984 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200593; rev:1;)
alert tcp $HOME_NET any -> [185.65.202.7] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200594; rev:1;)
alert tcp $HOME_NET any -> [195.69.187.118] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200595; rev:1;)
alert tcp $HOME_NET any -> [45.67.229.220] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200596; rev:1;)
alert tcp $HOME_NET any -> [94.103.82.31] 443 (msg:"SSLBL: Traffic to malicious host (likely CobInt C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200597; rev:1;)
alert tcp $HOME_NET any -> [91.121.235.6] 1515 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200598; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.59] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200599; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.6] 1819 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200600; rev:1;)
alert tcp $HOME_NET any -> [45.143.138.69] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200601; rev:1;)
alert tcp $HOME_NET any -> [83.166.245.47] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200602; rev:1;)
alert tcp $HOME_NET any -> [91.214.119.30] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200603; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.12] 6036 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200604; rev:1;)
alert tcp $HOME_NET any -> [176.32.32.62] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200605; rev:1;)
alert tcp $HOME_NET any -> [185.117.155.48] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200606; rev:1;)
alert tcp $HOME_NET any -> [176.32.33.203] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200607; rev:1;)
alert tcp $HOME_NET any -> [46.29.163.145] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200608; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.222] 5200 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200609; rev:1;)
alert tcp $HOME_NET any -> [194.61.1.178] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200610; rev:1;)
alert tcp $HOME_NET any -> [46.29.161.246] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200611; rev:1;)
alert tcp $HOME_NET any -> [95.217.19.128] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200612; rev:1;)
alert tcp $HOME_NET any -> [149.154.159.226] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200613; rev:1;)
alert tcp $HOME_NET any -> [46.29.161.3] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200614; rev:1;)
alert tcp $HOME_NET any -> [185.61.154.7] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200615; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.47] 6234 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200616; rev:1;)
alert tcp $HOME_NET any -> [83.166.242.144] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200617; rev:1;)
alert tcp $HOME_NET any -> [91.224.22.60] 443 (msg:"SSLBL: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200618; rev:1;)
alert tcp $HOME_NET any -> [141.105.64.132] 1606 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200619; rev:1;)
alert tcp $HOME_NET any -> [54.255.139.136] 80 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200620; rev:1;)
alert tcp $HOME_NET any -> [84.54.187.24] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200621; rev:1;)
alert tcp $HOME_NET any -> [89.35.29.52] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200622; rev:1;)
alert tcp $HOME_NET any -> [119.31.127.51] 4444 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200623; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.114] 5040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200624; rev:1;)
alert tcp $HOME_NET any -> [54.191.72.237] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200625; rev:1;)
alert tcp $HOME_NET any -> [193.109.69.17] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200626; rev:1;)
alert tcp $HOME_NET any -> [45.89.230.51] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200627; rev:1;)
alert tcp $HOME_NET any -> [77.222.63.110] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200628; rev:1;)
alert tcp $HOME_NET any -> [173.212.248.28] 8443 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200629; rev:1;)
alert tcp $HOME_NET any -> [216.38.2.206] 5252 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200630; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.60] 4242 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200631; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.27] 44985 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200632; rev:1;)
alert tcp $HOME_NET any -> [77.220.205.126] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200633; rev:1;)
alert tcp $HOME_NET any -> [45.139.236.3] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200634; rev:1;)
alert tcp $HOME_NET any -> [13.69.254.90] 77 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200635; rev:1;)
alert tcp $HOME_NET any -> [185.147.15.21] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200636; rev:1;)
alert tcp $HOME_NET any -> [185.130.104.152] 443 (msg:"SSLBL: Traffic to malicious host (likely Ostap C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200637; rev:1;)
alert tcp $HOME_NET any -> [198.50.217.185] 1988 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200638; rev:1;)
alert tcp $HOME_NET any -> [45.67.231.175] 443 (msg:"SSLBL: Traffic to malicious host (likely TA505 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200639; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.92] 4040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200640; rev:1;)
alert tcp $HOME_NET any -> [173.249.23.208] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200641; rev:1;)
alert tcp $HOME_NET any -> [185.174.172.99] 443 (msg:"SSLBL: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200642; rev:1;)
alert tcp $HOME_NET any -> [81.25.71.88] 443 (msg:"SSLBL: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200643; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.135] 7654 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200644; rev:1;)
alert tcp $HOME_NET any -> [176.227.191.12] 25530 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200645; rev:1;)
alert tcp $HOME_NET any -> [2.91.161.144] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200646; rev:1;)
alert tcp $HOME_NET any -> [5.61.40.237] 443 (msg:"SSLBL: Traffic to malicious host (likely Ostap C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200647; rev:1;)
alert tcp $HOME_NET any -> [185.118.165.109] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200648; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.76] 5252 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200649; rev:1;)
alert tcp $HOME_NET any -> [176.32.32.15] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200650; rev:1;)
alert tcp $HOME_NET any -> [45.144.3.145] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200651; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.79] 204 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200652; rev:1;)
alert tcp $HOME_NET any -> [51.77.225.5] 7575 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200653; rev:1;)
alert tcp $HOME_NET any -> [85.217.171.222] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200654; rev:1;)
alert tcp $HOME_NET any -> [37.252.10.127] 443 (msg:"SSLBL: Traffic to malicious host (likely Ostap C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200655; rev:1;)
alert tcp $HOME_NET any -> [185.130.104.240] 443 (msg:"SSLBL: Traffic to malicious host (likely Ostap C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200656; rev:1;)
alert tcp $HOME_NET any -> [46.29.164.66] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200657; rev:1;)
alert tcp $HOME_NET any -> [95.110.224.103] 5147 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200658; rev:1;)
alert tcp $HOME_NET any -> [83.220.175.116] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200659; rev:1;)
alert tcp $HOME_NET any -> [91.218.65.24] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200660; rev:1;)
alert tcp $HOME_NET any -> [190.1.237.120] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200661; rev:1;)
alert tcp $HOME_NET any -> [185.113.141.120] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200662; rev:1;)
alert tcp $HOME_NET any -> [195.228.41.2] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200663; rev:1;)
alert tcp $HOME_NET any -> [37.75.61.8] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200664; rev:1;)
alert tcp $HOME_NET any -> [94.103.82.67] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200665; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.78] 4811 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200666; rev:1;)
alert tcp $HOME_NET any -> [51.83.18.78] 4358 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200667; rev:1;)
alert tcp $HOME_NET any -> [93.189.149.187] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200668; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.199] 5954 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200669; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.90] 8585 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200670; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.175] 1994 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200671; rev:1;)
alert tcp $HOME_NET any -> [213.208.152.216] 5954 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200672; rev:1;)
alert tcp $HOME_NET any -> [45.144.2.210] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200673; rev:1;)
alert tcp $HOME_NET any -> [193.29.15.147] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200674; rev:1;)
alert tcp $HOME_NET any -> [185.157.245.59] 4430 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200675; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.75] 8585 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200676; rev:1;)
alert tcp $HOME_NET any -> [138.201.6.195] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200677; rev:1;)
alert tcp $HOME_NET any -> [5.188.108.58] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200678; rev:1;)
alert tcp $HOME_NET any -> [194.67.86.241] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200679; rev:1;)
alert tcp $HOME_NET any -> [85.143.219.95] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200680; rev:1;)
alert tcp $HOME_NET any -> [47.111.114.5] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200681; rev:1;)
alert tcp $HOME_NET any -> [194.58.123.243] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200682; rev:1;)
alert tcp $HOME_NET any -> [91.77.167.80] 18000 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200683; rev:1;)
alert tcp $HOME_NET any -> [45.128.186.79] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200684; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.71] 8808 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200685; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.71] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200686; rev:1;)
alert tcp $HOME_NET any -> [91.230.60.107] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200687; rev:1;)
alert tcp $HOME_NET any -> [185.253.219.43] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200688; rev:1;)
alert tcp $HOME_NET any -> [51.77.225.5] 1960 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200689; rev:1;)
alert tcp $HOME_NET any -> [84.38.129.162] 5555 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200690; rev:1;)
alert tcp $HOME_NET any -> [188.72.115.200] 24007 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200691; rev:1;)
alert tcp $HOME_NET any -> [185.118.66.254] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200692; rev:1;)
alert tcp $HOME_NET any -> [90.96.187.205] 4430 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200693; rev:1;)
alert tcp $HOME_NET any -> [195.133.146.24] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200694; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.150] 4922 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200695; rev:1;)
alert tcp $HOME_NET any -> [45.144.2.212] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200696; rev:1;)
alert tcp $HOME_NET any -> [95.213.139.105] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200697; rev:1;)
alert tcp $HOME_NET any -> [178.124.140.136] 1819 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200698; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.193] 83 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200699; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.222] 79 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200700; rev:1;)
alert tcp $HOME_NET any -> [95.213.195.71] 3999 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200701; rev:1;)
alert tcp $HOME_NET any -> [45.147.200.57] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200702; rev:1;)
alert tcp $HOME_NET any -> [45.142.214.21] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200703; rev:1;)
alert tcp $HOME_NET any -> [185.156.177.132] 443 (msg:"SSLBL: Traffic to malicious host (likely TinyNuke C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200704; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.123] 3930 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200705; rev:1;)
alert tcp $HOME_NET any -> [46.148.26.62] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200706; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.27] 32765 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200707; rev:1;)
alert tcp $HOME_NET any -> [185.163.45.199] 3999 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200708; rev:1;)
alert tcp $HOME_NET any -> [194.165.3.1] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200709; rev:1;)
alert tcp $HOME_NET any -> [217.182.188.118] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200710; rev:1;)
alert tcp $HOME_NET any -> [212.7.208.72] 5567 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200711; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.151] 2019 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200712; rev:1;)
alert tcp $HOME_NET any -> [185.81.157.122] 5050 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200713; rev:1;)
alert tcp $HOME_NET any -> [103.125.191.106] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200714; rev:1;)
alert tcp $HOME_NET any -> [176.10.124.134] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200715; rev:1;)
alert tcp $HOME_NET any -> [199.19.224.31] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200716; rev:1;)
alert tcp $HOME_NET any -> [91.214.71.123] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200717; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.28] 20131 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200718; rev:1;)
alert tcp $HOME_NET any -> [185.130.104.187] 443 (msg:"SSLBL: Traffic to malicious host (likely Ostap C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200719; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.104] 7562 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200720; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.150] 4145 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200721; rev:1;)
alert tcp $HOME_NET any -> [81.25.71.28] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200722; rev:1;)
alert tcp $HOME_NET any -> [210.123.126.60] 1002 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200723; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.118] 6778 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200724; rev:1;)
alert tcp $HOME_NET any -> [185.159.82.18] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200725; rev:1;)
alert tcp $HOME_NET any -> [195.69.187.132] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200726; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.119] 2256 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200727; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.104] 4430 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200728; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.86] 1818 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200729; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.83] 7272 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200730; rev:1;)
alert tcp $HOME_NET any -> [83.166.246.250] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200731; rev:1;)
alert tcp $HOME_NET any -> [45.129.2.78] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200732; rev:1;)
alert tcp $HOME_NET any -> [193.56.28.57] 1944 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200733; rev:1;)
alert tcp $HOME_NET any -> [45.140.169.100] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200734; rev:1;)
alert tcp $HOME_NET any -> [46.17.47.148] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200735; rev:1;)
alert tcp $HOME_NET any -> [77.222.55.71] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200736; rev:1;)
alert tcp $HOME_NET any -> [185.222.202.74] 5760 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200737; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.211] 4145 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200738; rev:1;)
alert tcp $HOME_NET any -> [185.163.47.199] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200739; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.95] 43 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200740; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.99] 4379 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200741; rev:1;)
alert tcp $HOME_NET any -> [194.67.194.182] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200742; rev:1;)
alert tcp $HOME_NET any -> [5.101.88.49] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200743; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.107] 4145 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200744; rev:1;)
alert tcp $HOME_NET any -> [46.29.167.31] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200745; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.103] 8881 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200746; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.121] 7442 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200747; rev:1;)
alert tcp $HOME_NET any -> [185.203.118.111] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200748; rev:1;)
alert tcp $HOME_NET any -> [91.92.128.232] 1040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200749; rev:1;)
alert tcp $HOME_NET any -> [185.177.59.229] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200750; rev:1;)
alert tcp $HOME_NET any -> [93.170.76.85] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200751; rev:1;)
alert tcp $HOME_NET any -> [45.140.168.68] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200752; rev:1;)
alert tcp $HOME_NET any -> [185.36.81.60] 1474 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200753; rev:1;)
alert tcp $HOME_NET any -> [185.227.82.51] 4070 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200754; rev:1;)
alert tcp $HOME_NET any -> [185.163.45.111] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200755; rev:1;)
alert tcp $HOME_NET any -> [185.163.47.214] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200756; rev:1;)
alert tcp $HOME_NET any -> [185.225.17.254] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200757; rev:1;)
alert tcp $HOME_NET any -> [82.146.39.206] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware.Nemty C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200758; rev:1;)
alert tcp $HOME_NET any -> [178.63.132.28] 1634 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200759; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.151] 1994 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200760; rev:1;)
alert tcp $HOME_NET any -> [89.223.100.18] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200761; rev:1;)
alert tcp $HOME_NET any -> [92.53.71.99] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200762; rev:1;)
alert tcp $HOME_NET any -> [46.21.253.86] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200763; rev:1;)
alert tcp $HOME_NET any -> [85.143.218.8] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200764; rev:1;)
alert tcp $HOME_NET any -> [85.217.171.167] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200765; rev:1;)
alert tcp $HOME_NET any -> [46.249.62.203] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200766; rev:1;)
alert tcp $HOME_NET any -> [2.57.89.47] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200767; rev:1;)
alert tcp $HOME_NET any -> [45.132.19.146] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware.Nemty C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200768; rev:1;)
alert tcp $HOME_NET any -> [151.80.241.113] 1717 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200769; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.95] 6460 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200770; rev:1;)
alert tcp $HOME_NET any -> [193.0.61.106] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200771; rev:1;)
alert tcp $HOME_NET any -> [185.253.218.26] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200772; rev:1;)
alert tcp $HOME_NET any -> [192.99.211.205] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200773; rev:1;)
alert tcp $HOME_NET any -> [172.94.88.81] 1780 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200774; rev:1;)
alert tcp $HOME_NET any -> [94.103.94.180] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200775; rev:1;)
alert tcp $HOME_NET any -> [195.19.192.51] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200776; rev:1;)
alert tcp $HOME_NET any -> [91.203.5.180] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200777; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.11] 4782 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200778; rev:1;)
alert tcp $HOME_NET any -> [185.105.236.161] 3939 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200779; rev:1;)
alert tcp $HOME_NET any -> [66.154.97.151] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200780; rev:1;)
alert tcp $HOME_NET any -> [154.83.15.174] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200781; rev:1;)
alert tcp $HOME_NET any -> [104.248.149.132] 4789 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200782; rev:1;)
alert tcp $HOME_NET any -> [173.212.204.171] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200783; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.46] 32765 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200784; rev:1;)
alert tcp $HOME_NET any -> [84.38.129.30] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200785; rev:1;)
alert tcp $HOME_NET any -> [89.249.65.168] 2025 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200786; rev:1;)
alert tcp $HOME_NET any -> [85.217.171.52] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200787; rev:1;)
alert tcp $HOME_NET any -> [31.41.44.65] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200788; rev:1;)
alert tcp $HOME_NET any -> [37.48.92.195] 1218 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200789; rev:1;)
alert tcp $HOME_NET any -> [185.36.81.51] 6008 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200790; rev:1;)
alert tcp $HOME_NET any -> [89.249.65.210] 4050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200791; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.81] 2077 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200792; rev:1;)
alert tcp $HOME_NET any -> [51.83.78.85] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200793; rev:1;)
alert tcp $HOME_NET any -> [81.16.141.25] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200794; rev:1;)
alert tcp $HOME_NET any -> [185.163.45.35] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200795; rev:1;)
alert tcp $HOME_NET any -> [188.127.230.158] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200796; rev:1;)
alert tcp $HOME_NET any -> [194.67.91.222] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200797; rev:1;)
alert tcp $HOME_NET any -> [45.141.102.241] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200798; rev:1;)
alert tcp $HOME_NET any -> [185.193.141.252] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200799; rev:1;)
alert tcp $HOME_NET any -> [157.245.132.240] 8888 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200800; rev:1;)
alert tcp $HOME_NET any -> [190.1.245.79] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200801; rev:1;)
alert tcp $HOME_NET any -> [45.67.57.184] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200802; rev:1;)
alert tcp $HOME_NET any -> [93.170.76.64] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200803; rev:1;)
alert tcp $HOME_NET any -> [103.125.191.152] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200804; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.114] 5060 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200805; rev:1;)
alert tcp $HOME_NET any -> [51.75.128.158] 60 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200806; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.70] 2323 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200807; rev:1;)
alert tcp $HOME_NET any -> [194.87.103.158] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200808; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 31447 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200809; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.96] 5665 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200810; rev:1;)
alert tcp $HOME_NET any -> [185.22.154.110] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200811; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.116] 7219 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200812; rev:1;)
alert tcp $HOME_NET any -> [194.67.202.117] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200813; rev:1;)
alert tcp $HOME_NET any -> [195.206.106.220] 1899 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200814; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.74] 3050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200815; rev:1;)
alert tcp $HOME_NET any -> [85.143.221.32] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200816; rev:1;)
alert tcp $HOME_NET any -> [185.203.116.78] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200817; rev:1;)
alert tcp $HOME_NET any -> [5.135.67.231] 10134 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200818; rev:1;)
alert tcp $HOME_NET any -> [188.120.229.38] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200819; rev:1;)
alert tcp $HOME_NET any -> [134.119.177.108] 1717 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200820; rev:1;)
alert tcp $HOME_NET any -> [46.29.165.244] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200821; rev:1;)
alert tcp $HOME_NET any -> [119.29.177.237] 8088 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200822; rev:1;)
alert tcp $HOME_NET any -> [195.133.1.208] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200823; rev:1;)
alert tcp $HOME_NET any -> [194.67.78.102] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200824; rev:1;)
alert tcp $HOME_NET any -> [109.196.164.75] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200825; rev:1;)
alert tcp $HOME_NET any -> [93.190.93.175] 4040 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200826; rev:1;)
alert tcp $HOME_NET any -> [185.193.141.59] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200827; rev:1;)
alert tcp $HOME_NET any -> [46.249.59.116] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200828; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.90] 4782 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200829; rev:1;)
alert tcp $HOME_NET any -> [107.182.187.115] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200830; rev:1;)
alert tcp $HOME_NET any -> [85.143.216.198] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200831; rev:1;)
alert tcp $HOME_NET any -> [85.143.223.34] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200832; rev:1;)
alert tcp $HOME_NET any -> [192.3.204.165] 1414 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200833; rev:1;)
alert tcp $HOME_NET any -> [180.245.57.42] 6606 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200834; rev:1;)
alert tcp $HOME_NET any -> [194.87.238.60] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200835; rev:1;)
alert tcp $HOME_NET any -> [62.173.145.225] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200836; rev:1;)
alert tcp $HOME_NET any -> [46.29.167.164] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200837; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.76] 8881 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200838; rev:1;)
alert tcp $HOME_NET any -> [172.82.128.243] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200839; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.71] 7390 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200840; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.88] 1994 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200841; rev:1;)
alert tcp $HOME_NET any -> [109.234.39.136] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200842; rev:1;)
alert tcp $HOME_NET any -> [80.78.240.45] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200843; rev:1;)
alert tcp $HOME_NET any -> [185.205.210.48] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200844; rev:1;)
alert tcp $HOME_NET any -> [45.129.2.205] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200845; rev:1;)
alert tcp $HOME_NET any -> [176.113.82.144] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200846; rev:1;)
alert tcp $HOME_NET any -> [45.128.204.95] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200847; rev:1;)
alert tcp $HOME_NET any -> [85.143.223.150] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200848; rev:1;)
alert tcp $HOME_NET any -> [149.154.71.176] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200849; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.115] 4404 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200850; rev:1;)
alert tcp $HOME_NET any -> [85.143.217.217] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200851; rev:1;)
alert tcp $HOME_NET any -> [45.141.103.221] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200852; rev:1;)
alert tcp $HOME_NET any -> [141.255.156.100] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200853; rev:1;)
alert tcp $HOME_NET any -> [159.246.29.124] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200854; rev:1;)
alert tcp $HOME_NET any -> [185.31.160.32] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200855; rev:1;)
alert tcp $HOME_NET any -> [85.143.218.97] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200856; rev:1;)
alert tcp $HOME_NET any -> [194.67.222.131] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200857; rev:1;)
alert tcp $HOME_NET any -> [194.67.78.6] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200858; rev:1;)
alert tcp $HOME_NET any -> [194.67.78.6] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200859; rev:1;)
alert tcp $HOME_NET any -> [194.58.108.187] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200860; rev:1;)
alert tcp $HOME_NET any -> [82.146.57.135] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200861; rev:1;)
alert tcp $HOME_NET any -> [185.31.160.250] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200862; rev:1;)
alert tcp $HOME_NET any -> [62.173.140.58] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200863; rev:1;)
alert tcp $HOME_NET any -> [195.128.126.234] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200864; rev:1;)
alert tcp $HOME_NET any -> [89.108.64.177] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200865; rev:1;)
alert tcp $HOME_NET any -> [185.173.178.175] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200866; rev:1;)
alert tcp $HOME_NET any -> [23.105.131.169] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200867; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.72] 1819 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200868; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.11] 1199 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200869; rev:1;)
alert tcp $HOME_NET any -> [62.109.17.122] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200870; rev:1;)
alert tcp $HOME_NET any -> [185.225.17.154] 443 (msg:"SSLBL: Traffic to malicious host (likely Bolek C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200871; rev:1;)
alert tcp $HOME_NET any -> [45.88.78.10] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200872; rev:1;)
alert tcp $HOME_NET any -> [51.91.175.220] 4558 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200873; rev:1;)
alert tcp $HOME_NET any -> [110.141.230.15] 10134 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200874; rev:1;)
alert tcp $HOME_NET any -> [74.208.64.187] 3389 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200875; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.75] 1313 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200876; rev:1;)
alert tcp $HOME_NET any -> [85.114.136.176] 4558 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200877; rev:1;)
alert tcp $HOME_NET any -> [185.177.59.98] 1040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200878; rev:1;)
alert tcp $HOME_NET any -> [212.109.218.122] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200879; rev:1;)
alert tcp $HOME_NET any -> [185.41.161.200] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200880; rev:1;)
alert tcp $HOME_NET any -> [85.143.216.250] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200881; rev:1;)
alert tcp $HOME_NET any -> [193.37.213.33] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200882; rev:1;)
alert tcp $HOME_NET any -> [74.124.24.29] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200883; rev:1;)
alert tcp $HOME_NET any -> [193.124.117.45] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200884; rev:1;)
alert tcp $HOME_NET any -> [185.94.191.37] 5201 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200885; rev:1;)
alert tcp $HOME_NET any -> [85.143.216.89] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200886; rev:1;)
alert tcp $HOME_NET any -> [195.133.147.138] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200887; rev:1;)
alert tcp $HOME_NET any -> [184.164.139.213] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200888; rev:1;)
alert tcp $HOME_NET any -> [46.29.167.113] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200889; rev:1;)
alert tcp $HOME_NET any -> [179.60.144.143] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200890; rev:1;)
alert tcp $HOME_NET any -> [185.244.31.119] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200891; rev:1;)
alert tcp $HOME_NET any -> [185.157.161.147] 65301 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200892; rev:1;)
alert tcp $HOME_NET any -> [185.244.31.92] 9341 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200893; rev:1;)
alert tcp $HOME_NET any -> [91.92.128.188] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200894; rev:1;)
alert tcp $HOME_NET any -> [109.234.34.133] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200895; rev:1;)
alert tcp $HOME_NET any -> [185.205.210.163] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200896; rev:1;)
alert tcp $HOME_NET any -> [185.193.141.166] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200897; rev:1;)
alert tcp $HOME_NET any -> [194.67.209.128] 1029 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200898; rev:1;)
alert tcp $HOME_NET any -> [5.39.218.206] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200899; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 44611 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200900; rev:1;)
alert tcp $HOME_NET any -> [85.217.171.237] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200901; rev:1;)
alert tcp $HOME_NET any -> [77.73.69.39] 443 (msg:"SSLBL: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200902; rev:1;)
alert tcp $HOME_NET any -> [185.163.45.199] 1780 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200903; rev:1;)
alert tcp $HOME_NET any -> [185.163.45.63] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200904; rev:1;)
alert tcp $HOME_NET any -> [66.154.102.118] 9412 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200905; rev:1;)
alert tcp $HOME_NET any -> [77.83.174.121] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200906; rev:1;)
alert tcp $HOME_NET any -> [185.205.210.60] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200907; rev:1;)
alert tcp $HOME_NET any -> [185.205.210.60] 1040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200908; rev:1;)
alert tcp $HOME_NET any -> [177.133.246.134] 9830 (msg:"SSLBL: Traffic to malicious host (likely njrat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200909; rev:1;)
alert tcp $HOME_NET any -> [185.163.45.175] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200910; rev:1;)
alert tcp $HOME_NET any -> [185.163.45.175] 443 (msg:"SSLBL: Traffic to malicious host (likely ServHelper C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200911; rev:1;)
alert tcp $HOME_NET any -> [172.111.250.235] 6601 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200912; rev:1;)
alert tcp $HOME_NET any -> [46.4.167.227] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200913; rev:1;)
alert tcp $HOME_NET any -> [178.124.140.146] 9030 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200914; rev:1;)
alert tcp $HOME_NET any -> [89.223.94.18] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200915; rev:1;)
alert tcp $HOME_NET any -> [185.244.31.84] 9988 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200916; rev:1;)
alert tcp $HOME_NET any -> [178.156.202.242] 2050 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200917; rev:1;)
alert tcp $HOME_NET any -> [3.14.212.173] 10836 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200918; rev:1;)
alert tcp $HOME_NET any -> [185.203.117.118] 1020 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200919; rev:1;)
alert tcp $HOME_NET any -> [93.170.76.77] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200920; rev:1;)
alert tcp $HOME_NET any -> [94.158.245.123] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200921; rev:1;)
alert tcp $HOME_NET any -> [82.146.34.237] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200922; rev:1;)
alert tcp $HOME_NET any -> [31.220.43.160] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200923; rev:1;)
alert tcp $HOME_NET any -> [5.252.178.9] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200924; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.161] 6776 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200925; rev:1;)
alert tcp $HOME_NET any -> [46.249.59.119] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200926; rev:1;)
alert tcp $HOME_NET any -> [79.134.225.121] 9992 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200927; rev:1;)
alert tcp $HOME_NET any -> [94.156.35.241] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200928; rev:1;)
alert tcp $HOME_NET any -> [104.168.197.211] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200929; rev:1;)
alert tcp $HOME_NET any -> [45.61.49.107] 2444 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200930; rev:1;)
alert tcp $HOME_NET any -> [185.159.129.138] 443 (msg:"SSLBL: Traffic to malicious host (likely PsiXBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200931; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.4] 1997 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200932; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.145] 2016 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200933; rev:1;)
alert tcp $HOME_NET any -> [46.21.153.72] 1506 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200934; rev:1;)
alert tcp $HOME_NET any -> [197.255.225.249] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200935; rev:1;)
alert tcp $HOME_NET any -> [188.227.212.233] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200936; rev:1;)
alert tcp $HOME_NET any -> [185.203.118.180] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200937; rev:1;)
alert tcp $HOME_NET any -> [81.16.141.28] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200938; rev:1;)
alert tcp $HOME_NET any -> [213.208.152.205] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200939; rev:1;)
alert tcp $HOME_NET any -> [185.61.138.206] 25565 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200940; rev:1;)
alert tcp $HOME_NET any -> [37.75.34.239] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200941; rev:1;)
alert tcp $HOME_NET any -> [176.227.191.12] 1337 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200942; rev:1;)
alert tcp $HOME_NET any -> [177.133.239.37] 6606 (msg:"SSLBL: Traffic to malicious host (likely njrat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200943; rev:1;)
alert tcp $HOME_NET any -> [91.148.141.76] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200944; rev:1;)
alert tcp $HOME_NET any -> [185.225.17.169] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200945; rev:1;)
alert tcp $HOME_NET any -> [93.170.76.177] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200946; rev:1;)
alert tcp $HOME_NET any -> [192.99.135.121] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200947; rev:1;)
alert tcp $HOME_NET any -> [109.185.156.241] 5555 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200948; rev:1;)
alert tcp $HOME_NET any -> [213.188.152.96] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200949; rev:1;)
alert tcp $HOME_NET any -> [91.132.139.145] 5020 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200950; rev:1;)
alert tcp $HOME_NET any -> [72.44.80.19] 443 (msg:"SSLBL: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200951; rev:1;)
alert tcp $HOME_NET any -> [194.147.34.103] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200952; rev:1;)
alert tcp $HOME_NET any -> [161.129.67.135] 6722 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200953; rev:1;)
alert tcp $HOME_NET any -> [189.47.95.154] 3570 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200954; rev:1;)
alert tcp $HOME_NET any -> [51.75.17.4] 10135 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200955; rev:1;)
alert tcp $HOME_NET any -> [78.138.107.12] 7779 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200956; rev:1;)
alert tcp $HOME_NET any -> [46.17.46.71] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200957; rev:1;)
alert tcp $HOME_NET any -> [185.244.29.219] 58030 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200958; rev:1;)
alert tcp $HOME_NET any -> [185.247.228.24] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200959; rev:1;)
alert tcp $HOME_NET any -> [103.87.48.66] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200960; rev:1;)
alert tcp $HOME_NET any -> [185.217.1.185] 911 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200961; rev:1;)
alert tcp $HOME_NET any -> [45.74.1.12] 1155 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200962; rev:1;)
alert tcp $HOME_NET any -> [185.247.228.191] 5954 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200963; rev:1;)
alert tcp $HOME_NET any -> [45.227.255.117] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200964; rev:1;)
alert tcp $HOME_NET any -> [94.158.245.154] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200965; rev:1;)
alert tcp $HOME_NET any -> [138.121.24.78] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200966; rev:1;)
alert tcp $HOME_NET any -> [185.205.209.96] 1040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200967; rev:1;)
alert tcp $HOME_NET any -> [185.222.57.157] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200968; rev:1;)
alert tcp $HOME_NET any -> [185.247.228.69] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200969; rev:1;)
alert tcp $HOME_NET any -> [200.171.231.146] 3570 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200970; rev:1;)
alert tcp $HOME_NET any -> [185.217.1.151] 9030 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200971; rev:1;)
alert tcp $HOME_NET any -> [168.227.229.112] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200972; rev:1;)
alert tcp $HOME_NET any -> [193.56.28.172] 1944 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200973; rev:1;)
alert tcp $HOME_NET any -> [51.75.154.197] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200974; rev:1;)
alert tcp $HOME_NET any -> [185.247.228.177] 6776 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200975; rev:1;)
alert tcp $HOME_NET any -> [64.44.42.148] 1604 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200976; rev:1;)
alert tcp $HOME_NET any -> [185.247.228.53] 8057 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200977; rev:1;)
alert tcp $HOME_NET any -> [178.239.21.5] 1313 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200978; rev:1;)
alert tcp $HOME_NET any -> [131.0.142.120] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200979; rev:1;)
alert tcp $HOME_NET any -> [185.186.244.99] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200980; rev:1;)
alert tcp $HOME_NET any -> [185.247.228.128] 2016 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200981; rev:1;)
alert tcp $HOME_NET any -> [177.8.172.86] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200982; rev:1;)
alert tcp $HOME_NET any -> [45.89.230.243] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200983; rev:1;)
alert tcp $HOME_NET any -> [187.74.75.191] 3570 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200984; rev:1;)
alert tcp $HOME_NET any -> [177.76.22.91] 3570 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200985; rev:1;)
alert tcp $HOME_NET any -> [201.0.106.138] 3570 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200986; rev:1;)
alert tcp $HOME_NET any -> [188.215.229.215] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200987; rev:1;)
alert tcp $HOME_NET any -> [46.17.40.81] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200988; rev:1;)
alert tcp $HOME_NET any -> [46.17.40.254] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200989; rev:1;)
alert tcp $HOME_NET any -> [154.16.93.179] 2019 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200990; rev:1;)
alert tcp $HOME_NET any -> [179.180.17.194] 9830 (msg:"SSLBL: Traffic to malicious host (likely njrat C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200991; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.22] 1604 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200992; rev:1;)
alert tcp $HOME_NET any -> [95.211.214.43] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200993; rev:1;)
alert tcp $HOME_NET any -> [175.126.82.55] 8888 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200994; rev:1;)
alert tcp $HOME_NET any -> [46.17.40.59] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200995; rev:1;)
alert tcp $HOME_NET any -> [185.247.228.18] 8787 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200996; rev:1;)
alert tcp $HOME_NET any -> [5.39.119.175] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200997; rev:1;)
alert tcp $HOME_NET any -> [91.218.65.24] 1337 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200998; rev:1;)
alert tcp $HOME_NET any -> [89.223.90.229] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905200999; rev:1;)
alert tcp $HOME_NET any -> [194.165.3.28] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201000; rev:1;)
alert tcp $HOME_NET any -> [94.158.245.4] 1780 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201001; rev:1;)
alert tcp $HOME_NET any -> [185.247.228.28] 587 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201002; rev:1;)
alert tcp $HOME_NET any -> [134.119.180.105] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201003; rev:1;)
alert tcp $HOME_NET any -> [141.255.166.157] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201004; rev:1;)
alert tcp $HOME_NET any -> [93.170.76.57] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201005; rev:1;)
alert tcp $HOME_NET any -> [190.13.160.19] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201006; rev:1;)
alert tcp $HOME_NET any -> [185.247.228.69] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201007; rev:1;)
alert tcp $HOME_NET any -> [185.193.141.65] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201008; rev:1;)
alert tcp $HOME_NET any -> [185.247.228.31] 1313 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201009; rev:1;)
alert tcp $HOME_NET any -> [67.253.236.155] 111 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201010; rev:1;)
alert tcp $HOME_NET any -> [46.17.44.67] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201011; rev:1;)
alert tcp $HOME_NET any -> [93.90.193.189] 9341 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201012; rev:1;)
alert tcp $HOME_NET any -> [185.225.17.150] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201013; rev:1;)
alert tcp $HOME_NET any -> [93.170.76.89] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201014; rev:1;)
alert tcp $HOME_NET any -> [94.130.156.219] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201015; rev:1;)
alert tcp $HOME_NET any -> [64.44.42.201] 6677 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201016; rev:1;)
alert tcp $HOME_NET any -> [188.209.52.219] 25565 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201017; rev:1;)
alert tcp $HOME_NET any -> [62.109.24.227] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201018; rev:1;)
alert tcp $HOME_NET any -> [93.189.149.176] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201019; rev:1;)
alert tcp $HOME_NET any -> [185.247.228.16] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201020; rev:1;)
alert tcp $HOME_NET any -> [187.110.100.122] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201021; rev:1;)
alert tcp $HOME_NET any -> [211.47.153.128] 1002 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201022; rev:1;)
alert tcp $HOME_NET any -> [5.188.60.74] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201023; rev:1;)
alert tcp $HOME_NET any -> [176.227.191.12] 2002 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201024; rev:1;)
alert tcp $HOME_NET any -> [81.177.6.162] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201025; rev:1;)
alert tcp $HOME_NET any -> [185.205.209.2] 1020 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201026; rev:1;)
alert tcp $HOME_NET any -> [178.239.21.45] 9030 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201027; rev:1;)
alert tcp $HOME_NET any -> [185.205.209.2] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201028; rev:1;)
alert tcp $HOME_NET any -> [31.214.157.78] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201029; rev:1;)
