This repository has been archived by the owner on Nov 19, 2024. It is now read-only.
monero-snort.rules
# --- DNS lookup signatures (sid 9000000-9000033) ---
# Each rule alerts on a UDP packet to port 53 whose payload satisfies both content matches:
#   1. content:"|01 00 00 01 00 00 00 00 00 00|" with offset 2, depth 10
#      The ten bytes that follow the 2-byte DNS transaction ID: flags 0x0100 (standard
#      query, recursion desired), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0.
#   2. content:"|len|label|len|label..."; nocase; distance:0
#      The name in DNS wire format (each label prefixed by its length byte), matched
#      case-insensitively anywhere after match 1.
# Coverage limits that follow from the rule text:
#   - A query with any other header value is not matched, e.g. one carrying an EDNS0 OPT
#     record (ARCOUNT=1) or with additional flag bits set.
#   - Only udp/53 is inspected; lookups over TCP/53, DoT or DoH are not seen by these rules.
#   - The name pattern has no terminating |00| root label and is not anchored to the start
#     of the question, so subdomains of a listed name and longer names that continue past
#     it also match.
#   - Source and destination are "any", so a recursive resolver's own upstream queries
#     alert as well as client queries; scope with $HOME_NET / $EXTERNAL_NET if that is noise.
# NOTE(review): the file records no source or date for this domain list. Treat a hit as
# "a host resolved a name on this list" and confirm the domain's current use before escalating.
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for cloudflare.hashfor.cash"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|0a|cloudflare|07|hashfor|04|cash"; nocase; distance:0; sid:9000000; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for cryptoescrow.eu"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|0c|cryptoescrow|02|eu"; nocase; distance:0; sid:9000001; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for cryptonotepool.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|0e|cryptonotepool|03|org"; nocase; distance:0; sid:9000002; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for fcn-mro.pool.minergate.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|07|fcn-mro|04|pool|09|minergate|03|com"; nocase; distance:0; sid:9000003; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for hash-to-coins.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|0d|hash-to-coins|03|com"; nocase; distance:0; sid:9000004; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for kippo.eu"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|05|kippo|02|eu"; nocase; distance:0; sid:9000005; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for linux-repository-updates.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|18|linux-repository-updates|03|com"; nocase; distance:0; sid:9000006; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for litecoinpool.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|0c|litecoinpool|03|org"; nocase; distance:0; sid:9000007; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for mine.moneropool.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|04|mine|0a|moneropool|03|com"; nocase; distance:0; sid:9000008; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for mine.sumo.fairpool.cloud"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|04|mine|04|sumo|08|fairpool|05|cloud"; nocase; distance:0; sid:9000009; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for monero.crypto-pool.fr"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|06|monero|0b|crypto-pool|02|fr"; nocase; distance:0; sid:9000010; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for monero.farm"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|06|monero|04|farm"; nocase; distance:0; sid:9000011; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for monerohash.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|0a|monerohash|03|com"; nocase; distance:0; sid:9000012; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for monerominers.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|0c|monerominers|03|net"; nocase; distance:0; sid:9000013; rev:0;)
