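# Suricata rule set, one rule per line. $HOME_NET is the address variable
# from the engine's vars configuration; "drop" actions only block in IPS
# (inline) mode and are merely logged in IDS mode.
#
# Direction reminder: the header (src -> dst) is matched against the packet,
# whereas flow:to_client / flow:to_server is matched against the flow. A rule
# whose header points at the server (... -> $HOME_NET 22) but whose flow
# option says to_client can never fire, because server->client packets have
# the server as their *source*. sids 9000001 and 9000002 were corrected for
# this. rev is bumped on every rule whose option text changed.

# SSH server banners (server -> client). Header direction now agrees with
# flow:to_client. "SSH-2.0" is 7 bytes and "SSH-1." is 6, so the depth pins
# each version string to the start of the payload; "Debian" is matched
# anywhere in the same payload.
drop tcp $HOME_NET 22 -> any any (msg:"SSH Debian server banner detected - ABC"; flow:established,to_client; content:"SSH-2.0"; depth:7; content:"Debian"; sid:9000001; rev:2;)
drop tcp $HOME_NET 22 -> any any (msg:"SSH-1.x Debian server banner detected - ABC"; flow:established,to_client; content:"SSH-1."; depth:6; content:"Debian"; sid:9000002; rev:2;)

# HTTP: silently remember requests whose Host is exactly ialab.dsu.edu on the
# flow (flowbits:noalert suppresses the alert), then alert on a response in
# that flow whose status code is not 200.
alert http any any -> any 80 (msg:"HTTP request to ialab.dsu.edu - ABC"; flow:established,to_server; http.host; content:"ialab.dsu.edu"; startswith; endswith; flowbits:set,http.ialab; flowbits:noalert; sid:9000003; rev:1;)
# Negated content is written content:!"..."; the original "negate;" is not a
# Suricata rule option and the rule would be rejected at load time. The
# flowbit stays set for the life of the flow, so on a keep-alive connection
# every later non-200 response also fires, not only the one answering the
# matched request.
alert http any 80 -> any any (msg:"HTTP non-200 response from ialab.dsu.edu - ABC"; flow:established,to_client; flowbits:isset,http.ialab; http.stat_code; content:!"200"; sid:9000004; rev:2;)

# DNS: silently mark queries whose name ends in "beacom.xyz", then drop a
# reply in the same flow whose answer data carries 138.247.115.202
# (|8a f7 73 ca| is that address as 4 network-order bytes).
# Caveat: endswith on "beacom.xyz" also matches any unrelated name that
# merely ends in that string, not only the domain and its subdomains;
# prefixing the content with "." would restrict it to true subdomains
# (and then exclude the apex name).
alert dns any any -> any 53 (msg:"DNS query for beacom.xyz subdomain - ABC"; flow:to_server; dns.query; content:"beacom.xyz"; endswith; flowbits:set,dns.beacom; flowbits:noalert; sid:9000005; rev:1;)
# NOTE(review): confirm that dns.answer.rdata exposes A-record data as the raw
# 4 address bytes in the deployed Suricata version; if it is exposed as
# dotted-decimal text, the hex content below will never match.
drop dns any 53 -> any any (msg:"DNS reply with blocked IP 138.247.115.202 for beacom.xyz - ABC"; flow:to_client; flowbits:isset,dns.beacom; dns.answer.rdata; content:"|8a f7 73 ca|"; sid:9000006; rev:1;)

# FTP: silently note a USER command on the flow, then alert on a "530 "
# reply (login failure) in the same flow. startswith already anchors the
# content at offset 0 of the payload, so the redundant depth: equal to the
# content length was removed; match semantics are unchanged. The flowbit is
# never cleared, so every 530 after the first USER in the flow alerts.
alert tcp any any -> any 21 (msg:"FTP USER command seen - ABC"; flow:established,to_server; content:"USER "; startswith; flowbits:set,ftp.user_seen; flowbits:noalert; sid:9000007; rev:2;)
alert tcp any 21 -> any any (msg:"FTP login failure after USER command - ABC"; flow:established,to_client; flowbits:isset,ftp.user_seen; content:"530 "; startswith; sid:9000008; rev:2;)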