alert tcp $HOME_NET any -> [185.217.1.190] 1337 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201030; rev:1;)
alert tcp $HOME_NET any -> [23.81.246.143] 1013 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201031; rev:1;)
alert tcp $HOME_NET any -> [177.183.194.194] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201032; rev:1;)
alert tcp $HOME_NET any -> [185.244.31.62] 5780 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201033; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.130] 7075 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201034; rev:1;)
alert tcp $HOME_NET any -> [178.239.21.21] 9298 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201035; rev:1;)
alert tcp $HOME_NET any -> [95.167.151.233] 9030 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201036; rev:1;)
alert tcp $HOME_NET any -> [200.35.56.81] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201037; rev:1;)
alert tcp $HOME_NET any -> [93.170.76.123] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201038; rev:1;)
alert tcp $HOME_NET any -> [103.74.91.27] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201039; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.77] 7272 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201040; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.135] 5954 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201041; rev:1;)
alert tcp $HOME_NET any -> [213.208.129.205] 5500 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201042; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.25] 8856 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201043; rev:1;)
alert tcp $HOME_NET any -> [31.214.157.249] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201044; rev:1;)
alert tcp $HOME_NET any -> [79.9.88.117] 5147 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201045; rev:1;)
alert tcp $HOME_NET any -> [185.203.117.3] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201046; rev:1;)
alert tcp $HOME_NET any -> [213.208.129.195] 6606 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201047; rev:1;)
alert tcp $HOME_NET any -> [134.209.78.214] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201048; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.61] 6343 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201049; rev:1;)
alert tcp $HOME_NET any -> [185.244.31.90] 4132 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201050; rev:1;)
alert tcp $HOME_NET any -> [85.117.234.10] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201051; rev:1;)
alert tcp $HOME_NET any -> [181.129.49.98] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201052; rev:1;)
alert tcp $HOME_NET any -> [181.129.140.140] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201053; rev:1;)
alert tcp $HOME_NET any -> [147.135.60.142] 4030 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201054; rev:1;)
alert tcp $HOME_NET any -> [109.236.80.32] 7707 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201055; rev:1;)
alert tcp $HOME_NET any -> [181.112.145.222] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201056; rev:1;)
alert tcp $HOME_NET any -> [185.244.31.43] 2016 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201057; rev:1;)
alert tcp $HOME_NET any -> [147.135.60.142] 4000 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201058; rev:1;)
alert tcp $HOME_NET any -> [177.52.79.29] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201059; rev:1;)
alert tcp $HOME_NET any -> [66.70.164.168] 5954 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201060; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.85] 4545 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201061; rev:1;)
alert tcp $HOME_NET any -> [200.110.72.134] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201062; rev:1;)
alert tcp $HOME_NET any -> [185.244.29.19] 22209 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201063; rev:1;)
alert tcp $HOME_NET any -> [93.170.76.18] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201064; rev:1;)
alert tcp $HOME_NET any -> [5.206.226.46] 4749 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201065; rev:1;)
alert tcp $HOME_NET any -> [109.236.80.32] 8808 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201066; rev:1;)
alert tcp $HOME_NET any -> [185.247.228.23] 5543 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201067; rev:1;)
alert tcp $HOME_NET any -> [177.52.28.238] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201068; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.234] 6177 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201069; rev:1;)
alert tcp $HOME_NET any -> [185.141.61.192] 1507 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201070; rev:1;)
alert tcp $HOME_NET any -> [185.228.234.41] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201071; rev:1;)
alert tcp $HOME_NET any -> [186.248.163.198] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201072; rev:1;)
alert tcp $HOME_NET any -> [45.74.1.41] 1155 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201073; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.138] 5195 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201074; rev:1;)
alert tcp $HOME_NET any -> [200.107.59.130] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201075; rev:1;)
alert tcp $HOME_NET any -> [181.112.221.246] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201076; rev:1;)
alert tcp $HOME_NET any -> [186.42.186.202] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201077; rev:1;)
alert tcp $HOME_NET any -> [187.8.169.10] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201078; rev:1;)
alert tcp $HOME_NET any -> [187.95.123.179] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201079; rev:1;)
alert tcp $HOME_NET any -> [151.106.0.80] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201080; rev:1;)
alert tcp $HOME_NET any -> [41.231.120.141] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201081; rev:1;)
alert tcp $HOME_NET any -> [138.186.62.222] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201082; rev:1;)
alert tcp $HOME_NET any -> [41.231.120.136] 15290 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201083; rev:1;)
alert tcp $HOME_NET any -> [187.65.49.88] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201084; rev:1;)
alert tcp $HOME_NET any -> [191.242.178.210] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201085; rev:1;)
alert tcp $HOME_NET any -> [158.69.144.70] 6343 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201086; rev:1;)
alert tcp $HOME_NET any -> [185.244.31.230] 2094 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201087; rev:1;)
alert tcp $HOME_NET any -> [191.241.233.195] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201088; rev:1;)
alert tcp $HOME_NET any -> [41.231.120.140] 2233 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201089; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.47] 7795 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201090; rev:1;)
alert tcp $HOME_NET any -> [161.129.65.104] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201091; rev:1;)
alert tcp $HOME_NET any -> [45.74.1.201] 1155 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201092; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 38786 (msg:"SSLBL: Traffic to malicious host (likely AsyncRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201093; rev:1;)
alert tcp $HOME_NET any -> [185.143.145.90] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201094; rev:1;)
alert tcp $HOME_NET any -> [185.62.189.186] 4749 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201095; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.27] 1985 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201096; rev:1;)
alert tcp $HOME_NET any -> [109.248.222.98] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201097; rev:1;)
alert tcp $HOME_NET any -> [185.164.72.234] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201098; rev:1;)
alert tcp $HOME_NET any -> [185.244.31.157] 9002 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201099; rev:1;)
alert tcp $HOME_NET any -> [185.244.31.160] 7075 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201100; rev:1;)
alert tcp $HOME_NET any -> [185.236.203.170] 4020 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201101; rev:1;)
alert tcp $HOME_NET any -> [62.108.37.6] 5252 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201102; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.46] 4545 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201103; rev:1;)
alert tcp $HOME_NET any -> [79.180.33.229] 1604 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201104; rev:1;)
alert tcp $HOME_NET any -> [195.69.187.86] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201105; rev:1;)
alert tcp $HOME_NET any -> [46.17.40.153] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201106; rev:1;)
alert tcp $HOME_NET any -> [161.129.66.19] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201107; rev:1;)
alert tcp $HOME_NET any -> [185.62.188.109] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201108; rev:1;)
alert tcp $HOME_NET any -> [202.95.13.9] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201109; rev:1;)
alert tcp $HOME_NET any -> [40.89.157.54] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201110; rev:1;)
alert tcp $HOME_NET any -> [109.248.222.237] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201111; rev:1;)
alert tcp $HOME_NET any -> [109.230.199.24] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201112; rev:1;)
alert tcp $HOME_NET any -> [185.163.45.48] 3290 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201113; rev:1;)
alert tcp $HOME_NET any -> [91.193.75.110] 4125 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201114; rev:1;)
alert tcp $HOME_NET any -> [185.163.45.48] 7795 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201115; rev:1;)
alert tcp $HOME_NET any -> [188.120.226.212] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201116; rev:1;)
alert tcp $HOME_NET any -> [185.247.228.109] 4132 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201117; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.187] 2250 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201118; rev:1;)
alert tcp $HOME_NET any -> [185.103.110.32] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201119; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.27] 5567 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201120; rev:1;)
alert tcp $HOME_NET any -> [93.170.129.78] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201121; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.184] 2019 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201122; rev:1;)
alert tcp $HOME_NET any -> [181.129.20.250] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201123; rev:1;)
alert tcp $HOME_NET any -> [185.198.57.70] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201124; rev:1;)
alert tcp $HOME_NET any -> [178.57.218.162] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201125; rev:1;)
alert tcp $HOME_NET any -> [176.32.35.55] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201126; rev:1;)
alert tcp $HOME_NET any -> [88.119.179.177] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201127; rev:1;)
alert tcp $HOME_NET any -> [185.247.228.41] 2016 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201128; rev:1;)
alert tcp $HOME_NET any -> [194.147.35.95] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201129; rev:1;)
alert tcp $HOME_NET any -> [185.22.154.67] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201130; rev:1;)
alert tcp $HOME_NET any -> [178.239.21.27] 3242 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201131; rev:1;)
alert tcp $HOME_NET any -> [185.74.255.161] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201132; rev:1;)
alert tcp $HOME_NET any -> [46.17.43.107] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201133; rev:1;)
alert tcp $HOME_NET any -> [46.17.45.229] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201134; rev:1;)
alert tcp $HOME_NET any -> [185.247.228.25] 1123 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201135; rev:1;)
alert tcp $HOME_NET any -> [89.105.195.213] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201136; rev:1;)
alert tcp $HOME_NET any -> [186.159.2.153] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201137; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.193] 4545 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201138; rev:1;)
alert tcp $HOME_NET any -> [45.32.84.150] 8080 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201139; rev:1;)
alert tcp $HOME_NET any -> [82.62.44.126] 6315 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201140; rev:1;)
alert tcp $HOME_NET any -> [185.206.146.146] 1030 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201141; rev:1;)
alert tcp $HOME_NET any -> [185.205.209.99] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201142; rev:1;)
alert tcp $HOME_NET any -> [181.48.203.10] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201143; rev:1;)
alert tcp $HOME_NET any -> [143.255.141.137] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201144; rev:1;)
alert tcp $HOME_NET any -> [41.231.120.132] 4125 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201145; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.66] 1989 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201146; rev:1;)
alert tcp $HOME_NET any -> [200.54.14.61] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201147; rev:1;)
alert tcp $HOME_NET any -> [181.143.102.30] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201148; rev:1;)
alert tcp $HOME_NET any -> [190.151.10.114] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201149; rev:1;)
alert tcp $HOME_NET any -> [93.170.76.132] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201150; rev:1;)
alert tcp $HOME_NET any -> [185.66.9.114] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201151; rev:1;)
alert tcp $HOME_NET any -> [185.247.228.46] 1604 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201152; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.22] 22112 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201153; rev:1;)
alert tcp $HOME_NET any -> [51.255.130.130] 2808 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201154; rev:1;)
alert tcp $HOME_NET any -> [79.1.42.72] 5147 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201155; rev:1;)
alert tcp $HOME_NET any -> [181.176.191.5] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201156; rev:1;)
alert tcp $HOME_NET any -> [85.119.144.126] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201157; rev:1;)
alert tcp $HOME_NET any -> [190.196.32.42] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201158; rev:1;)
alert tcp $HOME_NET any -> [209.45.30.2] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201159; rev:1;)
alert tcp $HOME_NET any -> [190.109.165.197] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201160; rev:1;)
alert tcp $HOME_NET any -> [177.105.237.93] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201161; rev:1;)
alert tcp $HOME_NET any -> [77.222.60.127] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201162; rev:1;)
alert tcp $HOME_NET any -> [194.28.84.254] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201163; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.39] 1921 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201164; rev:1;)
alert tcp $HOME_NET any -> [194.68.59.55] 45201 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201165; rev:1;)
alert tcp $HOME_NET any -> [190.117.66.194] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201166; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.6] 34022 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201167; rev:1;)
alert tcp $HOME_NET any -> [46.183.223.12] 8785 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201168; rev:1;)
alert tcp $HOME_NET any -> [46.17.45.108] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201169; rev:1;)
alert tcp $HOME_NET any -> [185.181.209.76] 1991 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201170; rev:1;)
alert tcp $HOME_NET any -> [185.156.173.122] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201171; rev:1;)
alert tcp $HOME_NET any -> [178.239.21.6] 9298 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201172; rev:1;)
alert tcp $HOME_NET any -> [185.136.168.134] 7776 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201173; rev:1;)
alert tcp $HOME_NET any -> [188.209.52.68] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201174; rev:1;)
alert tcp $HOME_NET any -> [185.136.168.134] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201175; rev:1;)
alert tcp $HOME_NET any -> [190.0.20.114] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201176; rev:1;)
alert tcp $HOME_NET any -> [181.115.236.26] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201177; rev:1;)
alert tcp $HOME_NET any -> [185.101.94.172] 2564 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201178; rev:1;)
alert tcp $HOME_NET any -> [185.139.70.61] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201179; rev:1;)
alert tcp $HOME_NET any -> [181.143.17.66] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201180; rev:1;)
alert tcp $HOME_NET any -> [199.195.250.222] 6679 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201181; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.46] 6654 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201182; rev:1;)
alert tcp $HOME_NET any -> [185.189.149.215] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201183; rev:1;)
alert tcp $HOME_NET any -> [103.114.107.151] 8089 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201184; rev:1;)
alert tcp $HOME_NET any -> [91.230.61.178] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201185; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.184] 2556 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201186; rev:1;)
alert tcp $HOME_NET any -> [204.16.247.226] 419 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201187; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.38] 7075 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201188; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.14] 1971 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201189; rev:1;)
alert tcp $HOME_NET any -> [31.220.43.154] 8080 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201190; rev:1;)
alert tcp $HOME_NET any -> [5.8.88.205] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201191; rev:1;)
alert tcp $HOME_NET any -> [194.147.35.118] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201192; rev:1;)
alert tcp $HOME_NET any -> [46.17.43.238] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201193; rev:1;)
alert tcp $HOME_NET any -> [194.147.35.219] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201194; rev:1;)
alert tcp $HOME_NET any -> [185.4.29.236] 9221 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201195; rev:1;)
alert tcp $HOME_NET any -> [185.206.146.146] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201196; rev:1;)
alert tcp $HOME_NET any -> [89.223.94.88] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201197; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.141] 6679 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201198; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.241] 8057 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201199; rev:1;)
alert tcp $HOME_NET any -> [176.227.191.12] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201200; rev:1;)
alert tcp $HOME_NET any -> [31.171.152.99] 9298 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201201; rev:1;)
alert tcp $HOME_NET any -> [197.46.21.48] 7777 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201202; rev:1;)
alert tcp $HOME_NET any -> [185.219.82.83] 5555 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201203; rev:1;)
alert tcp $HOME_NET any -> [71.207.206.178] 7532 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201204; rev:1;)
alert tcp $HOME_NET any -> [85.143.218.50] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201205; rev:1;)
alert tcp $HOME_NET any -> [185.17.121.185] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201206; rev:1;)
alert tcp $HOME_NET any -> [195.123.245.142] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201207; rev:1;)
alert tcp $HOME_NET any -> [46.17.41.97] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201208; rev:1;)
alert tcp $HOME_NET any -> [192.162.244.126] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201209; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.180] 6565 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201210; rev:1;)
alert tcp $HOME_NET any -> [89.223.88.195] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201211; rev:1;)
alert tcp $HOME_NET any -> [51.15.21.149] 60 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201212; rev:1;)
alert tcp $HOME_NET any -> [185.101.94.172] 6679 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201213; rev:1;)
alert tcp $HOME_NET any -> [194.147.35.218] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201214; rev:1;)
alert tcp $HOME_NET any -> [177.226.176.13] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201215; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.16] 2212 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201216; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.58] 2077 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201217; rev:1;)
alert tcp $HOME_NET any -> [89.223.25.193] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201218; rev:1;)
alert tcp $HOME_NET any -> [46.17.45.219] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201219; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.39] 6778 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201220; rev:1;)
alert tcp $HOME_NET any -> [185.244.29.9] 3478 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201221; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.48] 5954 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201222; rev:1;)
alert tcp $HOME_NET any -> [144.217.89.128] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201223; rev:1;)
alert tcp $HOME_NET any -> [185.244.29.31] 1880 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201224; rev:1;)
alert tcp $HOME_NET any -> [178.239.21.40] 1999 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201225; rev:1;)
alert tcp $HOME_NET any -> [192.3.24.248] 3478 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201226; rev:1;)
alert tcp $HOME_NET any -> [31.171.152.105] 3602 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201227; rev:1;)
alert tcp $HOME_NET any -> [209.97.179.217] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201228; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.8] 9298 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201229; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.250] 2256 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201230; rev:1;)
alert tcp $HOME_NET any -> [93.189.149.131] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201231; rev:1;)
alert tcp $HOME_NET any -> [193.187.173.214] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201232; rev:1;)
alert tcp $HOME_NET any -> [185.244.29.184] 1989 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201233; rev:1;)
alert tcp $HOME_NET any -> [85.59.129.120] 6666 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201234; rev:1;)
alert tcp $HOME_NET any -> [178.239.21.143] 9801 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201235; rev:1;)
alert tcp $HOME_NET any -> [185.244.29.161] 1985 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201236; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.119] 6868 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201237; rev:1;)
alert tcp $HOME_NET any -> [52.142.166.69] 1337 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201238; rev:1;)
alert tcp $HOME_NET any -> [95.213.251.165] 5954 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201239; rev:1;)
alert tcp $HOME_NET any -> [95.169.31.41] 53 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201240; rev:1;)
alert tcp $HOME_NET any -> [185.244.29.52] 8511 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201241; rev:1;)
alert tcp $HOME_NET any -> [186.226.188.105] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201242; rev:1;)
alert tcp $HOME_NET any -> [185.158.251.52] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201243; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.210] 3012 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201244; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.16] 5551 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201245; rev:1;)
alert tcp $HOME_NET any -> [194.147.34.218] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201246; rev:1;)
alert tcp $HOME_NET any -> [185.158.249.17] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201247; rev:1;)
alert tcp $HOME_NET any -> [185.48.56.231] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201248; rev:1;)
alert tcp $HOME_NET any -> [54.37.240.237] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201249; rev:1;)
alert tcp $HOME_NET any -> [84.38.129.48] 3021 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201250; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.5] 8484 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201251; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.6] 12201 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201252; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.58] 4435 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201253; rev:1;)
alert tcp $HOME_NET any -> [185.179.188.245] 4782 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201254; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.47] 8332 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201255; rev:1;)
alert tcp $HOME_NET any -> [178.239.21.242] 5050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201256; rev:1;)
alert tcp $HOME_NET any -> [194.147.32.15] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201257; rev:1;)
alert tcp $HOME_NET any -> [46.29.166.84] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201258; rev:1;)
alert tcp $HOME_NET any -> [46.17.42.235] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201259; rev:1;)
alert tcp $HOME_NET any -> [185.81.157.43] 1604 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201260; rev:1;)
alert tcp $HOME_NET any -> [173.46.85.73] 2556 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201261; rev:1;)
alert tcp $HOME_NET any -> [173.46.85.19] 9298 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201262; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.58] 7075 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201263; rev:1;)
alert tcp $HOME_NET any -> [195.123.246.141] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201264; rev:1;)
alert tcp $HOME_NET any -> [194.147.32.148] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201265; rev:1;)
alert tcp $HOME_NET any -> [46.29.167.189] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201266; rev:1;)
alert tcp $HOME_NET any -> [185.207.205.134] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201267; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.172] 7788 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201268; rev:1;)
alert tcp $HOME_NET any -> [194.76.224.30] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201269; rev:1;)
alert tcp $HOME_NET any -> [194.5.97.215] 8074 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201270; rev:1;)
alert tcp $HOME_NET any -> [185.211.48.20] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201271; rev:1;)
alert tcp $HOME_NET any -> [5.135.43.178] 4000 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201272; rev:1;)
alert tcp $HOME_NET any -> [46.183.218.124] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201273; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.93] 76 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201274; rev:1;)
alert tcp $HOME_NET any -> [178.239.21.167] 92 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201275; rev:1;)
alert tcp $HOME_NET any -> [194.5.99.195] 5244 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201276; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.28] 7766 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201277; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.39] 7272 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201278; rev:1;)
alert tcp $HOME_NET any -> [194.5.99.71] 5244 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201279; rev:1;)
alert tcp $HOME_NET any -> [192.152.0.71] 3021 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201280; rev:1;)
alert tcp $HOME_NET any -> [13.53.94.89] 25565 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201281; rev:1;)
alert tcp $HOME_NET any -> [162.244.32.136] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201282; rev:1;)
alert tcp $HOME_NET any -> [89.105.198.18] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201283; rev:1;)
alert tcp $HOME_NET any -> [212.114.52.181] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201284; rev:1;)
alert tcp $HOME_NET any -> [178.239.21.118] 4675 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201285; rev:1;)
alert tcp $HOME_NET any -> [54.37.191.17] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201286; rev:1;)
alert tcp $HOME_NET any -> [80.173.224.81] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201287; rev:1;)
alert tcp $HOME_NET any -> [77.72.135.237] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201288; rev:1;)
alert tcp $HOME_NET any -> [192.152.0.87] 7799 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201289; rev:1;)
alert tcp $HOME_NET any -> [5.188.231.136] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201290; rev:1;)
alert tcp $HOME_NET any -> [31.171.152.101] 4548 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201291; rev:1;)
alert tcp $HOME_NET any -> [31.171.152.107] 1071 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201292; rev:1;)
alert tcp $HOME_NET any -> [109.94.209.127] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201293; rev:1;)
alert tcp $HOME_NET any -> [109.248.147.173] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201294; rev:1;)
alert tcp $HOME_NET any -> [194.147.32.6] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201295; rev:1;)
alert tcp $HOME_NET any -> [194.147.34.181] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201296; rev:1;)
alert tcp $HOME_NET any -> [178.239.21.105] 1955 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201297; rev:1;)
alert tcp $HOME_NET any -> [180.250.197.188] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201298; rev:1;)
alert tcp $HOME_NET any -> [62.76.46.221] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201299; rev:1;)
alert tcp $HOME_NET any -> [146.120.110.93] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201300; rev:1;)
alert tcp $HOME_NET any -> [89.223.91.148] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201301; rev:1;)
alert tcp $HOME_NET any -> [46.17.44.165] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201302; rev:1;)
alert tcp $HOME_NET any -> [194.147.34.186] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201303; rev:1;)
alert tcp $HOME_NET any -> [46.17.40.215] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201304; rev:1;)
alert tcp $HOME_NET any -> [89.223.91.7] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201305; rev:1;)
alert tcp $HOME_NET any -> [144.202.59.44] 443 (msg:"SSLBL: Traffic to malicious host (likely CobaltStrike C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201306; rev:1;)
alert tcp $HOME_NET any -> [151.106.60.147] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201307; rev:1;)
alert tcp $HOME_NET any -> [185.158.251.178] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201308; rev:1;)
alert tcp $HOME_NET any -> [201.184.69.50] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201309; rev:1;)
alert tcp $HOME_NET any -> [178.239.21.196] 2021 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201310; rev:1;)
alert tcp $HOME_NET any -> [46.173.214.56] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201311; rev:1;)
alert tcp $HOME_NET any -> [185.173.92.61] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201312; rev:1;)
alert tcp $HOME_NET any -> [3.121.182.157] 1604 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201313; rev:1;)
alert tcp $HOME_NET any -> [185.255.91.82] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201314; rev:1;)
alert tcp $HOME_NET any -> [188.127.239.51] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201315; rev:1;)
alert tcp $HOME_NET any -> [185.228.234.105] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201316; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.199] 18 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201317; rev:1;)
alert tcp $HOME_NET any -> [185.136.168.203] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201318; rev:1;)
alert tcp $HOME_NET any -> [103.1.184.108] 33444 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201319; rev:1;)
alert tcp $HOME_NET any -> [46.17.41.12] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201320; rev:1;)
alert tcp $HOME_NET any -> [178.239.21.122] 2525 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201321; rev:1;)
alert tcp $HOME_NET any -> [213.152.161.15] 21483 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201322; rev:1;)
alert tcp $HOME_NET any -> [212.114.52.169] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201323; rev:1;)
alert tcp $HOME_NET any -> [195.123.245.201] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201324; rev:1;)
alert tcp $HOME_NET any -> [185.246.116.239] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201325; rev:1;)
alert tcp $HOME_NET any -> [46.17.44.145] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201326; rev:1;)
alert tcp $HOME_NET any -> [46.173.214.83] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201327; rev:1;)
alert tcp $HOME_NET any -> [181.115.168.69] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201328; rev:1;)
alert tcp $HOME_NET any -> [46.17.41.15] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201329; rev:1;)
alert tcp $HOME_NET any -> [173.46.85.207] 7134 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201330; rev:1;)
alert tcp $HOME_NET any -> [173.46.85.126] 5954 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201331; rev:1;)
alert tcp $HOME_NET any -> [46.17.45.170] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201332; rev:1;)
alert tcp $HOME_NET any -> [185.244.29.70] 1989 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201333; rev:1;)
alert tcp $HOME_NET any -> [185.86.150.235] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201334; rev:1;)
alert tcp $HOME_NET any -> [195.54.162.197] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201335; rev:1;)
alert tcp $HOME_NET any -> [45.35.190.6] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201336; rev:1;)
alert tcp $HOME_NET any -> [89.238.181.106] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201337; rev:1;)
alert tcp $HOME_NET any -> [185.236.203.181] 4040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201338; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.106] 5888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201339; rev:1;)
alert tcp $HOME_NET any -> [185.22.154.191] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201340; rev:1;)
alert tcp $HOME_NET any -> [89.223.28.225] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201341; rev:1;)
alert tcp $HOME_NET any -> [186.138.152.228] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201342; rev:1;)
alert tcp $HOME_NET any -> [89.223.28.167] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201343; rev:1;)
alert tcp $HOME_NET any -> [185.86.148.251] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201344; rev:1;)
alert tcp $HOME_NET any -> [46.148.26.88] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201345; rev:1;)
alert tcp $HOME_NET any -> [185.206.145.100] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201346; rev:1;)
alert tcp $HOME_NET any -> [178.239.21.163] 6190 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201347; rev:1;)
alert tcp $HOME_NET any -> [185.236.203.142] 1717 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201348; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.14] 1130 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201349; rev:1;)
alert tcp $HOME_NET any -> [31.171.152.99] 4040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201350; rev:1;)
alert tcp $HOME_NET any -> [31.171.152.107] 1966 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201351; rev:1;)
alert tcp $HOME_NET any -> [185.165.153.34] 7210 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201352; rev:1;)
alert tcp $HOME_NET any -> [108.170.60.189] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201353; rev:1;)
alert tcp $HOME_NET any -> [185.77.129.11] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201354; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.113] 6649 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201355; rev:1;)
alert tcp $HOME_NET any -> [82.199.134.139] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201356; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.120] 1130 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201357; rev:1;)
alert tcp $HOME_NET any -> [5.206.225.115] 5000 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201358; rev:1;)
alert tcp $HOME_NET any -> [181.196.61.110] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201359; rev:1;)
alert tcp $HOME_NET any -> [54.38.146.43] 8888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201360; rev:1;)
alert tcp $HOME_NET any -> [5.2.64.188] 5299 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201361; rev:1;)
alert tcp $HOME_NET any -> [185.212.47.103] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201362; rev:1;)
alert tcp $HOME_NET any -> [83.166.245.213] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201363; rev:1;)
alert tcp $HOME_NET any -> [194.76.225.59] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201364; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.193] 8008 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201365; rev:1;)
alert tcp $HOME_NET any -> [5.2.67.66] 5299 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201366; rev:1;)
alert tcp $HOME_NET any -> [95.213.251.165] 1900 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201367; rev:1;)
alert tcp $HOME_NET any -> [186.183.199.114] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201368; rev:1;)
alert tcp $HOME_NET any -> [181.215.47.171] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201369; rev:1;)
alert tcp $HOME_NET any -> [173.46.85.68] 2016 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201370; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.56] 5532 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201371; rev:1;)
alert tcp $HOME_NET any -> [194.5.99.158] 7210 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201372; rev:1;)
alert tcp $HOME_NET any -> [46.17.47.216] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201373; rev:1;)
alert tcp $HOME_NET any -> [37.59.134.55] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201374; rev:1;)
alert tcp $HOME_NET any -> [173.46.85.234] 7578 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201375; rev:1;)
alert tcp $HOME_NET any -> [186.42.226.46] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201376; rev:1;)
alert tcp $HOME_NET any -> [185.158.248.92] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201377; rev:1;)
alert tcp $HOME_NET any -> [5.8.88.125] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201378; rev:1;)
alert tcp $HOME_NET any -> [173.46.85.19] 1996 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201379; rev:1;)
alert tcp $HOME_NET any -> [194.5.99.136] 6229 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201380; rev:1;)
alert tcp $HOME_NET any -> [185.205.210.139] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201381; rev:1;)
alert tcp $HOME_NET any -> [185.236.203.60] 6767 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201382; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.194] 5090 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201383; rev:1;)
alert tcp $HOME_NET any -> [173.46.85.161] 3040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201384; rev:1;)
alert tcp $HOME_NET any -> [185.156.174.115] 19741 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201385; rev:1;)
alert tcp $HOME_NET any -> [185.125.205.91] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201386; rev:1;)
alert tcp $HOME_NET any -> [185.174.173.128] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201387; rev:1;)
alert tcp $HOME_NET any -> [178.239.21.106] 8899 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201388; rev:1;)
alert tcp $HOME_NET any -> [194.5.99.2] 1995 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201389; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.114] 5007 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201390; rev:1;)
alert tcp $HOME_NET any -> [185.125.205.73] 2889 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201391; rev:1;)
alert tcp $HOME_NET any -> [193.29.56.44] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201392; rev:1;)
alert tcp $HOME_NET any -> [45.55.36.231] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201393; rev:1;)
alert tcp $HOME_NET any -> [194.5.99.7] 9000 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201394; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.104] 7075 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201395; rev:1;)
alert tcp $HOME_NET any -> [31.171.152.103] 5011 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201396; rev:1;)
alert tcp $HOME_NET any -> [87.236.22.142] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201397; rev:1;)
alert tcp $HOME_NET any -> [144.76.215.117] 5050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201398; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.56] 5542 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201399; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.52] 2225 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201400; rev:1;)
alert tcp $HOME_NET any -> [194.5.99.226] 1785 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201401; rev:1;)
alert tcp $HOME_NET any -> [140.82.48.224] 3040 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201402; rev:1;)
alert tcp $HOME_NET any -> [173.46.85.98] 20982 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201403; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.114] 8891 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201404; rev:1;)
alert tcp $HOME_NET any -> [45.249.90.124] 7322 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201405; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.38] 8899 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201406; rev:1;)
alert tcp $HOME_NET any -> [185.125.205.75] 4040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201407; rev:1;)
alert tcp $HOME_NET any -> [31.7.188.40] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201408; rev:1;)
alert tcp $HOME_NET any -> [185.203.118.6] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201409; rev:1;)
alert tcp $HOME_NET any -> [185.141.62.213] 1020 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201410; rev:1;)
alert tcp $HOME_NET any -> [194.5.99.207] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201411; rev:1;)
alert tcp $HOME_NET any -> [194.5.99.159] 2121 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201412; rev:1;)
alert tcp $HOME_NET any -> [173.46.85.60] 3030 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201413; rev:1;)
alert tcp $HOME_NET any -> [195.123.227.20] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201414; rev:1;)
alert tcp $HOME_NET any -> [92.222.10.99] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201415; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.114] 92 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201416; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.105] 5689 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201417; rev:1;)
alert tcp $HOME_NET any -> [94.103.83.137] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201418; rev:1;)
alert tcp $HOME_NET any -> [185.125.205.69] 5843 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201419; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.56] 7742 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201420; rev:1;)
alert tcp $HOME_NET any -> [181.129.171.34] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201421; rev:1;)
alert tcp $HOME_NET any -> [173.46.85.60] 2040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201422; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.16] 5738 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201423; rev:1;)
alert tcp $HOME_NET any -> [81.177.141.211] 443 (msg:"SSLBL: Traffic to malicious host (likely PredatorStealer C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201424; rev:1;)
alert tcp $HOME_NET any -> [194.99.20.254] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201425; rev:1;)
alert tcp $HOME_NET any -> [195.123.245.90] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201426; rev:1;)
alert tcp $HOME_NET any -> [185.202.174.91] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201427; rev:1;)
alert tcp $HOME_NET any -> [181.215.247.164] 1973 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201428; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.40] 5290 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201429; rev:1;)
alert tcp $HOME_NET any -> [46.166.173.109] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201430; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.101] 1985 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201431; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.106] 7799 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201432; rev:1;)
alert tcp $HOME_NET any -> [68.183.249.84] 3040 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201433; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.109] 5552 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201434; rev:1;)
alert tcp $HOME_NET any -> [185.22.65.5] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201435; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.109] 7742 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201436; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.113] 7328 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201437; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.226] 1994 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201438; rev:1;)
alert tcp $HOME_NET any -> [173.46.85.71] 4379 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201439; rev:1;)
alert tcp $HOME_NET any -> [94.185.86.56] 4000 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201440; rev:1;)
alert tcp $HOME_NET any -> [54.37.86.44] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201441; rev:1;)
alert tcp $HOME_NET any -> [18.221.114.76] 1515 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201442; rev:1;)
alert tcp $HOME_NET any -> [78.155.220.198] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201443; rev:1;)
alert tcp $HOME_NET any -> [138.197.148.53] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201444; rev:1;)
alert tcp $HOME_NET any -> [181.129.146.34] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201445; rev:1;)
alert tcp $HOME_NET any -> [185.236.203.53] 443 (msg:"SSLBL: Traffic to malicious host (likely Zebrocy C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201446; rev:1;)
alert tcp $HOME_NET any -> [212.73.150.215] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201447; rev:1;)
alert tcp $HOME_NET any -> [185.158.249.233] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201448; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.139] 9030 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201449; rev:1;)
alert tcp $HOME_NET any -> [192.99.212.140] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201450; rev:1;)
alert tcp $HOME_NET any -> [199.21.106.189] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201451; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.93] 9888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201452; rev:1;)
alert tcp $HOME_NET any -> [162.244.32.180] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware distribution traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201453; rev:1;)
alert tcp $HOME_NET any -> [213.152.161.138] 55314 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201454; rev:1;)
alert tcp $HOME_NET any -> [194.5.99.67] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201455; rev:1;)
alert tcp $HOME_NET any -> [85.217.170.62] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201456; rev:1;)
alert tcp $HOME_NET any -> [185.158.251.60] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201457; rev:1;)
alert tcp $HOME_NET any -> [82.199.134.156] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201458; rev:1;)
alert tcp $HOME_NET any -> [185.125.205.79] 8511 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201459; rev:1;)
alert tcp $HOME_NET any -> [173.46.85.205] 8074 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201460; rev:1;)
alert tcp $HOME_NET any -> [31.171.152.107] 4389 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201461; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.48] 1990 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201462; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.27] 7219 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201463; rev:1;)
alert tcp $HOME_NET any -> [46.17.45.29] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201464; rev:1;)
alert tcp $HOME_NET any -> [136.25.2.43] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201465; rev:1;)
alert tcp $HOME_NET any -> [95.47.161.68] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201466; rev:1;)
alert tcp $HOME_NET any -> [192.227.248.175] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201467; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.44] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201468; rev:1;)