# NOTE(review): "extrmepool" may be a misspelling of "extremepool" - confirm the intended
# domain. The length byte |0a| agrees with the 10-character spelling shown, so as written
# the rule matches only that spelling.
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for mro.extrmepool.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|03|mro|0a|extrmepool|03|org"; nocase; distance:0; sid:9000014; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for mro.poolto.be"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|03|mro|06|poolto|02|be"; nocase; distance:0; sid:9000015; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for pool.minexmr.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|04|pool|07|minexmr|03|com"; nocase; distance:0; sid:9000016; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for pool-nyc.supportxmr.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|08|pool-nyc|0a|supportxmr|03|com"; nocase; distance:0; sid:9000017; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for pool-proxy.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|0a|pool-proxy|03|com"; nocase; distance:0; sid:9000018; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for pool.sumokoin.hashvault.pro"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|04|pool|08|sumokoin|09|hashvault|03|pro"; nocase; distance:0; sid:9000019; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for pool-vegas.xmrpool.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|0a|pool-vegas|07|xmrpool|03|net"; nocase; distance:0; sid:9000020; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for webcoin.me"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|07|webcoin|02|me"; nocase; distance:0; sid:9000021; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for xcnpool2.1gh.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|08|xcnpool2|03|1gh|03|com"; nocase; distance:0; sid:9000022; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for xdn.miner.center"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|03|xdn|05|miner|06|center"; nocase; distance:0; sid:9000023; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for xmr.crypto-pool.fr"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|03|xmr|0b|crypto-pool|02|fr"; nocase; distance:0; sid:9000024; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for xmr-eu1.nanopool.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|07|xmr-eu1|08|nanopool|03|org"; nocase; distance:0; sid:9000025; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for xmr-eu2.nanopool.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|07|xmr-eu2|08|nanopool|03|org"; nocase; distance:0; sid:9000026; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for xmr-eu.dwarfpool.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|06|xmr-eu|09|dwarfpool|03|com"; nocase; distance:0; sid:9000027; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for xmr-eu.nanopool.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|06|xmr-eu|08|nanopool|03|org"; nocase; distance:0; sid:9000028; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for xmr.hashinvest.ws"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|03|xmr|0a|hashinvest|02|ws"; nocase; distance:0; sid:9000029; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for xmrpool.eu"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|07|xmrpool|02|eu"; nocase; distance:0; sid:9000030; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for xmr.pool.minergate.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|03|xmr|04|pool|09|minergate|03|com"; nocase; distance:0; sid:9000031; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for xmr.prohash.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|03|xmr|07|prohash|03|net"; nocase; distance:0; sid:9000032; rev:0;)
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for yescrypt.mine.zpool.ca"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|08|yescrypt|04|mine|05|zpool|02|ca"; nocase; distance:0; sid:9000033; rev:0;)