alert tcp $HOME_NET any -> [103.89.88.88] 8898 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201469; rev:1;)
alert tcp $HOME_NET any -> [46.183.223.10] 7650 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201470; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.121] 4379 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201471; rev:1;)
alert tcp $HOME_NET any -> [68.111.123.100] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201472; rev:1;)
alert tcp $HOME_NET any -> [81.177.180.174] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201473; rev:1;)
alert tcp $HOME_NET any -> [194.5.99.250] 683 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201474; rev:1;)
alert tcp $HOME_NET any -> [194.5.99.97] 683 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201475; rev:1;)
alert tcp $HOME_NET any -> [194.5.98.148] 8057 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201476; rev:1;)
alert tcp $HOME_NET any -> [31.171.152.105] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201477; rev:1;)
alert tcp $HOME_NET any -> [194.5.99.59] 8899 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201478; rev:1;)
alert tcp $HOME_NET any -> [195.123.245.214] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201479; rev:1;)
alert tcp $HOME_NET any -> [173.46.85.22] 5000 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201480; rev:1;)
alert tcp $HOME_NET any -> [185.125.205.78] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201481; rev:1;)
alert tcp $HOME_NET any -> [185.189.149.187] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201482; rev:1;)
alert tcp $HOME_NET any -> [181.129.93.226] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201483; rev:1;)
alert tcp $HOME_NET any -> [179.43.176.148] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201484; rev:1;)
alert tcp $HOME_NET any -> [212.47.194.15] 8898 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201485; rev:1;)
alert tcp $HOME_NET any -> [195.123.212.149] 4000 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201486; rev:1;)
alert tcp $HOME_NET any -> [173.254.223.115] 3333 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201487; rev:1;)
alert tcp $HOME_NET any -> [185.231.153.46] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201488; rev:1;)
alert tcp $HOME_NET any -> [195.123.213.169] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201489; rev:1;)
alert tcp $HOME_NET any -> [137.74.131.18] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201490; rev:1;)
alert tcp $HOME_NET any -> [185.127.27.238] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201491; rev:1;)
alert tcp $HOME_NET any -> [93.115.26.171] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201492; rev:1;)
alert tcp $HOME_NET any -> [35.198.61.54] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201493; rev:1;)
alert tcp $HOME_NET any -> [194.68.225.63] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201494; rev:1;)
alert tcp $HOME_NET any -> [94.237.44.31] 2525 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201495; rev:1;)
alert tcp $HOME_NET any -> [194.5.99.119] 2077 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201496; rev:1;)
alert tcp $HOME_NET any -> [31.171.152.103] 7075 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201497; rev:1;)
alert tcp $HOME_NET any -> [109.230.199.159] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201498; rev:1;)
alert tcp $HOME_NET any -> [185.181.165.20] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201499; rev:1;)
alert tcp $HOME_NET any -> [103.249.88.244] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201500; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.109] 5532 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201501; rev:1;)
alert tcp $HOME_NET any -> [37.10.71.110] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201502; rev:1;)
alert tcp $HOME_NET any -> [208.79.106.86] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201503; rev:1;)
alert tcp $HOME_NET any -> [31.171.152.106] 1313 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201504; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.15] 7274 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201505; rev:1;)
alert tcp $HOME_NET any -> [194.5.99.63] 2556 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201506; rev:1;)
alert tcp $HOME_NET any -> [103.63.2.238] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201507; rev:1;)
alert tcp $HOME_NET any -> [144.217.242.133] 10135 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201508; rev:1;)
alert tcp $HOME_NET any -> [216.27.121.122] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201509; rev:1;)
alert tcp $HOME_NET any -> [95.213.251.165] 1990 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201510; rev:1;)
alert tcp $HOME_NET any -> [173.46.85.97] 7462 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201511; rev:1;)
alert tcp $HOME_NET any -> [178.33.137.136] 65535 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201512; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.3] 3545 (msg:"SSLBL: Traffic to malicious host (likely NetWire C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201513; rev:1;)
alert tcp $HOME_NET any -> [24.247.182.240] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201514; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.111] 7063 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201515; rev:1;)
alert tcp $HOME_NET any -> [185.158.248.90] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201516; rev:1;)
alert tcp $HOME_NET any -> [173.46.85.98] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201517; rev:1;)
alert tcp $HOME_NET any -> [104.18.34.162] 443 (msg:"SSLBL: Traffic to malicious host (likely Smoke Loader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201518; rev:1;)
alert tcp $HOME_NET any -> [194.165.3.3] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201519; rev:1;)
alert tcp $HOME_NET any -> [51.38.133.245] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201520; rev:1;)
alert tcp $HOME_NET any -> [194.5.99.58] 1409 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201521; rev:1;)
alert tcp $HOME_NET any -> [170.247.3.218] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201522; rev:1;)
alert tcp $HOME_NET any -> [187.61.108.254] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201523; rev:1;)
alert tcp $HOME_NET any -> [94.130.40.150] 5858 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201524; rev:1;)
alert tcp $HOME_NET any -> [194.5.99.85] 5099 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201525; rev:1;)
alert tcp $HOME_NET any -> [173.46.85.86] 4435 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201526; rev:1;)
alert tcp $HOME_NET any -> [185.148.241.57] 2049 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201527; rev:1;)
alert tcp $HOME_NET any -> [104.148.109.229] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201528; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.109] 5542 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201529; rev:1;)
alert tcp $HOME_NET any -> [181.209.88.26] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201530; rev:1;)
alert tcp $HOME_NET any -> [187.19.17.132] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201531; rev:1;)
alert tcp $HOME_NET any -> [185.125.205.68] 1918 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201532; rev:1;)
alert tcp $HOME_NET any -> [194.5.99.117] 6040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201533; rev:1;)
alert tcp $HOME_NET any -> [205.237.44.244] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201534; rev:1;)
alert tcp $HOME_NET any -> [181.215.247.224] 9620 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201535; rev:1;)
alert tcp $HOME_NET any -> [208.73.200.123] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201536; rev:1;)
alert tcp $HOME_NET any -> [170.79.176.242] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201537; rev:1;)
alert tcp $HOME_NET any -> [193.37.213.27] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201538; rev:1;)
alert tcp $HOME_NET any -> [186.147.161.204] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201539; rev:1;)
alert tcp $HOME_NET any -> [186.167.66.51] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201540; rev:1;)
alert tcp $HOME_NET any -> [194.76.224.11] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201541; rev:1;)
alert tcp $HOME_NET any -> [54.180.98.118] 1081 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201542; rev:1;)
alert tcp $HOME_NET any -> [45.225.65.178] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201543; rev:1;)
alert tcp $HOME_NET any -> [58.84.34.214] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201544; rev:1;)
alert tcp $HOME_NET any -> [213.32.93.218] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201545; rev:1;)
alert tcp $HOME_NET any -> [103.1.184.108] 54984 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201546; rev:1;)
alert tcp $HOME_NET any -> [193.56.28.161] 4782 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201547; rev:1;)
alert tcp $HOME_NET any -> [31.171.152.106] 2522 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201548; rev:1;)
alert tcp $HOME_NET any -> [94.237.28.110] 3737 (msg:"SSLBL: Traffic to malicious host (likely QuasarRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201549; rev:1;)
alert tcp $HOME_NET any -> [176.119.158.39] 1604 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201550; rev:1;)
alert tcp $HOME_NET any -> [23.231.4.19] 443 (msg:"SSLBL: Traffic to malicious host (likely Loki C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201551; rev:1;)
alert tcp $HOME_NET any -> [185.158.249.138] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201552; rev:1;)
alert tcp $HOME_NET any -> [94.156.189.60] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201553; rev:1;)
alert tcp $HOME_NET any -> [185.158.251.13] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201554; rev:1;)
alert tcp $HOME_NET any -> [200.116.76.159] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201555; rev:1;)
alert tcp $HOME_NET any -> [205.201.36.227] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201556; rev:1;)
alert tcp $HOME_NET any -> [125.209.82.158] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201557; rev:1;)
alert tcp $HOME_NET any -> [95.168.176.160] 5525 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201558; rev:1;)
alert tcp $HOME_NET any -> [76.107.90.235] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201559; rev:1;)
alert tcp $HOME_NET any -> [94.156.144.197] 5525 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201560; rev:1;)
alert tcp $HOME_NET any -> [185.189.149.144] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201561; rev:1;)
alert tcp $HOME_NET any -> [51.75.162.41] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201562; rev:1;)
alert tcp $HOME_NET any -> [147.135.165.107] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201563; rev:1;)
alert tcp $HOME_NET any -> [72.226.102.151] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201564; rev:1;)
alert tcp $HOME_NET any -> [47.44.54.70] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201565; rev:1;)
alert tcp $HOME_NET any -> [110.164.69.92] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201566; rev:1;)
alert tcp $HOME_NET any -> [201.251.18.28] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201567; rev:1;)
alert tcp $HOME_NET any -> [185.189.149.252] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201568; rev:1;)
alert tcp $HOME_NET any -> [202.63.242.48] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201569; rev:1;)
alert tcp $HOME_NET any -> [98.226.192.30] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201570; rev:1;)
alert tcp $HOME_NET any -> [173.46.85.168] 4545 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201571; rev:1;)
alert tcp $HOME_NET any -> [96.9.90.104] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201572; rev:1;)
alert tcp $HOME_NET any -> [47.224.98.123] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201573; rev:1;)
alert tcp $HOME_NET any -> [185.148.241.61] 7219 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201574; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.124] 8074 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201575; rev:1;)
alert tcp $HOME_NET any -> [66.64.20.194] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201576; rev:1;)
alert tcp $HOME_NET any -> [73.115.58.90] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201577; rev:1;)
alert tcp $HOME_NET any -> [103.235.176.174] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201578; rev:1;)
alert tcp $HOME_NET any -> [173.46.85.197] 4040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201579; rev:1;)
alert tcp $HOME_NET any -> [188.215.229.26] 3388 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201580; rev:1;)
alert tcp $HOME_NET any -> [89.36.223.163] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201581; rev:1;)
alert tcp $HOME_NET any -> [194.5.99.175] 2112 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201582; rev:1;)
alert tcp $HOME_NET any -> [24.217.193.43] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201583; rev:1;)
alert tcp $HOME_NET any -> [24.217.192.131] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201584; rev:1;)
alert tcp $HOME_NET any -> [160.20.147.219] 1000 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201585; rev:1;)
alert tcp $HOME_NET any -> [24.247.182.253] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201586; rev:1;)
alert tcp $HOME_NET any -> [24.247.182.156] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201587; rev:1;)
alert tcp $HOME_NET any -> [46.29.167.62] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201588; rev:1;)
alert tcp $HOME_NET any -> [108.174.120.172] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201589; rev:1;)
alert tcp $HOME_NET any -> [37.252.5.139] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201590; rev:1;)
alert tcp $HOME_NET any -> [190.109.178.222] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201591; rev:1;)
alert tcp $HOME_NET any -> [85.143.219.81] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201592; rev:1;)
alert tcp $HOME_NET any -> [45.161.216.57] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201593; rev:1;)
alert tcp $HOME_NET any -> [177.104.252.32] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201594; rev:1;)
alert tcp $HOME_NET any -> [204.14.154.126] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201595; rev:1;)
alert tcp $HOME_NET any -> [73.2.223.45] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201596; rev:1;)
alert tcp $HOME_NET any -> [97.87.175.152] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201597; rev:1;)
alert tcp $HOME_NET any -> [24.217.49.92] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201598; rev:1;)
alert tcp $HOME_NET any -> [185.86.150.77] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201599; rev:1;)
alert tcp $HOME_NET any -> [209.58.186.245] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201600; rev:1;)
alert tcp $HOME_NET any -> [185.61.148.31] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201601; rev:1;)
alert tcp $HOME_NET any -> [185.148.241.41] 7119 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201602; rev:1;)
alert tcp $HOME_NET any -> [62.76.74.249] 13337 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201603; rev:1;)
alert tcp $HOME_NET any -> [63.135.55.17] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201604; rev:1;)
alert tcp $HOME_NET any -> [45.6.127.2] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201605; rev:1;)
alert tcp $HOME_NET any -> [24.247.182.169] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201606; rev:1;)
alert tcp $HOME_NET any -> [104.255.182.45] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201607; rev:1;)
alert tcp $HOME_NET any -> [68.119.85.138] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201608; rev:1;)
alert tcp $HOME_NET any -> [62.173.138.139] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201609; rev:1;)
alert tcp $HOME_NET any -> [23.111.148.130] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201610; rev:1;)
alert tcp $HOME_NET any -> [185.223.163.26] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201611; rev:1;)
alert tcp $HOME_NET any -> [89.223.94.178] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201612; rev:1;)
alert tcp $HOME_NET any -> [185.101.94.40] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201613; rev:1;)
alert tcp $HOME_NET any -> [179.43.183.150] 3003 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201614; rev:1;)
alert tcp $HOME_NET any -> [179.43.183.150] 3004 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201615; rev:1;)
alert tcp $HOME_NET any -> [195.69.187.56] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201616; rev:1;)
alert tcp $HOME_NET any -> [104.223.76.206] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201617; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.39] 8280 (msg:"SSLBL: Traffic to malicious host (likely Meterpreter C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201618; rev:1;)
alert tcp $HOME_NET any -> [46.166.161.186] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201619; rev:1;)
alert tcp $HOME_NET any -> [185.158.251.101] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201620; rev:1;)
alert tcp $HOME_NET any -> [24.247.182.159] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201621; rev:1;)
alert tcp $HOME_NET any -> [24.247.182.179] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201622; rev:1;)
alert tcp $HOME_NET any -> [185.101.105.128] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201623; rev:1;)
alert tcp $HOME_NET any -> [188.120.236.10] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201624; rev:1;)
alert tcp $HOME_NET any -> [37.59.160.146] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201625; rev:1;)
alert tcp $HOME_NET any -> [109.234.38.226] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201626; rev:1;)
alert tcp $HOME_NET any -> [31.148.219.200] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201627; rev:1;)
alert tcp $HOME_NET any -> [192.162.244.23] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201628; rev:1;)
alert tcp $HOME_NET any -> [94.140.125.29] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201629; rev:1;)
alert tcp $HOME_NET any -> [185.174.173.140] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201630; rev:1;)
alert tcp $HOME_NET any -> [46.29.160.188] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201631; rev:1;)
alert tcp $HOME_NET any -> [213.183.63.183] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201632; rev:1;)
alert tcp $HOME_NET any -> [24.247.182.225] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201633; rev:1;)
alert tcp $HOME_NET any -> [82.146.56.170] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201634; rev:1;)
alert tcp $HOME_NET any -> [185.125.205.77] 7524 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201635; rev:1;)
alert tcp $HOME_NET any -> [179.43.156.59] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201636; rev:1;)
alert tcp $HOME_NET any -> [185.203.118.163] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201637; rev:1;)
alert tcp $HOME_NET any -> [91.201.65.114] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201638; rev:1;)
alert tcp $HOME_NET any -> [185.22.172.180] 5051 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201639; rev:1;)
alert tcp $HOME_NET any -> [24.247.182.29] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201640; rev:1;)
alert tcp $HOME_NET any -> [24.247.182.174] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201641; rev:1;)
alert tcp $HOME_NET any -> [174.34.253.11] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201642; rev:1;)
alert tcp $HOME_NET any -> [178.21.8.42] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201643; rev:1;)
alert tcp $HOME_NET any -> [24.247.182.39] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201644; rev:1;)
alert tcp $HOME_NET any -> [95.181.198.186] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201645; rev:1;)
alert tcp $HOME_NET any -> [64.128.175.37] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201646; rev:1;)
alert tcp $HOME_NET any -> [109.234.36.198] 1616 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201647; rev:1;)
alert tcp $HOME_NET any -> [198.54.115.114] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201648; rev:1;)
alert tcp $HOME_NET any -> [185.86.149.175] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201649; rev:1;)
alert tcp $HOME_NET any -> [144.202.23.191] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201650; rev:1;)
alert tcp $HOME_NET any -> [144.202.23.191] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201651; rev:1;)
alert tcp $HOME_NET any -> [35.202.16.252] 1336 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201652; rev:1;)
alert tcp $HOME_NET any -> [185.197.75.161] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201653; rev:1;)
alert tcp $HOME_NET any -> [24.247.182.7] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201654; rev:1;)
alert tcp $HOME_NET any -> [184.106.153.73] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201655; rev:1;)
alert tcp $HOME_NET any -> [94.140.125.119] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201656; rev:1;)
alert tcp $HOME_NET any -> [188.120.243.46] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201657; rev:1;)
alert tcp $HOME_NET any -> [194.5.250.162] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201658; rev:1;)
alert tcp $HOME_NET any -> [185.86.150.220] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201659; rev:1;)
alert tcp $HOME_NET any -> [74.132.135.120] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201660; rev:1;)
alert tcp $HOME_NET any -> [185.65.202.12] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201661; rev:1;)
alert tcp $HOME_NET any -> [213.183.51.208] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201662; rev:1;)
alert tcp $HOME_NET any -> [198.61.196.18] 1801 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201663; rev:1;)
alert tcp $HOME_NET any -> [37.60.177.67] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201664; rev:1;)
alert tcp $HOME_NET any -> [193.37.212.4] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201665; rev:1;)
alert tcp $HOME_NET any -> [85.217.170.186] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex malware distribution traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201666; rev:1;)
alert tcp $HOME_NET any -> [37.187.61.1] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201667; rev:1;)
alert tcp $HOME_NET any -> [62.210.248.53] 1337 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201668; rev:1;)
alert tcp $HOME_NET any -> [92.63.197.150] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201669; rev:1;)
alert tcp $HOME_NET any -> [83.166.242.16] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201670; rev:1;)
alert tcp $HOME_NET any -> [185.148.241.50] 9030 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201671; rev:1;)
alert tcp $HOME_NET any -> [97.87.172.0] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201672; rev:1;)
alert tcp $HOME_NET any -> [185.25.50.204] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201673; rev:1;)
alert tcp $HOME_NET any -> [81.176.239.195] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201674; rev:1;)
alert tcp $HOME_NET any -> [75.108.123.165] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201675; rev:1;)
alert tcp $HOME_NET any -> [185.158.251.55] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201676; rev:1;)
alert tcp $HOME_NET any -> [185.244.150.230] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201677; rev:1;)
alert tcp $HOME_NET any -> [172.106.33.46] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201678; rev:1;)
alert tcp $HOME_NET any -> [72.241.62.188] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201679; rev:1;)
alert tcp $HOME_NET any -> [192.48.88.22] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201680; rev:1;)
alert tcp $HOME_NET any -> [176.10.118.144] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201681; rev:1;)
alert tcp $HOME_NET any -> [95.181.198.136] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201682; rev:1;)
alert tcp $HOME_NET any -> [185.238.136.67] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201683; rev:1;)
alert tcp $HOME_NET any -> [109.230.199.169] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201684; rev:1;)
alert tcp $HOME_NET any -> [95.181.198.233] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201685; rev:1;)
alert tcp $HOME_NET any -> [146.0.72.183] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201686; rev:1;)
alert tcp $HOME_NET any -> [185.246.155.68] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201687; rev:1;)
alert tcp $HOME_NET any -> [95.181.198.34] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201688; rev:1;)
alert tcp $HOME_NET any -> [37.252.9.68] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201689; rev:1;)
alert tcp $HOME_NET any -> [178.162.132.76] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201690; rev:1;)
alert tcp $HOME_NET any -> [83.166.240.191] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201691; rev:1;)
alert tcp $HOME_NET any -> [47.74.242.150] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201692; rev:1;)
alert tcp $HOME_NET any -> [3.16.149.119] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201693; rev:1;)
alert tcp $HOME_NET any -> [185.203.118.214] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201694; rev:1;)
alert tcp $HOME_NET any -> [77.222.63.66] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201695; rev:1;)
alert tcp $HOME_NET any -> [185.129.49.19] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201696; rev:1;)
alert tcp $HOME_NET any -> [83.166.247.211] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201697; rev:1;)
alert tcp $HOME_NET any -> [185.66.9.143] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201698; rev:1;)
alert tcp $HOME_NET any -> [199.227.126.250] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201699; rev:1;)
alert tcp $HOME_NET any -> [24.113.161.184] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201700; rev:1;)
alert tcp $HOME_NET any -> [185.158.251.119] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201701; rev:1;)
alert tcp $HOME_NET any -> [37.252.4.107] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201702; rev:1;)
alert tcp $HOME_NET any -> [176.32.32.6] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201703; rev:1;)
alert tcp $HOME_NET any -> [172.222.97.179] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201704; rev:1;)
alert tcp $HOME_NET any -> [46.17.47.4] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201705; rev:1;)
alert tcp $HOME_NET any -> [72.189.124.41] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201706; rev:1;)
alert tcp $HOME_NET any -> [24.247.181.226] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201707; rev:1;)
alert tcp $HOME_NET any -> [185.159.129.100] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201708; rev:1;)
alert tcp $HOME_NET any -> [185.158.249.174] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201709; rev:1;)
alert tcp $HOME_NET any -> [174.105.235.178] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201710; rev:1;)
alert tcp $HOME_NET any -> [95.213.144.203] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201711; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.108] 2216 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201712; rev:1;)
alert tcp $HOME_NET any -> [94.140.125.158] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201713; rev:1;)
alert tcp $HOME_NET any -> [24.247.181.155] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201714; rev:1;)
alert tcp $HOME_NET any -> [85.204.74.146] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201715; rev:1;)
alert tcp $HOME_NET any -> [24.227.222.4] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201716; rev:1;)
alert tcp $HOME_NET any -> [75.102.135.23] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201717; rev:1;)
alert tcp $HOME_NET any -> [185.231.246.107] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201718; rev:1;)
alert tcp $HOME_NET any -> [51.38.146.101] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201719; rev:1;)
alert tcp $HOME_NET any -> [51.38.146.101] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201720; rev:1;)
alert tcp $HOME_NET any -> [46.229.214.92] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201721; rev:1;)
alert tcp $HOME_NET any -> [74.134.5.113] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201722; rev:1;)
alert tcp $HOME_NET any -> [91.230.60.116] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201723; rev:1;)
alert tcp $HOME_NET any -> [95.181.198.115] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201724; rev:1;)
alert tcp $HOME_NET any -> [111.90.144.65] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201725; rev:1;)
alert tcp $HOME_NET any -> [109.230.199.30] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201726; rev:1;)
alert tcp $HOME_NET any -> [95.181.198.116] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201727; rev:1;)
alert tcp $HOME_NET any -> [95.181.198.72] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201728; rev:1;)
alert tcp $HOME_NET any -> [66.60.121.58] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201729; rev:1;)
alert tcp $HOME_NET any -> [178.162.132.90] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201730; rev:1;)
alert tcp $HOME_NET any -> [74.140.160.33] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201731; rev:1;)
alert tcp $HOME_NET any -> [65.31.241.133] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201732; rev:1;)
alert tcp $HOME_NET any -> [206.130.141.255] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201733; rev:1;)
alert tcp $HOME_NET any -> [145.239.140.188] 60 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201734; rev:1;)
alert tcp $HOME_NET any -> [192.162.244.170] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201735; rev:1;)
alert tcp $HOME_NET any -> [24.119.69.70] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201736; rev:1;)
alert tcp $HOME_NET any -> [92.223.105.10] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201737; rev:1;)
alert tcp $HOME_NET any -> [188.227.18.135] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201738; rev:1;)
alert tcp $HOME_NET any -> [185.183.96.145] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201739; rev:1;)
alert tcp $HOME_NET any -> [76.181.182.166] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201740; rev:1;)
alert tcp $HOME_NET any -> [174.105.233.82] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201741; rev:1;)
alert tcp $HOME_NET any -> [54.39.218.118] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201742; rev:1;)
alert tcp $HOME_NET any -> [185.125.205.73] 1818 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201743; rev:1;)
alert tcp $HOME_NET any -> [54.39.218.127] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201744; rev:1;)
alert tcp $HOME_NET any -> [192.48.88.172] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201745; rev:1;)
alert tcp $HOME_NET any -> [192.48.88.118] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201746; rev:1;)
alert tcp $HOME_NET any -> [144.217.37.230] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201747; rev:1;)
alert tcp $HOME_NET any -> [66.70.205.140] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201748; rev:1;)
alert tcp $HOME_NET any -> [205.157.150.98] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201749; rev:1;)
alert tcp $HOME_NET any -> [207.140.14.141] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201750; rev:1;)
alert tcp $HOME_NET any -> [71.193.151.218] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201751; rev:1;)
alert tcp $HOME_NET any -> [67.49.38.139] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201752; rev:1;)
alert tcp $HOME_NET any -> [73.67.78.5] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201753; rev:1;)
alert tcp $HOME_NET any -> [47.254.153.36] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201754; rev:1;)
alert tcp $HOME_NET any -> [68.4.173.10] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201755; rev:1;)
alert tcp $HOME_NET any -> [140.190.54.187] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201756; rev:1;)
alert tcp $HOME_NET any -> [54.39.81.120] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201757; rev:1;)
alert tcp $HOME_NET any -> [194.147.35.87] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201758; rev:1;)
alert tcp $HOME_NET any -> [178.162.132.83] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201759; rev:1;)
alert tcp $HOME_NET any -> [185.121.166.26] 8057 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201760; rev:1;)
alert tcp $HOME_NET any -> [185.127.27.96] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201761; rev:1;)
alert tcp $HOME_NET any -> [185.48.57.117] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201762; rev:1;)
alert tcp $HOME_NET any -> [83.217.10.56] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201763; rev:1;)
alert tcp $HOME_NET any -> [81.177.135.191] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201764; rev:1;)
alert tcp $HOME_NET any -> [54.39.81.123] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201765; rev:1;)
alert tcp $HOME_NET any -> [185.86.151.152] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201766; rev:1;)
alert tcp $HOME_NET any -> [193.183.98.122] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201767; rev:1;)
alert tcp $HOME_NET any -> [185.144.29.92] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201768; rev:1;)
alert tcp $HOME_NET any -> [85.143.220.184] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201769; rev:1;)
alert tcp $HOME_NET any -> [68.3.14.71] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201770; rev:1;)
alert tcp $HOME_NET any -> [69.57.26.30] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201771; rev:1;)
alert tcp $HOME_NET any -> [185.117.72.67] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201772; rev:1;)
alert tcp $HOME_NET any -> [95.215.44.192] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201773; rev:1;)
alert tcp $HOME_NET any -> [54.39.74.123] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201774; rev:1;)
alert tcp $HOME_NET any -> [185.45.193.157] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201775; rev:1;)
alert tcp $HOME_NET any -> [95.181.179.66] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201776; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.20] 2556 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201777; rev:1;)
alert tcp $HOME_NET any -> [190.181.235.50] 10134 (msg:"SSLBL: Traffic to malicious host (likely OrcusRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201778; rev:1;)
alert tcp $HOME_NET any -> [80.87.193.7] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201779; rev:1;)
alert tcp $HOME_NET any -> [185.94.96.226] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201780; rev:1;)
alert tcp $HOME_NET any -> [94.140.125.232] 8443 (msg:"SSLBL: Traffic to malicious host (likely CoinMiner C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201781; rev:1;)
alert tcp $HOME_NET any -> [192.42.119.41] 443 (msg:"SSLBL: Traffic to malicious host (likely Sinkhole traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201782; rev:1;)
alert tcp $HOME_NET any -> [185.92.74.67] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201783; rev:1;)
alert tcp $HOME_NET any -> [95.179.144.131] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201784; rev:1;)
alert tcp $HOME_NET any -> [46.29.164.171] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201785; rev:1;)
alert tcp $HOME_NET any -> [46.36.220.116] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201786; rev:1;)
alert tcp $HOME_NET any -> [185.68.93.59] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201787; rev:1;)
alert tcp $HOME_NET any -> [31.214.157.60] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201788; rev:1;)
alert tcp $HOME_NET any -> [98.177.188.224] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201789; rev:1;)
alert tcp $HOME_NET any -> [46.148.26.86] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201790; rev:1;)
alert tcp $HOME_NET any -> [185.22.154.66] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201791; rev:1;)
alert tcp $HOME_NET any -> [198.46.207.107] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201792; rev:1;)
alert tcp $HOME_NET any -> [104.236.212.82] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201793; rev:1;)
alert tcp $HOME_NET any -> [185.77.129.125] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201794; rev:1;)
alert tcp $HOME_NET any -> [68.45.243.125] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201795; rev:1;)
alert tcp $HOME_NET any -> [71.94.101.25] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201796; rev:1;)
alert tcp $HOME_NET any -> [92.38.130.63] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201797; rev:1;)
alert tcp $HOME_NET any -> [110.232.86.52] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201798; rev:1;)
alert tcp $HOME_NET any -> [51.68.184.101] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201799; rev:1;)
alert tcp $HOME_NET any -> [136.243.189.204] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201800; rev:1;)
alert tcp $HOME_NET any -> [185.251.38.178] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201801; rev:1;)
alert tcp $HOME_NET any -> [37.235.251.150] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201802; rev:1;)
alert tcp $HOME_NET any -> [95.181.179.80] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201803; rev:1;)
alert tcp $HOME_NET any -> [5.2.67.212] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201804; rev:1;)
alert tcp $HOME_NET any -> [93.189.43.230] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201805; rev:1;)
alert tcp $HOME_NET any -> [185.17.123.248] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201806; rev:1;)
alert tcp $HOME_NET any -> [54.39.175.179] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201807; rev:1;)
alert tcp $HOME_NET any -> [186.47.103.226] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201808; rev:1;)
alert tcp $HOME_NET any -> [107.175.127.147] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201809; rev:1;)
alert tcp $HOME_NET any -> [185.189.132.134] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201810; rev:1;)
alert tcp $HOME_NET any -> [185.231.154.40] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201811; rev:1;)
alert tcp $HOME_NET any -> [185.94.99.7] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201812; rev:1;)
alert tcp $HOME_NET any -> [54.39.124.202] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201813; rev:1;)
alert tcp $HOME_NET any -> [46.105.131.72] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201814; rev:1;)
alert tcp $HOME_NET any -> [46.29.160.120] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201815; rev:1;)
alert tcp $HOME_NET any -> [93.170.105.33] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201816; rev:1;)
alert tcp $HOME_NET any -> [5.104.41.188] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201817; rev:1;)
alert tcp $HOME_NET any -> [202.137.121.14] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201818; rev:1;)
alert tcp $HOME_NET any -> [185.251.39.118] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201819; rev:1;)
alert tcp $HOME_NET any -> [185.161.211.79] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201820; rev:1;)
alert tcp $HOME_NET any -> [31.31.161.165] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201821; rev:1;)
alert tcp $HOME_NET any -> [54.39.167.242] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201822; rev:1;)
alert tcp $HOME_NET any -> [185.246.153.252] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201823; rev:1;)
alert tcp $HOME_NET any -> [46.29.165.207] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201824; rev:1;)
alert tcp $HOME_NET any -> [185.221.153.27] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201825; rev:1;)
alert tcp $HOME_NET any -> [212.23.70.149] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201826; rev:1;)
alert tcp $HOME_NET any -> [87.121.98.37] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201827; rev:1;)
alert tcp $HOME_NET any -> [190.145.74.84] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201828; rev:1;)
alert tcp $HOME_NET any -> [31.179.162.86] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201829; rev:1;)
alert tcp $HOME_NET any -> [167.114.13.91] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201830; rev:1;)
alert tcp $HOME_NET any -> [179.127.254.196] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201831; rev:1;)
alert tcp $HOME_NET any -> [193.187.91.238] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201832; rev:1;)
alert tcp $HOME_NET any -> [187.190.249.230] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201833; rev:1;)
alert tcp $HOME_NET any -> [71.13.140.89] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201834; rev:1;)
alert tcp $HOME_NET any -> [169.1.39.89] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201835; rev:1;)
alert tcp $HOME_NET any -> [142.44.207.84] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201836; rev:1;)
alert tcp $HOME_NET any -> [173.239.128.74] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201837; rev:1;)
alert tcp $HOME_NET any -> [105.27.171.234] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201838; rev:1;)
alert tcp $HOME_NET any -> [91.235.136.114] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201839; rev:1;)
alert tcp $HOME_NET any -> [185.86.150.214] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201840; rev:1;)
alert tcp $HOME_NET any -> [42.115.91.177] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201841; rev:1;)
alert tcp $HOME_NET any -> [185.66.227.183] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201842; rev:1;)
alert tcp $HOME_NET any -> [181.113.17.230] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201843; rev:1;)
alert tcp $HOME_NET any -> [198.100.157.163] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201844; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.15] 1988 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201845; rev:1;)
alert tcp $HOME_NET any -> [115.78.3.170] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201846; rev:1;)
alert tcp $HOME_NET any -> [103.110.91.118] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201847; rev:1;)
alert tcp $HOME_NET any -> [193.187.91.243] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201848; rev:1;)
alert tcp $HOME_NET any -> [170.81.32.66] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201849; rev:1;)
alert tcp $HOME_NET any -> [217.147.170.72] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201850; rev:1;)
alert tcp $HOME_NET any -> [70.48.101.54] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201851; rev:1;)
alert tcp $HOME_NET any -> [103.10.145.197] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201852; rev:1;)
alert tcp $HOME_NET any -> [23.226.138.169] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201853; rev:1;)
alert tcp $HOME_NET any -> [185.205.209.27] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201854; rev:1;)
alert tcp $HOME_NET any -> [185.173.94.186] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201855; rev:1;)
alert tcp $HOME_NET any -> [185.154.21.160] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201856; rev:1;)
alert tcp $HOME_NET any -> [81.19.210.19] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201857; rev:1;)
alert tcp $HOME_NET any -> [185.147.237.35] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201858; rev:1;)
alert tcp $HOME_NET any -> [185.77.129.136] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201859; rev:1;)
alert tcp $HOME_NET any -> [128.201.92.41] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201860; rev:1;)
alert tcp $HOME_NET any -> [81.0.118.50] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201861; rev:1;)
alert tcp $HOME_NET any -> [185.63.190.149] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201862; rev:1;)
alert tcp $HOME_NET any -> [192.48.88.92] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201863; rev:1;)
alert tcp $HOME_NET any -> [66.229.97.133] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201864; rev:1;)
alert tcp $HOME_NET any -> [185.62.189.148] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201865; rev:1;)
alert tcp $HOME_NET any -> [182.50.64.148] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201866; rev:1;)
alert tcp $HOME_NET any -> [223.25.64.119] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201867; rev:1;)
alert tcp $HOME_NET any -> [93.189.46.215] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201868; rev:1;)
alert tcp $HOME_NET any -> [145.249.107.72] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201869; rev:1;)
alert tcp $HOME_NET any -> [92.38.132.51] 80 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201870; rev:1;)
alert tcp $HOME_NET any -> [92.38.132.51] 443 (msg:"SSLBL: Traffic to malicious host (likely AZORult C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201871; rev:1;)
alert tcp $HOME_NET any -> [82.222.40.119] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201872; rev:1;)
alert tcp $HOME_NET any -> [192.252.209.44] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201873; rev:1;)
alert tcp $HOME_NET any -> [116.212.152.12] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201874; rev:1;)
alert tcp $HOME_NET any -> [144.121.143.129] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201875; rev:1;)
alert tcp $HOME_NET any -> [192.188.120.164] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201876; rev:1;)
alert tcp $HOME_NET any -> [97.78.222.18] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201877; rev:1;)
alert tcp $HOME_NET any -> [47.74.44.209] 443 (msg:"SSLBL: Traffic to malicious host (likely Smoke Loader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201878; rev:1;)
alert tcp $HOME_NET any -> [118.97.119.218] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201879; rev:1;)
alert tcp $HOME_NET any -> [185.42.52.126] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201880; rev:1;)
alert tcp $HOME_NET any -> [94.232.20.113] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201881; rev:1;)
alert tcp $HOME_NET any -> [95.154.80.154] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201882; rev:1;)
alert tcp $HOME_NET any -> [185.200.60.138] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201883; rev:1;)
alert tcp $HOME_NET any -> [197.232.243.36] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201884; rev:1;)
alert tcp $HOME_NET any -> [94.181.47.198] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201885; rev:1;)
alert tcp $HOME_NET any -> [103.111.53.126] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201886; rev:1;)
alert tcp $HOME_NET any -> [89.223.94.240] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201887; rev:1;)
alert tcp $HOME_NET any -> [23.94.41.215] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201888; rev:1;)
alert tcp $HOME_NET any -> [103.111.55.218] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201889; rev:1;)
alert tcp $HOME_NET any -> [181.174.112.74] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201890; rev:1;)
alert tcp $HOME_NET any -> [46.149.182.112] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201891; rev:1;)
alert tcp $HOME_NET any -> [140.82.24.184] 443 (msg:"SSLBL: Traffic to malicious host (likely Neutrino C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201892; rev:1;)
alert tcp $HOME_NET any -> [182.253.20.66] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201893; rev:1;)
alert tcp $HOME_NET any -> [67.79.15.106] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201894; rev:1;)
alert tcp $HOME_NET any -> [121.58.242.206] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201895; rev:1;)
alert tcp $HOME_NET any -> [62.141.94.107] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201896; rev:1;)
alert tcp $HOME_NET any -> [77.222.55.7] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201897; rev:1;)
alert tcp $HOME_NET any -> [104.254.10.200] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201898; rev:1;)
alert tcp $HOME_NET any -> [91.201.65.107] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201899; rev:1;)
alert tcp $HOME_NET any -> [81.17.86.112] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201900; rev:1;)
alert tcp $HOME_NET any -> [109.173.104.236] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201901; rev:1;)
alert tcp $HOME_NET any -> [31.220.45.151] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201902; rev:1;)
alert tcp $HOME_NET any -> [185.45.193.111] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201903; rev:1;)
alert tcp $HOME_NET any -> [172.245.210.10] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201904; rev:1;)
alert tcp $HOME_NET any -> [172.245.210.10] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201905; rev:1;)
alert tcp $HOME_NET any -> [185.214.10.163] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201906; rev:1;)
alert tcp $HOME_NET any -> [197.232.50.85] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201907; rev:1;)
alert tcp $HOME_NET any -> [92.38.132.118] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201908; rev:1;)
alert tcp $HOME_NET any -> [93.189.41.44] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201909; rev:1;)
alert tcp $HOME_NET any -> [185.159.82.131] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201910; rev:1;)
alert tcp $HOME_NET any -> [185.231.153.228] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201911; rev:1;)
alert tcp $HOME_NET any -> [185.61.138.181] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201912; rev:1;)
alert tcp $HOME_NET any -> [91.217.90.133] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201913; rev:1;)
alert tcp $HOME_NET any -> [195.254.227.201] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201914; rev:1;)
alert tcp $HOME_NET any -> [178.116.83.49] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201915; rev:1;)
alert tcp $HOME_NET any -> [111.220.125.141] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201916; rev:1;)