# --- IP address signatures (sid 9000034-9000099) ---
# Each rule alerts on any IP packet whose source or destination is the listed address
# ("<>" makes the rule bidirectional). Protocol, ports and payload are not examined, so
# every packet of a flow to or from the address can raise the alert; add rate limiting
# (e.g. an event_filter on the sid) if the volume is a problem.
# NOTE(review): this file records no source or collection date for the addresses. A bare
# IP match cannot tell a mining endpoint from anything else hosted on, or since assigned,
# the same address - re-validate entries before using them for blocking or escalation.
alert ip any any <> 163.172.204.219 any (msg:"Traffic to known Monero Miner IP (163.172.204.219)"; sid:9000034; rev:0;)
alert ip any any <> 163.172.207.69 any (msg:"Traffic to known Monero Miner IP (163.172.207.69)"; sid:9000035; rev:0;)
alert ip any any <> 163.172.226.120 any (msg:"Traffic to known Monero Miner IP (163.172.226.120)"; sid:9000036; rev:0;)
alert ip any any <> 163.172.204.213 any (msg:"Traffic to known Monero Miner IP (163.172.204.213)"; sid:9000037; rev:0;)
alert ip any any <> 163.172.226.131 any (msg:"Traffic to known Monero Miner IP (163.172.226.131)"; sid:9000038; rev:0;)
alert ip any any <> 163.172.207.198 any (msg:"Traffic to known Monero Miner IP (163.172.207.198)"; sid:9000039; rev:0;)
alert ip any any <> 163.172.207.71 any (msg:"Traffic to known Monero Miner IP (163.172.207.71)"; sid:9000040; rev:0;)
alert ip any any <> 163.172.226.137 any (msg:"Traffic to known Monero Miner IP (163.172.226.137)"; sid:9000041; rev:0;)
alert ip any any <> 213.32.74.219 any (msg:"Traffic to known Monero Miner IP (213.32.74.219)"; sid:9000042; rev:0;)
alert ip any any <> 198.251.88.16 any (msg:"Traffic to known Monero Miner IP (198.251.88.16)"; sid:9000043; rev:0;)
alert ip any any <> 79.137.82.104 any (msg:"Traffic to known Monero Miner IP (79.137.82.104)"; sid:9000044; rev:0;)
alert ip any any <> 207.154.213.72 any (msg:"Traffic to known Monero Miner IP (207.154.213.72)"; sid:9000045; rev:0;)
alert ip any any <> 213.32.29.143 any (msg:"Traffic to known Monero Miner IP (213.32.29.143)"; sid:9000046; rev:0;)
alert ip any any <> 149.202.43.126 any (msg:"Traffic to known Monero Miner IP (149.202.43.126)"; sid:9000047; rev:0;)
alert ip any any <> 207.154.194.32 any (msg:"Traffic to known Monero Miner IP (207.154.194.32)"; sid:9000048; rev:0;)
alert ip any any <> 213.32.29.168 any (msg:"Traffic to known Monero Miner IP (213.32.29.168)"; sid:9000049; rev:0;)
alert ip any any <> 92.222.180.118 any (msg:"Traffic to known Monero Miner IP (92.222.180.118)"; sid:9000050; rev:0;)
alert ip any any <> 164.132.109.110 any (msg:"Traffic to known Monero Miner IP (164.132.109.110)"; sid:9000051; rev:0;)
alert ip any any <> 92.222.180.119 any (msg:"Traffic to known Monero Miner IP (92.222.180.119)"; sid:9000052; rev:0;)
alert ip any any <> 198.251.88.21 any (msg:"Traffic to known Monero Miner IP (198.251.88.21)"; sid:9000053; rev:0;)
alert ip any any <> 138.197.183.116 any (msg:"Traffic to known Monero Miner IP (138.197.183.116)"; sid:9000054; rev:0;)
alert ip any any <> 79.137.82.5 any (msg:"Traffic to known Monero Miner IP (79.137.82.5)"; sid:9000055; rev:0;)
alert ip any any <> 198.251.88.14 any (msg:"Traffic to known Monero Miner IP (198.251.88.14)"; sid:9000056; rev:0;)
alert ip any any <> 79.137.82.70 any (msg:"Traffic to known Monero Miner IP (79.137.82.70)"; sid:9000057; rev:0;)
alert ip any any <> 213.32.74.230 any (msg:"Traffic to known Monero Miner IP (213.32.74.230)"; sid:9000058; rev:0;)
alert ip any any <> 213.32.29.150 any (msg:"Traffic to known Monero Miner IP (213.32.29.150)"; sid:9000059; rev:0;)
alert ip any any <> 159.89.11.225 any (msg:"Traffic to known Monero Miner IP (159.89.11.225)"; sid:9000060; rev:0;)
alert ip any any <> 92.222.72.197 any (msg:"Traffic to known Monero Miner IP (92.222.72.197)"; sid:9000061; rev:0;)
alert ip any any <> 164.132.108.171 any (msg:"Traffic to known Monero Miner IP (164.132.108.171)"; sid:9000062; rev:0;)
alert ip any any <> 213.32.74.157 any (msg:"Traffic to known Monero Miner IP (213.32.74.157)"; sid:9000063; rev:0;)