alert tcp $HOME_NET any -> [88.87.231.162] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201917; rev:1;)
alert tcp $HOME_NET any -> [93.189.41.7] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201918; rev:1;)
alert tcp $HOME_NET any -> [195.123.216.145] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201919; rev:1;)
alert tcp $HOME_NET any -> [185.212.131.19] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201920; rev:1;)
alert tcp $HOME_NET any -> [178.132.7.104] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201921; rev:1;)
alert tcp $HOME_NET any -> [185.15.208.110] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201922; rev:1;)
alert tcp $HOME_NET any -> [5.135.252.103] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201923; rev:1;)
alert tcp $HOME_NET any -> [47.49.168.50] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201924; rev:1;)
alert tcp $HOME_NET any -> [41.211.9.234] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201925; rev:1;)
alert tcp $HOME_NET any -> [176.10.170.65] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201926; rev:1;)
alert tcp $HOME_NET any -> [51.68.188.128] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201927; rev:1;)
alert tcp $HOME_NET any -> [185.75.90.192] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201928; rev:1;)
alert tcp $HOME_NET any -> [68.169.161.5] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201929; rev:1;)
alert tcp $HOME_NET any -> [96.43.40.221] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201930; rev:1;)
alert tcp $HOME_NET any -> [47.254.192.42] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201931; rev:1;)
alert tcp $HOME_NET any -> [94.142.138.211] 443 (msg:"SSLBL: Traffic to malicious host (likely AgentTesla C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201932; rev:1;)
alert tcp $HOME_NET any -> [36.67.215.93] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201933; rev:1;)
alert tcp $HOME_NET any -> [95.142.40.16] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201934; rev:1;)
alert tcp $HOME_NET any -> [212.225.214.249] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201935; rev:1;)
alert tcp $HOME_NET any -> [180.241.112.37] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201936; rev:1;)
alert tcp $HOME_NET any -> [185.228.233.168] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201937; rev:1;)
alert tcp $HOME_NET any -> [185.62.188.207] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201938; rev:1;)
alert tcp $HOME_NET any -> [143.202.145.43] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201939; rev:1;)
alert tcp $HOME_NET any -> [5.188.52.204] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201940; rev:1;)
alert tcp $HOME_NET any -> [93.170.123.68] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201941; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.52] 6654 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201942; rev:1;)
alert tcp $HOME_NET any -> [185.163.100.30] 8789 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201943; rev:1;)
alert tcp $HOME_NET any -> [24.231.0.139] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201944; rev:1;)
alert tcp $HOME_NET any -> [149.129.223.136] 443 (msg:"SSLBL: Traffic to malicious host (likely Godzilla C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201945; rev:1;)
alert tcp $HOME_NET any -> [192.42.116.41] 443 (msg:"SSLBL: Traffic to malicious host (likely Sinkhole traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201946; rev:1;)
alert tcp $HOME_NET any -> [84.237.228.13] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201947; rev:1;)
alert tcp $HOME_NET any -> [85.9.212.117] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201948; rev:1;)
alert tcp $HOME_NET any -> [198.53.63.120] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201949; rev:1;)
alert tcp $HOME_NET any -> [185.121.166.77] 8057 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201950; rev:1;)
alert tcp $HOME_NET any -> [185.60.133.246] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201951; rev:1;)
alert tcp $HOME_NET any -> [68.109.83.22] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201952; rev:1;)
alert tcp $HOME_NET any -> [87.117.146.63] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201953; rev:1;)
alert tcp $HOME_NET any -> [92.38.135.168] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201954; rev:1;)
alert tcp $HOME_NET any -> [83.167.164.81] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201955; rev:1;)
alert tcp $HOME_NET any -> [91.214.119.37] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201956; rev:1;)
alert tcp $HOME_NET any -> [149.129.129.193] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201957; rev:1;)
alert tcp $HOME_NET any -> [185.148.241.52] 7219 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201958; rev:1;)
alert tcp $HOME_NET any -> [185.148.241.56] 8511 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201959; rev:1;)
alert tcp $HOME_NET any -> [185.121.166.106] 2112 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201960; rev:1;)
alert tcp $HOME_NET any -> [185.67.0.108] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201961; rev:1;)
alert tcp $HOME_NET any -> [118.200.151.113] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201962; rev:1;)
alert tcp $HOME_NET any -> [184.68.167.42] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201963; rev:1;)
alert tcp $HOME_NET any -> [96.31.109.51] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201964; rev:1;)
alert tcp $HOME_NET any -> [185.206.146.75] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201965; rev:1;)
alert tcp $HOME_NET any -> [185.125.205.69] 3030 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201966; rev:1;)
alert tcp $HOME_NET any -> [82.202.166.170] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201967; rev:1;)
alert tcp $HOME_NET any -> [185.148.241.38] 1555 (msg:"SSLBL: Traffic to malicious host (likely JBifrost C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201968; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.50] 2087 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201969; rev:1;)
alert tcp $HOME_NET any -> [178.209.42.109] 4299 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201970; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.35] 2808 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201971; rev:1;)
alert tcp $HOME_NET any -> [198.12.90.76] 1989 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201972; rev:1;)
alert tcp $HOME_NET any -> [185.141.61.111] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201973; rev:1;)
alert tcp $HOME_NET any -> [185.128.24.20] 2679 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201974; rev:1;)
alert tcp $HOME_NET any -> [185.174.172.132] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201975; rev:1;)
alert tcp $HOME_NET any -> [185.16.41.172] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201976; rev:1;)
alert tcp $HOME_NET any -> [185.159.80.106] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201977; rev:1;)
alert tcp $HOME_NET any -> [5.188.228.47] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201978; rev:1;)
alert tcp $HOME_NET any -> [213.152.161.234] 15086 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201979; rev:1;)
alert tcp $HOME_NET any -> [185.125.205.72] 20 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201980; rev:1;)
alert tcp $HOME_NET any -> [70.79.178.120] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201981; rev:1;)
alert tcp $HOME_NET any -> [185.148.241.59] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201982; rev:1;)
alert tcp $HOME_NET any -> [62.113.238.144] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201983; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.109] 2097 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201984; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.39] 1373 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201985; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.112] 20901 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201986; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.3] 1153 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201987; rev:1;)
alert tcp $HOME_NET any -> [185.4.29.236] 8057 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201988; rev:1;)
alert tcp $HOME_NET any -> [185.148.241.37] 4041 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201989; rev:1;)
alert tcp $HOME_NET any -> [110.10.176.124] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201990; rev:1;)
alert tcp $HOME_NET any -> [181.215.247.69] 8181 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201991; rev:1;)
alert tcp $HOME_NET any -> [185.135.83.35] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201992; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.132] 6654 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201993; rev:1;)
alert tcp $HOME_NET any -> [212.83.61.213] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201994; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.103] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201995; rev:1;)
alert tcp $HOME_NET any -> [208.78.58.170] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201996; rev:1;)
alert tcp $HOME_NET any -> [178.78.202.189] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201997; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.35] 1986 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201998; rev:1;)
alert tcp $HOME_NET any -> [185.224.249.29] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905201999; rev:1;)
alert tcp $HOME_NET any -> [118.91.178.101] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202000; rev:1;)
alert tcp $HOME_NET any -> [185.125.205.87] 7600 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202001; rev:1;)
alert tcp $HOME_NET any -> [185.125.205.70] 4455 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202002; rev:1;)
alert tcp $HOME_NET any -> [89.117.107.13] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202003; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.41] 7720 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202004; rev:1;)
alert tcp $HOME_NET any -> [194.68.23.182] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202005; rev:1;)
alert tcp $HOME_NET any -> [185.129.193.221] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202006; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.73] 33524 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202007; rev:1;)
alert tcp $HOME_NET any -> [201.174.70.238] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202008; rev:1;)
alert tcp $HOME_NET any -> [90.69.224.122] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202009; rev:1;)
alert tcp $HOME_NET any -> [89.105.194.234] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202010; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.73] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202011; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.19] 4045 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202012; rev:1;)
alert tcp $HOME_NET any -> [95.181.179.31] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202013; rev:1;)
alert tcp $HOME_NET any -> [185.148.241.56] 5888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202014; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.51] 1990 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202015; rev:1;)
alert tcp $HOME_NET any -> [45.56.2.247] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202016; rev:1;)
alert tcp $HOME_NET any -> [185.148.145.197] 2672 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202017; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.27] 1373 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202018; rev:1;)
alert tcp $HOME_NET any -> [181.215.247.173] 8890 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202019; rev:1;)
alert tcp $HOME_NET any -> [181.215.247.215] 6420 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202020; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.35] 3885 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202021; rev:1;)
alert tcp $HOME_NET any -> [185.125.205.79] 8970 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202022; rev:1;)
alert tcp $HOME_NET any -> [213.252.247.235] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202023; rev:1;)
alert tcp $HOME_NET any -> [73.107.42.28] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202024; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.49] 7119 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202025; rev:1;)
alert tcp $HOME_NET any -> [185.148.241.49] 9555 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202026; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.44] 5888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202027; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.36] 7748 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202028; rev:1;)
alert tcp $HOME_NET any -> [185.125.205.86] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202029; rev:1;)
alert tcp $HOME_NET any -> [5.188.232.238] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202030; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.45] 5007 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202031; rev:1;)
alert tcp $HOME_NET any -> [47.40.90.210] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202032; rev:1;)
alert tcp $HOME_NET any -> [67.159.157.150] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202033; rev:1;)
alert tcp $HOME_NET any -> [146.255.79.176] 1177 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202034; rev:1;)
alert tcp $HOME_NET any -> [151.106.30.239] 1989 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202035; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.4] 1918 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202036; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.22] 8420 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202037; rev:1;)
alert tcp $HOME_NET any -> [187.163.215.32] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202038; rev:1;)
alert tcp $HOME_NET any -> [91.227.16.125] 443 (msg:"SSLBL: Traffic to malicious host (likely PlugX C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202039; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.208] 7734 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202040; rev:1;)
alert tcp $HOME_NET any -> [138.34.32.74] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202041; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.9] 1153 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202042; rev:1;)
alert tcp $HOME_NET any -> [45.32.235.225] 1983 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202043; rev:1;)
alert tcp $HOME_NET any -> [185.148.241.39] 5786 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202044; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.42] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202045; rev:1;)
alert tcp $HOME_NET any -> [181.215.247.211] 8890 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202046; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.12] 2097 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202047; rev:1;)
alert tcp $HOME_NET any -> [181.215.247.33] 2343 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202048; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.188] 665 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202049; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.75] 2889 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202050; rev:1;)
alert tcp $HOME_NET any -> [185.148.241.43] 8890 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202051; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.139] 4040 (msg:"SSLBL: Traffic to malicious host (likely JBifrost C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202052; rev:1;)
alert tcp $HOME_NET any -> [185.115.32.166] 2000 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202053; rev:1;)
alert tcp $HOME_NET any -> [200.2.126.98] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202054; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.68] 2442 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202055; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.182] 2222 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202056; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.16] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202057; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.183] 90 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202058; rev:1;)
alert tcp $HOME_NET any -> [62.31.150.202] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202059; rev:1;)
alert tcp $HOME_NET any -> [86.61.177.139] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202060; rev:1;)
alert tcp $HOME_NET any -> [213.183.59.130] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202061; rev:1;)
alert tcp $HOME_NET any -> [181.174.165.162] 443 (msg:"SSLBL: Traffic to malicious host (likely Neutrino C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202062; rev:1;)
alert tcp $HOME_NET any -> [144.76.237.29] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202063; rev:1;)
alert tcp $HOME_NET any -> [185.148.241.58] 5050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202064; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.67] 6969 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202065; rev:1;)
alert tcp $HOME_NET any -> [138.34.32.218] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202066; rev:1;)
alert tcp $HOME_NET any -> [41.211.9.226] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202067; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.137] 4546 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202068; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.75] 7219 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202069; rev:1;)
alert tcp $HOME_NET any -> [36.74.100.211] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202070; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.202] 2222 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202071; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.65] 7177 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202072; rev:1;)
alert tcp $HOME_NET any -> [194.68.59.50] 2311 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202073; rev:1;)
alert tcp $HOME_NET any -> [185.148.241.41] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202074; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.186] 6420 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202075; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.66] 2675 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202076; rev:1;)
alert tcp $HOME_NET any -> [185.148.241.53] 4545 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202077; rev:1;)
alert tcp $HOME_NET any -> [188.124.167.132] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202078; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.180] 7890 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202079; rev:1;)
alert tcp $HOME_NET any -> [46.21.154.83] 14486 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202080; rev:1;)
alert tcp $HOME_NET any -> [146.255.79.180] 1177 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202081; rev:1;)
alert tcp $HOME_NET any -> [204.16.247.51] 1414 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202082; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.2] 1818 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202083; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.218] 7751 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202084; rev:1;)
alert tcp $HOME_NET any -> [181.215.247.89] 2543 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202085; rev:1;)
alert tcp $HOME_NET any -> [66.98.121.192] 5555 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202086; rev:1;)
alert tcp $HOME_NET any -> [206.123.145.108] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202087; rev:1;)
alert tcp $HOME_NET any -> [155.133.31.21] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202088; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.64] 4001 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202089; rev:1;)
alert tcp $HOME_NET any -> [104.247.219.27] 1717 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202090; rev:1;)
alert tcp $HOME_NET any -> [181.215.247.51] 5030 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202091; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.76] 3033 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202092; rev:1;)
alert tcp $HOME_NET any -> [146.255.79.181] 1818 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202093; rev:1;)
alert tcp $HOME_NET any -> [87.255.24.238] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202094; rev:1;)
alert tcp $HOME_NET any -> [85.143.202.82] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202095; rev:1;)
alert tcp $HOME_NET any -> [182.253.210.130] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202096; rev:1;)
alert tcp $HOME_NET any -> [77.246.158.28] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202097; rev:1;)
alert tcp $HOME_NET any -> [24.228.185.224] 2222 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202098; rev:1;)
alert tcp $HOME_NET any -> [185.148.241.51] 3011 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202099; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.183] 5888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202100; rev:1;)
alert tcp $HOME_NET any -> [190.4.189.129] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202101; rev:1;)
alert tcp $HOME_NET any -> [200.111.167.227] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202102; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.65] 4040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202103; rev:1;)
alert tcp $HOME_NET any -> [181.215.247.208] 20903 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202104; rev:1;)
alert tcp $HOME_NET any -> [103.43.75.105] 1972 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202105; rev:1;)
alert tcp $HOME_NET any -> [158.58.131.54] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202106; rev:1;)
alert tcp $HOME_NET any -> [181.215.247.66] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202107; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.139] 1864 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202108; rev:1;)
alert tcp $HOME_NET any -> [46.47.50.44] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202109; rev:1;)
alert tcp $HOME_NET any -> [185.141.62.100] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202110; rev:1;)
alert tcp $HOME_NET any -> [46.173.218.66] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202111; rev:1;)
alert tcp $HOME_NET any -> [109.234.35.177] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202112; rev:1;)
alert tcp $HOME_NET any -> [185.148.241.59] 6692 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202113; rev:1;)
alert tcp $HOME_NET any -> [185.168.185.218] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202114; rev:1;)
alert tcp $HOME_NET any -> [190.7.199.42] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202115; rev:1;)
alert tcp $HOME_NET any -> [93.109.242.134] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202116; rev:1;)
alert tcp $HOME_NET any -> [185.125.205.69] 6897 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202117; rev:1;)
alert tcp $HOME_NET any -> [65.30.201.40] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202118; rev:1;)
alert tcp $HOME_NET any -> [146.255.79.162] 1111 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202119; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.188] 3333 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202120; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.199] 8773 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202121; rev:1;)
alert tcp $HOME_NET any -> [185.117.75.121] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202122; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.57] 5050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202123; rev:1;)
alert tcp $HOME_NET any -> [185.125.205.70] 2060 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202124; rev:1;)
alert tcp $HOME_NET any -> [198.50.170.69] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202125; rev:1;)
alert tcp $HOME_NET any -> [109.86.227.152] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202126; rev:1;)
alert tcp $HOME_NET any -> [93.170.123.78] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202127; rev:1;)
alert tcp $HOME_NET any -> [66.232.212.59] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202128; rev:1;)
alert tcp $HOME_NET any -> [83.168.83.29] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202129; rev:1;)
alert tcp $HOME_NET any -> [80.53.57.146] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202130; rev:1;)
alert tcp $HOME_NET any -> [194.68.59.69] 7791 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202131; rev:1;)
alert tcp $HOME_NET any -> [85.143.174.206] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202132; rev:1;)
alert tcp $HOME_NET any -> [71.85.72.9] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202133; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.55] 2675 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202134; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.52] 1987 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202135; rev:1;)
alert tcp $HOME_NET any -> [209.121.142.214] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202136; rev:1;)
alert tcp $HOME_NET any -> [185.48.56.134] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202137; rev:1;)
alert tcp $HOME_NET any -> [5.187.0.158] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202138; rev:1;)
alert tcp $HOME_NET any -> [185.148.241.41] 6540 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202139; rev:1;)
alert tcp $HOME_NET any -> [172.94.47.7] 6014 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202140; rev:1;)
alert tcp $HOME_NET any -> [74.118.139.79] 1414 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202141; rev:1;)
alert tcp $HOME_NET any -> [109.234.35.166] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202142; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.36] 2675 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202143; rev:1;)
alert tcp $HOME_NET any -> [185.220.68.230] 1989 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202144; rev:1;)
alert tcp $HOME_NET any -> [185.84.181.72] 4040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202145; rev:1;)
alert tcp $HOME_NET any -> [154.127.59.97] 1780 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202146; rev:1;)
alert tcp $HOME_NET any -> [185.180.198.78] 443 (msg:"SSLBL: Traffic to malicious host (likely Trickbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202147; rev:1;)
alert tcp $HOME_NET any -> [185.159.130.87] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202148; rev:1;)
alert tcp $HOME_NET any -> [46.72.175.17] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202149; rev:1;)
alert tcp $HOME_NET any -> [172.81.133.35] 1989 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202150; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.186] 6022 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202151; rev:1;)
alert tcp $HOME_NET any -> [185.51.247.169] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202152; rev:1;)
alert tcp $HOME_NET any -> [185.148.241.36] 2071 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202153; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.182] 7063 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202154; rev:1;)
alert tcp $HOME_NET any -> [92.55.251.211] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202155; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.60] 586 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202156; rev:1;)
alert tcp $HOME_NET any -> [181.215.247.5] 2442 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202157; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.53] 2557 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202158; rev:1;)
alert tcp $HOME_NET any -> [94.112.52.197] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202159; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.180] 2050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202160; rev:1;)
alert tcp $HOME_NET any -> [185.243.131.171] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202161; rev:1;)
alert tcp $HOME_NET any -> [80.87.195.247] 443 (msg:"SSLBL: Traffic to malicious host (likely Trickbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202162; rev:1;)
alert tcp $HOME_NET any -> [46.243.179.212] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202163; rev:1;)
alert tcp $HOME_NET any -> [62.109.18.210] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202164; rev:1;)
alert tcp $HOME_NET any -> [185.174.172.226] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202165; rev:1;)
alert tcp $HOME_NET any -> [208.75.117.70] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202166; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.66] 1985 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202167; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.71] 7171 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202168; rev:1;)
alert tcp $HOME_NET any -> [185.228.233.169] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202169; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.156] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202170; rev:1;)
alert tcp $HOME_NET any -> [181.215.247.24] 6789 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202171; rev:1;)
alert tcp $HOME_NET any -> [92.53.66.161] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202172; rev:1;)
alert tcp $HOME_NET any -> [209.121.142.202] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202173; rev:1;)
alert tcp $HOME_NET any -> [203.86.222.142] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202174; rev:1;)
alert tcp $HOME_NET any -> [82.202.236.81] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202175; rev:1;)
alert tcp $HOME_NET any -> [185.249.255.77] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202176; rev:1;)
alert tcp $HOME_NET any -> [144.48.51.8] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202177; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.48] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202178; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.181] 5541 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202179; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.102] 3661 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202180; rev:1;)
alert tcp $HOME_NET any -> [195.54.162.77] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202181; rev:1;)
alert tcp $HOME_NET any -> [185.159.129.149] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202182; rev:1;)
alert tcp $HOME_NET any -> [107.144.49.162] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202183; rev:1;)
alert tcp $HOME_NET any -> [109.234.37.89] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202184; rev:1;)
alert tcp $HOME_NET any -> [185.148.241.35] 8181 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202185; rev:1;)
alert tcp $HOME_NET any -> [194.87.238.137] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202186; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.69] 2019 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202187; rev:1;)
alert tcp $HOME_NET any -> [46.148.26.11] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202188; rev:1;)
alert tcp $HOME_NET any -> [194.68.59.70] 3288 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202189; rev:1;)
alert tcp $HOME_NET any -> [5.102.177.205] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202190; rev:1;)
alert tcp $HOME_NET any -> [85.217.170.201] 4535 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202191; rev:1;)
alert tcp $HOME_NET any -> [85.143.214.226] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202192; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.186] 3821 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202193; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.72] 8970 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202194; rev:1;)
alert tcp $HOME_NET any -> [37.230.112.67] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202195; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.64] 7366 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202196; rev:1;)
alert tcp $HOME_NET any -> [185.159.128.236] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202197; rev:1;)
alert tcp $HOME_NET any -> [80.87.195.120] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202198; rev:1;)
alert tcp $HOME_NET any -> [162.244.32.217] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202199; rev:1;)
alert tcp $HOME_NET any -> [68.227.31.46] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202200; rev:1;)
alert tcp $HOME_NET any -> [81.177.255.76] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202201; rev:1;)
alert tcp $HOME_NET any -> [146.255.79.161] 8475 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202202; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.33] 3917 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202203; rev:1;)
alert tcp $HOME_NET any -> [185.174.175.14] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202204; rev:1;)
alert tcp $HOME_NET any -> [92.53.67.190] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202205; rev:1;)
alert tcp $HOME_NET any -> [185.4.29.143] 7962 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202206; rev:1;)
alert tcp $HOME_NET any -> [185.68.93.12] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202207; rev:1;)
alert tcp $HOME_NET any -> [212.92.98.179] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202208; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.71] 4181 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202209; rev:1;)
alert tcp $HOME_NET any -> [188.209.52.62] 49575 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202210; rev:1;)
alert tcp $HOME_NET any -> [95.161.180.42] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202211; rev:1;)
alert tcp $HOME_NET any -> [203.86.222.142] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202212; rev:1;)
alert tcp $HOME_NET any -> [46.21.249.211] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202213; rev:1;)
alert tcp $HOME_NET any -> [191.6.18.166] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202214; rev:1;)
alert tcp $HOME_NET any -> [185.236.130.126] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202215; rev:1;)
alert tcp $HOME_NET any -> [193.233.62.145] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202216; rev:1;)
alert tcp $HOME_NET any -> [193.0.179.140] 80 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202217; rev:1;)
alert tcp $HOME_NET any -> [89.37.226.157] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202218; rev:1;)
alert tcp $HOME_NET any -> [144.48.51.8] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202219; rev:1;)
alert tcp $HOME_NET any -> [176.32.33.9] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202220; rev:1;)
alert tcp $HOME_NET any -> [194.87.111.48] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202221; rev:1;)
alert tcp $HOME_NET any -> [86.105.1.151] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202222; rev:1;)
alert tcp $HOME_NET any -> [172.86.120.111] 443 (msg:"SSLBL: Traffic to malicious host (likely Smoke Loader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202223; rev:1;)
alert tcp $HOME_NET any -> [92.53.91.229] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202224; rev:1;)
alert tcp $HOME_NET any -> [82.146.62.102] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202225; rev:1;)
alert tcp $HOME_NET any -> [195.133.48.9] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202226; rev:1;)
alert tcp $HOME_NET any -> [109.95.114.28] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202227; rev:1;)
alert tcp $HOME_NET any -> [195.123.237.208] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202228; rev:1;)
alert tcp $HOME_NET any -> [185.228.233.185] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202229; rev:1;)
alert tcp $HOME_NET any -> [185.228.233.133] 447 (msg:"SSLBL: Traffic to malicious host (likely Trickbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202230; rev:1;)
alert tcp $HOME_NET any -> [185.249.255.172] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202231; rev:1;)
alert tcp $HOME_NET any -> [78.155.199.161] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202232; rev:1;)
alert tcp $HOME_NET any -> [179.107.89.145] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202233; rev:1;)
alert tcp $HOME_NET any -> [185.42.192.194] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202234; rev:1;)
alert tcp $HOME_NET any -> [185.159.128.224] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202235; rev:1;)
alert tcp $HOME_NET any -> [173.220.6.194] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202236; rev:1;)
alert tcp $HOME_NET any -> [95.213.252.243] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202237; rev:1;)
alert tcp $HOME_NET any -> [68.96.73.154] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202238; rev:1;)
alert tcp $HOME_NET any -> [185.223.95.66] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202239; rev:1;)
alert tcp $HOME_NET any -> [46.20.207.204] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202240; rev:1;)
alert tcp $HOME_NET any -> [195.136.226.11] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202241; rev:1;)
alert tcp $HOME_NET any -> [109.234.38.128] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202242; rev:1;)
alert tcp $HOME_NET any -> [94.103.81.11] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202243; rev:1;)
alert tcp $HOME_NET any -> [185.223.95.108] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202244; rev:1;)
alert tcp $HOME_NET any -> [95.213.204.217] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202245; rev:1;)
alert tcp $HOME_NET any -> [118.91.178.106] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202246; rev:1;)
alert tcp $HOME_NET any -> [91.206.4.216] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202247; rev:1;)
alert tcp $HOME_NET any -> [185.228.232.218] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202248; rev:1;)
alert tcp $HOME_NET any -> [137.74.159.36] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202249; rev:1;)
alert tcp $HOME_NET any -> [185.228.233.23] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202250; rev:1;)
alert tcp $HOME_NET any -> [86.105.1.15] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202251; rev:1;)
alert tcp $HOME_NET any -> [70.91.134.61] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202252; rev:1;)
alert tcp $HOME_NET any -> [130.180.89.70] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202253; rev:1;)
alert tcp $HOME_NET any -> [94.103.80.27] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202254; rev:1;)
alert tcp $HOME_NET any -> [194.87.103.45] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202255; rev:1;)
alert tcp $HOME_NET any -> [176.122.20.28] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202256; rev:1;)
alert tcp $HOME_NET any -> [91.243.80.109] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202257; rev:1;)
alert tcp $HOME_NET any -> [109.234.39.242] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202258; rev:1;)
alert tcp $HOME_NET any -> [85.143.173.177] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202259; rev:1;)
alert tcp $HOME_NET any -> [185.159.129.10] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202260; rev:1;)
alert tcp $HOME_NET any -> [109.234.37.114] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202261; rev:1;)
alert tcp $HOME_NET any -> [90.63.223.63] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202262; rev:1;)
alert tcp $HOME_NET any -> [185.26.174.189] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202263; rev:1;)
alert tcp $HOME_NET any -> [37.230.114.136] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202264; rev:1;)
alert tcp $HOME_NET any -> [176.121.215.149] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202265; rev:1;)
alert tcp $HOME_NET any -> [94.103.82.78] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202266; rev:1;)
alert tcp $HOME_NET any -> [185.243.131.63] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202267; rev:1;)
alert tcp $HOME_NET any -> [85.143.214.12] 447 (msg:"SSLBL: Traffic to malicious host (likely Trickbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202268; rev:1;)
alert tcp $HOME_NET any -> [93.181.186.127] 451 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202269; rev:1;)
alert tcp $HOME_NET any -> [95.213.252.10] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202270; rev:1;)
alert tcp $HOME_NET any -> [65.123.48.221] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202271; rev:1;)
alert tcp $HOME_NET any -> [92.53.78.213] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202272; rev:1;)
alert tcp $HOME_NET any -> [69.122.117.95] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202273; rev:1;)
alert tcp $HOME_NET any -> [146.255.79.186] 5030 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202274; rev:1;)
alert tcp $HOME_NET any -> [146.185.254.16] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202275; rev:1;)
alert tcp $HOME_NET any -> [85.143.222.45] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202276; rev:1;)
alert tcp $HOME_NET any -> [189.84.125.37] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202277; rev:1;)
alert tcp $HOME_NET any -> [185.249.254.45] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202278; rev:1;)
alert tcp $HOME_NET any -> [94.103.82.65] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202279; rev:1;)
alert tcp $HOME_NET any -> [89.37.56.24] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202280; rev:1;)
alert tcp $HOME_NET any -> [185.159.128.158] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202281; rev:1;)
alert tcp $HOME_NET any -> [207.140.15.87] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202282; rev:1;)
alert tcp $HOME_NET any -> [89.223.24.221] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202283; rev:1;)
alert tcp $HOME_NET any -> [86.23.59.198] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202284; rev:1;)
alert tcp $HOME_NET any -> [92.53.91.229] 447 (msg:"SSLBL: Traffic to malicious host (likely Trickbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202285; rev:1;)
alert tcp $HOME_NET any -> [195.133.196.2] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202286; rev:1;)
alert tcp $HOME_NET any -> [185.26.174.189] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202287; rev:1;)
alert tcp $HOME_NET any -> [193.233.62.127] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202288; rev:1;)
alert tcp $HOME_NET any -> [195.123.216.102] 447 (msg:"SSLBL: Traffic to malicious host (likely Trickbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202289; rev:1;)
alert tcp $HOME_NET any -> [85.143.221.60] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202290; rev:1;)
alert tcp $HOME_NET any -> [185.158.155.56] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202291; rev:1;)
alert tcp $HOME_NET any -> [195.133.147.9] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202292; rev:1;)
alert tcp $HOME_NET any -> [31.41.81.47] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202293; rev:1;)
alert tcp $HOME_NET any -> [78.155.206.228] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202294; rev:1;)
alert tcp $HOME_NET any -> [192.225.226.15] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202295; rev:1;)
alert tcp $HOME_NET any -> [109.234.38.199] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202296; rev:1;)
alert tcp $HOME_NET any -> [94.230.20.47] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202297; rev:1;)
alert tcp $HOME_NET any -> [95.213.235.54] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202298; rev:1;)
alert tcp $HOME_NET any -> [109.234.35.230] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202299; rev:1;)
alert tcp $HOME_NET any -> [31.134.52.42] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202300; rev:1;)
alert tcp $HOME_NET any -> [185.159.128.75] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202301; rev:1;)
alert tcp $HOME_NET any -> [185.174.173.116] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202302; rev:1;)
alert tcp $HOME_NET any -> [93.181.186.127] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202303; rev:1;)
alert tcp $HOME_NET any -> [185.56.90.77] 19000 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202304; rev:1;)
alert tcp $HOME_NET any -> [185.228.232.14] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202305; rev:1;)
alert tcp $HOME_NET any -> [95.181.179.96] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202306; rev:1;)
alert tcp $HOME_NET any -> [192.95.35.78] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202307; rev:1;)
alert tcp $HOME_NET any -> [178.32.52.15] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202308; rev:1;)
alert tcp $HOME_NET any -> [31.131.27.106] 447 (msg:"SSLBL: Traffic to malicious host (likely Trickbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202309; rev:1;)
alert tcp $HOME_NET any -> [82.146.59.117] 443 (msg:"SSLBL: Traffic to malicious host (likely Trickbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202310; rev:1;)
alert tcp $HOME_NET any -> [85.222.109.54] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202311; rev:1;)
alert tcp $HOME_NET any -> [195.123.213.188] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202312; rev:1;)
alert tcp $HOME_NET any -> [93.95.97.136] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202313; rev:1;)
alert tcp $HOME_NET any -> [188.227.72.195] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202314; rev:1;)
alert tcp $HOME_NET any -> [92.53.78.236] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202315; rev:1;)
alert tcp $HOME_NET any -> [185.228.232.215] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202316; rev:1;)
alert tcp $HOME_NET any -> [109.95.113.130] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202317; rev:1;)
alert tcp $HOME_NET any -> [199.247.31.200] 443 (msg:"SSLBL: Traffic to malicious host (likely Corebot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202318; rev:1;)
alert tcp $HOME_NET any -> [186.2.168.150] 443 (msg:"SSLBL: Traffic to malicious host (likely QuantLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202319; rev:1;)
alert tcp $HOME_NET any -> [82.214.141.134] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202320; rev:1;)
alert tcp $HOME_NET any -> [178.209.40.104] 443 (msg:"SSLBL: Traffic to malicious host (likely Corebot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202321; rev:1;)
alert tcp $HOME_NET any -> [195.123.233.83] 443 (msg:"SSLBL: Traffic to malicious host (likely Corebot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202322; rev:1;)
alert tcp $HOME_NET any -> [86.105.18.236] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202323; rev:1;)
alert tcp $HOME_NET any -> [31.131.26.13] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202324; rev:1;)
alert tcp $HOME_NET any -> [91.243.81.13] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202325; rev:1;)
alert tcp $HOME_NET any -> [5.188.231.226] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202326; rev:1;)
alert tcp $HOME_NET any -> [85.143.175.248] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202327; rev:1;)
alert tcp $HOME_NET any -> [81.227.0.215] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202328; rev:1;)
alert tcp $HOME_NET any -> [109.173.183.245] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202329; rev:1;)
alert tcp $HOME_NET any -> [23.105.131.139] 2023 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202330; rev:1;)
alert tcp $HOME_NET any -> [109.234.35.3] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202331; rev:1;)
alert tcp $HOME_NET any -> [185.55.64.47] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202332; rev:1;)
alert tcp $HOME_NET any -> [82.202.226.62] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202333; rev:1;)
alert tcp $HOME_NET any -> [66.70.218.34] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202334; rev:1;)
alert tcp $HOME_NET any -> [5.8.88.166] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202335; rev:1;)
alert tcp $HOME_NET any -> [192.251.231.14] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202336; rev:1;)
alert tcp $HOME_NET any -> [31.134.60.181] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202337; rev:1;)
alert tcp $HOME_NET any -> [31.172.177.90] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202338; rev:1;)
alert tcp $HOME_NET any -> [212.14.51.56] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202339; rev:1;)
alert tcp $HOME_NET any -> [185.180.196.109] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202340; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.75] 7768 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202341; rev:1;)
alert tcp $HOME_NET any -> [185.180.196.99] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202342; rev:1;)
alert tcp $HOME_NET any -> [65.40.207.151] 995 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202343; rev:1;)
alert tcp $HOME_NET any -> [185.180.197.58] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202344; rev:1;)
alert tcp $HOME_NET any -> [195.133.146.156] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202345; rev:1;)
alert tcp $HOME_NET any -> [217.63.197.185] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202346; rev:1;)
alert tcp $HOME_NET any -> [5.255.94.80] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202347; rev:1;)
alert tcp $HOME_NET any -> [91.243.80.131] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202348; rev:1;)
alert tcp $HOME_NET any -> [94.177.12.145] 443 (msg:"SSLBL: Traffic to malicious host (likely Corebot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202349; rev:1;)
alert tcp $HOME_NET any -> [138.128.5.96] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202350; rev:1;)
alert tcp $HOME_NET any -> [178.170.244.36] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202351; rev:1;)