alert ip any any <> 207.154.226.213 any (msg:"Traffic to known Monero Miner IP (207.154.226.213)"; sid:9000064; rev:0;)
alert ip any any <> 149.56.122.79 any (msg:"Traffic to known Monero Miner IP (149.56.122.79)"; sid:9000065; rev:0;)
alert ip any any <> 188.165.199.78 any (msg:"Traffic to known Monero Miner IP (188.165.199.78)"; sid:9000066; rev:0;)
alert ip any any <> 37.187.154.79 any (msg:"Traffic to known Monero Miner IP (37.187.154.79)"; sid:9000067; rev:0;)
alert ip any any <> 37.59.43.131 any (msg:"Traffic to known Monero Miner IP (37.59.43.131)"; sid:9000068; rev:0;)
alert ip any any <> 78.46.91.171 any (msg:"Traffic to known Monero Miner IP (78.46.91.171)"; sid:9000069; rev:0;)
alert ip any any <> 176.31.117.82 any (msg:"Traffic to known Monero Miner IP (176.31.117.82)"; sid:9000070; rev:0;)
alert ip any any <> 37.59.45.174 any (msg:"Traffic to known Monero Miner IP (37.59.45.174)"; sid:9000071; rev:0;)
alert ip any any <> 94.23.212.204 any (msg:"Traffic to known Monero Miner IP (94.23.212.204)"; sid:9000072; rev:0;)
alert ip any any <> 94.23.41.130 any (msg:"Traffic to known Monero Miner IP (94.23.41.130)"; sid:9000073; rev:0;)
alert ip any any <> 37.59.44.193 any (msg:"Traffic to known Monero Miner IP (37.59.44.193)"; sid:9000074; rev:0;)
alert ip any any <> 188.165.254.85 any (msg:"Traffic to known Monero Miner IP (188.165.254.85)"; sid:9000075; rev:0;)
alert ip any any <> 94.130.164.60 any (msg:"Traffic to known Monero Miner IP (94.130.164.60)"; sid:9000076; rev:0;)
alert ip any any <> 46.105.103.169 any (msg:"Traffic to known Monero Miner IP (46.105.103.169)"; sid:9000077; rev:0;)
alert ip any any <> 94.23.206.130 any (msg:"Traffic to known Monero Miner IP (94.23.206.130)"; sid:9000078; rev:0;)
alert ip any any <> 37.59.55.60 any (msg:"Traffic to known Monero Miner IP (37.59.55.60)"; sid:9000079; rev:0;)
alert ip any any <> 78.46.89.102 any (msg:"Traffic to known Monero Miner IP (78.46.89.102)"; sid:9000080; rev:0;)
alert ip any any <> 188.165.214.76 any (msg:"Traffic to known Monero Miner IP (188.165.214.76)"; sid:9000081; rev:0;)
alert ip any any <> 78.46.91.134 any (msg:"Traffic to known Monero Miner IP (78.46.91.134)"; sid:9000082; rev:0;)
alert ip any any <> 91.121.87.10 any (msg:"Traffic to known Monero Miner IP (91.121.87.10)"; sid:9000083; rev:0;)
alert ip any any <> 37.59.54.205 any (msg:"Traffic to known Monero Miner IP (37.59.54.205)"; sid:9000084; rev:0;)
alert ip any any <> 178.63.48.196 any (msg:"Traffic to known Monero Miner IP (178.63.48.196)"; sid:9000085; rev:0;)
alert ip any any <> 198.251.81.82 any (msg:"Traffic to known Monero Miner IP (198.251.81.82)"; sid:9000086; rev:0;)
alert ip any any <> 107.191.99.227 any (msg:"Traffic to known Monero Miner IP (107.191.99.227)"; sid:9000087; rev:0;)
alert ip any any <> 138.201.31.12 any (msg:"Traffic to known Monero Miner IP (138.201.31.12)"; sid:9000088; rev:0;)
alert ip any any <> 138.201.31.13 any (msg:"Traffic to known Monero Miner IP (138.201.31.13)"; sid:9000089; rev:0;)
alert ip any any <> 138.201.31.14 any (msg:"Traffic to known Monero Miner IP (138.201.31.14)"; sid:9000090; rev:0;)
alert ip any any <> 178.63.62.94 any (msg:"Traffic to known Monero Miner IP (178.63.62.94)"; sid:9000091; rev:0;)
alert ip any any <> 138.201.206.47 any (msg:"Traffic to known Monero Miner IP (138.201.206.47)"; sid:9000092; rev:0;)
alert ip any any <> 178.21.23.4 any (msg:"Traffic to known Monero Miner IP (178.21.23.4)"; sid:9000093; rev:0;)
alert ip any any <> 212.83.158.14 any (msg:"Traffic to known Monero Miner IP (212.83.158.14)"; sid:9000094; rev:0;)
alert ip any any <> 72.52.179.175 any (msg:"Traffic to known Monero Miner IP (72.52.179.175)"; sid:9000095; rev:0;)
alert ip any any <> 54.72.9.51 any (msg:"Traffic to known Monero Miner IP (54.72.9.51)"; sid:9000096; rev:0;)
alert ip any any <> 176.9.147.178 any (msg:"Traffic to known Monero Miner IP (176.9.147.178)"; sid:9000097; rev:0;)
alert ip any any <> 176.9.47.243 any (msg:"Traffic to known Monero Miner IP (176.9.47.243)"; sid:9000098; rev:0;)
alert ip any any <> 109.201.135.43 any (msg:"Traffic to known Monero Miner IP (109.201.135.43)"; sid:9000099; rev:0;)
# --- IP address signatures (sid 9000100-9000176) ---
# Each rule alerts on any IP packet to or from the listed address, in either direction;
# protocol, ports and payload are not examined.
# NOTE(review): many addresses in this run repeat an address already listed under a lower
# sid - e.g. 178.21.23.4 (sid 9000093 and 9000100), 54.72.9.51 (9000096 and 9000102),
# 92.222.180.118 (9000050, 9000112 and 9000157). Each copy is a separate signature and can
# raise its own alert for the same packet, which inflates alert counts. De-duplicate
# (keeping one sid per address) if downstream triage counts alerts per host.
alert ip any any <> 178.21.23.4 any (msg:"Traffic to known Monero Miner IP (178.21.23.4)"; sid:9000100; rev:0;)
alert ip any any <> 45.63.37.176 any (msg:"Traffic to known Monero Miner IP (45.63.37.176)"; sid:9000101; rev:0;)
alert ip any any <> 54.72.9.51 any (msg:"Traffic to known Monero Miner IP (54.72.9.51)"; sid:9000102; rev:0;)
alert ip any any <> 51.255.163.106 any (msg:"Traffic to known Monero Miner IP (51.255.163.106)"; sid:9000103; rev:0;)
alert ip any any <> 72.52.179.175 any (msg:"Traffic to known Monero Miner IP (72.52.179.175)"; sid:9000104; rev:0;)
alert ip any any <> 64.70.19.203 any (msg:"Traffic to known Monero Miner IP (64.70.19.203)"; sid:9000105; rev:0;)
alert ip any any <> 192.64.119.154 any (msg:"Traffic to known Monero Miner IP (192.64.119.154)"; sid:9000106; rev:0;)
alert ip any any <> 104.140.201.42 any (msg:"Traffic to known Monero Miner IP (104.140.201.42)"; sid:9000107; rev:0;)
alert ip any any <> 104.140.244.186 any (msg:"Traffic to known Monero Miner IP (104.140.244.186)"; sid:9000108; rev:0;)
alert ip any any <> 104.140.201.58 any (msg:"Traffic to known Monero Miner IP (104.140.201.58)"; sid:9000109; rev:0;)
alert ip any any <> 217.182.65.224 any (msg:"Traffic to known Monero Miner IP (217.182.65.224)"; sid:9000110; rev:0;)
alert ip any any <> 149.202.43.126 any (msg:"Traffic to known Monero Miner IP (149.202.43.126)"; sid:9000111; rev:0;)
alert ip any any <> 92.222.180.118 any (msg:"Traffic to known Monero Miner IP (92.222.180.118)"; sid:9000112; rev:0;)
alert ip any any <> 79.137.82.104 any (msg:"Traffic to known Monero Miner IP (79.137.82.104)"; sid:9000113; rev:0;)
alert ip any any <> 217.182.169.148 any (msg:"Traffic to known Monero Miner IP (217.182.169.148)"; sid:9000114; rev:0;)
alert ip any any <> 213.32.74.230 any (msg:"Traffic to known Monero Miner IP (213.32.74.230)"; sid:9000115; rev:0;)
alert ip any any <> 149.202.57.197 any (msg:"Traffic to known Monero Miner IP (149.202.57.197)"; sid:9000116; rev:0;)
alert ip any any <> 79.137.82.5 any (msg:"Traffic to known Monero Miner IP (79.137.82.5)"; sid:9000117; rev:0;)
alert ip any any <> 164.132.109.110 any (msg:"Traffic to known Monero Miner IP (164.132.109.110)"; sid:9000118; rev:0;)
alert ip any any <> 92.222.180.119 any (msg:"Traffic to known Monero Miner IP (92.222.180.119)"; sid:9000119; rev:0;)
alert ip any any <> 151.80.59.84 any (msg:"Traffic to known Monero Miner IP (151.80.59.84)"; sid:9000120; rev:0;)
alert ip any any <> 217.182.66.25 any (msg:"Traffic to known Monero Miner IP (217.182.66.25)"; sid:9000121; rev:0;)
alert ip any any <> 198.251.88.16 any (msg:"Traffic to known Monero Miner IP (198.251.88.16)"; sid:9000122; rev:0;)
alert ip any any <> 213.32.29.168 any (msg:"Traffic to known Monero Miner IP (213.32.29.168)"; sid:9000123; rev:0;)
alert ip any any <> 213.32.29.150 any (msg:"Traffic to known Monero Miner IP (213.32.29.150)"; sid:9000124; rev:0;)