alert tcp $HOME_NET any -> [46.21.249.49] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202352; rev:1;)
alert tcp $HOME_NET any -> [46.249.62.206] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202353; rev:1;)
alert tcp $HOME_NET any -> [185.246.65.222] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202354; rev:1;)
alert tcp $HOME_NET any -> [46.249.62.219] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202355; rev:1;)
alert tcp $HOME_NET any -> [5.63.158.236] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202356; rev:1;)
alert tcp $HOME_NET any -> [134.0.115.63] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202357; rev:1;)
alert tcp $HOME_NET any -> [45.77.61.121] 443 (msg:"SSLBL: Traffic to malicious host (likely Corebot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202358; rev:1;)
alert tcp $HOME_NET any -> [89.248.171.38] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202359; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.73] 2141 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202360; rev:1;)
alert tcp $HOME_NET any -> [192.71.247.158] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202361; rev:1;)
alert tcp $HOME_NET any -> [199.247.7.16] 443 (msg:"SSLBL: Traffic to malicious host (likely Corebot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202362; rev:1;)
alert tcp $HOME_NET any -> [109.234.35.121] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202363; rev:1;)
alert tcp $HOME_NET any -> [37.220.31.11] 443 (msg:"SSLBL: Traffic to malicious host (likely Corebot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202364; rev:1;)
alert tcp $HOME_NET any -> [91.221.36.71] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202365; rev:1;)
alert tcp $HOME_NET any -> [185.228.233.229] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202366; rev:1;)
alert tcp $HOME_NET any -> [46.148.26.106] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedId C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202367; rev:1;)
alert tcp $HOME_NET any -> [23.105.131.148] 4001 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202368; rev:1;)
alert tcp $HOME_NET any -> [91.243.80.21] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202369; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.36] 7575 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202370; rev:1;)
alert tcp $HOME_NET any -> [185.212.149.48] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202371; rev:1;)
alert tcp $HOME_NET any -> [86.105.18.64] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202372; rev:1;)
alert tcp $HOME_NET any -> [185.68.93.41] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202373; rev:1;)
alert tcp $HOME_NET any -> [95.46.8.65] 443 (msg:"SSLBL: Traffic to malicious host (likely Cobalt C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202374; rev:1;)
alert tcp $HOME_NET any -> [181.175.124.212] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202375; rev:1;)
alert tcp $HOME_NET any -> [81.176.239.167] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202376; rev:1;)
alert tcp $HOME_NET any -> [89.35.228.199] 2067 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202377; rev:1;)
alert tcp $HOME_NET any -> [37.187.54.76] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202378; rev:1;)
alert tcp $HOME_NET any -> [37.187.54.76] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202379; rev:1;)
alert tcp $HOME_NET any -> [81.169.128.232] 4743 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202380; rev:1;)
alert tcp $HOME_NET any -> [194.87.236.45] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202381; rev:1;)
alert tcp $HOME_NET any -> [46.21.249.52] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202382; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.5] 8877 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202383; rev:1;)
alert tcp $HOME_NET any -> [194.87.235.92] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202384; rev:1;)
alert tcp $HOME_NET any -> [210.187.214.162] 9349 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202385; rev:1;)
alert tcp $HOME_NET any -> [31.171.155.33] 1215 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202386; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.36] 6774 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202387; rev:1;)
alert tcp $HOME_NET any -> [212.92.98.106] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202388; rev:1;)
alert tcp $HOME_NET any -> [176.223.111.157] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202389; rev:1;)
alert tcp $HOME_NET any -> [213.152.162.84] 56293 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202390; rev:1;)
alert tcp $HOME_NET any -> [185.48.239.33] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202391; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.49] 7741 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202392; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.6] 2378 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202393; rev:1;)
alert tcp $HOME_NET any -> [5.133.179.117] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202394; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.33] 1996 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202395; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.33] 2060 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202396; rev:1;)
alert tcp $HOME_NET any -> [78.130.176.198] 7798 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202397; rev:1;)
alert tcp $HOME_NET any -> [45.113.70.163] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202398; rev:1;)
alert tcp $HOME_NET any -> [185.145.44.174] 1313 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202399; rev:1;)
alert tcp $HOME_NET any -> [5.187.49.225] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202400; rev:1;)
alert tcp $HOME_NET any -> [195.133.144.185] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202401; rev:1;)
alert tcp $HOME_NET any -> [194.87.234.173] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202402; rev:1;)
alert tcp $HOME_NET any -> [194.87.237.93] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202403; rev:1;)
alert tcp $HOME_NET any -> [160.202.163.240] 8877 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202404; rev:1;)
alert tcp $HOME_NET any -> [95.140.125.122] 7499 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202405; rev:1;)
alert tcp $HOME_NET any -> [206.255.220.53] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202406; rev:1;)
alert tcp $HOME_NET any -> [212.92.98.7] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202407; rev:1;)
alert tcp $HOME_NET any -> [212.14.51.56] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202408; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.81] 1810 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202409; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.25] 7799 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202410; rev:1;)
alert tcp $HOME_NET any -> [185.175.158.202] 443 (msg:"SSLBL: Traffic to malicious host (likely Cobalt C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202411; rev:1;)
alert tcp $HOME_NET any -> [185.211.247.31] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202412; rev:1;)
alert tcp $HOME_NET any -> [174.127.99.218] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202413; rev:1;)
alert tcp $HOME_NET any -> [185.212.149.47] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202414; rev:1;)
alert tcp $HOME_NET any -> [92.114.92.11] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202415; rev:1;)
alert tcp $HOME_NET any -> [5.206.224.22] 443 (msg:"SSLBL: Traffic to malicious host (likely RevCodeRAT C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202416; rev:1;)
alert tcp $HOME_NET any -> [89.45.67.21] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202417; rev:1;)
alert tcp $HOME_NET any -> [173.212.248.207] 5051 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202418; rev:1;)
alert tcp $HOME_NET any -> [178.33.108.70] 2050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202419; rev:1;)
alert tcp $HOME_NET any -> [194.87.239.78] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202420; rev:1;)
alert tcp $HOME_NET any -> [179.43.147.247] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202421; rev:1;)
alert tcp $HOME_NET any -> [185.24.232.163] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202422; rev:1;)
alert tcp $HOME_NET any -> [212.14.51.43] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202423; rev:1;)
alert tcp $HOME_NET any -> [78.155.219.55] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202424; rev:1;)
alert tcp $HOME_NET any -> [185.208.211.171] 7119 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202425; rev:1;)
alert tcp $HOME_NET any -> [185.189.112.157] 3040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202426; rev:1;)
alert tcp $HOME_NET any -> [160.202.163.200] 1991 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202427; rev:1;)
alert tcp $HOME_NET any -> [79.172.242.94] 6692 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202428; rev:1;)
alert tcp $HOME_NET any -> [173.254.223.83] 5434 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202429; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.177] 3076 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202430; rev:1;)
alert tcp $HOME_NET any -> [178.124.140.154] 1994 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202431; rev:1;)
alert tcp $HOME_NET any -> [69.64.251.41] 2565 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202432; rev:1;)
alert tcp $HOME_NET any -> [185.171.25.8] 2103 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202433; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.44] 7075 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202434; rev:1;)
alert tcp $HOME_NET any -> [45.32.24.40] 3033 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202435; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.69] 3940 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202436; rev:1;)
alert tcp $HOME_NET any -> [95.141.43.197] 2212 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202437; rev:1;)
alert tcp $HOME_NET any -> [23.105.131.186] 4455 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202438; rev:1;)
alert tcp $HOME_NET any -> [103.68.223.149] 1991 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202439; rev:1;)
alert tcp $HOME_NET any -> [185.145.45.33] 32266 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202440; rev:1;)
alert tcp $HOME_NET any -> [95.141.43.194] 3333 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202441; rev:1;)
alert tcp $HOME_NET any -> [79.172.242.33] 7037 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202442; rev:1;)
alert tcp $HOME_NET any -> [191.101.22.86] 8181 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202443; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.38] 2019 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202444; rev:1;)
alert tcp $HOME_NET any -> [84.38.135.148] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202445; rev:1;)
alert tcp $HOME_NET any -> [178.175.138.146] 1987 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202446; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.35] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202447; rev:1;)
alert tcp $HOME_NET any -> [185.171.25.28] 7119 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202448; rev:1;)
alert tcp $HOME_NET any -> [185.209.85.70] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202449; rev:1;)
alert tcp $HOME_NET any -> [84.200.84.224] 443 (msg:"SSLBL: Traffic to malicious host (likely Corebot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202450; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.54] 4781 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202451; rev:1;)
alert tcp $HOME_NET any -> [178.175.138.209] 1987 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202452; rev:1;)
alert tcp $HOME_NET any -> [191.101.22.5] 4040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202453; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.37] 1818 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202454; rev:1;)
alert tcp $HOME_NET any -> [5.196.121.163] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202455; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.43] 2222 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202456; rev:1;)
alert tcp $HOME_NET any -> [95.213.204.124] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202457; rev:1;)
alert tcp $HOME_NET any -> [69.124.38.159] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202458; rev:1;)
alert tcp $HOME_NET any -> [185.45.192.185] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202459; rev:1;)
alert tcp $HOME_NET any -> [154.16.93.178] 5678 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202460; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.62] 6789 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202461; rev:1;)
alert tcp $HOME_NET any -> [185.171.25.11] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202462; rev:1;)
alert tcp $HOME_NET any -> [185.145.45.9] 2526 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202463; rev:1;)
alert tcp $HOME_NET any -> [185.163.45.48] 1992 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202464; rev:1;)
alert tcp $HOME_NET any -> [137.74.157.92] 2020 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202465; rev:1;)
alert tcp $HOME_NET any -> [185.171.25.8] 1313 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202466; rev:1;)
alert tcp $HOME_NET any -> [185.101.34.90] 1789 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202467; rev:1;)
alert tcp $HOME_NET any -> [185.29.8.119] 2020 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202468; rev:1;)
alert tcp $HOME_NET any -> [185.171.25.28] 2222 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202469; rev:1;)
alert tcp $HOME_NET any -> [195.133.1.211] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202470; rev:1;)
alert tcp $HOME_NET any -> [185.24.232.164] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202471; rev:1;)
alert tcp $HOME_NET any -> [194.68.59.38] 10101 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202472; rev:1;)
alert tcp $HOME_NET any -> [178.175.138.231] 8181 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202473; rev:1;)
alert tcp $HOME_NET any -> [62.102.148.156] 64271 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202474; rev:1;)
alert tcp $HOME_NET any -> [89.35.228.196] 1989 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202475; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.52] 7110 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202476; rev:1;)
alert tcp $HOME_NET any -> [67.215.9.226] 5680 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202477; rev:1;)
alert tcp $HOME_NET any -> [194.68.59.34] 3366 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202478; rev:1;)
alert tcp $HOME_NET any -> [79.172.242.97] 3917 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202479; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.43] 1991 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202480; rev:1;)
alert tcp $HOME_NET any -> [109.234.36.11] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202481; rev:1;)
alert tcp $HOME_NET any -> [78.130.176.186] 8181 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202482; rev:1;)
alert tcp $HOME_NET any -> [195.133.144.162] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202483; rev:1;)
alert tcp $HOME_NET any -> [92.53.77.125] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202484; rev:1;)
alert tcp $HOME_NET any -> [78.130.176.178] 9000 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202485; rev:1;)
alert tcp $HOME_NET any -> [176.10.100.155] 6789 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202486; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.52] 70 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202487; rev:1;)
alert tcp $HOME_NET any -> [219.92.131.188] 3255 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202488; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.2] 4914 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202489; rev:1;)
alert tcp $HOME_NET any -> [191.101.22.29] 53826 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202490; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.53] 6643 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202491; rev:1;)
alert tcp $HOME_NET any -> [23.105.131.191] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202492; rev:1;)
alert tcp $HOME_NET any -> [191.101.27.3] 4933 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202493; rev:1;)
alert tcp $HOME_NET any -> [144.217.20.62] 2525 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202494; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.26] 8102 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202495; rev:1;)
alert tcp $HOME_NET any -> [60.50.229.87] 9349 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202496; rev:1;)
alert tcp $HOME_NET any -> [146.255.79.167] 4343 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202497; rev:1;)
alert tcp $HOME_NET any -> [174.127.99.175] 7039 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202498; rev:1;)
alert tcp $HOME_NET any -> [176.10.100.157] 3020 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202499; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.36] 1956 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202500; rev:1;)
alert tcp $HOME_NET any -> [185.145.45.81] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202501; rev:1;)
alert tcp $HOME_NET any -> [86.105.1.116] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202502; rev:1;)
alert tcp $HOME_NET any -> [216.38.7.248] 1212 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202503; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.19] 4101 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202504; rev:1;)
alert tcp $HOME_NET any -> [92.53.78.158] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202505; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.20] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202506; rev:1;)
alert tcp $HOME_NET any -> [174.127.99.139] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202507; rev:1;)
alert tcp $HOME_NET any -> [185.62.188.94] 49575 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202508; rev:1;)
alert tcp $HOME_NET any -> [185.236.130.122] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202509; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.27] 6042 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202510; rev:1;)
alert tcp $HOME_NET any -> [185.236.130.28] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202511; rev:1;)
alert tcp $HOME_NET any -> [213.208.129.203] 100 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202512; rev:1;)
alert tcp $HOME_NET any -> [185.171.25.10] 5534 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202513; rev:1;)
alert tcp $HOME_NET any -> [23.105.131.159] 1002 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202514; rev:1;)
alert tcp $HOME_NET any -> [213.152.162.165] 34071 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202515; rev:1;)
alert tcp $HOME_NET any -> [94.242.57.57] 443 (msg:"SSLBL: Traffic to malicious host (likely Cobalt C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202516; rev:1;)
alert tcp $HOME_NET any -> [213.208.129.199] 3422 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202517; rev:1;)
alert tcp $HOME_NET any -> [85.214.62.153] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202518; rev:1;)
alert tcp $HOME_NET any -> [205.178.144.133] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202519; rev:1;)
alert tcp $HOME_NET any -> [95.140.125.115] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202520; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.36] 6466 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202521; rev:1;)
alert tcp $HOME_NET any -> [23.105.131.132] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202522; rev:1;)
alert tcp $HOME_NET any -> [95.140.125.72] 2555 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202523; rev:1;)
alert tcp $HOME_NET any -> [185.236.130.123] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202524; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.36] 3939 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202525; rev:1;)
alert tcp $HOME_NET any -> [77.48.28.226] 7383 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202526; rev:1;)
alert tcp $HOME_NET any -> [185.171.25.6] 1985 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202527; rev:1;)
alert tcp $HOME_NET any -> [181.215.247.126] 4201 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202528; rev:1;)
alert tcp $HOME_NET any -> [185.186.244.86] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202529; rev:1;)
alert tcp $HOME_NET any -> [154.16.93.177] 3465 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202530; rev:1;)
alert tcp $HOME_NET any -> [191.101.22.139] 18993 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202531; rev:1;)
alert tcp $HOME_NET any -> [178.175.138.200] 1722 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202532; rev:1;)
alert tcp $HOME_NET any -> [66.189.228.49] 995 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202533; rev:1;)
alert tcp $HOME_NET any -> [78.155.218.18] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202534; rev:1;)
alert tcp $HOME_NET any -> [149.255.36.229] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202535; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.45] 6890 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202536; rev:1;)
alert tcp $HOME_NET any -> [45.77.82.205] 2002 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202537; rev:1;)
alert tcp $HOME_NET any -> [95.213.194.9] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202538; rev:1;)
alert tcp $HOME_NET any -> [94.103.82.18] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202539; rev:1;)
alert tcp $HOME_NET any -> [95.140.125.34] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202540; rev:1;)
alert tcp $HOME_NET any -> [185.56.90.79] 2000 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202541; rev:1;)
alert tcp $HOME_NET any -> [216.38.7.252] 8585 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202542; rev:1;)
alert tcp $HOME_NET any -> [23.105.131.192] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202543; rev:1;)
alert tcp $HOME_NET any -> [191.101.22.24] 4914 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202544; rev:1;)
alert tcp $HOME_NET any -> [185.84.181.99] 2258 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202545; rev:1;)
alert tcp $HOME_NET any -> [91.192.100.60] 1985 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202546; rev:1;)
alert tcp $HOME_NET any -> [194.87.95.2] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202547; rev:1;)
alert tcp $HOME_NET any -> [174.127.99.165] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202548; rev:1;)
alert tcp $HOME_NET any -> [94.250.252.22] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202549; rev:1;)
alert tcp $HOME_NET any -> [62.109.27.157] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202550; rev:1;)
alert tcp $HOME_NET any -> [37.230.115.201] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202551; rev:1;)
alert tcp $HOME_NET any -> [185.228.232.87] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202552; rev:1;)
alert tcp $HOME_NET any -> [77.244.215.158] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202553; rev:1;)
alert tcp $HOME_NET any -> [174.127.99.214] 1313 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202554; rev:1;)
alert tcp $HOME_NET any -> [78.130.176.162] 5543 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202555; rev:1;)
alert tcp $HOME_NET any -> [137.74.157.90] 2020 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202556; rev:1;)
alert tcp $HOME_NET any -> [194.68.59.33] 7321 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202557; rev:1;)
alert tcp $HOME_NET any -> [160.202.163.242] 2000 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202558; rev:1;)
alert tcp $HOME_NET any -> [46.21.248.108] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202559; rev:1;)
alert tcp $HOME_NET any -> [185.171.25.10] 5531 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202560; rev:1;)
alert tcp $HOME_NET any -> [107.155.72.119] 1602 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202561; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.49] 6060 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202562; rev:1;)
alert tcp $HOME_NET any -> [185.145.45.176] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202563; rev:1;)
alert tcp $HOME_NET any -> [212.7.208.71] 1979 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202564; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.31] 4040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202565; rev:1;)
alert tcp $HOME_NET any -> [146.255.79.174] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202566; rev:1;)
alert tcp $HOME_NET any -> [109.234.34.110] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202567; rev:1;)
alert tcp $HOME_NET any -> [191.101.22.27] 11339 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202568; rev:1;)
alert tcp $HOME_NET any -> [185.158.114.129] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202569; rev:1;)
alert tcp $HOME_NET any -> [172.104.10.121] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202570; rev:1;)
alert tcp $HOME_NET any -> [95.140.125.123] 2018 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202571; rev:1;)
alert tcp $HOME_NET any -> [194.87.93.225] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202572; rev:1;)
alert tcp $HOME_NET any -> [46.19.137.137] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202573; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.212] 2000 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202574; rev:1;)
alert tcp $HOME_NET any -> [194.87.92.147] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202575; rev:1;)
alert tcp $HOME_NET any -> [109.234.36.181] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202576; rev:1;)
alert tcp $HOME_NET any -> [191.96.15.135] 2675 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202577; rev:1;)
alert tcp $HOME_NET any -> [94.103.80.134] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202578; rev:1;)
alert tcp $HOME_NET any -> [95.213.237.49] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202579; rev:1;)
alert tcp $HOME_NET any -> [212.7.218.56] 9480 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202580; rev:1;)
alert tcp $HOME_NET any -> [141.255.167.124] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202581; rev:1;)
alert tcp $HOME_NET any -> [62.109.25.11] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202582; rev:1;)
alert tcp $HOME_NET any -> [37.230.114.93] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202583; rev:1;)
alert tcp $HOME_NET any -> [78.155.218.189] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202584; rev:1;)
alert tcp $HOME_NET any -> [92.63.106.43] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202585; rev:1;)
alert tcp $HOME_NET any -> [78.24.218.206] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202586; rev:1;)
alert tcp $HOME_NET any -> [95.154.199.237] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202587; rev:1;)
alert tcp $HOME_NET any -> [82.146.57.127] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202588; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.34] 2012 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202589; rev:1;)
alert tcp $HOME_NET any -> [194.68.59.34] 9125 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202590; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.26] 5011 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202591; rev:1;)
alert tcp $HOME_NET any -> [62.109.26.251] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202592; rev:1;)
alert tcp $HOME_NET any -> [109.234.37.132] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202593; rev:1;)
alert tcp $HOME_NET any -> [95.213.195.169] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202594; rev:1;)
alert tcp $HOME_NET any -> [194.87.145.179] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202595; rev:1;)
alert tcp $HOME_NET any -> [184.155.19.94] 2222 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202596; rev:1;)
alert tcp $HOME_NET any -> [73.76.201.210] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202597; rev:1;)
alert tcp $HOME_NET any -> [131.108.170.231] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202598; rev:1;)
alert tcp $HOME_NET any -> [93.113.45.10] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202599; rev:1;)
alert tcp $HOME_NET any -> [37.230.115.129] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202600; rev:1;)
alert tcp $HOME_NET any -> [185.234.15.7] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202601; rev:1;)
alert tcp $HOME_NET any -> [5.188.231.3] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202602; rev:1;)
alert tcp $HOME_NET any -> [193.124.117.229] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202603; rev:1;)
alert tcp $HOME_NET any -> [5.188.231.141] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202604; rev:1;)
alert tcp $HOME_NET any -> [5.188.231.7] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202605; rev:1;)
alert tcp $HOME_NET any -> [178.159.36.92] 443 (msg:"SSLBL: Traffic to malicious host (likely LockPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202606; rev:1;)
alert tcp $HOME_NET any -> [89.36.214.238] 443 (msg:"SSLBL: Traffic to malicious host (likely Downloader.AuotIT.ZLIB C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202607; rev:1;)
alert tcp $HOME_NET any -> [203.24.188.166] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202608; rev:1;)
alert tcp $HOME_NET any -> [94.177.229.24] 443 (msg:"SSLBL: Traffic to malicious host (likely Downloader.AuotIT.ZLIB C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202609; rev:1;)
alert tcp $HOME_NET any -> [176.31.46.70] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202610; rev:1;)
alert tcp $HOME_NET any -> [185.106.120.201] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202611; rev:1;)
alert tcp $HOME_NET any -> [66.222.48.40] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202612; rev:1;)
alert tcp $HOME_NET any -> [86.27.41.234] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202613; rev:1;)
alert tcp $HOME_NET any -> [95.213.251.136] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202614; rev:1;)
alert tcp $HOME_NET any -> [46.30.45.208] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202615; rev:1;)
alert tcp $HOME_NET any -> [98.191.134.121] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202616; rev:1;)
alert tcp $HOME_NET any -> [92.53.91.109] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202617; rev:1;)
alert tcp $HOME_NET any -> [194.87.238.84] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202618; rev:1;)
alert tcp $HOME_NET any -> [5.8.88.133] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202619; rev:1;)
alert tcp $HOME_NET any -> [89.18.27.155] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202620; rev:1;)
alert tcp $HOME_NET any -> [146.255.79.187] 9010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202621; rev:1;)
alert tcp $HOME_NET any -> [145.239.21.254] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202622; rev:1;)
alert tcp $HOME_NET any -> [185.101.34.84] 2675 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202623; rev:1;)
alert tcp $HOME_NET any -> [77.48.28.201] 22777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202624; rev:1;)
alert tcp $HOME_NET any -> [190.123.44.141] 1501 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202625; rev:1;)
alert tcp $HOME_NET any -> [185.227.83.56] 3052 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202626; rev:1;)
alert tcp $HOME_NET any -> [85.204.49.128] 6088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202627; rev:1;)
alert tcp $HOME_NET any -> [151.106.2.127] 7050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202628; rev:1;)
alert tcp $HOME_NET any -> [195.133.201.94] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202629; rev:1;)
alert tcp $HOME_NET any -> [78.130.176.192] 6796 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202630; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.3] 5097 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202631; rev:1;)
alert tcp $HOME_NET any -> [104.236.172.37] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202632; rev:1;)
alert tcp $HOME_NET any -> [45.58.49.244] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202633; rev:1;)
alert tcp $HOME_NET any -> [95.46.114.118] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202634; rev:1;)
alert tcp $HOME_NET any -> [185.82.217.96] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202635; rev:1;)
alert tcp $HOME_NET any -> [191.101.22.150] 2889 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202636; rev:1;)
alert tcp $HOME_NET any -> [46.8.158.34] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202637; rev:1;)
alert tcp $HOME_NET any -> [93.170.123.151] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202638; rev:1;)
alert tcp $HOME_NET any -> [95.46.98.93] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202639; rev:1;)
alert tcp $HOME_NET any -> [162.248.246.229] 4050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202640; rev:1;)
alert tcp $HOME_NET any -> [107.170.231.118] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202641; rev:1;)
alert tcp $HOME_NET any -> [94.242.58.113] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202642; rev:1;)
alert tcp $HOME_NET any -> [191.101.22.101] 1020 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202643; rev:1;)
alert tcp $HOME_NET any -> [192.254.173.150] 4443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202644; rev:1;)
alert tcp $HOME_NET any -> [27.102.107.180] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202645; rev:1;)
alert tcp $HOME_NET any -> [185.161.210.92] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202646; rev:1;)
alert tcp $HOME_NET any -> [92.53.66.162] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202647; rev:1;)
alert tcp $HOME_NET any -> [94.75.240.80] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202648; rev:1;)
alert tcp $HOME_NET any -> [188.120.243.242] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202649; rev:1;)
alert tcp $HOME_NET any -> [94.250.253.142] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202650; rev:1;)
alert tcp $HOME_NET any -> [194.87.236.228] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202651; rev:1;)
alert tcp $HOME_NET any -> [82.146.48.241] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202652; rev:1;)
alert tcp $HOME_NET any -> [193.124.117.189] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202653; rev:1;)
alert tcp $HOME_NET any -> [176.56.237.133] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202654; rev:1;)
alert tcp $HOME_NET any -> [200.111.97.235] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202655; rev:1;)
alert tcp $HOME_NET any -> [195.2.253.127] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202656; rev:1;)
alert tcp $HOME_NET any -> [94.250.255.50] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202657; rev:1;)
alert tcp $HOME_NET any -> [191.101.22.163] 3348 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202658; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.56] 1997 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202659; rev:1;)
alert tcp $HOME_NET any -> [185.224.133.57] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202660; rev:1;)
alert tcp $HOME_NET any -> [191.101.22.2] 1990 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202661; rev:1;)
alert tcp $HOME_NET any -> [185.171.25.4] 1988 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202662; rev:1;)
alert tcp $HOME_NET any -> [46.8.158.149] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202663; rev:1;)
alert tcp $HOME_NET any -> [212.7.208.82] 6060 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202664; rev:1;)
alert tcp $HOME_NET any -> [67.209.219.92] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202665; rev:1;)
alert tcp $HOME_NET any -> [179.43.147.200] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202666; rev:1;)
alert tcp $HOME_NET any -> [194.68.59.32] 2323 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202667; rev:1;)
alert tcp $HOME_NET any -> [109.120.155.23] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202668; rev:1;)
alert tcp $HOME_NET any -> [178.33.182.138] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202669; rev:1;)
alert tcp $HOME_NET any -> [86.105.1.122] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202670; rev:1;)
alert tcp $HOME_NET any -> [185.198.58.164] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202671; rev:1;)
alert tcp $HOME_NET any -> [185.186.140.192] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202672; rev:1;)
alert tcp $HOME_NET any -> [95.213.204.105] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202673; rev:1;)
alert tcp $HOME_NET any -> [5.200.55.47] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202674; rev:1;)
alert tcp $HOME_NET any -> [138.197.255.18] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202675; rev:1;)
alert tcp $HOME_NET any -> [173.212.227.54] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202676; rev:1;)
alert tcp $HOME_NET any -> [62.109.16.70] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202677; rev:1;)
alert tcp $HOME_NET any -> [185.80.130.32] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202678; rev:1;)
alert tcp $HOME_NET any -> [185.159.130.63] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202679; rev:1;)
alert tcp $HOME_NET any -> [62.109.26.193] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202680; rev:1;)
alert tcp $HOME_NET any -> [27.102.66.99] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202681; rev:1;)
alert tcp $HOME_NET any -> [5.133.11.56] 1840 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202682; rev:1;)
alert tcp $HOME_NET any -> [185.200.117.131] 3567 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202683; rev:1;)
alert tcp $HOME_NET any -> [185.22.173.239] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202684; rev:1;)
alert tcp $HOME_NET any -> [185.92.239.13] 9000 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202685; rev:1;)
alert tcp $HOME_NET any -> [95.154.199.98] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202686; rev:1;)
alert tcp $HOME_NET any -> [78.24.223.50] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202687; rev:1;)
alert tcp $HOME_NET any -> [92.53.66.115] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202688; rev:1;)
alert tcp $HOME_NET any -> [185.34.52.58] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202689; rev:1;)
alert tcp $HOME_NET any -> [95.213.235.211] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202690; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.56] 2644 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202691; rev:1;)
alert tcp $HOME_NET any -> [91.92.136.107] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202692; rev:1;)
alert tcp $HOME_NET any -> [213.208.152.206] 2889 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202693; rev:1;)
alert tcp $HOME_NET any -> [27.102.107.50] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202694; rev:1;)
alert tcp $HOME_NET any -> [185.164.34.18] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202695; rev:1;)
alert tcp $HOME_NET any -> [185.133.42.243] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202696; rev:1;)
alert tcp $HOME_NET any -> [94.177.12.239] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202697; rev:1;)
alert tcp $HOME_NET any -> [194.87.102.69] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202698; rev:1;)
alert tcp $HOME_NET any -> [92.53.78.220] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202699; rev:1;)
alert tcp $HOME_NET any -> [85.217.170.217] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202700; rev:1;)
alert tcp $HOME_NET any -> [137.74.150.218] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202701; rev:1;)
alert tcp $HOME_NET any -> [5.39.47.22] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202702; rev:1;)
alert tcp $HOME_NET any -> [185.22.173.238] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202703; rev:1;)
alert tcp $HOME_NET any -> [185.171.25.13] 6447 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202704; rev:1;)
alert tcp $HOME_NET any -> [95.140.125.23] 2051 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202705; rev:1;)
alert tcp $HOME_NET any -> [178.175.138.212] 9572 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202706; rev:1;)
alert tcp $HOME_NET any -> [86.105.227.136] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202707; rev:1;)
alert tcp $HOME_NET any -> [213.183.40.10] 1988 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202708; rev:1;)
alert tcp $HOME_NET any -> [23.254.202.203] 2688 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202709; rev:1;)
alert tcp $HOME_NET any -> [185.175.158.213] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202710; rev:1;)
alert tcp $HOME_NET any -> [31.41.46.196] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202711; rev:1;)
alert tcp $HOME_NET any -> [91.92.128.45] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202712; rev:1;)
alert tcp $HOME_NET any -> [185.84.181.87] 1759 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202713; rev:1;)
alert tcp $HOME_NET any -> [213.152.161.239] 10752 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202714; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.45] 6767 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202715; rev:1;)
alert tcp $HOME_NET any -> [185.228.232.68] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202716; rev:1;)
alert tcp $HOME_NET any -> [5.133.11.63] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202717; rev:1;)
alert tcp $HOME_NET any -> [194.87.102.252] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202718; rev:1;)
alert tcp $HOME_NET any -> [184.75.209.163] 5434 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202719; rev:1;)
alert tcp $HOME_NET any -> [212.38.166.228] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202720; rev:1;)
alert tcp $HOME_NET any -> [194.87.111.134] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202721; rev:1;)
alert tcp $HOME_NET any -> [176.10.124.195] 8877 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202722; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.51] 4141 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202723; rev:1;)
alert tcp $HOME_NET any -> [104.200.67.112] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202724; rev:1;)
alert tcp $HOME_NET any -> [66.146.66.27] 995 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202725; rev:1;)
alert tcp $HOME_NET any -> [154.16.63.19] 6045 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202726; rev:1;)
alert tcp $HOME_NET any -> [172.75.241.225] 995 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202727; rev:1;)
alert tcp $HOME_NET any -> [94.177.12.101] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202728; rev:1;)
alert tcp $HOME_NET any -> [95.150.72.177] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202729; rev:1;)
alert tcp $HOME_NET any -> [164.177.159.22] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202730; rev:1;)
alert tcp $HOME_NET any -> [128.199.244.136] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202731; rev:1;)
alert tcp $HOME_NET any -> [194.87.103.71] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202732; rev:1;)
alert tcp $HOME_NET any -> [94.250.254.104] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202733; rev:1;)
alert tcp $HOME_NET any -> [37.230.113.231] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202734; rev:1;)
alert tcp $HOME_NET any -> [208.69.58.252] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202735; rev:1;)
alert tcp $HOME_NET any -> [27.102.67.144] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202736; rev:1;)
alert tcp $HOME_NET any -> [194.87.238.194] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202737; rev:1;)
alert tcp $HOME_NET any -> [195.133.197.115] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202738; rev:1;)
alert tcp $HOME_NET any -> [95.213.236.81] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202739; rev:1;)
alert tcp $HOME_NET any -> [160.202.163.200] 1987 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202740; rev:1;)
alert tcp $HOME_NET any -> [212.7.218.59] 8741 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202741; rev:1;)
alert tcp $HOME_NET any -> [176.10.124.196] 1313 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202742; rev:1;)
alert tcp $HOME_NET any -> [79.172.242.86] 9555 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202743; rev:1;)
alert tcp $HOME_NET any -> [185.34.52.200] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202744; rev:1;)
alert tcp $HOME_NET any -> [45.63.77.42] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202745; rev:1;)
alert tcp $HOME_NET any -> [83.0.245.234] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202746; rev:1;)
alert tcp $HOME_NET any -> [89.37.226.101] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202747; rev:1;)
alert tcp $HOME_NET any -> [60.190.27.162] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202748; rev:1;)
alert tcp $HOME_NET any -> [91.92.128.144] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202749; rev:1;)
alert tcp $HOME_NET any -> [79.172.242.24] 1895 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202750; rev:1;)
alert tcp $HOME_NET any -> [46.249.62.244] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202751; rev:1;)
alert tcp $HOME_NET any -> [185.164.34.16] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202752; rev:1;)
alert tcp $HOME_NET any -> [187.188.162.150] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202753; rev:1;)
alert tcp $HOME_NET any -> [162.255.117.34] 800 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202754; rev:1;)
alert tcp $HOME_NET any -> [176.10.124.197] 1888 (msg:"SSLBL: Traffic to malicious host (likely JBifrost C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202755; rev:1;)
alert tcp $HOME_NET any -> [176.10.124.237] 2556 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202756; rev:1;)
alert tcp $HOME_NET any -> [194.87.145.199] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202757; rev:1;)
alert tcp $HOME_NET any -> [95.213.252.209] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202758; rev:1;)
alert tcp $HOME_NET any -> [109.120.152.175] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202759; rev:1;)
alert tcp $HOME_NET any -> [27.102.106.140] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202760; rev:1;)
alert tcp $HOME_NET any -> [204.152.219.98] 9988 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202761; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.43] 1011 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202762; rev:1;)
alert tcp $HOME_NET any -> [174.127.99.129] 1234 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202763; rev:1;)
alert tcp $HOME_NET any -> [179.43.147.235] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202764; rev:1;)
alert tcp $HOME_NET any -> [146.255.79.173] 6767 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202765; rev:1;)
alert tcp $HOME_NET any -> [185.80.130.216] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202766; rev:1;)
alert tcp $HOME_NET any -> [107.170.65.224] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202767; rev:1;)
alert tcp $HOME_NET any -> [79.106.41.23] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202768; rev:1;)
alert tcp $HOME_NET any -> [5.8.88.78] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202769; rev:1;)
alert tcp $HOME_NET any -> [185.198.57.11] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202770; rev:1;)
alert tcp $HOME_NET any -> [86.105.227.152] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202771; rev:1;)
alert tcp $HOME_NET any -> [185.28.63.109] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202772; rev:1;)
alert tcp $HOME_NET any -> [92.63.105.132] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202773; rev:1;)
alert tcp $HOME_NET any -> [46.28.204.81] 443 (msg:"SSLBL: Traffic to malicious host (likely QuantLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202774; rev:1;)
alert tcp $HOME_NET any -> [194.87.102.119] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202775; rev:1;)
alert tcp $HOME_NET any -> [95.213.251.5] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202776; rev:1;)
alert tcp $HOME_NET any -> [95.213.195.174] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202777; rev:1;)
alert tcp $HOME_NET any -> [89.45.67.104] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202778; rev:1;)
alert tcp $HOME_NET any -> [92.53.66.73] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202779; rev:1;)
alert tcp $HOME_NET any -> [95.213.194.244] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202780; rev:1;)
alert tcp $HOME_NET any -> [149.154.71.146] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202781; rev:1;)
alert tcp $HOME_NET any -> [176.10.124.226] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202782; rev:1;)
alert tcp $HOME_NET any -> [185.82.200.224] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202783; rev:1;)
alert tcp $HOME_NET any -> [174.127.99.172] 4242 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202784; rev:1;)
alert tcp $HOME_NET any -> [78.155.206.233] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202785; rev:1;)
alert tcp $HOME_NET any -> [185.213.209.194] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202786; rev:1;)
alert tcp $HOME_NET any -> [91.134.203.113] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202787; rev:1;)
alert tcp $HOME_NET any -> [194.87.236.216] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202788; rev:1;)
alert tcp $HOME_NET any -> [154.16.63.167] 7878 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202789; rev:1;)
alert tcp $HOME_NET any -> [104.131.89.74] 4431 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202790; rev:1;)