alert ip any any <> 213.32.74.219 any (msg:"Traffic to known Monero Miner IP (213.32.74.219)"; sid:9000125; rev:0;)
alert ip any any <> 79.137.82.70 any (msg:"Traffic to known Monero Miner IP (79.137.82.70)"; sid:9000126; rev:0;)
alert ip any any <> 213.32.29.143 any (msg:"Traffic to known Monero Miner IP (213.32.29.143)"; sid:9000127; rev:0;)
alert ip any any <> 92.222.72.197 any (msg:"Traffic to known Monero Miner IP (92.222.72.197)"; sid:9000128; rev:0;)
alert ip any any <> 198.251.88.21 any (msg:"Traffic to known Monero Miner IP (198.251.88.21)"; sid:9000129; rev:0;)
alert ip any any <> 198.251.88.14 any (msg:"Traffic to known Monero Miner IP (198.251.88.14)"; sid:9000130; rev:0;)
alert ip any any <> 213.32.74.157 any (msg:"Traffic to known Monero Miner IP (213.32.74.157)"; sid:9000131; rev:0;)
alert ip any any <> 164.132.108.171 any (msg:"Traffic to known Monero Miner IP (164.132.108.171)"; sid:9000132; rev:0;)
alert ip any any <> 136.243.102.157 any (msg:"Traffic to known Monero Miner IP (136.243.102.157)"; sid:9000133; rev:0;)
alert ip any any <> 94.130.64.225 any (msg:"Traffic to known Monero Miner IP (94.130.64.225)"; sid:9000134; rev:0;)
alert ip any any <> 94.130.48.154 any (msg:"Traffic to known Monero Miner IP (94.130.48.154)"; sid:9000135; rev:0;)
alert ip any any <> 136.243.94.27 any (msg:"Traffic to known Monero Miner IP (136.243.94.27)"; sid:9000136; rev:0;)
alert ip any any <> 78.46.23.253 any (msg:"Traffic to known Monero Miner IP (78.46.23.253)"; sid:9000137; rev:0;)
alert ip any any <> 176.9.0.89 any (msg:"Traffic to known Monero Miner IP (176.9.0.89)"; sid:9000138; rev:0;)
alert ip any any <> 46.4.120.155 any (msg:"Traffic to known Monero Miner IP (46.4.120.155)"; sid:9000139; rev:0;)
alert ip any any <> 136.243.88.145 any (msg:"Traffic to known Monero Miner IP (136.243.88.145)"; sid:9000140; rev:0;)
alert ip any any <> 176.9.47.243 any (msg:"Traffic to known Monero Miner IP (176.9.47.243)"; sid:9000141; rev:0;)
alert ip any any <> 176.9.147.178 any (msg:"Traffic to known Monero Miner IP (176.9.147.178)"; sid:9000142; rev:0;)
alert ip any any <> 94.130.9.194 any (msg:"Traffic to known Monero Miner IP (94.130.9.194)"; sid:9000143; rev:0;)
alert ip any any <> 94.23.251.22 any (msg:"Traffic to known Monero Miner IP (94.23.251.22)"; sid:9000144; rev:0;)
alert ip any any <> 176.31.105.53 any (msg:"Traffic to known Monero Miner IP (176.31.105.53)"; sid:9000145; rev:0;)
alert ip any any <> 146.0.77.83 any (msg:"Traffic to known Monero Miner IP (146.0.77.83)"; sid:9000146; rev:0;)
alert ip any any <> 192.99.14.195 any (msg:"Traffic to known Monero Miner IP (192.99.14.195)"; sid:9000147; rev:0;)
alert ip any any <> 79.137.57.106 any (msg:"Traffic to known Monero Miner IP (79.137.57.106)"; sid:9000148; rev:0;)
alert ip any any <> 178.32.145.31 any (msg:"Traffic to known Monero Miner IP (178.32.145.31)"; sid:9000149; rev:0;)
alert ip any any <> 178.32.196.217 any (msg:"Traffic to known Monero Miner IP (178.32.196.217)"; sid:9000150; rev:0;)
alert ip any any <> 88.99.68.228 any (msg:"Traffic to known Monero Miner IP (88.99.68.228)"; sid:9000151; rev:0;)
alert ip any any <> 217.182.169.148 any (msg:"Traffic to known Monero Miner IP (217.182.169.148)"; sid:9000152; rev:0;)
alert ip any any <> 51.255.34.118 any (msg:"Traffic to known Monero Miner IP (51.255.34.118)"; sid:9000153; rev:0;)
alert ip any any <> 5.196.26.96 any (msg:"Traffic to known Monero Miner IP (5.196.26.96)"; sid:9000154; rev:0;)
alert ip any any <> 92.222.10.59 any (msg:"Traffic to known Monero Miner IP (92.222.10.59)"; sid:9000155; rev:0;)
alert ip any any <> 151.80.59.84 any (msg:"Traffic to known Monero Miner IP (151.80.59.84)"; sid:9000156; rev:0;)
alert ip any any <> 92.222.180.118 any (msg:"Traffic to known Monero Miner IP (92.222.180.118)"; sid:9000157; rev:0;)
alert ip any any <> 92.222.72.197 any (msg:"Traffic to known Monero Miner IP (92.222.72.197)"; sid:9000158; rev:0;)
alert ip any any <> 51.255.34.79 any (msg:"Traffic to known Monero Miner IP (51.255.34.79)"; sid:9000159; rev:0;)
alert ip any any <> 51.255.34.80 any (msg:"Traffic to known Monero Miner IP (51.255.34.80)"; sid:9000160; rev:0;)
alert ip any any <> 5.196.23.240 any (msg:"Traffic to known Monero Miner IP (5.196.23.240)"; sid:9000161; rev:0;)
alert ip any any <> 151.80.144.188 any (msg:"Traffic to known Monero Miner IP (151.80.144.188)"; sid:9000162; rev:0;)
alert ip any any <> 151.80.144.253 any (msg:"Traffic to known Monero Miner IP (151.80.144.253)"; sid:9000163; rev:0;)
alert ip any any <> 198.251.88.16 any (msg:"Traffic to known Monero Miner IP (198.251.88.16)"; sid:9000164; rev:0;)
alert ip any any <> 149.202.42.174 any (msg:"Traffic to known Monero Miner IP (149.202.42.174)"; sid:9000165; rev:0;)
alert ip any any <> 5.196.13.29 any (msg:"Traffic to known Monero Miner IP (5.196.13.29)"; sid:9000166; rev:0;)
alert ip any any <> 217.182.66.25 any (msg:"Traffic to known Monero Miner IP (217.182.66.25)"; sid:9000167; rev:0;)
alert ip any any <> 92.222.180.119 any (msg:"Traffic to known Monero Miner IP (92.222.180.119)"; sid:9000168; rev:0;)
alert ip any any <> 217.182.65.224 any (msg:"Traffic to known Monero Miner IP (217.182.65.224)"; sid:9000169; rev:0;)
alert ip any any <> 149.202.57.197 any (msg:"Traffic to known Monero Miner IP (149.202.57.197)"; sid:9000170; rev:0;)
alert ip any any <> 149.202.43.126 any (msg:"Traffic to known Monero Miner IP (149.202.43.126)"; sid:9000171; rev:0;)
alert ip any any <> 199.231.85.124 any (msg:"Traffic to known Monero Miner IP (199.231.85.124)"; sid:9000172; rev:0;)
alert ip any any <> 162.213.38.63 any (msg:"Traffic to known Monero Miner IP (162.213.38.63)"; sid:9000173; rev:0;)
alert ip any any <> 45.76.23.212 any (msg:"Traffic to known Monero Miner IP (45.76.23.212)"; sid:9000174; rev:0;)
alert ip any any <> 5.196.42.127 any (msg:"Traffic to known Monero Miner IP (5.196.42.127)"; sid:9000175; rev:0;)
alert ip any any <> 51.254.238.27 any (msg:"Traffic to known Monero Miner IP (51.254.238.27)"; sid:9000176; rev:0;)
# NOTE(review): the next rule differs from sid 9000009 only in its sid (same domain
# mine.sumo.fairpool.cloud, same two content matches), so a matching query can alert
# under both sids. It looks like a duplicate - confirm and drop one.
alert udp any any -> any 53 (msg:"Suspicious DNS lookup for mine.sumo.fairpool.cloud"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth: 10; offset: 2; content:"|04|mine|04|sumo|08|fairpool|05|cloud"; nocase; distance:0; sid:9000177; rev:0;)
# Two further IP-address signatures: alert on any IP packet to or from the listed
# address, in either direction; protocol, ports and payload are not examined.
alert ip any any <> 88.80.187.187 any (msg:"Traffic to known Monero Miner IP (88.80.187.187)"; sid:9000178; rev:0;)
alert ip any any <> 149.210.234.234 any (msg:"Traffic to known Monero Miner IP (149.210.234.234)"; sid:9000179; rev:0;)