alert tcp $HOME_NET any -> [89.171.146.30] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202791; rev:1;)
alert tcp $HOME_NET any -> [194.87.236.180] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202792; rev:1;)
alert tcp $HOME_NET any -> [95.213.252.23] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202793; rev:1;)
alert tcp $HOME_NET any -> [185.106.120.167] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202794; rev:1;)
alert tcp $HOME_NET any -> [195.133.146.122] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202795; rev:1;)
alert tcp $HOME_NET any -> [187.191.0.42] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202796; rev:1;)
alert tcp $HOME_NET any -> [156.17.92.161] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202797; rev:1;)
alert tcp $HOME_NET any -> [5.200.35.40] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202798; rev:1;)
alert tcp $HOME_NET any -> [145.249.105.20] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202799; rev:1;)
alert tcp $HOME_NET any -> [195.133.146.117] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202800; rev:1;)
alert tcp $HOME_NET any -> [78.24.217.88] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202801; rev:1;)
alert tcp $HOME_NET any -> [194.87.236.168] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202802; rev:1;)
alert tcp $HOME_NET any -> [95.213.251.95] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202803; rev:1;)
alert tcp $HOME_NET any -> [104.236.49.165] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202804; rev:1;)
alert tcp $HOME_NET any -> [46.22.211.167] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202805; rev:1;)
alert tcp $HOME_NET any -> [164.132.28.118] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202806; rev:1;)
alert tcp $HOME_NET any -> [194.87.239.104] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202807; rev:1;)
alert tcp $HOME_NET any -> [181.211.34.154] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202808; rev:1;)
alert tcp $HOME_NET any -> [89.45.67.144] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202809; rev:1;)
alert tcp $HOME_NET any -> [37.230.112.61] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202810; rev:1;)
alert tcp $HOME_NET any -> [80.188.120.11] 4343 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202811; rev:1;)
alert tcp $HOME_NET any -> [194.87.234.254] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202812; rev:1;)
alert tcp $HOME_NET any -> [212.38.166.236] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202813; rev:1;)
alert tcp $HOME_NET any -> [77.244.215.81] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202814; rev:1;)
alert tcp $HOME_NET any -> [188.120.249.77] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202815; rev:1;)
alert tcp $HOME_NET any -> [185.117.73.235] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202816; rev:1;)
alert tcp $HOME_NET any -> [185.198.57.172] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202817; rev:1;)
alert tcp $HOME_NET any -> [62.109.9.121] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202818; rev:1;)
alert tcp $HOME_NET any -> [149.154.69.131] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202819; rev:1;)
alert tcp $HOME_NET any -> [188.120.248.190] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202820; rev:1;)
alert tcp $HOME_NET any -> [93.95.97.138] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202821; rev:1;)
alert tcp $HOME_NET any -> [185.77.128.166] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202822; rev:1;)
alert tcp $HOME_NET any -> [141.255.167.123] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202823; rev:1;)
alert tcp $HOME_NET any -> [185.80.128.27] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202824; rev:1;)
alert tcp $HOME_NET any -> [79.119.121.185] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202825; rev:1;)
alert tcp $HOME_NET any -> [185.80.128.154] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202826; rev:1;)
alert tcp $HOME_NET any -> [185.183.96.165] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202827; rev:1;)
alert tcp $HOME_NET any -> [119.28.153.245] 443 (msg:"SSLBL: Traffic to malicious host (likely Zloader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202828; rev:1;)
alert tcp $HOME_NET any -> [80.87.198.198] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202829; rev:1;)
alert tcp $HOME_NET any -> [193.124.117.39] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202830; rev:1;)
alert tcp $HOME_NET any -> [86.105.227.137] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202831; rev:1;)
alert tcp $HOME_NET any -> [79.170.7.139] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202832; rev:1;)
alert tcp $HOME_NET any -> [37.60.177.199] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202833; rev:1;)
alert tcp $HOME_NET any -> [109.230.199.19] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202834; rev:1;)
alert tcp $HOME_NET any -> [107.161.160.30] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202835; rev:1;)
alert tcp $HOME_NET any -> [188.120.231.188] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202836; rev:1;)
alert tcp $HOME_NET any -> [188.137.86.7] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202837; rev:1;)
alert tcp $HOME_NET any -> [37.220.31.41] 443 (msg:"SSLBL: Traffic to malicious host (likely Corebot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202838; rev:1;)
alert tcp $HOME_NET any -> [195.133.146.111] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202839; rev:1;)
alert tcp $HOME_NET any -> [62.102.148.166] 4414 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202840; rev:1;)
alert tcp $HOME_NET any -> [185.82.217.224] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202841; rev:1;)
alert tcp $HOME_NET any -> [169.239.129.47] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202842; rev:1;)
alert tcp $HOME_NET any -> [185.82.216.187] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202843; rev:1;)
alert tcp $HOME_NET any -> [141.255.167.112] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202844; rev:1;)
alert tcp $HOME_NET any -> [196.202.194.202] 451 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202845; rev:1;)
alert tcp $HOME_NET any -> [70.184.5.210] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202846; rev:1;)
alert tcp $HOME_NET any -> [94.177.12.245] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202847; rev:1;)
alert tcp $HOME_NET any -> [185.82.218.28] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202848; rev:1;)
alert tcp $HOME_NET any -> [185.84.181.83] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202849; rev:1;)
alert tcp $HOME_NET any -> [74.202.242.28] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202850; rev:1;)
alert tcp $HOME_NET any -> [194.87.232.219] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202851; rev:1;)
alert tcp $HOME_NET any -> [194.87.103.184] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202852; rev:1;)
alert tcp $HOME_NET any -> [146.255.79.173] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202853; rev:1;)
alert tcp $HOME_NET any -> [78.130.176.162] 2018 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202854; rev:1;)
alert tcp $HOME_NET any -> [194.87.93.172] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202855; rev:1;)
alert tcp $HOME_NET any -> [146.255.79.165] 1010 (msg:"SSLBL: Traffic to malicious host (likely JBifrost C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202856; rev:1;)
alert tcp $HOME_NET any -> [82.146.59.247] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202857; rev:1;)
alert tcp $HOME_NET any -> [82.146.45.93] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202858; rev:1;)
alert tcp $HOME_NET any -> [5.196.54.0] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202859; rev:1;)
alert tcp $HOME_NET any -> [185.159.131.127] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202860; rev:1;)
alert tcp $HOME_NET any -> [104.140.247.125] 4431 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202861; rev:1;)
alert tcp $HOME_NET any -> [185.117.73.13] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202862; rev:1;)
alert tcp $HOME_NET any -> [82.146.56.32] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202863; rev:1;)
alert tcp $HOME_NET any -> [194.87.103.240] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202864; rev:1;)
alert tcp $HOME_NET any -> [92.63.102.221] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202865; rev:1;)
alert tcp $HOME_NET any -> [194.87.103.74] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202866; rev:1;)
alert tcp $HOME_NET any -> [49.51.134.93] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202867; rev:1;)
alert tcp $HOME_NET any -> [185.158.113.194] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202868; rev:1;)
alert tcp $HOME_NET any -> [194.87.102.14] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202869; rev:1;)
alert tcp $HOME_NET any -> [185.82.218.26] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202870; rev:1;)
alert tcp $HOME_NET any -> [82.146.40.206] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202871; rev:1;)
alert tcp $HOME_NET any -> [85.221.243.6] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202872; rev:1;)
alert tcp $HOME_NET any -> [82.146.47.127] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202873; rev:1;)
alert tcp $HOME_NET any -> [92.63.102.64] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202874; rev:1;)
alert tcp $HOME_NET any -> [185.158.152.225] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202875; rev:1;)
alert tcp $HOME_NET any -> [66.222.49.122] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202876; rev:1;)
alert tcp $HOME_NET any -> [107.170.101.158] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202877; rev:1;)
alert tcp $HOME_NET any -> [185.198.57.134] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202878; rev:1;)
alert tcp $HOME_NET any -> [216.126.58.132] 443 (msg:"SSLBL: Traffic to malicious host (likely Corebot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202879; rev:1;)
alert tcp $HOME_NET any -> [86.105.1.102] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202880; rev:1;)
alert tcp $HOME_NET any -> [194.87.92.191] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202881; rev:1;)
alert tcp $HOME_NET any -> [195.133.196.130] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202882; rev:1;)
alert tcp $HOME_NET any -> [195.133.49.17] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202883; rev:1;)
alert tcp $HOME_NET any -> [49.51.35.119] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202884; rev:1;)
alert tcp $HOME_NET any -> [185.158.153.134] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202885; rev:1;)
alert tcp $HOME_NET any -> [194.87.239.200] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202886; rev:1;)
alert tcp $HOME_NET any -> [194.87.236.59] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202887; rev:1;)
alert tcp $HOME_NET any -> [46.237.117.193] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202888; rev:1;)
alert tcp $HOME_NET any -> [67.139.169.66] 995 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202889; rev:1;)
alert tcp $HOME_NET any -> [132.206.59.132] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202890; rev:1;)
alert tcp $HOME_NET any -> [76.179.72.219] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202891; rev:1;)
alert tcp $HOME_NET any -> [96.246.147.237] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202892; rev:1;)
alert tcp $HOME_NET any -> [189.244.44.128] 995 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202893; rev:1;)
alert tcp $HOME_NET any -> [108.35.21.79] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202894; rev:1;)
alert tcp $HOME_NET any -> [185.84.181.79] 4820 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202895; rev:1;)
alert tcp $HOME_NET any -> [5.2.76.91] 6868 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202896; rev:1;)
alert tcp $HOME_NET any -> [87.106.219.40] 4431 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202897; rev:1;)
alert tcp $HOME_NET any -> [172.112.229.191] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202898; rev:1;)
alert tcp $HOME_NET any -> [176.10.124.197] 3487 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202899; rev:1;)
alert tcp $HOME_NET any -> [64.132.75.142] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202900; rev:1;)
alert tcp $HOME_NET any -> [185.198.57.57] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202901; rev:1;)
alert tcp $HOME_NET any -> [49.51.38.160] 443 (msg:"SSLBL: Traffic to malicious host (likely Smoke Loader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202902; rev:1;)
alert tcp $HOME_NET any -> [181.215.247.26] 9090 (msg:"SSLBL: Traffic to malicious host (likely JBifrost C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202903; rev:1;)
alert tcp $HOME_NET any -> [185.198.57.133] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202904; rev:1;)
alert tcp $HOME_NET any -> [185.127.26.227] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202905; rev:1;)
alert tcp $HOME_NET any -> [5.200.35.63] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202906; rev:1;)
alert tcp $HOME_NET any -> [162.243.137.50] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202907; rev:1;)
alert tcp $HOME_NET any -> [173.203.123.102] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202908; rev:1;)
alert tcp $HOME_NET any -> [204.152.219.72] 7878 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202909; rev:1;)
alert tcp $HOME_NET any -> [176.10.124.239] 7790 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202910; rev:1;)
alert tcp $HOME_NET any -> [23.105.131.150] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202911; rev:1;)
alert tcp $HOME_NET any -> [31.171.155.60] 5588 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202912; rev:1;)
alert tcp $HOME_NET any -> [194.87.99.234] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202913; rev:1;)
alert tcp $HOME_NET any -> [95.167.151.233] 4045 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202914; rev:1;)
alert tcp $HOME_NET any -> [197.85.185.132] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202915; rev:1;)
alert tcp $HOME_NET any -> [95.167.151.234] 9212 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202916; rev:1;)
alert tcp $HOME_NET any -> [176.10.124.230] 1566 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202917; rev:1;)
alert tcp $HOME_NET any -> [185.198.57.151] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202918; rev:1;)
alert tcp $HOME_NET any -> [89.35.228.243] 4780 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202919; rev:1;)
alert tcp $HOME_NET any -> [91.233.116.104] 7728 (msg:"SSLBL: Traffic to malicious host (likely JBifrost C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202920; rev:1;)
alert tcp $HOME_NET any -> [154.16.63.221] 9909 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202921; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.35] 4101 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202922; rev:1;)
alert tcp $HOME_NET any -> [82.146.40.253] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202923; rev:1;)
alert tcp $HOME_NET any -> [185.112.82.64] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202924; rev:1;)
alert tcp $HOME_NET any -> [92.207.100.244] 4843 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202925; rev:1;)
alert tcp $HOME_NET any -> [185.84.181.85] 7177 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202926; rev:1;)
alert tcp $HOME_NET any -> [78.130.176.213] 6790 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202927; rev:1;)
alert tcp $HOME_NET any -> [193.218.145.101] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202928; rev:1;)
alert tcp $HOME_NET any -> [185.117.72.98] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202929; rev:1;)
alert tcp $HOME_NET any -> [49.51.135.109] 443 (msg:"SSLBL: Traffic to malicious host (likely Smoke Loader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202930; rev:1;)
alert tcp $HOME_NET any -> [5.45.86.128] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202931; rev:1;)
alert tcp $HOME_NET any -> [194.87.111.83] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202932; rev:1;)
alert tcp $HOME_NET any -> [185.158.115.61] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202933; rev:1;)
alert tcp $HOME_NET any -> [194.87.98.234] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202934; rev:1;)
alert tcp $HOME_NET any -> [94.75.77.162] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202935; rev:1;)
alert tcp $HOME_NET any -> [49.51.133.206] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202936; rev:1;)
alert tcp $HOME_NET any -> [191.101.22.20] 8787 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202937; rev:1;)
alert tcp $HOME_NET any -> [45.77.97.99] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202938; rev:1;)
alert tcp $HOME_NET any -> [47.74.154.177] 443 (msg:"SSLBL: Traffic to malicious host (likely Smoke Loader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202939; rev:1;)
alert tcp $HOME_NET any -> [195.133.146.156] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202940; rev:1;)
alert tcp $HOME_NET any -> [5.8.88.181] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202941; rev:1;)
alert tcp $HOME_NET any -> [5.45.83.115] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202942; rev:1;)
alert tcp $HOME_NET any -> [176.10.124.223] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202943; rev:1;)
alert tcp $HOME_NET any -> [194.87.110.49] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202944; rev:1;)
alert tcp $HOME_NET any -> [54.208.118.55] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202945; rev:1;)
alert tcp $HOME_NET any -> [34.229.150.157] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202946; rev:1;)
alert tcp $HOME_NET any -> [185.141.25.242] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202947; rev:1;)
alert tcp $HOME_NET any -> [103.25.58.168] 5676 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202948; rev:1;)
alert tcp $HOME_NET any -> [107.189.162.131] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202949; rev:1;)
alert tcp $HOME_NET any -> [195.133.147.228] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202950; rev:1;)
alert tcp $HOME_NET any -> [89.231.13.38] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202951; rev:1;)
alert tcp $HOME_NET any -> [188.137.122.40] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202952; rev:1;)
alert tcp $HOME_NET any -> [188.137.122.68] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202953; rev:1;)
alert tcp $HOME_NET any -> [185.158.115.57] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202954; rev:1;)
alert tcp $HOME_NET any -> [195.133.144.27] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202955; rev:1;)
alert tcp $HOME_NET any -> [73.166.89.239] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202956; rev:1;)
alert tcp $HOME_NET any -> [5.8.88.31] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202957; rev:1;)
alert tcp $HOME_NET any -> [18.220.233.103] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202958; rev:1;)
alert tcp $HOME_NET any -> [176.10.124.228] 4147 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202959; rev:1;)
alert tcp $HOME_NET any -> [47.89.254.87] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202960; rev:1;)
alert tcp $HOME_NET any -> [52.90.250.177] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202961; rev:1;)
alert tcp $HOME_NET any -> [195.133.145.222] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202962; rev:1;)
alert tcp $HOME_NET any -> [190.1.231.231] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202963; rev:1;)
alert tcp $HOME_NET any -> [185.94.191.82] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202964; rev:1;)
alert tcp $HOME_NET any -> [188.137.122.5] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202965; rev:1;)
alert tcp $HOME_NET any -> [45.32.70.144] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202966; rev:1;)
alert tcp $HOME_NET any -> [5.188.231.16] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202967; rev:1;)
alert tcp $HOME_NET any -> [194.87.99.225] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202968; rev:1;)
alert tcp $HOME_NET any -> [185.86.150.63] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202969; rev:1;)
alert tcp $HOME_NET any -> [178.175.138.198] 5030 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202970; rev:1;)
alert tcp $HOME_NET any -> [18.221.102.212] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202971; rev:1;)
alert tcp $HOME_NET any -> [91.83.88.51] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202972; rev:1;)
alert tcp $HOME_NET any -> [47.89.253.7] 443 (msg:"SSLBL: Traffic to malicious host (likely Zloader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202973; rev:1;)
alert tcp $HOME_NET any -> [91.211.246.131] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202974; rev:1;)
alert tcp $HOME_NET any -> [155.94.238.28] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202975; rev:1;)
alert tcp $HOME_NET any -> [194.87.93.97] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202976; rev:1;)
alert tcp $HOME_NET any -> [5.8.88.219] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202977; rev:1;)
alert tcp $HOME_NET any -> [5.188.231.46] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202978; rev:1;)
alert tcp $HOME_NET any -> [185.165.29.36] 443 (msg:"SSLBL: Traffic to malicious host (likely Smoke Loader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202979; rev:1;)
alert tcp $HOME_NET any -> [185.174.101.26] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202980; rev:1;)
alert tcp $HOME_NET any -> [74.208.167.95] 1443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202981; rev:1;)
alert tcp $HOME_NET any -> [87.106.15.52] 4431 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202982; rev:1;)
alert tcp $HOME_NET any -> [103.208.86.215] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202983; rev:1;)
alert tcp $HOME_NET any -> [178.156.202.159] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202984; rev:1;)
alert tcp $HOME_NET any -> [5.133.179.13] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202985; rev:1;)
alert tcp $HOME_NET any -> [185.80.128.230] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202986; rev:1;)
alert tcp $HOME_NET any -> [91.236.116.144] 1818 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202987; rev:1;)
alert tcp $HOME_NET any -> [194.68.59.45] 5657 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202988; rev:1;)
alert tcp $HOME_NET any -> [195.133.48.80] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202989; rev:1;)
alert tcp $HOME_NET any -> [194.87.99.62] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202990; rev:1;)
alert tcp $HOME_NET any -> [185.82.200.159] 443 (msg:"SSLBL: Traffic to malicious host (likely ZLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202991; rev:1;)
alert tcp $HOME_NET any -> [184.155.19.94] 995 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202992; rev:1;)
alert tcp $HOME_NET any -> [216.107.149.57] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202993; rev:1;)
alert tcp $HOME_NET any -> [47.74.150.46] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202994; rev:1;)
alert tcp $HOME_NET any -> [5.188.231.44] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202995; rev:1;)
alert tcp $HOME_NET any -> [185.203.118.198] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202996; rev:1;)
alert tcp $HOME_NET any -> [185.82.217.212] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202997; rev:1;)
alert tcp $HOME_NET any -> [95.140.125.26] 1677 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202998; rev:1;)
alert tcp $HOME_NET any -> [107.173.168.160] 3040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905202999; rev:1;)
alert tcp $HOME_NET any -> [24.182.236.58] 995 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203000; rev:1;)
alert tcp $HOME_NET any -> [216.187.170.2] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203001; rev:1;)
alert tcp $HOME_NET any -> [66.85.27.170] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203002; rev:1;)
alert tcp $HOME_NET any -> [178.175.138.167] 9010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203003; rev:1;)
alert tcp $HOME_NET any -> [146.255.79.167] 88 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203004; rev:1;)
alert tcp $HOME_NET any -> [78.130.176.192] 6463 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203005; rev:1;)
alert tcp $HOME_NET any -> [181.215.247.7] 1988 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203006; rev:1;)
alert tcp $HOME_NET any -> [173.254.223.88] 1592 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203007; rev:1;)
alert tcp $HOME_NET any -> [194.87.102.36] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203008; rev:1;)
alert tcp $HOME_NET any -> [191.101.22.168] 1759 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203009; rev:1;)
alert tcp $HOME_NET any -> [188.165.62.8] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203010; rev:1;)
alert tcp $HOME_NET any -> [174.127.99.156] 4050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203011; rev:1;)
alert tcp $HOME_NET any -> [78.130.176.223] 6666 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203012; rev:1;)
alert tcp $HOME_NET any -> [103.16.27.91] 5874 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203013; rev:1;)
alert tcp $HOME_NET any -> [108.49.159.2] 995 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203014; rev:1;)
alert tcp $HOME_NET any -> [89.46.222.232] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203015; rev:1;)
alert tcp $HOME_NET any -> [191.101.22.27] 1616 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203016; rev:1;)
alert tcp $HOME_NET any -> [31.31.77.229] 1443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203017; rev:1;)
alert tcp $HOME_NET any -> [194.68.59.33] 7798 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203018; rev:1;)
alert tcp $HOME_NET any -> [94.242.213.178] 3360 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203019; rev:1;)
alert tcp $HOME_NET any -> [95.183.52.82] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203020; rev:1;)
alert tcp $HOME_NET any -> [185.189.112.142] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203021; rev:1;)
alert tcp $HOME_NET any -> [64.71.166.50] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203022; rev:1;)
alert tcp $HOME_NET any -> [144.208.127.142] 1986 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203023; rev:1;)
alert tcp $HOME_NET any -> [94.242.213.97] 3360 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203024; rev:1;)
alert tcp $HOME_NET any -> [173.254.252.209] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203025; rev:1;)
alert tcp $HOME_NET any -> [79.124.78.81] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203026; rev:1;)
alert tcp $HOME_NET any -> [154.16.220.117] 9010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203027; rev:1;)
alert tcp $HOME_NET any -> [146.255.79.186] 2016 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203028; rev:1;)
alert tcp $HOME_NET any -> [134.19.176.150] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203029; rev:1;)
alert tcp $HOME_NET any -> [210.16.101.88] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203030; rev:1;)
alert tcp $HOME_NET any -> [51.254.164.249] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203031; rev:1;)
alert tcp $HOME_NET any -> [89.34.99.133] 2016 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203032; rev:1;)
alert tcp $HOME_NET any -> [91.139.236.92] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203033; rev:1;)
alert tcp $HOME_NET any -> [172.93.37.143] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203034; rev:1;)
alert tcp $HOME_NET any -> [216.244.71.140] 3040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203035; rev:1;)
alert tcp $HOME_NET any -> [219.92.199.191] 4442 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203036; rev:1;)
alert tcp $HOME_NET any -> [37.59.183.142] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203037; rev:1;)
alert tcp $HOME_NET any -> [84.40.65.85] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203038; rev:1;)
alert tcp $HOME_NET any -> [5.152.210.165] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203039; rev:1;)
alert tcp $HOME_NET any -> [93.190.142.100] 8090 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203040; rev:1;)
alert tcp $HOME_NET any -> [172.81.178.93] 1033 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203041; rev:1;)
alert tcp $HOME_NET any -> [37.230.228.41] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203042; rev:1;)
alert tcp $HOME_NET any -> [95.140.125.28] 9977 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203043; rev:1;)
alert tcp $HOME_NET any -> [172.93.148.175] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203044; rev:1;)
alert tcp $HOME_NET any -> [213.184.126.153] 5001 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203045; rev:1;)
alert tcp $HOME_NET any -> [176.10.124.236] 8073 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203046; rev:1;)
alert tcp $HOME_NET any -> [93.123.73.16] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203047; rev:1;)
alert tcp $HOME_NET any -> [87.121.76.172] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203048; rev:1;)
alert tcp $HOME_NET any -> [185.40.20.42] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203049; rev:1;)
alert tcp $HOME_NET any -> [185.145.45.73] 4111 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203050; rev:1;)
alert tcp $HOME_NET any -> [178.175.138.143] 2098 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203051; rev:1;)
alert tcp $HOME_NET any -> [146.255.79.175] 7524 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203052; rev:1;)
alert tcp $HOME_NET any -> [181.215.247.219] 3088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203053; rev:1;)
alert tcp $HOME_NET any -> [212.7.218.64] 19989 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203054; rev:1;)
alert tcp $HOME_NET any -> [194.68.59.33] 7793 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203055; rev:1;)
alert tcp $HOME_NET any -> [178.175.138.196] 2024 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203056; rev:1;)
alert tcp $HOME_NET any -> [188.165.62.11] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203057; rev:1;)
alert tcp $HOME_NET any -> [146.255.79.170] 7054 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203058; rev:1;)
alert tcp $HOME_NET any -> [210.16.102.142] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203059; rev:1;)
alert tcp $HOME_NET any -> [209.141.38.25] 3479 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203060; rev:1;)
alert tcp $HOME_NET any -> [78.130.176.162] 54669 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203061; rev:1;)
alert tcp $HOME_NET any -> [5.187.49.227] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203062; rev:1;)
alert tcp $HOME_NET any -> [23.105.131.190] 7088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203063; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.52] 4644 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203064; rev:1;)
alert tcp $HOME_NET any -> [162.248.75.99] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203065; rev:1;)
alert tcp $HOME_NET any -> [24.13.179.247] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203066; rev:1;)
alert tcp $HOME_NET any -> [185.189.112.134] 8091 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203067; rev:1;)
alert tcp $HOME_NET any -> [178.175.138.200] 4571 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203068; rev:1;)
alert tcp $HOME_NET any -> [144.208.126.172] 1995 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203069; rev:1;)
alert tcp $HOME_NET any -> [104.171.113.230] 1989 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203070; rev:1;)
alert tcp $HOME_NET any -> [191.101.22.15] 7928 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203071; rev:1;)
alert tcp $HOME_NET any -> [64.15.75.83] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203072; rev:1;)
alert tcp $HOME_NET any -> [195.62.52.100] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203073; rev:1;)
alert tcp $HOME_NET any -> [79.172.242.32] 7278 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203074; rev:1;)
alert tcp $HOME_NET any -> [209.141.39.145] 9005 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203075; rev:1;)
alert tcp $HOME_NET any -> [176.10.124.245] 7000 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203076; rev:1;)
alert tcp $HOME_NET any -> [91.236.116.142] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203077; rev:1;)
alert tcp $HOME_NET any -> [212.7.208.88] 2556 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203078; rev:1;)
alert tcp $HOME_NET any -> [146.255.79.169] 7033 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203079; rev:1;)
alert tcp $HOME_NET any -> [185.145.45.9] 2176 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203080; rev:1;)
alert tcp $HOME_NET any -> [54.85.217.174] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203081; rev:1;)
alert tcp $HOME_NET any -> [192.253.242.233] 6061 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203082; rev:1;)
alert tcp $HOME_NET any -> [210.186.224.62] 4442 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203083; rev:1;)
alert tcp $HOME_NET any -> [194.68.59.36] 100 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203084; rev:1;)
alert tcp $HOME_NET any -> [191.101.22.21] 9876 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203085; rev:1;)
alert tcp $HOME_NET any -> [174.127.99.153] 7789 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203086; rev:1;)
alert tcp $HOME_NET any -> [174.127.99.171] 2017 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203087; rev:1;)
alert tcp $HOME_NET any -> [37.49.224.26] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203088; rev:1;)
alert tcp $HOME_NET any -> [146.255.79.170] 8190 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203089; rev:1;)
alert tcp $HOME_NET any -> [185.29.9.15] 9220 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203090; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.42] 3012 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203091; rev:1;)
alert tcp $HOME_NET any -> [192.166.218.230] 1779 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203092; rev:1;)
alert tcp $HOME_NET any -> [174.127.99.130] 2014 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203093; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.34] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203094; rev:1;)
alert tcp $HOME_NET any -> [5.187.49.226] 8088 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203095; rev:1;)
alert tcp $HOME_NET any -> [23.227.201.27] 5053 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203096; rev:1;)
alert tcp $HOME_NET any -> [185.141.27.19] 1008 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203097; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.56] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203098; rev:1;)
alert tcp $HOME_NET any -> [37.10.71.146] 1961 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203099; rev:1;)
alert tcp $HOME_NET any -> [185.84.181.89] 3545 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203100; rev:1;)
alert tcp $HOME_NET any -> [144.208.127.126] 1989 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203101; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.37] 64666 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203102; rev:1;)
alert tcp $HOME_NET any -> [185.153.229.59] 443 (msg:"SSLBL: Traffic to malicious host (likely Nexuslogger C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203103; rev:1;)
alert tcp $HOME_NET any -> [95.141.43.219] 2204 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203104; rev:1;)
alert tcp $HOME_NET any -> [204.152.219.112] 1010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203105; rev:1;)
alert tcp $HOME_NET any -> [146.71.87.103] 1992 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203106; rev:1;)
alert tcp $HOME_NET any -> [185.208.170.155] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203107; rev:1;)
alert tcp $HOME_NET any -> [185.145.45.145] 2888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203108; rev:1;)
alert tcp $HOME_NET any -> [95.167.151.228] 7769 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203109; rev:1;)
alert tcp $HOME_NET any -> [195.88.208.202] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203110; rev:1;)
alert tcp $HOME_NET any -> [212.7.218.143] 7543 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203111; rev:1;)
alert tcp $HOME_NET any -> [84.238.198.166] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203112; rev:1;)
alert tcp $HOME_NET any -> [172.82.162.246] 8090 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203113; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.34] 2077 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203114; rev:1;)
alert tcp $HOME_NET any -> [176.10.124.234] 1903 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203115; rev:1;)
alert tcp $HOME_NET any -> [188.165.26.166] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203116; rev:1;)
alert tcp $HOME_NET any -> [193.105.134.78] 1472 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203117; rev:1;)
alert tcp $HOME_NET any -> [89.35.228.232] 4044 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203118; rev:1;)
alert tcp $HOME_NET any -> [174.127.99.146] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203119; rev:1;)
alert tcp $HOME_NET any -> [192.237.180.245] 667 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203120; rev:1;)
alert tcp $HOME_NET any -> [176.10.124.226] 7033 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203121; rev:1;)
alert tcp $HOME_NET any -> [5.133.15.5] 4245 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203122; rev:1;)
alert tcp $HOME_NET any -> [23.105.131.186] 1101 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203123; rev:1;)
alert tcp $HOME_NET any -> [178.175.138.200] 9010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203124; rev:1;)
alert tcp $HOME_NET any -> [151.80.84.2] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203125; rev:1;)
alert tcp $HOME_NET any -> [185.120.144.151] 1906 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203126; rev:1;)
alert tcp $HOME_NET any -> [204.152.219.93] 4466 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203127; rev:1;)
alert tcp $HOME_NET any -> [23.105.131.156] 4321 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203128; rev:1;)
alert tcp $HOME_NET any -> [146.71.87.11] 1989 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203129; rev:1;)
alert tcp $HOME_NET any -> [174.127.99.128] 3445 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203130; rev:1;)
alert tcp $HOME_NET any -> [38.95.111.202] 5577 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203131; rev:1;)
alert tcp $HOME_NET any -> [66.11.124.213] 2087 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203132; rev:1;)
alert tcp $HOME_NET any -> [185.75.59.209] 7719 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203133; rev:1;)
alert tcp $HOME_NET any -> [172.93.148.168] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203134; rev:1;)
alert tcp $HOME_NET any -> [23.105.131.158] 7033 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203135; rev:1;)
alert tcp $HOME_NET any -> [181.215.247.123] 1605 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203136; rev:1;)
alert tcp $HOME_NET any -> [185.208.210.40] 1334 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203137; rev:1;)
alert tcp $HOME_NET any -> [213.184.126.131] 6022 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203138; rev:1;)
alert tcp $HOME_NET any -> [185.30.144.205] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203139; rev:1;)
alert tcp $HOME_NET any -> [81.95.123.210] 1985 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203140; rev:1;)
alert tcp $HOME_NET any -> [91.214.114.179] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203141; rev:1;)
alert tcp $HOME_NET any -> [131.153.37.30] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203142; rev:1;)
alert tcp $HOME_NET any -> [69.247.60.183] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203143; rev:1;)
alert tcp $HOME_NET any -> [205.185.117.108] 4431 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203144; rev:1;)
alert tcp $HOME_NET any -> [209.200.27.76] 4343 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203145; rev:1;)
alert tcp $HOME_NET any -> [193.124.117.102] 449 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203146; rev:1;)
alert tcp $HOME_NET any -> [185.172.31.111] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203147; rev:1;)
alert tcp $HOME_NET any -> [213.152.161.149] 3487 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203148; rev:1;)
alert tcp $HOME_NET any -> [154.16.49.165] 2087 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203149; rev:1;)
alert tcp $HOME_NET any -> [5.8.88.40] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203150; rev:1;)
alert tcp $HOME_NET any -> [94.242.252.36] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203151; rev:1;)
alert tcp $HOME_NET any -> [5.188.231.10] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203152; rev:1;)
alert tcp $HOME_NET any -> [94.242.208.183] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203153; rev:1;)
alert tcp $HOME_NET any -> [146.185.254.139] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203154; rev:1;)
alert tcp $HOME_NET any -> [37.59.183.143] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203155; rev:1;)
alert tcp $HOME_NET any -> [37.59.80.99] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203156; rev:1;)
alert tcp $HOME_NET any -> [5.8.88.194] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203157; rev:1;)
alert tcp $HOME_NET any -> [94.23.170.129] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203158; rev:1;)
alert tcp $HOME_NET any -> [94.74.81.176] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203159; rev:1;)
alert tcp $HOME_NET any -> [5.188.231.125] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203160; rev:1;)
alert tcp $HOME_NET any -> [185.84.181.96] 2556 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203161; rev:1;)
alert tcp $HOME_NET any -> [185.84.181.78] 2022 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203162; rev:1;)
alert tcp $HOME_NET any -> [103.68.223.134] 6329 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203163; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.35] 2446 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203164; rev:1;)
alert tcp $HOME_NET any -> [185.84.181.89] 7262 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203165; rev:1;)
alert tcp $HOME_NET any -> [216.244.79.18] 2087 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203166; rev:1;)
alert tcp $HOME_NET any -> [154.16.49.142] 2087 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203167; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.35] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203168; rev:1;)
alert tcp $HOME_NET any -> [154.16.49.141] 2087 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203169; rev:1;)
alert tcp $HOME_NET any -> [86.99.122.180] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203170; rev:1;)
alert tcp $HOME_NET any -> [95.141.43.199] 9090 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203171; rev:1;)
alert tcp $HOME_NET any -> [154.16.49.125] 4087 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203172; rev:1;)
alert tcp $HOME_NET any -> [209.222.111.183] 4545 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203173; rev:1;)
alert tcp $HOME_NET any -> [172.94.117.219] 1609 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203174; rev:1;)
alert tcp $HOME_NET any -> [154.16.49.144] 3087 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203175; rev:1;)
alert tcp $HOME_NET any -> [31.171.155.68] 9455 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203176; rev:1;)
alert tcp $HOME_NET any -> [178.175.138.224] 1414 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203177; rev:1;)
alert tcp $HOME_NET any -> [212.7.218.60] 2010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203178; rev:1;)
alert tcp $HOME_NET any -> [189.84.113.83] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203179; rev:1;)
alert tcp $HOME_NET any -> [91.236.116.143] 2322 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203180; rev:1;)
alert tcp $HOME_NET any -> [23.253.243.44] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203181; rev:1;)
alert tcp $HOME_NET any -> [190.34.158.250] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203182; rev:1;)
alert tcp $HOME_NET any -> [118.91.178.145] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203183; rev:1;)
alert tcp $HOME_NET any -> [118.91.178.98] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203184; rev:1;)
alert tcp $HOME_NET any -> [118.91.178.114] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203185; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.50] 4055 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203186; rev:1;)
alert tcp $HOME_NET any -> [194.68.59.77] 3443 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203187; rev:1;)
alert tcp $HOME_NET any -> [186.114.237.54] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203188; rev:1;)
alert tcp $HOME_NET any -> [93.99.68.140] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203189; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.54] 2558 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203190; rev:1;)
alert tcp $HOME_NET any -> [194.87.111.85] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203191; rev:1;)
alert tcp $HOME_NET any -> [46.160.165.31] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203192; rev:1;)
alert tcp $HOME_NET any -> [83.234.136.55] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203193; rev:1;)
alert tcp $HOME_NET any -> [46.160.165.16] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203194; rev:1;)
alert tcp $HOME_NET any -> [195.133.197.179] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203195; rev:1;)
alert tcp $HOME_NET any -> [186.103.161.204] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203196; rev:1;)
alert tcp $HOME_NET any -> [91.206.4.216] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203197; rev:1;)
alert tcp $HOME_NET any -> [154.16.49.145] 2087 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203198; rev:1;)
alert tcp $HOME_NET any -> [179.33.115.200] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203199; rev:1;)
alert tcp $HOME_NET any -> [117.200.11.11] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203200; rev:1;)
alert tcp $HOME_NET any -> [161.10.39.218] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203201; rev:1;)
alert tcp $HOME_NET any -> [200.28.113.178] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203202; rev:1;)
alert tcp $HOME_NET any -> [206.221.186.201] 1414 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203203; rev:1;)
alert tcp $HOME_NET any -> [85.228.193.94] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203204; rev:1;)
alert tcp $HOME_NET any -> [195.62.53.213] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203205; rev:1;)
alert tcp $HOME_NET any -> [195.2.252.178] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203206; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.55] 2426 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203207; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.29] 2559 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203208; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.27] 6442 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203209; rev:1;)
alert tcp $HOME_NET any -> [104.243.37.52] 7070 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203210; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.53] 41969 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203211; rev:1;)
alert tcp $HOME_NET any -> [213.208.129.198] 5564 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203212; rev:1;)
alert tcp $HOME_NET any -> [89.231.13.33] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203213; rev:1;)
alert tcp $HOME_NET any -> [163.53.206.187] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203214; rev:1;)
alert tcp $HOME_NET any -> [89.231.13.18] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203215; rev:1;)
alert tcp $HOME_NET any -> [161.10.192.68] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203216; rev:1;)
alert tcp $HOME_NET any -> [159.224.26.79] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203217; rev:1;)
alert tcp $HOME_NET any -> [195.69.196.77] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203218; rev:1;)
alert tcp $HOME_NET any -> [94.42.91.27] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203219; rev:1;)
alert tcp $HOME_NET any -> [118.91.178.121] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203220; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.29] 1609 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203221; rev:1;)
alert tcp $HOME_NET any -> [23.227.201.157] 2087 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203222; rev:1;)
alert tcp $HOME_NET any -> [191.7.30.30] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203223; rev:1;)
alert tcp $HOME_NET any -> [174.127.99.145] 7171 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203224; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.48] 6464 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203225; rev:1;)
alert tcp $HOME_NET any -> [95.141.43.196] 6660 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203226; rev:1;)
alert tcp $HOME_NET any -> [213.183.40.11] 9797 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203227; rev:1;)
alert tcp $HOME_NET any -> [160.202.163.249] 4487 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203228; rev:1;)
alert tcp $HOME_NET any -> [163.47.20.60] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203229; rev:1;)
alert tcp $HOME_NET any -> [31.215.129.180] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203230; rev:1;)
alert tcp $HOME_NET any -> [212.24.109.200] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203231; rev:1;)
alert tcp $HOME_NET any -> [188.255.249.27] 445 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203232; rev:1;)
alert tcp $HOME_NET any -> [121.41.25.162] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203233; rev:1;)
alert tcp $HOME_NET any -> [107.181.187.141] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203234; rev:1;)
alert tcp $HOME_NET any -> [94.27.36.66] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203235; rev:1;)
alert tcp $HOME_NET any -> [212.24.110.190] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203236; rev:1;)
alert tcp $HOME_NET any -> [89.231.13.27] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203237; rev:1;)
alert tcp $HOME_NET any -> [89.231.13.18] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203238; rev:1;)
alert tcp $HOME_NET any -> [212.24.110.154] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203239; rev:1;)
alert tcp $HOME_NET any -> [67.130.166.121] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203240; rev:1;)
alert tcp $HOME_NET any -> [174.127.99.217] 3001 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203241; rev:1;)
alert tcp $HOME_NET any -> [62.113.202.70] 5643 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203242; rev:1;)
alert tcp $HOME_NET any -> [212.24.109.218] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203243; rev:1;)
alert tcp $HOME_NET any -> [91.236.116.141] 1506 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203244; rev:1;)
alert tcp $HOME_NET any -> [154.16.220.106] 20901 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203245; rev:1;)
alert tcp $HOME_NET any -> [174.127.99.212] 54689 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203246; rev:1;)
alert tcp $HOME_NET any -> [154.16.220.161] 1101 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203247; rev:1;)
alert tcp $HOME_NET any -> [185.29.9.121] 7760 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203248; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.44] 6466 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203249; rev:1;)
alert tcp $HOME_NET any -> [46.183.222.37] 4040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203250; rev:1;)
alert tcp $HOME_NET any -> [104.153.108.150] 3281 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203251; rev:1;)
alert tcp $HOME_NET any -> [95.140.125.100] 9060 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203252; rev:1;)
alert tcp $HOME_NET any -> [185.84.181.67] 1996 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203253; rev:1;)
alert tcp $HOME_NET any -> [185.145.45.228] 9018 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203254; rev:1;)
alert tcp $HOME_NET any -> [185.84.181.69] 2245 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203255; rev:1;)
alert tcp $HOME_NET any -> [23.105.128.147] 2070 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203256; rev:1;)
alert tcp $HOME_NET any -> [50.2.13.182] 2087 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203257; rev:1;)
alert tcp $HOME_NET any -> [173.254.223.124] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203258; rev:1;)
alert tcp $HOME_NET any -> [184.75.210.206] 7262 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203259; rev:1;)
alert tcp $HOME_NET any -> [176.9.99.134] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203260; rev:1;)
alert tcp $HOME_NET any -> [185.101.34.119] 1933 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203261; rev:1;)
alert tcp $HOME_NET any -> [184.75.209.178] 9001 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203262; rev:1;)
alert tcp $HOME_NET any -> [174.127.99.188] 8040 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203263; rev:1;)
alert tcp $HOME_NET any -> [47.88.17.2] 25432 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203264; rev:1;)
alert tcp $HOME_NET any -> [59.98.97.170] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203265; rev:1;)
alert tcp $HOME_NET any -> [89.223.31.232] 443 (msg:"SSLBL: Traffic to malicious host (likely Corebot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203266; rev:1;)
alert tcp $HOME_NET any -> [181.234.125.7] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203267; rev:1;)
alert tcp $HOME_NET any -> [181.234.131.143] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203268; rev:1;)
alert tcp $HOME_NET any -> [184.75.209.164] 5050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203269; rev:1;)
alert tcp $HOME_NET any -> [181.234.110.59] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203270; rev:1;)
alert tcp $HOME_NET any -> [217.164.82.62] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203271; rev:1;)
alert tcp $HOME_NET any -> [70.169.12.141] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203272; rev:1;)
alert tcp $HOME_NET any -> [213.183.58.54] 7956 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203273; rev:1;)
alert tcp $HOME_NET any -> [95.104.2.225] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203274; rev:1;)
alert tcp $HOME_NET any -> [195.225.231.78] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203275; rev:1;)
alert tcp $HOME_NET any -> [213.208.129.195] 27180 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203276; rev:1;)
alert tcp $HOME_NET any -> [77.48.28.194] 5050 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203277; rev:1;)
alert tcp $HOME_NET any -> [198.12.96.155] 2087 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203278; rev:1;)
alert tcp $HOME_NET any -> [91.236.116.141] 1030 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203279; rev:1;)
alert tcp $HOME_NET any -> [217.19.223.20] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203280; rev:1;)
alert tcp $HOME_NET any -> [174.127.99.198] 2727 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203281; rev:1;)
alert tcp $HOME_NET any -> [123.206.198.12] 8888 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203282; rev:1;)
alert tcp $HOME_NET any -> [137.74.103.16] 9090 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203283; rev:1;)
alert tcp $HOME_NET any -> [37.235.49.220] 1111 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203284; rev:1;)
alert tcp $HOME_NET any -> [117.199.204.238] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203285; rev:1;)
alert tcp $HOME_NET any -> [185.101.34.69] 5567 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203286; rev:1;)
alert tcp $HOME_NET any -> [160.202.163.240] 9888 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203287; rev:1;)
alert tcp $HOME_NET any -> [89.35.228.205] 9090 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203288; rev:1;)
alert tcp $HOME_NET any -> [163.47.20.67] 1975 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203289; rev:1;)
alert tcp $HOME_NET any -> [154.16.201.3] 21777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203290; rev:1;)
alert tcp $HOME_NET any -> [160.202.163.240] 1111 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203291; rev:1;)
alert tcp $HOME_NET any -> [49.156.45.139] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203292; rev:1;)
alert tcp $HOME_NET any -> [179.43.158.169] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203293; rev:1;)
alert tcp $HOME_NET any -> [115.186.139.104] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203294; rev:1;)
alert tcp $HOME_NET any -> [195.225.231.79] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203295; rev:1;)
alert tcp $HOME_NET any -> [160.202.163.251] 7755 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203296; rev:1;)
alert tcp $HOME_NET any -> [82.153.121.186] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203297; rev:1;)
alert tcp $HOME_NET any -> [87.120.254.222] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203298; rev:1;)
alert tcp $HOME_NET any -> [23.105.131.211] 17387 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203299; rev:1;)
alert tcp $HOME_NET any -> [77.48.28.248] 8854 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203300; rev:1;)
alert tcp $HOME_NET any -> [81.95.126.146] 4431 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203301; rev:1;)
alert tcp $HOME_NET any -> [198.100.127.43] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203302; rev:1;)
alert tcp $HOME_NET any -> [185.29.9.3] 9455 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203303; rev:1;)
alert tcp $HOME_NET any -> [204.152.219.120] 2556 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203304; rev:1;)
alert tcp $HOME_NET any -> [46.183.217.22] 1608 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203305; rev:1;)
alert tcp $HOME_NET any -> [84.200.65.35] 7274 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203306; rev:1;)
alert tcp $HOME_NET any -> [45.63.7.73] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203307; rev:1;)
alert tcp $HOME_NET any -> [198.100.157.155] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203308; rev:1;)
alert tcp $HOME_NET any -> [151.80.84.3] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203309; rev:1;)
alert tcp $HOME_NET any -> [77.48.28.232] 9978 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203310; rev:1;)
alert tcp $HOME_NET any -> [62.141.34.242] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203311; rev:1;)
alert tcp $HOME_NET any -> [91.236.116.138] 2010 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203312; rev:1;)
alert tcp $HOME_NET any -> [82.146.46.207] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203313; rev:1;)
alert tcp $HOME_NET any -> [24.184.200.177] 2222 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203314; rev:1;)
alert tcp $HOME_NET any -> [96.9.69.131] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203315; rev:1;)
alert tcp $HOME_NET any -> [5.172.34.138] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203316; rev:1;)
alert tcp $HOME_NET any -> [186.27.192.36] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203317; rev:1;)
alert tcp $HOME_NET any -> [188.124.170.93] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203318; rev:1;)
alert tcp $HOME_NET any -> [5.101.4.41] 443 (msg:"SSLBL: Traffic to malicious host (likely Neutrino C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203319; rev:1;)
alert tcp $HOME_NET any -> [117.99.183.127] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203320; rev:1;)
alert tcp $HOME_NET any -> [46.102.152.208] 1350 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203321; rev:1;)
alert tcp $HOME_NET any -> [174.127.99.250] 7777 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203322; rev:1;)
alert tcp $HOME_NET any -> [5.175.225.33] 1177 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203323; rev:1;)
alert tcp $HOME_NET any -> [186.208.106.234] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203324; rev:1;)
alert tcp $HOME_NET any -> [154.73.28.239] 78 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203325; rev:1;)
alert tcp $HOME_NET any -> [174.127.99.172] 8484 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203326; rev:1;)
alert tcp $HOME_NET any -> [186.107.17.157] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203327; rev:1;)
alert tcp $HOME_NET any -> [104.153.108.111] 9200 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203328; rev:1;)
alert tcp $HOME_NET any -> [195.88.209.221] 4413 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203329; rev:1;)
alert tcp $HOME_NET any -> [185.92.239.14] 7755 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203330; rev:1;)
alert tcp $HOME_NET any -> [217.197.39.1] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203331; rev:1;)
alert tcp $HOME_NET any -> [178.32.255.130] 44343 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203332; rev:1;)
alert tcp $HOME_NET any -> [91.219.28.55] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203333; rev:1;)
alert tcp $HOME_NET any -> [181.215.47.182] 2087 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203334; rev:1;)
alert tcp $HOME_NET any -> [178.175.138.146] 1011 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203335; rev:1;)
alert tcp $HOME_NET any -> [174.127.99.178] 5001 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203336; rev:1;)
alert tcp $HOME_NET any -> [79.172.242.28] 7272 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203337; rev:1;)
alert tcp $HOME_NET any -> [195.54.162.230] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203338; rev:1;)
alert tcp $HOME_NET any -> [71.79.50.183] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203339; rev:1;)
alert tcp $HOME_NET any -> [208.87.225.248] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203340; rev:1;)
alert tcp $HOME_NET any -> [185.75.59.226] 9945 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203341; rev:1;)
alert tcp $HOME_NET any -> [45.51.20.176] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203342; rev:1;)
alert tcp $HOME_NET any -> [202.195.246.3] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203343; rev:1;)
alert tcp $HOME_NET any -> [149.62.168.5] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203344; rev:1;)
alert tcp $HOME_NET any -> [185.98.86.242] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203345; rev:1;)
alert tcp $HOME_NET any -> [81.12.229.190] 8043 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203346; rev:1;)
alert tcp $HOME_NET any -> [194.1.238.206] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203347; rev:1;)
alert tcp $HOME_NET any -> [68.169.52.216] 44343 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203348; rev:1;)
alert tcp $HOME_NET any -> [185.145.253.60] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203349; rev:1;)
alert tcp $HOME_NET any -> [216.66.0.143] 5353 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203350; rev:1;)
alert tcp $HOME_NET any -> [104.236.252.178] 44343 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203351; rev:1;)
alert tcp $HOME_NET any -> [217.182.53.102] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203352; rev:1;)
alert tcp $HOME_NET any -> [203.76.105.82] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203353; rev:1;)
alert tcp $HOME_NET any -> [178.62.65.89] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203354; rev:1;)
alert tcp $HOME_NET any -> [158.69.209.193] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203355; rev:1;)
alert tcp $HOME_NET any -> [37.120.172.171] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203356; rev:1;)
alert tcp $HOME_NET any -> [8.8.247.36] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203357; rev:1;)
alert tcp $HOME_NET any -> [107.170.0.14] 8043 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203358; rev:1;)
alert tcp $HOME_NET any -> [92.63.111.201] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203359; rev:1;)
alert tcp $HOME_NET any -> [107.181.255.244] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203360; rev:1;)
alert tcp $HOME_NET any -> [107.170.4.194] 943 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203361; rev:1;)
alert tcp $HOME_NET any -> [107.170.146.72] 44343 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203362; rev:1;)
alert tcp $HOME_NET any -> [203.92.62.46] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203363; rev:1;)
alert tcp $HOME_NET any -> [117.204.131.25] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203364; rev:1;)
alert tcp $HOME_NET any -> [161.10.212.151] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203365; rev:1;)
alert tcp $HOME_NET any -> [185.35.139.248] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203366; rev:1;)
alert tcp $HOME_NET any -> [200.116.206.58] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203367; rev:1;)
alert tcp $HOME_NET any -> [93.170.104.145] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203368; rev:1;)
alert tcp $HOME_NET any -> [200.120.214.150] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203369; rev:1;)
alert tcp $HOME_NET any -> [185.158.249.46] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203370; rev:1;)
alert tcp $HOME_NET any -> [175.136.183.22] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203371; rev:1;)
alert tcp $HOME_NET any -> [91.200.14.88] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203372; rev:1;)
alert tcp $HOME_NET any -> [183.87.11.253] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203373; rev:1;)
alert tcp $HOME_NET any -> [83.141.2.155] 8043 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203374; rev:1;)
alert tcp $HOME_NET any -> [103.4.18.170] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203375; rev:1;)
alert tcp $HOME_NET any -> [5.237.63.68] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203376; rev:1;)
alert tcp $HOME_NET any -> [35.187.46.239] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203377; rev:1;)
alert tcp $HOME_NET any -> [52.38.159.164] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203378; rev:1;)
alert tcp $HOME_NET any -> [64.250.115.129] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203379; rev:1;)
alert tcp $HOME_NET any -> [190.99.203.251] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203380; rev:1;)
alert tcp $HOME_NET any -> [185.35.138.117] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203381; rev:1;)
alert tcp $HOME_NET any -> [186.112.78.150] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203382; rev:1;)
alert tcp $HOME_NET any -> [190.68.87.97] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203383; rev:1;)
alert tcp $HOME_NET any -> [85.143.214.43] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203384; rev:1;)
alert tcp $HOME_NET any -> [36.66.107.162] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203385; rev:1;)
alert tcp $HOME_NET any -> [50.198.141.161] 2222 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203386; rev:1;)
alert tcp $HOME_NET any -> [94.102.55.27] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203387; rev:1;)
alert tcp $HOME_NET any -> [186.112.44.52] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203388; rev:1;)
alert tcp $HOME_NET any -> [178.57.222.136] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203389; rev:1;)
alert tcp $HOME_NET any -> [89.33.64.134] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203390; rev:1;)
alert tcp $HOME_NET any -> [107.181.187.101] 443 (msg:"SSLBL: Traffic to malicious host (likely PandaZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203391; rev:1;)
alert tcp $HOME_NET any -> [191.110.143.138] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203392; rev:1;)
alert tcp $HOME_NET any -> [71.233.66.243] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203393; rev:1;)
alert tcp $HOME_NET any -> [61.3.147.231] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203394; rev:1;)
alert tcp $HOME_NET any -> [52.25.108.4] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203395; rev:1;)
alert tcp $HOME_NET any -> [144.208.127.72] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203396; rev:1;)
alert tcp $HOME_NET any -> [186.114.103.155] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203397; rev:1;)
alert tcp $HOME_NET any -> [5.135.186.189] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203398; rev:1;)
alert tcp $HOME_NET any -> [192.254.133.59] 4143 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203399; rev:1;)
alert tcp $HOME_NET any -> [66.165.13.205] 32103 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203400; rev:1;)
alert tcp $HOME_NET any -> [84.42.159.138] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203401; rev:1;)
alert tcp $HOME_NET any -> [47.188.109.209] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203402; rev:1;)
alert tcp $HOME_NET any -> [104.236.181.85] 3443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203403; rev:1;)
alert tcp $HOME_NET any -> [149.56.9.218] 8043 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203404; rev:1;)
alert tcp $HOME_NET any -> [37.187.57.57] 8043 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203405; rev:1;)
alert tcp $HOME_NET any -> [179.32.209.39] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203406; rev:1;)
alert tcp $HOME_NET any -> [186.27.246.62] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203407; rev:1;)
alert tcp $HOME_NET any -> [67.87.108.136] 2222 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203408; rev:1;)
alert tcp $HOME_NET any -> [217.182.45.166] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203409; rev:1;)
alert tcp $HOME_NET any -> [144.217.16.189] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203410; rev:1;)
alert tcp $HOME_NET any -> [97.103.16.213] 995 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203411; rev:1;)
alert tcp $HOME_NET any -> [174.135.45.106] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203412; rev:1;)
alert tcp $HOME_NET any -> [59.125.50.132] 44443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203413; rev:1;)
alert tcp $HOME_NET any -> [95.158.148.249] 3443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203414; rev:1;)
alert tcp $HOME_NET any -> [58.182.10.7] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203415; rev:1;)
alert tcp $HOME_NET any -> [62.76.177.50] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203416; rev:1;)
alert tcp $HOME_NET any -> [190.67.98.69] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203417; rev:1;)
alert tcp $HOME_NET any -> [80.51.120.132] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203418; rev:1;)
alert tcp $HOME_NET any -> [98.194.132.179] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203419; rev:1;)
alert tcp $HOME_NET any -> [89.242.200.242] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203420; rev:1;)
alert tcp $HOME_NET any -> [190.66.212.225] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203421; rev:1;)
alert tcp $HOME_NET any -> [193.238.152.67] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203422; rev:1;)
alert tcp $HOME_NET any -> [117.221.26.63] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203423; rev:1;)
alert tcp $HOME_NET any -> [139.129.250.122] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203424; rev:1;)
alert tcp $HOME_NET any -> [45.74.41.34] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203425; rev:1;)
alert tcp $HOME_NET any -> [113.167.98.166] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203426; rev:1;)
alert tcp $HOME_NET any -> [161.18.100.218] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203427; rev:1;)
alert tcp $HOME_NET any -> [186.27.233.210] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203428; rev:1;)
alert tcp $HOME_NET any -> [2.220.18.203] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203429; rev:1;)
alert tcp $HOME_NET any -> [120.24.84.63] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203430; rev:1;)
alert tcp $HOME_NET any -> [73.27.36.186] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203431; rev:1;)
alert tcp $HOME_NET any -> [150.31.38.94] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203432; rev:1;)
alert tcp $HOME_NET any -> [182.18.152.103] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203433; rev:1;)
alert tcp $HOME_NET any -> [185.16.41.108] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203434; rev:1;)
alert tcp $HOME_NET any -> [185.98.86.131] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203435; rev:1;)
alert tcp $HOME_NET any -> [95.68.112.253] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203436; rev:1;)
alert tcp $HOME_NET any -> [97.126.1.61] 990 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203437; rev:1;)
alert tcp $HOME_NET any -> [173.25.234.18] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203438; rev:1;)
alert tcp $HOME_NET any -> [104.207.153.107] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203439; rev:1;)
alert tcp $HOME_NET any -> [190.238.62.69] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203440; rev:1;)
alert tcp $HOME_NET any -> [67.231.16.71] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203441; rev:1;)
alert tcp $HOME_NET any -> [89.163.220.168] 1443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203442; rev:1;)
alert tcp $HOME_NET any -> [62.109.13.107] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203443; rev:1;)
alert tcp $HOME_NET any -> [195.174.126.121] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203444; rev:1;)
alert tcp $HOME_NET any -> [205.186.129.254] 8043 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203445; rev:1;)
alert tcp $HOME_NET any -> [91.203.145.34] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203446; rev:1;)
alert tcp $HOME_NET any -> [192.3.165.10] 8043 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203447; rev:1;)
alert tcp $HOME_NET any -> [190.69.239.72] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203448; rev:1;)
alert tcp $HOME_NET any -> [185.98.86.114] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203449; rev:1;)
alert tcp $HOME_NET any -> [59.96.182.66] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203450; rev:1;)
alert tcp $HOME_NET any -> [85.85.140.82] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203451; rev:1;)
alert tcp $HOME_NET any -> [24.6.98.88] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203452; rev:1;)
alert tcp $HOME_NET any -> [71.88.202.122] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203453; rev:1;)
alert tcp $HOME_NET any -> [76.177.4.114] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203454; rev:1;)
alert tcp $HOME_NET any -> [73.176.255.26] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203455; rev:1;)
alert tcp $HOME_NET any -> [89.154.213.154] 2222 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203456; rev:1;)
alert tcp $HOME_NET any -> [203.92.62.46] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203457; rev:1;)
alert tcp $HOME_NET any -> [27.3.86.221] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203458; rev:1;)
alert tcp $HOME_NET any -> [105.227.190.124] 995 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203459; rev:1;)
alert tcp $HOME_NET any -> [5.188.223.7] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203460; rev:1;)
alert tcp $HOME_NET any -> [193.0.178.77] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203461; rev:1;)
alert tcp $HOME_NET any -> [62.75.197.233] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203462; rev:1;)
alert tcp $HOME_NET any -> [171.61.232.165] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203463; rev:1;)
alert tcp $HOME_NET any -> [105.224.196.216] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203464; rev:1;)
alert tcp $HOME_NET any -> [166.149.168.187] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203465; rev:1;)
alert tcp $HOME_NET any -> [74.193.105.104] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203466; rev:1;)
alert tcp $HOME_NET any -> [180.93.69.228] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203467; rev:1;)
alert tcp $HOME_NET any -> [74.138.222.130] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203468; rev:1;)
alert tcp $HOME_NET any -> [31.14.145.250] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203469; rev:1;)
alert tcp $HOME_NET any -> [2.126.55.140] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203470; rev:1;)
alert tcp $HOME_NET any -> [185.80.53.125] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203471; rev:1;)
alert tcp $HOME_NET any -> [98.191.105.101] 995 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203472; rev:1;)
alert tcp $HOME_NET any -> [47.22.21.180] 995 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203473; rev:1;)
alert tcp $HOME_NET any -> [5.196.201.100] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203474; rev:1;)
alert tcp $HOME_NET any -> [78.190.54.45] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203475; rev:1;)
alert tcp $HOME_NET any -> [190.138.249.45] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203476; rev:1;)
alert tcp $HOME_NET any -> [201.232.32.124] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203477; rev:1;)
alert tcp $HOME_NET any -> [24.119.14.82] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203478; rev:1;)
alert tcp $HOME_NET any -> [74.5.136.50] 990 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203479; rev:1;)
alert tcp $HOME_NET any -> [116.108.114.214] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203480; rev:1;)
alert tcp $HOME_NET any -> [70.48.48.240] 2222 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203481; rev:1;)
alert tcp $HOME_NET any -> [178.32.107.190] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203482; rev:1;)
alert tcp $HOME_NET any -> [124.171.125.94] 2222 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203483; rev:1;)
alert tcp $HOME_NET any -> [73.26.63.118] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203484; rev:1;)
alert tcp $HOME_NET any -> [50.102.69.43] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203485; rev:1;)
alert tcp $HOME_NET any -> [217.13.119.81] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203486; rev:1;)
alert tcp $HOME_NET any -> [179.49.120.5] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203487; rev:1;)
alert tcp $HOME_NET any -> [8.8.247.90] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203488; rev:1;)
alert tcp $HOME_NET any -> [198.167.136.139] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203489; rev:1;)
alert tcp $HOME_NET any -> [122.174.13.63] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203490; rev:1;)
alert tcp $HOME_NET any -> [27.111.40.234] 3443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203491; rev:1;)
alert tcp $HOME_NET any -> [190.99.143.23] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203492; rev:1;)
alert tcp $HOME_NET any -> [76.74.178.144] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203493; rev:1;)
alert tcp $HOME_NET any -> [185.181.9.40] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203494; rev:1;)
alert tcp $HOME_NET any -> [91.227.18.48] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203495; rev:1;)
alert tcp $HOME_NET any -> [200.120.214.150] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203496; rev:1;)
alert tcp $HOME_NET any -> [54.164.51.39] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203497; rev:1;)
alert tcp $HOME_NET any -> [144.217.33.200] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203498; rev:1;)
alert tcp $HOME_NET any -> [95.59.26.137] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203499; rev:1;)
alert tcp $HOME_NET any -> [85.104.229.104] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203500; rev:1;)
alert tcp $HOME_NET any -> [5.107.46.130] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203501; rev:1;)
alert tcp $HOME_NET any -> [154.16.159.122] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203502; rev:1;)
alert tcp $HOME_NET any -> [46.173.219.212] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203503; rev:1;)
alert tcp $HOME_NET any -> [136.243.87.113] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203504; rev:1;)
alert tcp $HOME_NET any -> [85.101.189.216] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203505; rev:1;)
alert tcp $HOME_NET any -> [185.181.10.30] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203506; rev:1;)
alert tcp $HOME_NET any -> [195.123.212.86] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203507; rev:1;)
alert tcp $HOME_NET any -> [23.239.85.14] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203508; rev:1;)
alert tcp $HOME_NET any -> [186.119.35.127] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203509; rev:1;)
alert tcp $HOME_NET any -> [2.190.245.212] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203510; rev:1;)
alert tcp $HOME_NET any -> [190.99.183.77] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203511; rev:1;)
alert tcp $HOME_NET any -> [191.109.33.76] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203512; rev:1;)
alert tcp $HOME_NET any -> [125.26.255.230] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203513; rev:1;)
alert tcp $HOME_NET any -> [103.28.71.118] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203514; rev:1;)
alert tcp $HOME_NET any -> [188.127.237.70] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203515; rev:1;)
alert tcp $HOME_NET any -> [190.254.235.168] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203516; rev:1;)
alert tcp $HOME_NET any -> [52.70.122.231] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203517; rev:1;)
alert tcp $HOME_NET any -> [159.226.92.9] 4431 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203518; rev:1;)
alert tcp $HOME_NET any -> [101.201.67.82] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203519; rev:1;)
alert tcp $HOME_NET any -> [47.18.17.114] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203520; rev:1;)
alert tcp $HOME_NET any -> [185.31.209.41] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203521; rev:1;)
alert tcp $HOME_NET any -> [178.250.243.146] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203522; rev:1;)
alert tcp $HOME_NET any -> [185.146.1.36] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203523; rev:1;)
alert tcp $HOME_NET any -> [80.90.203.245] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203524; rev:1;)
alert tcp $HOME_NET any -> [82.30.148.143] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203525; rev:1;)
alert tcp $HOME_NET any -> [5.101.120.73] 8343 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203526; rev:1;)
alert tcp $HOME_NET any -> [81.130.206.62] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203527; rev:1;)
alert tcp $HOME_NET any -> [117.220.210.235] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203528; rev:1;)
alert tcp $HOME_NET any -> [188.127.249.70] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203529; rev:1;)
alert tcp $HOME_NET any -> [136.243.209.34] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203530; rev:1;)
alert tcp $HOME_NET any -> [170.81.24.154] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203531; rev:1;)
alert tcp $HOME_NET any -> [103.17.72.238] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203532; rev:1;)
alert tcp $HOME_NET any -> [5.107.29.149] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203533; rev:1;)
alert tcp $HOME_NET any -> [212.116.113.184] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203534; rev:1;)
alert tcp $HOME_NET any -> [194.190.161.63] 1503 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203535; rev:1;)
alert tcp $HOME_NET any -> [188.226.154.38] 2221 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203536; rev:1;)
alert tcp $HOME_NET any -> [91.121.30.169] 4431 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203537; rev:1;)
alert tcp $HOME_NET any -> [51.254.129.140] 4443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203538; rev:1;)
alert tcp $HOME_NET any -> [186.115.225.54] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203539; rev:1;)
alert tcp $HOME_NET any -> [146.185.243.51] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203540; rev:1;)
alert tcp $HOME_NET any -> [52.33.54.94] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203541; rev:1;)
alert tcp $HOME_NET any -> [176.31.252.15] 443 (msg:"SSLBL: Traffic to malicious host (likely Nexuslogger C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203542; rev:1;)
alert tcp $HOME_NET any -> [194.58.122.43] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203543; rev:1;)
alert tcp $HOME_NET any -> [151.248.121.8] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203544; rev:1;)
alert tcp $HOME_NET any -> [178.208.81.147] 443 (msg:"SSLBL: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203545; rev:1;)
alert tcp $HOME_NET any -> [213.25.134.101] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203546; rev:1;)
alert tcp $HOME_NET any -> [186.27.132.164] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203547; rev:1;)
alert tcp $HOME_NET any -> [185.156.179.96] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203548; rev:1;)
alert tcp $HOME_NET any -> [69.61.83.121] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203549; rev:1;)
alert tcp $HOME_NET any -> [109.235.76.95] 1843 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203550; rev:1;)
alert tcp $HOME_NET any -> [209.20.67.87] 5353 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203551; rev:1;)
alert tcp $HOME_NET any -> [194.150.118.25] 3101 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203552; rev:1;)
alert tcp $HOME_NET any -> [31.184.198.27] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203553; rev:1;)
alert tcp $HOME_NET any -> [62.221.97.151] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203554; rev:1;)
alert tcp $HOME_NET any -> [217.29.220.255] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203555; rev:1;)
alert tcp $HOME_NET any -> [144.76.2.182] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203556; rev:1;)
alert tcp $HOME_NET any -> [191.113.180.68] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203557; rev:1;)
alert tcp $HOME_NET any -> [88.202.188.35] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203558; rev:1;)
alert tcp $HOME_NET any -> [193.238.152.198] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203559; rev:1;)
alert tcp $HOME_NET any -> [190.68.232.25] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203560; rev:1;)
alert tcp $HOME_NET any -> [93.113.131.123] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203561; rev:1;)
alert tcp $HOME_NET any -> [79.137.13.22] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203562; rev:1;)
alert tcp $HOME_NET any -> [216.55.182.20] 4431 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203563; rev:1;)
alert tcp $HOME_NET any -> [114.215.223.85] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203564; rev:1;)
alert tcp $HOME_NET any -> [81.130.131.55] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203565; rev:1;)
alert tcp $HOME_NET any -> [84.234.75.108] 4431 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203566; rev:1;)
alert tcp $HOME_NET any -> [68.169.45.193] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203567; rev:1;)
alert tcp $HOME_NET any -> [62.109.2.195] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203568; rev:1;)
alert tcp $HOME_NET any -> [31.31.168.26] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203569; rev:1;)
alert tcp $HOME_NET any -> [212.227.105.182] 8343 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203570; rev:1;)
alert tcp $HOME_NET any -> [192.111.142.39] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203571; rev:1;)
alert tcp $HOME_NET any -> [209.20.67.87] 4432 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203572; rev:1;)
alert tcp $HOME_NET any -> [86.120.81.103] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203573; rev:1;)
alert tcp $HOME_NET any -> [173.212.200.226] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203574; rev:1;)
alert tcp $HOME_NET any -> [31.13.163.72] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203575; rev:1;)
alert tcp $HOME_NET any -> [107.182.236.109] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203576; rev:1;)
alert tcp $HOME_NET any -> [46.72.12.164] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203577; rev:1;)
alert tcp $HOME_NET any -> [93.119.123.134] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203578; rev:1;)
alert tcp $HOME_NET any -> [5.239.214.127] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203579; rev:1;)
alert tcp $HOME_NET any -> [91.217.90.128] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203580; rev:1;)
alert tcp $HOME_NET any -> [186.115.48.68] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203581; rev:1;)
alert tcp $HOME_NET any -> [188.227.17.6] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203582; rev:1;)
alert tcp $HOME_NET any -> [154.0.171.105] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203583; rev:1;)
alert tcp $HOME_NET any -> [77.236.97.60] 4433 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203584; rev:1;)
alert tcp $HOME_NET any -> [188.227.173.38] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203585; rev:1;)
alert tcp $HOME_NET any -> [82.99.60.26] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203586; rev:1;)
alert tcp $HOME_NET any -> [185.77.131.102] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203587; rev:1;)
alert tcp $HOME_NET any -> [185.15.185.209] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203588; rev:1;)
alert tcp $HOME_NET any -> [5.196.129.108] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203589; rev:1;)
alert tcp $HOME_NET any -> [94.177.189.240] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203590; rev:1;)
alert tcp $HOME_NET any -> [186.27.188.184] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203591; rev:1;)
alert tcp $HOME_NET any -> [23.94.38.151] 4431 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203592; rev:1;)
alert tcp $HOME_NET any -> [220.233.135.250] 8443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203593; rev:1;)
alert tcp $HOME_NET any -> [193.204.38.28] 4431 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203594; rev:1;)
alert tcp $HOME_NET any -> [81.147.99.122] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203595; rev:1;)
alert tcp $HOME_NET any -> [186.113.121.138] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203596; rev:1;)
alert tcp $HOME_NET any -> [5.249.154.143] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203597; rev:1;)
alert tcp $HOME_NET any -> [179.33.92.17] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203598; rev:1;)
alert tcp $HOME_NET any -> [92.96.1.58] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203599; rev:1;)
alert tcp $HOME_NET any -> [51.254.39.113] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203600; rev:1;)
alert tcp $HOME_NET any -> [95.81.78.201] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203601; rev:1;)
alert tcp $HOME_NET any -> [46.11.36.216] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203602; rev:1;)
alert tcp $HOME_NET any -> [45.55.86.6] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203603; rev:1;)
alert tcp $HOME_NET any -> [222.254.22.64] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203604; rev:1;)
alert tcp $HOME_NET any -> [186.118.237.18] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203605; rev:1;)
alert tcp $HOME_NET any -> [114.37.52.2] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203606; rev:1;)
alert tcp $HOME_NET any -> [31.31.9.153] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203607; rev:1;)
alert tcp $HOME_NET any -> [5.188.232.10] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203608; rev:1;)
alert tcp $HOME_NET any -> [179.32.98.86] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203609; rev:1;)
alert tcp $HOME_NET any -> [89.46.78.221] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203610; rev:1;)
alert tcp $HOME_NET any -> [85.85.138.188] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203611; rev:1;)
alert tcp $HOME_NET any -> [80.112.73.129] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203612; rev:1;)
alert tcp $HOME_NET any -> [92.222.129.145] 4431 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203613; rev:1;)
alert tcp $HOME_NET any -> [91.103.2.132] 4431 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203614; rev:1;)
alert tcp $HOME_NET any -> [85.214.91.74] 4431 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203615; rev:1;)
alert tcp $HOME_NET any -> [94.177.175.55] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203616; rev:1;)
alert tcp $HOME_NET any -> [91.221.37.6] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203617; rev:1;)
alert tcp $HOME_NET any -> [93.132.4.208] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203618; rev:1;)
alert tcp $HOME_NET any -> [23.227.201.27] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203619; rev:1;)
alert tcp $HOME_NET any -> [190.99.185.101] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203620; rev:1;)
alert tcp $HOME_NET any -> [93.189.43.164] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203621; rev:1;)
alert tcp $HOME_NET any -> [82.196.5.27] 8343 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203622; rev:1;)
alert tcp $HOME_NET any -> [207.35.75.110] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203623; rev:1;)
alert tcp $HOME_NET any -> [186.170.104.105] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203624; rev:1;)
alert tcp $HOME_NET any -> [89.223.26.112] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203625; rev:1;)
alert tcp $HOME_NET any -> [188.120.230.245] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203626; rev:1;)
alert tcp $HOME_NET any -> [185.101.94.187] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203627; rev:1;)
alert tcp $HOME_NET any -> [203.153.165.21] 8343 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203628; rev:1;)
alert tcp $HOME_NET any -> [192.188.58.163] 4431 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203629; rev:1;)
alert tcp $HOME_NET any -> [109.74.9.119] 4431 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203630; rev:1;)
alert tcp $HOME_NET any -> [69.43.168.214] 8343 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203631; rev:1;)
alert tcp $HOME_NET any -> [77.81.107.193] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203632; rev:1;)
alert tcp $HOME_NET any -> [77.246.149.92] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203633; rev:1;)
alert tcp $HOME_NET any -> [86.105.212.26] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203634; rev:1;)
alert tcp $HOME_NET any -> [176.9.238.164] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203635; rev:1;)
alert tcp $HOME_NET any -> [74.63.209.174] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203636; rev:1;)
alert tcp $HOME_NET any -> [212.200.111.170] 4431 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203637; rev:1;)
alert tcp $HOME_NET any -> [188.68.50.34] 4431 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203638; rev:1;)
alert tcp $HOME_NET any -> [71.6.155.196] 4431 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203639; rev:1;)
alert tcp $HOME_NET any -> [91.230.61.196] 443 (msg:"SSLBL: Traffic to malicious host (likely IcedID C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203640; rev:1;)
alert tcp $HOME_NET any -> [149.56.201.67] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203641; rev:1;)
alert tcp $HOME_NET any -> [83.54.108.164] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203642; rev:1;)
alert tcp $HOME_NET any -> [68.232.180.122] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203643; rev:1;)
alert tcp $HOME_NET any -> [201.236.219.180] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203644; rev:1;)
alert tcp $HOME_NET any -> [109.248.222.180] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203645; rev:1;)
alert tcp $HOME_NET any -> [185.48.56.205] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203646; rev:1;)
alert tcp $HOME_NET any -> [184.105.192.2] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203647; rev:1;)
alert tcp $HOME_NET any -> [216.126.199.179] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203648; rev:1;)
alert tcp $HOME_NET any -> [78.155.218.234] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203649; rev:1;)
alert tcp $HOME_NET any -> [91.235.129.199] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203650; rev:1;)
alert tcp $HOME_NET any -> [62.76.189.215] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203651; rev:1;)
alert tcp $HOME_NET any -> [90.63.214.213] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203652; rev:1;)
alert tcp $HOME_NET any -> [88.99.80.51] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203653; rev:1;)
alert tcp $HOME_NET any -> [209.95.52.140] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203654; rev:1;)
alert tcp $HOME_NET any -> [54.213.4.206] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203655; rev:1;)
alert tcp $HOME_NET any -> [5.199.129.213] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203656; rev:1;)
alert tcp $HOME_NET any -> [185.62.39.171] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203657; rev:1;)
alert tcp $HOME_NET any -> [179.33.157.217] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203658; rev:1;)
alert tcp $HOME_NET any -> [192.241.236.239] 8343 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203659; rev:1;)
alert tcp $HOME_NET any -> [216.127.161.5] 53443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203660; rev:1;)
alert tcp $HOME_NET any -> [93.189.43.28] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203661; rev:1;)
alert tcp $HOME_NET any -> [161.18.42.190] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203662; rev:1;)
alert tcp $HOME_NET any -> [167.88.8.189] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203663; rev:1;)
alert tcp $HOME_NET any -> [176.114.3.48] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203664; rev:1;)
alert tcp $HOME_NET any -> [185.117.72.11] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203665; rev:1;)
alert tcp $HOME_NET any -> [178.218.214.138] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203666; rev:1;)
alert tcp $HOME_NET any -> [89.248.170.232] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203667; rev:1;)
alert tcp $HOME_NET any -> [79.100.73.20] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203668; rev:1;)
alert tcp $HOME_NET any -> [89.36.216.204] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203669; rev:1;)
alert tcp $HOME_NET any -> [85.25.236.32] 40443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203670; rev:1;)
alert tcp $HOME_NET any -> [188.120.249.30] 4431 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203671; rev:1;)
alert tcp $HOME_NET any -> [185.118.66.80] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203672; rev:1;)
alert tcp $HOME_NET any -> [192.3.21.24] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203673; rev:1;)
alert tcp $HOME_NET any -> [31.24.30.182] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203674; rev:1;)
alert tcp $HOME_NET any -> [94.177.229.198] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203675; rev:1;)
alert tcp $HOME_NET any -> [192.189.25.148] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203676; rev:1;)
alert tcp $HOME_NET any -> [144.217.47.3] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203677; rev:1;)
alert tcp $HOME_NET any -> [104.222.145.137] 1805 (msg:"SSLBL: Traffic to malicious host (likely Adwind C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203678; rev:1;)
alert tcp $HOME_NET any -> [85.143.210.193] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203679; rev:1;)
alert tcp $HOME_NET any -> [178.218.78.15] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203680; rev:1;)
alert tcp $HOME_NET any -> [216.218.208.114] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203681; rev:1;)
alert tcp $HOME_NET any -> [192.189.25.143] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203682; rev:1;)
alert tcp $HOME_NET any -> [179.60.147.99] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203683; rev:1;)
alert tcp $HOME_NET any -> [5.149.249.178] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203684; rev:1;)
alert tcp $HOME_NET any -> [95.46.44.35] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203685; rev:1;)
alert tcp $HOME_NET any -> [154.16.245.154] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203686; rev:1;)
alert tcp $HOME_NET any -> [185.15.245.114] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203687; rev:1;)
alert tcp $HOME_NET any -> [172.245.62.117] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203688; rev:1;)
alert tcp $HOME_NET any -> [188.127.237.245] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203689; rev:1;)
alert tcp $HOME_NET any -> [151.242.20.227] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203690; rev:1;)
alert tcp $HOME_NET any -> [89.40.124.71] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203691; rev:1;)
alert tcp $HOME_NET any -> [198.24.151.214] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203692; rev:1;)
alert tcp $HOME_NET any -> [184.18.128.137] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203693; rev:1;)
alert tcp $HOME_NET any -> [195.133.144.94] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203694; rev:1;)
alert tcp $HOME_NET any -> [62.109.6.44] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203695; rev:1;)
alert tcp $HOME_NET any -> [77.246.144.227] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203696; rev:1;)
alert tcp $HOME_NET any -> [36.37.176.6] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203697; rev:1;)
alert tcp $HOME_NET any -> [88.246.171.125] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203698; rev:1;)
alert tcp $HOME_NET any -> [185.141.25.220] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203699; rev:1;)
alert tcp $HOME_NET any -> [107.171.180.198] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203700; rev:1;)
alert tcp $HOME_NET any -> [192.189.25.142] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203701; rev:1;)
alert tcp $HOME_NET any -> [62.109.12.173] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203702; rev:1;)
alert tcp $HOME_NET any -> [87.98.163.119] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203703; rev:1;)
alert tcp $HOME_NET any -> [185.62.189.83] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203704; rev:1;)
alert tcp $HOME_NET any -> [2.89.220.124] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203705; rev:1;)
alert tcp $HOME_NET any -> [185.17.120.166] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203706; rev:1;)
alert tcp $HOME_NET any -> [185.25.50.12] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203707; rev:1;)
alert tcp $HOME_NET any -> [91.134.123.102] 443 (msg:"SSLBL: Traffic to malicious host (likely Flokibot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203708; rev:1;)
alert tcp $HOME_NET any -> [178.159.38.42] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203709; rev:1;)
alert tcp $HOME_NET any -> [146.148.124.166] 443 (msg:"SSLBL: Traffic to malicious host (likely Sinkhole traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203710; rev:1;)
alert tcp $HOME_NET any -> [104.223.21.3] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203711; rev:1;)
alert tcp $HOME_NET any -> [185.15.208.238] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203712; rev:1;)
alert tcp $HOME_NET any -> [83.220.168.42] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203713; rev:1;)
alert tcp $HOME_NET any -> [89.46.73.127] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203714; rev:1;)
alert tcp $HOME_NET any -> [71.228.17.79] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203715; rev:1;)
alert tcp $HOME_NET any -> [77.246.158.191] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203716; rev:1;)
alert tcp $HOME_NET any -> [37.1.213.189] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203717; rev:1;)
alert tcp $HOME_NET any -> [146.120.110.163] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203718; rev:1;)
alert tcp $HOME_NET any -> [188.214.179.241] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203719; rev:1;)
alert tcp $HOME_NET any -> [72.249.144.95] 8343 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203720; rev:1;)
alert tcp $HOME_NET any -> [193.28.179.165] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203721; rev:1;)
alert tcp $HOME_NET any -> [178.128.197.167] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203722; rev:1;)
alert tcp $HOME_NET any -> [185.25.50.107] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203723; rev:1;)
alert tcp $HOME_NET any -> [62.109.13.10] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203724; rev:1;)
alert tcp $HOME_NET any -> [195.123.211.126] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203725; rev:1;)
alert tcp $HOME_NET any -> [89.40.127.231] 80 (msg:"SSLBL: Traffic to malicious host (likely Tuhkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203726; rev:1;)
alert tcp $HOME_NET any -> [62.76.190.162] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203727; rev:1;)
alert tcp $HOME_NET any -> [161.139.21.48] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203728; rev:1;)
alert tcp $HOME_NET any -> [193.28.179.163] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203729; rev:1;)
alert tcp $HOME_NET any -> [62.109.13.55] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203730; rev:1;)
alert tcp $HOME_NET any -> [41.188.91.188] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203731; rev:1;)
alert tcp $HOME_NET any -> [185.31.208.248] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203732; rev:1;)
alert tcp $HOME_NET any -> [188.126.72.179] 12443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203733; rev:1;)
alert tcp $HOME_NET any -> [174.37.216.226] 8343 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203734; rev:1;)
alert tcp $HOME_NET any -> [166.78.144.68] 8343 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203735; rev:1;)
alert tcp $HOME_NET any -> [185.125.32.118] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203736; rev:1;)
alert tcp $HOME_NET any -> [193.107.111.164] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203737; rev:1;)
alert tcp $HOME_NET any -> [81.177.13.236] 447 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203738; rev:1;)
alert tcp $HOME_NET any -> [116.100.211.197] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203739; rev:1;)
alert tcp $HOME_NET any -> [83.20.96.160] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203740; rev:1;)
alert tcp $HOME_NET any -> [82.146.32.87] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203741; rev:1;)
alert tcp $HOME_NET any -> [137.74.194.227] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203742; rev:1;)
alert tcp $HOME_NET any -> [54.235.86.173] 13443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203743; rev:1;)
alert tcp $HOME_NET any -> [149.210.158.54] 53443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203744; rev:1;)
alert tcp $HOME_NET any -> [62.109.13.25] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203745; rev:1;)
alert tcp $HOME_NET any -> [62.109.13.69] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203746; rev:1;)
alert tcp $HOME_NET any -> [94.23.169.75] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203747; rev:1;)
alert tcp $HOME_NET any -> [62.76.189.48] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203748; rev:1;)
alert tcp $HOME_NET any -> [96.9.244.10] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203749; rev:1;)
alert tcp $HOME_NET any -> [78.8.109.89] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203750; rev:1;)
alert tcp $HOME_NET any -> [76.69.91.161] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203751; rev:1;)
alert tcp $HOME_NET any -> [93.122.165.54] 18443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203752; rev:1;)
alert tcp $HOME_NET any -> [193.136.97.4] 13443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203753; rev:1;)
alert tcp $HOME_NET any -> [87.254.45.29] 40443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203754; rev:1;)
alert tcp $HOME_NET any -> [94.177.247.74] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203755; rev:1;)
alert tcp $HOME_NET any -> [79.129.123.204] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203756; rev:1;)
alert tcp $HOME_NET any -> [122.164.197.0] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203757; rev:1;)
alert tcp $HOME_NET any -> [5.187.0.177] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203758; rev:1;)
alert tcp $HOME_NET any -> [93.170.104.146] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203759; rev:1;)
alert tcp $HOME_NET any -> [93.170.104.146] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203760; rev:1;)
alert tcp $HOME_NET any -> [94.242.54.46] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203761; rev:1;)
alert tcp $HOME_NET any -> [87.236.215.21] 443 (msg:"SSLBL: Traffic to malicious host (likely Sofacy C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203762; rev:1;)
alert tcp $HOME_NET any -> [77.111.90.85] 18443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203763; rev:1;)
alert tcp $HOME_NET any -> [91.240.84.90] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203764; rev:1;)
alert tcp $HOME_NET any -> [185.117.73.207] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203765; rev:1;)
alert tcp $HOME_NET any -> [93.189.43.99] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203766; rev:1;)
alert tcp $HOME_NET any -> [96.9.244.114] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203767; rev:1;)
alert tcp $HOME_NET any -> [91.230.60.201] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203768; rev:1;)
alert tcp $HOME_NET any -> [185.51.246.38] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203769; rev:1;)
alert tcp $HOME_NET any -> [91.107.109.154] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203770; rev:1;)
alert tcp $HOME_NET any -> [185.82.202.173] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203771; rev:1;)
alert tcp $HOME_NET any -> [185.36.102.51] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203772; rev:1;)
alert tcp $HOME_NET any -> [146.185.254.45] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203773; rev:1;)
alert tcp $HOME_NET any -> [85.17.82.122] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203774; rev:1;)
alert tcp $HOME_NET any -> [31.184.196.81] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203775; rev:1;)
alert tcp $HOME_NET any -> [31.222.167.245] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203776; rev:1;)
alert tcp $HOME_NET any -> [167.114.248.76] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203777; rev:1;)
alert tcp $HOME_NET any -> [109.248.32.176] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203778; rev:1;)
alert tcp $HOME_NET any -> [188.120.248.192] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203779; rev:1;)
alert tcp $HOME_NET any -> [43.225.58.212] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203780; rev:1;)
alert tcp $HOME_NET any -> [23.108.245.93] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203781; rev:1;)
alert tcp $HOME_NET any -> [213.230.210.230] 53443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203782; rev:1;)
alert tcp $HOME_NET any -> [91.203.5.176] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203783; rev:1;)
alert tcp $HOME_NET any -> [151.248.123.176] 443 (msg:"SSLBL: Traffic to malicious host (likely Flokibot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203784; rev:1;)
alert tcp $HOME_NET any -> [185.75.46.13] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203785; rev:1;)
alert tcp $HOME_NET any -> [91.220.131.78] 50007 (msg:"SSLBL: Traffic to malicious host (likely Send-Safe C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203786; rev:1;)
alert tcp $HOME_NET any -> [46.105.218.106] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203787; rev:1;)
alert tcp $HOME_NET any -> [192.157.228.220] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203788; rev:1;)
alert tcp $HOME_NET any -> [197.27.36.50] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203789; rev:1;)
alert tcp $HOME_NET any -> [210.2.86.72] 3443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203790; rev:1;)
alert tcp $HOME_NET any -> [162.243.47.192] 1443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203791; rev:1;)
alert tcp $HOME_NET any -> [77.246.145.69] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203792; rev:1;)
alert tcp $HOME_NET any -> [88.212.220.119] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203793; rev:1;)
alert tcp $HOME_NET any -> [193.28.179.153] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203794; rev:1;)
alert tcp $HOME_NET any -> [46.161.40.101] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203795; rev:1;)
alert tcp $HOME_NET any -> [105.228.99.40] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203796; rev:1;)
alert tcp $HOME_NET any -> [83.217.11.179] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203797; rev:1;)
alert tcp $HOME_NET any -> [185.106.122.139] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203798; rev:1;)
alert tcp $HOME_NET any -> [187.199.114.3] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203799; rev:1;)
alert tcp $HOME_NET any -> [192.3.111.51] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203800; rev:1;)
alert tcp $HOME_NET any -> [83.220.174.41] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203801; rev:1;)
alert tcp $HOME_NET any -> [91.121.238.200] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203802; rev:1;)
alert tcp $HOME_NET any -> [149.154.71.223] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203803; rev:1;)
alert tcp $HOME_NET any -> [78.153.149.52] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203804; rev:1;)
alert tcp $HOME_NET any -> [198.20.239.21] 4453 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203805; rev:1;)
alert tcp $HOME_NET any -> [120.138.18.110] 53443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203806; rev:1;)
alert tcp $HOME_NET any -> [46.101.10.156] 53443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203807; rev:1;)
alert tcp $HOME_NET any -> [46.229.58.234] 443 (msg:"SSLBL: Traffic to malicious host (likely Redyms C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203808; rev:1;)
alert tcp $HOME_NET any -> [110.164.205.225] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203809; rev:1;)
alert tcp $HOME_NET any -> [182.72.222.14] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203810; rev:1;)
alert tcp $HOME_NET any -> [82.77.104.71] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203811; rev:1;)
alert tcp $HOME_NET any -> [178.149.68.20] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203812; rev:1;)
alert tcp $HOME_NET any -> [2.176.118.127] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203813; rev:1;)
alert tcp $HOME_NET any -> [23.94.93.109] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203814; rev:1;)
alert tcp $HOME_NET any -> [138.201.69.137] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203815; rev:1;)
alert tcp $HOME_NET any -> [89.108.76.212] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203816; rev:1;)
alert tcp $HOME_NET any -> [189.1.172.49] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203817; rev:1;)
alert tcp $HOME_NET any -> [190.123.45.112] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203818; rev:1;)
alert tcp $HOME_NET any -> [103.199.16.56] 443 (msg:"SSLBL: Traffic to malicious host (likely Shifu C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203819; rev:1;)
alert tcp $HOME_NET any -> [92.222.219.26] 53443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203820; rev:1;)
alert tcp $HOME_NET any -> [37.48.106.49] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203821; rev:1;)
alert tcp $HOME_NET any -> [88.214.236.47] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203822; rev:1;)
alert tcp $HOME_NET any -> [91.244.19.186] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203823; rev:1;)
alert tcp $HOME_NET any -> [93.171.202.188] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203824; rev:1;)
alert tcp $HOME_NET any -> [188.120.248.28] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203825; rev:1;)
alert tcp $HOME_NET any -> [89.108.79.217] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203826; rev:1;)
alert tcp $HOME_NET any -> [212.8.245.68] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203827; rev:1;)
alert tcp $HOME_NET any -> [92.63.110.69] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203828; rev:1;)
alert tcp $HOME_NET any -> [82.146.36.87] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203829; rev:1;)
alert tcp $HOME_NET any -> [91.134.199.231] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203830; rev:1;)
alert tcp $HOME_NET any -> [193.9.28.24] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203831; rev:1;)
alert tcp $HOME_NET any -> [94.177.225.23] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203832; rev:1;)
alert tcp $HOME_NET any -> [96.9.244.115] 555 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203833; rev:1;)
alert tcp $HOME_NET any -> [5.39.47.12] 443 (msg:"SSLBL: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203834; rev:1;)
alert tcp $HOME_NET any -> [185.153.198.34] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203835; rev:1;)
alert tcp $HOME_NET any -> [194.1.236.149] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203836; rev:1;)
alert tcp $HOME_NET any -> [78.155.217.154] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203837; rev:1;)
alert tcp $HOME_NET any -> [91.220.131.174] 50007 (msg:"SSLBL: Traffic to malicious host (likely Send-Safe C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203838; rev:1;)
alert tcp $HOME_NET any -> [189.49.185.126] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203839; rev:1;)
alert tcp $HOME_NET any -> [185.40.152.22] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203840; rev:1;)
alert tcp $HOME_NET any -> [185.26.120.70] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203841; rev:1;)
alert tcp $HOME_NET any -> [31.184.233.105] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203842; rev:1;)
alert tcp $HOME_NET any -> [92.63.111.178] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203843; rev:1;)
alert tcp $HOME_NET any -> [52.77.110.77] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203844; rev:1;)
alert tcp $HOME_NET any -> [185.48.56.220] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203845; rev:1;)
alert tcp $HOME_NET any -> [46.38.52.233] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203846; rev:1;)
alert tcp $HOME_NET any -> [91.240.87.25] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203847; rev:1;)
alert tcp $HOME_NET any -> [195.123.209.94] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203848; rev:1;)
alert tcp $HOME_NET any -> [95.213.139.101] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203849; rev:1;)
alert tcp $HOME_NET any -> [85.143.209.126] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203850; rev:1;)
alert tcp $HOME_NET any -> [185.155.96.110] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203851; rev:1;)
alert tcp $HOME_NET any -> [185.118.166.73] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203852; rev:1;)
alert tcp $HOME_NET any -> [88.214.207.43] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203853; rev:1;)
alert tcp $HOME_NET any -> [79.110.251.102] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203854; rev:1;)
alert tcp $HOME_NET any -> [173.89.28.70] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203855; rev:1;)
alert tcp $HOME_NET any -> [91.221.37.164] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203856; rev:1;)
alert tcp $HOME_NET any -> [31.43.41.51] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203857; rev:1;)
alert tcp $HOME_NET any -> [37.48.106.50] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203858; rev:1;)
alert tcp $HOME_NET any -> [91.200.14.81] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203859; rev:1;)
alert tcp $HOME_NET any -> [212.116.113.163] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203860; rev:1;)
alert tcp $HOME_NET any -> [23.253.210.81] 53443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203861; rev:1;)
alert tcp $HOME_NET any -> [185.15.208.195] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203862; rev:1;)
alert tcp $HOME_NET any -> [195.28.183.57] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203863; rev:1;)
alert tcp $HOME_NET any -> [85.17.82.104] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203864; rev:1;)
alert tcp $HOME_NET any -> [45.32.157.168] 443 (msg:"SSLBL: Traffic to malicious host (likely Chthonic C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203865; rev:1;)
alert tcp $HOME_NET any -> [132.248.49.100] 53443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203866; rev:1;)
alert tcp $HOME_NET any -> [62.108.36.240] 53443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203867; rev:1;)
alert tcp $HOME_NET any -> [148.251.46.169] 53443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203868; rev:1;)
alert tcp $HOME_NET any -> [31.220.56.32] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203869; rev:1;)
alert tcp $HOME_NET any -> [92.222.251.251] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203870; rev:1;)
alert tcp $HOME_NET any -> [43.239.221.51] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203871; rev:1;)
alert tcp $HOME_NET any -> [62.75.195.117] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203872; rev:1;)
alert tcp $HOME_NET any -> [190.161.133.235] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203873; rev:1;)
alert tcp $HOME_NET any -> [188.246.91.173] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203874; rev:1;)
alert tcp $HOME_NET any -> [78.108.87.155] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203875; rev:1;)
alert tcp $HOME_NET any -> [61.252.138.115] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203876; rev:1;)
alert tcp $HOME_NET any -> [74.50.56.162] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203877; rev:1;)
alert tcp $HOME_NET any -> [185.82.216.58] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203878; rev:1;)
alert tcp $HOME_NET any -> [185.80.53.96] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203879; rev:1;)
alert tcp $HOME_NET any -> [151.237.6.68] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203880; rev:1;)
alert tcp $HOME_NET any -> [45.124.51.3] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203881; rev:1;)
alert tcp $HOME_NET any -> [51.255.157.186] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203882; rev:1;)
alert tcp $HOME_NET any -> [109.234.38.37] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203883; rev:1;)
alert tcp $HOME_NET any -> [186.176.140.17] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203884; rev:1;)
alert tcp $HOME_NET any -> [24.217.71.115] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203885; rev:1;)
alert tcp $HOME_NET any -> [107.191.119.162] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203886; rev:1;)
alert tcp $HOME_NET any -> [81.177.13.242] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203887; rev:1;)
alert tcp $HOME_NET any -> [93.171.202.162] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203888; rev:1;)
alert tcp $HOME_NET any -> [137.74.199.27] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203889; rev:1;)
alert tcp $HOME_NET any -> [185.158.152.179] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203890; rev:1;)
alert tcp $HOME_NET any -> [204.145.94.123] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203891; rev:1;)
alert tcp $HOME_NET any -> [45.51.17.196] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203892; rev:1;)
alert tcp $HOME_NET any -> [185.117.75.53] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203893; rev:1;)
alert tcp $HOME_NET any -> [95.47.161.41] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203894; rev:1;)
alert tcp $HOME_NET any -> [198.101.12.57] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203895; rev:1;)
alert tcp $HOME_NET any -> [130.88.149.87] 53443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203896; rev:1;)
alert tcp $HOME_NET any -> [50.57.75.172] 53443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203897; rev:1;)
alert tcp $HOME_NET any -> [178.250.244.23] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203898; rev:1;)
alert tcp $HOME_NET any -> [95.46.98.89] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203899; rev:1;)
alert tcp $HOME_NET any -> [192.157.241.136] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203900; rev:1;)
alert tcp $HOME_NET any -> [178.21.14.193] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203901; rev:1;)
alert tcp $HOME_NET any -> [148.251.222.143] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203902; rev:1;)
alert tcp $HOME_NET any -> [84.76.246.49] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203903; rev:1;)
alert tcp $HOME_NET any -> [91.227.18.22] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203904; rev:1;)
alert tcp $HOME_NET any -> [86.98.46.164] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203905; rev:1;)
alert tcp $HOME_NET any -> [37.46.128.233] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203906; rev:1;)
alert tcp $HOME_NET any -> [95.46.99.21] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203907; rev:1;)
alert tcp $HOME_NET any -> [66.85.27.108] 443 (msg:"SSLBL: Traffic to malicious host (likely RockLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203908; rev:1;)
alert tcp $HOME_NET any -> [85.143.213.16] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203909; rev:1;)
alert tcp $HOME_NET any -> [109.104.92.167] 13443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203910; rev:1;)
alert tcp $HOME_NET any -> [216.126.225.149] 443 (msg:"SSLBL: Traffic to malicious host (likely RockLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203911; rev:1;)
alert tcp $HOME_NET any -> [185.26.120.36] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203912; rev:1;)
alert tcp $HOME_NET any -> [74.138.174.182] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203913; rev:1;)
alert tcp $HOME_NET any -> [176.15.44.120] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203914; rev:1;)
alert tcp $HOME_NET any -> [185.141.27.222] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203915; rev:1;)
alert tcp $HOME_NET any -> [77.20.137.163] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203916; rev:1;)
alert tcp $HOME_NET any -> [91.219.31.12] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203917; rev:1;)
alert tcp $HOME_NET any -> [200.52.135.131] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203918; rev:1;)
alert tcp $HOME_NET any -> [70.21.194.174] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203919; rev:1;)
alert tcp $HOME_NET any -> [95.46.99.149] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203920; rev:1;)
alert tcp $HOME_NET any -> [188.2.247.31] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203921; rev:1;)
alert tcp $HOME_NET any -> [120.150.250.109] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203922; rev:1;)
alert tcp $HOME_NET any -> [2.107.189.230] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203923; rev:1;)
alert tcp $HOME_NET any -> [120.114.184.49] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203924; rev:1;)
alert tcp $HOME_NET any -> [198.98.112.144] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203925; rev:1;)
alert tcp $HOME_NET any -> [180.183.141.122] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203926; rev:1;)
alert tcp $HOME_NET any -> [198.61.220.159] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203927; rev:1;)
alert tcp $HOME_NET any -> [37.221.210.196] 4434 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203928; rev:1;)
alert tcp $HOME_NET any -> [101.51.30.133] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203929; rev:1;)
alert tcp $HOME_NET any -> [75.134.205.120] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203930; rev:1;)
alert tcp $HOME_NET any -> [5.1.75.220] 443 (msg:"SSLBL: Traffic to malicious host (likely RockLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203931; rev:1;)
alert tcp $HOME_NET any -> [109.234.38.4] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203932; rev:1;)
alert tcp $HOME_NET any -> [85.214.207.16] 18443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203933; rev:1;)
alert tcp $HOME_NET any -> [87.98.132.57] 18443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203934; rev:1;)
alert tcp $HOME_NET any -> [210.172.213.117] 18443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203935; rev:1;)
alert tcp $HOME_NET any -> [93.158.203.134] 443 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203936; rev:1;)
alert tcp $HOME_NET any -> [80.79.114.179] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203937; rev:1;)
alert tcp $HOME_NET any -> [24.181.57.181] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203938; rev:1;)
alert tcp $HOME_NET any -> [62.75.195.103] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203939; rev:1;)
alert tcp $HOME_NET any -> [146.185.254.35] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203940; rev:1;)
alert tcp $HOME_NET any -> [85.143.166.99] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203941; rev:1;)
alert tcp $HOME_NET any -> [91.235.129.178] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203942; rev:1;)
alert tcp $HOME_NET any -> [188.166.10.125] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203943; rev:1;)
alert tcp $HOME_NET any -> [207.58.163.118] 4434 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203944; rev:1;)
alert tcp $HOME_NET any -> [37.59.8.81] 18443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203945; rev:1;)
alert tcp $HOME_NET any -> [2.107.220.42] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203946; rev:1;)
alert tcp $HOME_NET any -> [105.227.251.219] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203947; rev:1;)
alert tcp $HOME_NET any -> [200.54.180.101] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203948; rev:1;)
alert tcp $HOME_NET any -> [5.79.96.33] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203949; rev:1;)
alert tcp $HOME_NET any -> [60.162.195.203] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203950; rev:1;)
alert tcp $HOME_NET any -> [122.252.225.133] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203951; rev:1;)
alert tcp $HOME_NET any -> [93.189.40.175] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203952; rev:1;)
alert tcp $HOME_NET any -> [91.215.154.221] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203953; rev:1;)
alert tcp $HOME_NET any -> [185.22.65.47] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203954; rev:1;)
alert tcp $HOME_NET any -> [199.19.105.103] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203955; rev:1;)
alert tcp $HOME_NET any -> [104.131.35.60] 18443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203956; rev:1;)
alert tcp $HOME_NET any -> [23.152.0.210] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203957; rev:1;)
alert tcp $HOME_NET any -> [185.46.8.214] 443 (msg:"SSLBL: Traffic to malicious host (likely Hancitor C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203958; rev:1;)
alert tcp $HOME_NET any -> [194.67.209.108] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203959; rev:1;)
alert tcp $HOME_NET any -> [217.29.58.167] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203960; rev:1;)
alert tcp $HOME_NET any -> [206.221.181.20] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203961; rev:1;)
alert tcp $HOME_NET any -> [86.105.18.173] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203962; rev:1;)
alert tcp $HOME_NET any -> [185.40.152.212] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203963; rev:1;)
alert tcp $HOME_NET any -> [188.120.243.11] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203964; rev:1;)
alert tcp $HOME_NET any -> [185.14.28.107] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203965; rev:1;)
alert tcp $HOME_NET any -> [37.230.115.205] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203966; rev:1;)
alert tcp $HOME_NET any -> [5.63.152.13] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203967; rev:1;)
alert tcp $HOME_NET any -> [109.120.169.94] 18443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203968; rev:1;)
alert tcp $HOME_NET any -> [5.157.38.50] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203969; rev:1;)
alert tcp $HOME_NET any -> [80.42.164.216] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203970; rev:1;)
alert tcp $HOME_NET any -> [83.243.40.81] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203971; rev:1;)
alert tcp $HOME_NET any -> [91.203.5.144] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203972; rev:1;)
alert tcp $HOME_NET any -> [37.48.90.100] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203973; rev:1;)
alert tcp $HOME_NET any -> [81.177.26.146] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203974; rev:1;)
alert tcp $HOME_NET any -> [137.74.175.83] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203975; rev:1;)
alert tcp $HOME_NET any -> [202.7.59.171] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203976; rev:1;)
alert tcp $HOME_NET any -> [194.58.122.128] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203977; rev:1;)
alert tcp $HOME_NET any -> [77.246.149.85] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203978; rev:1;)
alert tcp $HOME_NET any -> [93.189.43.27] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203979; rev:1;)
alert tcp $HOME_NET any -> [91.92.198.228] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203980; rev:1;)
alert tcp $HOME_NET any -> [185.26.114.26] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203981; rev:1;)
alert tcp $HOME_NET any -> [205.186.154.79] 13443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203982; rev:1;)
alert tcp $HOME_NET any -> [201.238.232.46] 3443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203983; rev:1;)
alert tcp $HOME_NET any -> [104.153.0.227] 18443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203984; rev:1;)
alert tcp $HOME_NET any -> [109.203.117.155] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203985; rev:1;)
alert tcp $HOME_NET any -> [165.246.35.197] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203986; rev:1;)
alert tcp $HOME_NET any -> [94.156.35.71] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203987; rev:1;)
alert tcp $HOME_NET any -> [41.231.53.156] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203988; rev:1;)
alert tcp $HOME_NET any -> [31.44.189.100] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203989; rev:1;)
alert tcp $HOME_NET any -> [185.93.185.5] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203990; rev:1;)
alert tcp $HOME_NET any -> [172.246.126.156] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203991; rev:1;)
alert tcp $HOME_NET any -> [217.125.140.215] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203992; rev:1;)
alert tcp $HOME_NET any -> [194.1.238.45] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203993; rev:1;)
alert tcp $HOME_NET any -> [164.132.221.157] 443 (msg:"SSLBL: Traffic to malicious host (likely Gozi C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203994; rev:1;)
alert tcp $HOME_NET any -> [185.106.120.104] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203995; rev:1;)
alert tcp $HOME_NET any -> [95.175.110.130] 443 (msg:"SSLBL: Traffic to malicious host (likely Downloader.Pony C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203996; rev:1;)
alert tcp $HOME_NET any -> [185.36.102.35] 443 (msg:"SSLBL: Traffic to malicious host (likely Vawtrak C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203997; rev:1;)
alert tcp $HOME_NET any -> [86.105.18.30] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203998; rev:1;)
alert tcp $HOME_NET any -> [104.171.123.15] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905203999; rev:1;)
alert tcp $HOME_NET any -> [158.255.215.61] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204000; rev:1;)
alert tcp $HOME_NET any -> [23.249.164.126] 443 (msg:"SSLBL: Traffic to malicious host (likely RockLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204001; rev:1;)
alert tcp $HOME_NET any -> [70.31.61.115] 2222 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204002; rev:1;)
alert tcp $HOME_NET any -> [70.30.105.231] 2222 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204003; rev:1;)
alert tcp $HOME_NET any -> [212.129.46.156] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204004; rev:1;)
alert tcp $HOME_NET any -> [23.110.85.211] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204005; rev:1;)
alert tcp $HOME_NET any -> [37.220.3.149] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204006; rev:1;)
alert tcp $HOME_NET any -> [188.209.52.101] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204007; rev:1;)
alert tcp $HOME_NET any -> [94.156.35.57] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204008; rev:1;)
alert tcp $HOME_NET any -> [62.76.184.225] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204009; rev:1;)
alert tcp $HOME_NET any -> [27.93.201.99] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204010; rev:1;)
alert tcp $HOME_NET any -> [115.90.71.164] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204011; rev:1;)
alert tcp $HOME_NET any -> [192.169.7.193] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204012; rev:1;)
alert tcp $HOME_NET any -> [91.219.28.77] 443 (msg:"SSLBL: Traffic to malicious host (likely TrickBot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204013; rev:1;)
alert tcp $HOME_NET any -> [202.143.148.163] 4113 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204014; rev:1;)
alert tcp $HOME_NET any -> [91.121.65.64] 41443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204015; rev:1;)
alert tcp $HOME_NET any -> [115.124.125.19] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204016; rev:1;)
alert tcp $HOME_NET any -> [66.147.107.178] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204017; rev:1;)
alert tcp $HOME_NET any -> [176.31.75.101] 13443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204018; rev:1;)
alert tcp $HOME_NET any -> [78.47.158.131] 13443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204019; rev:1;)
alert tcp $HOME_NET any -> [188.241.116.163] 11443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204020; rev:1;)
alert tcp $HOME_NET any -> [31.200.247.82] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204021; rev:1;)
alert tcp $HOME_NET any -> [81.177.22.162] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204022; rev:1;)
alert tcp $HOME_NET any -> [185.141.27.159] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204023; rev:1;)
alert tcp $HOME_NET any -> [152.170.237.47] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204024; rev:1;)
alert tcp $HOME_NET any -> [5.79.96.37] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204025; rev:1;)
alert tcp $HOME_NET any -> [193.0.178.28] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204026; rev:1;)
alert tcp $HOME_NET any -> [108.21.203.155] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204027; rev:1;)
alert tcp $HOME_NET any -> [107.181.19.88] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204028; rev:1;)
alert tcp $HOME_NET any -> [112.20.178.110] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204029; rev:1;)
alert tcp $HOME_NET any -> [144.208.127.112] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204030; rev:1;)
alert tcp $HOME_NET any -> [212.231.129.194] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204031; rev:1;)
alert tcp $HOME_NET any -> [117.169.20.208] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204032; rev:1;)
alert tcp $HOME_NET any -> [5.1.80.127] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204033; rev:1;)
alert tcp $HOME_NET any -> [70.32.97.158] 13443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204034; rev:1;)
alert tcp $HOME_NET any -> [23.229.54.99] 13443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204035; rev:1;)
alert tcp $HOME_NET any -> [51.255.69.127] 13443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204036; rev:1;)
alert tcp $HOME_NET any -> [95.183.51.24] 443 (msg:"SSLBL: Traffic to malicious host (likely AKBuilder C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204037; rev:1;)
alert tcp $HOME_NET any -> [212.47.223.189] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204038; rev:1;)
alert tcp $HOME_NET any -> [46.105.151.247] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204039; rev:1;)
alert tcp $HOME_NET any -> [77.42.157.2] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204040; rev:1;)
alert tcp $HOME_NET any -> [24.239.157.31] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204041; rev:1;)
alert tcp $HOME_NET any -> [66.50.43.163] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204042; rev:1;)
alert tcp $HOME_NET any -> [141.10.91.35] 443 (msg:"SSLBL: Traffic to malicious host (likely Ransomware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204043; rev:1;)
alert tcp $HOME_NET any -> [194.31.59.40] 443 (msg:"SSLBL: Traffic to malicious host (likely RockLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204044; rev:1;)
alert tcp $HOME_NET any -> [113.162.5.179] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204045; rev:1;)
alert tcp $HOME_NET any -> [164.132.15.78] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204046; rev:1;)
alert tcp $HOME_NET any -> [59.144.17.122] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204047; rev:1;)
alert tcp $HOME_NET any -> [5.64.243.30] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204048; rev:1;)
alert tcp $HOME_NET any -> [184.75.209.98] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204049; rev:1;)
alert tcp $HOME_NET any -> [92.63.100.227] 443 (msg:"SSLBL: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204050; rev:1;)
alert tcp $HOME_NET any -> [62.76.103.206] 443 (msg:"SSLBL: Traffic to malicious host (likely FindPOS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204051; rev:1;)
alert tcp $HOME_NET any -> [216.59.21.40] 41443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204052; rev:1;)
alert tcp $HOME_NET any -> [45.40.142.185] 2443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204053; rev:1;)
alert tcp $HOME_NET any -> [78.47.93.16] 13443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204054; rev:1;)
alert tcp $HOME_NET any -> [194.67.201.123] 443 (msg:"SSLBL: Traffic to malicious host (likely H1N1 C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204055; rev:1;)
alert tcp $HOME_NET any -> [65.23.222.222] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204056; rev:1;)
alert tcp $HOME_NET any -> [89.33.246.92] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204057; rev:1;)
alert tcp $HOME_NET any -> [190.14.38.157] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204058; rev:1;)
alert tcp $HOME_NET any -> [188.225.39.2] 443 (msg:"SSLBL: Traffic to malicious host (likely RockLoader C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204059; rev:1;)
alert tcp $HOME_NET any -> [188.138.69.102] 443 (msg:"SSLBL: Traffic to malicious host (likely Qadars C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204060; rev:1;)
alert tcp $HOME_NET any -> [172.245.57.174] 2448 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204061; rev:1;)
alert tcp $HOME_NET any -> [119.59.124.163] 40443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204062; rev:1;)
alert tcp $HOME_NET any -> [24.172.94.180] 4113 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204063; rev:1;)
alert tcp $HOME_NET any -> [191.101.22.50] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204064; rev:1;)
alert tcp $HOME_NET any -> [115.76.170.211] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204065; rev:1;)
alert tcp $HOME_NET any -> [24.88.123.190] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204066; rev:1;)
alert tcp $HOME_NET any -> [68.101.225.113] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204067; rev:1;)
alert tcp $HOME_NET any -> [107.170.132.24] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204068; rev:1;)
alert tcp $HOME_NET any -> [172.91.160.50] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204069; rev:1;)
alert tcp $HOME_NET any -> [176.56.236.91] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204070; rev:1;)
alert tcp $HOME_NET any -> [112.217.178.26] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204071; rev:1;)
alert tcp $HOME_NET any -> [52.67.39.104] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204072; rev:1;)
alert tcp $HOME_NET any -> [58.187.217.3] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204073; rev:1;)
alert tcp $HOME_NET any -> [50.109.232.44] 995 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204074; rev:1;)
alert tcp $HOME_NET any -> [67.10.229.104] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204075; rev:1;)
alert tcp $HOME_NET any -> [90.125.147.234] 2222 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204076; rev:1;)
alert tcp $HOME_NET any -> [70.31.32.129] 2222 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204077; rev:1;)
alert tcp $HOME_NET any -> [85.25.177.206] 11443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204078; rev:1;)
alert tcp $HOME_NET any -> [149.62.173.22] 12443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204079; rev:1;)
alert tcp $HOME_NET any -> [199.193.6.102] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204080; rev:1;)
alert tcp $HOME_NET any -> [217.162.92.99] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204081; rev:1;)
alert tcp $HOME_NET any -> [120.145.53.93] 2222 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204082; rev:1;)
alert tcp $HOME_NET any -> [176.126.68.81] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204083; rev:1;)
alert tcp $HOME_NET any -> [140.113.214.68] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204084; rev:1;)
alert tcp $HOME_NET any -> [134.255.221.192] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204085; rev:1;)
alert tcp $HOME_NET any -> [23.234.26.210] 5658 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204086; rev:1;)
alert tcp $HOME_NET any -> [93.170.253.84] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204087; rev:1;)
alert tcp $HOME_NET any -> [113.186.80.2] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204088; rev:1;)
alert tcp $HOME_NET any -> [203.162.81.247] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204089; rev:1;)
alert tcp $HOME_NET any -> [68.191.126.222] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204090; rev:1;)
alert tcp $HOME_NET any -> [173.61.183.100] 2222 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204091; rev:1;)
alert tcp $HOME_NET any -> [93.115.10.203] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204092; rev:1;)
alert tcp $HOME_NET any -> [75.136.11.219] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204093; rev:1;)
alert tcp $HOME_NET any -> [5.39.34.152] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204094; rev:1;)
alert tcp $HOME_NET any -> [77.246.159.80] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204095; rev:1;)
alert tcp $HOME_NET any -> [115.76.205.33] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204096; rev:1;)
alert tcp $HOME_NET any -> [185.45.192.106] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204097; rev:1;)
alert tcp $HOME_NET any -> [80.87.197.48] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204098; rev:1;)
alert tcp $HOME_NET any -> [195.154.47.69] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204099; rev:1;)
alert tcp $HOME_NET any -> [212.92.97.33] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentLocker C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204100; rev:1;)
alert tcp $HOME_NET any -> [105.224.196.209] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204101; rev:1;)
alert tcp $HOME_NET any -> [107.172.41.79] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204102; rev:1;)
alert tcp $HOME_NET any -> [115.115.192.245] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204103; rev:1;)
alert tcp $HOME_NET any -> [85.204.49.106] 443 (msg:"SSLBL: Traffic to malicious host (likely ZeuS C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204104; rev:1;)
alert tcp $HOME_NET any -> [185.109.144.15] 443 (msg:"SSLBL: Traffic to malicious host (likely Malware C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204105; rev:1;)
alert tcp $HOME_NET any -> [80.82.79.95] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204106; rev:1;)
alert tcp $HOME_NET any -> [193.238.59.90] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204107; rev:1;)
alert tcp $HOME_NET any -> [89.43.60.122] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204108; rev:1;)
alert tcp $HOME_NET any -> [78.46.160.67] 11443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204109; rev:1;)
alert tcp $HOME_NET any -> [171.4.58.50] 995 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204110; rev:1;)
alert tcp $HOME_NET any -> [112.166.103.245] 443 (msg:"SSLBL: Traffic to malicious host (likely Quakbot C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204111; rev:1;)
alert tcp $HOME_NET any -> [91.215.154.178] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204112; rev:1;)
alert tcp $HOME_NET any -> [180.189.206.17] 443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204113; rev:1;)
alert tcp $HOME_NET any -> [50.62.40.241] 11443 (msg:"SSLBL: Traffic to malicious host (likely Dridex C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204114; rev:1;)
alert tcp $HOME_NET any -> [95.215.46.163] 80 (msg:"SSLBL: Traffic to malicious host (likely Gootkit C&C traffic)"; flow:established,to_server; threshold: type limit, track by_src, seconds 60, count 1; classtype:trojan-activity; sid:905204115; rev:1;)
alert tcp $HOME_NET any -> [109.234.36.75] 443 (msg:"SSLBL: Traffic to malicious host (likely TorrentL