diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..f2f6efe
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,6 @@
+# .gitignore
+.env
+__pycache__/
+snort/logs/*.log
+snort/logs/*.txt
+!snort/logs/.gitkeep
\ No newline at end of file
diff --git a/README.md b/README.md
index cec654c..917112a 100644
--- a/README.md
+++ b/README.md
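Review bot: The ignore patterns point at `snort/logs/`, but the compose file in this commit mounts `./snort/snort-logs` and the same commit adds `snort/snort-logs/soc_actions.log`, so the patterns match nothing and runtime logs are already in the tree. Change them to `snort/snort-logs/*.log` and `snort/snort-logs/*.txt` (with the `.gitkeep` exception moved to that directory), and consider ignoring `snort/local.rules` too, since main.py and the dashboard both write it at runtime. The README hunk has the same path drift in the other direction — it tells users to `mkdir snort-logs` and `touch local.rules` at the repo root, which is not where the compose mounts look.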
@@ -1,3 +1,80 @@ -# firewall-roulette +# Firewall Roulette -Because every time the LLM triggers, you might lose access to your own network! \ No newline at end of file +> An experimental AI-powered Intrusion Prevention System (IPS) that occasionally tries to ban your own router. + +**Firewall Roulette** is a Proof of Concept (PoC) research project that integrates **Snort 3**, a custom Python middleware, and a Large Language Model (**Claude 3.5 Haiku** via OpenRouter) to automatically generate and apply firewall block rules in real-time. + +Spoiler alert: Giving an LLM direct write access to your local firewall rules is a terrible, hilarious idea. This repository serves as empirical proof of why deterministic security tools are still the gold standard. + +--- + +## The "Why You Shouldn't Use This in Production" Findings + +During the development and testing of this automated SOC, the LLM repeatedly demonstrated why AI is currently unfit to handle raw network perimeter defense without massive amounts of hardcoded "babysitting": + +1. **Friendly Fire (Lack of Spatial Awareness):** Despite strict prompt constraints defining the local subnet (`192.168.1.0/24`), the LLM would frequently panic at standard internal background noise (like ICMP pings or mDNS broadcasts) and attempt to quarantine the local gateway or isolate the host machine. +2. **Fatal Syntactic Hallucinations:** The LLM would occasionally invent nonexistent network protocols (e.g., `drop eth 0 -> 0 0`). Because Snort strictly validates rules on reload, a single AI hallucination would crash the entire intrusion detection engine. +3. **Ghost Hunting (The Ephemeral Port Problem):** Rather than blocking an attacker's IP broadly or targeting the compromised service port, the LLM would often hardcode the attacker's randomized ephemeral source port. By the time the rule was deployed, the attacker was already using a different port, rendering the block useless. 
+ +**Conclusion:** We had to write so much static Python logic to prevent the AI from destroying the network that the AI itself became redundant. Use [CrowdSec](https://www.crowdsec.net/) or [Suricata](https://suricata.io/) instead. + +--- + +## Architecture + +1. **Snort 3 Engine:** Listens to the network interface, detects anomalies via community rulesets, and outputs JSON alerts. +2. **Webhook Shipper (`main.py`):** A Python daemon that tails the Snort log, aggressively filters out local noise to save API tokens, alerts Discord, and passes external threat payloads to the LLM via tool-calling. +3. **The LLM (Claude 3.5 Haiku):** Analyzes the payload and triggers a Python tool to write a strictly formatted Snort `drop` rule. +4. **FastAPI Dashboard (`dashboard.py`):** A local web UI for simulating attacks, visualizing the active rule ledger, and reading the LLM's internal thought process in real-time. + +--- + +## Installation & Usage + +### 1. Requirements +* Docker & Docker Compose (or a manager like Portainer) +* An [OpenRouter API Key](https://openrouter.ai/) +* A Discord Webhook URL (optional, for alerts) + +### 2. Setup +Clone the repository and set up the required placeholder files: + +```bash +git clone [https://gitea.sekidesu.xyz/SekiDesu01/firewall-roulette.git](https://gitea.sekidesu.xyz/SekiDesu01/firewall-roulette.git) +cd firewall-roulette +mkdir snort-logs +touch local.rules +touch snort-logs/soc_actions.log +``` + +Create a `.env` file for your API keys: +```env +WEBHOOK_URL="[https://discord.com/api/webhooks/your-webhook](https://discord.com/api/webhooks/your-webhook)" +OPENROUTER_API_KEY="sk-or-v1-your-key-here" +``` + +### 3. Deploy +Start the stack using Docker Compose: +```bash +docker compose up -d +``` + +### 4. 
Access the Dashboard +Open your browser and navigate to: +```text +http://localhost:5050 +``` +From here, you can use **Chaos Mode** to inject random external attacks into the pipeline and watch the LLM try (and sometimes fail) to write valid blocking rules in real-time. + +--- + +## 🛠️ Tech Stack +* **Engine:** Snort 3 +* **Middleware/Dashboard:** Python 3.11, FastAPI, Uvicorn, Requests +* **Frontend:** HTML5, TailwindCSS (via CDN), Vanilla JS +* **AI:** Claude-3.5-Haiku via OpenRouter API + +--- + +## 📝 License +AGPL License. Do whatever you want with this, but please do not deploy it on a corporate network unless you want to get fired. \ No newline at end of file diff --git a/app/dashboard.py b/app/dashboard.py new file mode 100644 index 0000000..b4ae88f --- /dev/null +++ b/app/dashboard.py @@ -0,0 +1,218 @@ +import json +import os +import random +from fastapi import FastAPI, Form, HTTPException +from fastapi.responses import HTMLResponse, JSONResponse + +app = FastAPI(title="Duct-Tape SOC Dashboard") + +LOG_FILE = "/var/log/snort/alert_json.txt" +RULES_FILE = "/etc/snort/rules/local.rules" +ACTION_LOG = "/var/log/snort/soc_actions.log" + +HTML_TEMPLATE = """ + + + + + + Duct-Tape SOC Dashboard v3 + + + +
+
+
+

Duct-Tape SOC

+

Advanced Snort 3 & LLM Firewall Automation Simulator

+
+
+
+ Active Rules: 0
+ Alerts Logged: 0 +
+ +
+
+ +
+
+
+

Quick Scenarios

+ + +
+
+
+

Chaos Mode

+ +
+
+ +
+

Python & LLM Action Stream

+
Awaiting actions...
+
+ +
+

Active local.rules

+
Loading rules...
+
+
+ +
+

Live Snort JSON Tail

+
+

Streaming logs...

+
+
+
+ + + + +""" + +def write_alert(payload): + try: + with open(LOG_FILE, "a") as f: + f.write(json.dumps(payload) + "\n") + f.flush() + os.fsync(f.fileno()) + except Exception as e: + raise HTTPException(status_code=500, detail=f"Failed to write to log: {e}") + +@app.get("/", response_class=HTMLResponse) +def index(): + return HTML_TEMPLATE + +@app.get("/api/data") +def get_data(): + rules_content = "File empty or missing." + rule_count = 0 + if os.path.exists(RULES_FILE): + with open(RULES_FILE, "r") as f: + rules_content = f.read().strip() + rule_count = rules_content.count("drop ") + + actions_content = "" + if os.path.exists(ACTION_LOG): + with open(ACTION_LOG, "r") as f: + # Grab the last 25 lines of the action stream + actions_content = "".join(f.readlines()[-25:]) + + parsed_alerts = [] + total_alerts = 0 + if os.path.exists(LOG_FILE): + with open(LOG_FILE, "r") as f: + lines = f.readlines() + total_alerts = len(lines) + for line in reversed(lines[-10:]): + try: + parsed_alerts.append(json.loads(line)) + except: + continue + + return JSONResponse(content={ + "rules": rules_content, + "alerts": parsed_alerts, + "actions": actions_content.strip(), + "rule_count": rule_count, + "total_alerts": total_alerts + }) + +@app.post("/inject-standard") +def inject_standard(scenario: str = Form(...)): + scenarios = { + "ssh_attack": {"proto": "TCP", "src_ap": "185.220.101.5:43210", "dst_ap": "192.168.1.50:22", "rule": "1:2000123:1", "msg": "SSH Brute Force Attempt"}, + "nmap_scan": {"proto": "TCP", "src_ap": "45.33.32.156:59832", "dst_ap": "192.168.1.50:80", "rule": "1:2000456:1", "msg": "Nmap Port Scan"}, + "ssdp_noise": {"proto": "UDP", "src_ap": "192.168.1.121:1900", "dst_ap": "239.255.255.250:1900", "rule": "116:6:1", "msg": "SSDP Broadcast"}, + "mdns_noise": {"proto": "UDP", "src_ap": "192.168.1.83:5353", "dst_ap": "224.0.0.251:5353", "rule": "116:6:1", "msg": "mDNS Multicast"} + } + if scenario not in scenarios: + raise HTTPException(status_code=400, detail="Invalid 
scenario") + write_alert(scenarios[scenario]) + return {"status": "success"} + +@app.post("/inject-random") +def inject_random(): + src_ip = f"{random.randint(1, 223)}.{random.randint(0, 255)}.{random.randint(0, 255)}.{random.randint(1, 254)}" + src_port = random.randint(1024, 65535) + dst_ip = f"192.168.1.{random.randint(2, 254)}" + dst_port = random.choice([22, 80, 443, 3389, 8080]) + + payload = { + "proto": random.choice(["TCP", "UDP"]), + "src_ap": f"{src_ip}:{src_port}", + "dst_ap": f"{dst_ip}:{dst_port}", + "rule": f"1:{random.randint(10000, 99999)}:1", + "msg": "Simulated Random Attack" + } + write_alert(payload) + return {"status": "success"} + +@app.post("/clear-rules") +def clear_rules(): + try: + with open(RULES_FILE, "w") as f: + f.write("") + return {"status": "success"} + except Exception as e: + raise HTTPException(status_code=500, detail=f"Failed to clear rules: {e}") \ No newline at end of file diff --git a/app/main.py b/app/main.py new file mode 100644 index 0000000..eded3d3 --- /dev/null +++ b/app/main.py 
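Review bot: The three POST handlers (`inject_standard`, `inject_random`, `clear_rules`) take no credential at all, and two of them change security state: `clear_rules` truncates `RULES_FILE`, and the inject routes write into the same `LOG_FILE` that main.py tails and forwards to the LLM, so anyone who can reach the port can wipe the ledger or have a forged alert turned into a firewall rule. Because `inject-standard` takes plain form data, a page open in a browser on the same host can also drive it cross-origin. I would gate these routes behind a shared secret from the environment — e.g. a dependency that compares an `X-Auth-Token` header using `secrets.compare_digest` — and run uvicorn on `127.0.0.1` rather than `0.0.0.0`. Separately, the bare `except:` in `get_data` should read `except json.JSONDecodeError:` so only malformed lines are skipped, and `rules_content.count("drop ")` also counts the word inside comments, so the rule counter can drift from the real number of rules.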
@@ -0,0 +1,233 @@ +import time +import os +import json +import requests +import re + +LOG_FILE = "/var/log/snort/alert_json.txt" +RULES_FILE = "/app/local.rules" +ACTION_LOG = "/var/log/snort/soc_actions.log" +WEBHOOK = os.environ.get("WEBHOOK_URL") +OPENROUTER_KEY = os.environ.get("OPENROUTER_API_KEY") + +LLM_MODEL = "anthropic/claude-3.5-haiku" +INTERNAL_PREFIXES = ("192.168.", "10.", "172.") + +def log_msg(msg): + """Writes to standard output and the shared action log for the dashboard.""" + print(msg) + try: + with open(ACTION_LOG, "a") as f: + f.write(msg + "\n") + f.flush() + os.fsync(f.fileno()) + except Exception: + pass + +def append_snort_rule(rule_string): + rule_string = rule_string.strip() + + valid_starts = ["drop tcp", "drop udp", "drop icmp", "drop ip"] + if not any(rule_string.startswith(prefix) for prefix in valid_starts): + log_msg(f"CRITICAL: Blocked invalid protocol syntax: {rule_string}") + return "Rejected: Rule must start with drop tcp, udp, icmp, or ip." + + if "any any -> any any" in rule_string: + log_msg("CRITICAL: Blocked LLM attempt to deploy a nuclear 'any any' drop rule.") + return "Rejected: Rule would cause total network blackout." + + dangerous_targets = ["255.255.255.255", "224.0.0", "239.255.255", "ff02::"] + if any(target in rule_string for target in dangerous_targets): + log_msg(f"CRITICAL: Blocked LLM attempt to block broadcast/multicast traffic.") + return "Rejected: Rule targets critical local infrastructure noise." + + if "->" not in rule_string or "sid:" not in rule_string: + log_msg("CRITICAL: Blocked malformed rule structural syntax.") + return "Rejected: Malformed Snort syntax." + + parts = rule_string.split() + if len(parts) > 2: + src_ip = parts[2] + + if src_ip.lower() == "any": + log_msg("CRITICAL: Blocked rule. LLM failed to identify a specific attacker IP.") + return "Rejected: Source IP cannot be 'any'." 
+ + if src_ip.startswith(INTERNAL_PREFIXES): + log_msg(f"CRITICAL: Blocked LLM attempt to ban internal subnet IP: {src_ip}") + return "Rejected: Cannot block internal network IPs." + + if os.path.exists(RULES_FILE): + with open(RULES_FILE, "r") as f: + if src_ip in f.read(): + log_msg(f"Skipping: Attacker {src_ip} is already blocked in local.rules") + return "Rejected: IP already blocked." + + try: + with open(RULES_FILE, "a") as f: + f.write(f"\n# Auto-generated by LLM\n{rule_string}\n") + return "Rule successfully appended to local.rules." + except Exception as e: + return f"Failed to write rule: {e}" + +def get_next_sid(): + highest_sid = 1000000 + if os.path.exists(RULES_FILE): + with open(RULES_FILE, "r") as f: + sids = re.findall(r'sid:(\d+);', f.read()) + if sids: + highest_sid = max([int(s) for s in sids]) + return highest_sid + 1 + +def ask_llm_for_rule(alert_data): + if not OPENROUTER_KEY: + return + + next_sid = get_next_sid() + headers = { + "Authorization": f"Bearer {OPENROUTER_KEY}", + "Content-Type": "application/json" + } + + prompt = ( + "You are an automated SOC analyst generating Snort 3 block rules.\n" + f"Analyze this alert payload:\n{json.dumps(alert_data)}\n\n" + "CRITICAL REQUIREMENTS:\n" + f"1. Use EXACTLY this syntax: drop [proto] [src] any -> [dst] [dst_port] (msg:\"LLM Block\"; sid:{next_sid}; rev:1;)\n" + "2. The SOURCE port MUST ALWAYS be 'any'. Attackers use random ephemeral ports.\n" + "3. If the alert does not specify a clear, non-local external IP address as the attacker, you MUST NOT generate a rule.\n" + "4. NEVER target 255.255.255.255, multicast ranges, or loopback addresses.\n" + "5. CONTEXT: The protected internal network is 192.168.1.0/24. The attacker is ALWAYS external. NEVER use an IP starting with 192.168. as the source.\n" + "6. The source IP must be the specific external attacker. Never use 'any' for the source IP.\n" + "7. 
THOUGHT PROCESS: Briefly explain your reasoning in 1-2 sentences in the text response before deciding whether to call the tool or do nothing." + ) + + payload = { + "model": LLM_MODEL, + "messages": [{"role": "user", "content": prompt}], + "tools": [{ + "type": "function", + "function": { + "name": "append_snort_rule", + "description": "Appends a new Snort rule.", + "parameters": { + "type": "object", + "properties": { + "rule_string": { + "type": "string", + "description": "The exact valid Snort 3 rule string." + } + }, + "required": ["rule_string"] + } + } + }] + } + + log_msg("Asking LLM for a block rule...") + try: + response = requests.post("https://openrouter.ai/api/v1/chat/completions", headers=headers, json=payload) + response.raise_for_status() + response_data = response.json() + + message = response_data["choices"][0]["message"] + content = message.get("content", "") + + if content: + log_msg(f"LLM Reasoning: {content.strip()}") + + if "tool_calls" in message and message["tool_calls"]: + for tool_call in message["tool_calls"]: + if tool_call["function"]["name"] == "append_snort_rule": + args = json.loads(tool_call["function"]["arguments"]) + rule_string = args.get("rule_string") + log_msg(f"LLM generated rule: {rule_string}") + + result = append_snort_rule(rule_string) + log_msg(result) + else: + log_msg("LLM opted not to generate a rule.") + + except Exception as e: + log_msg(f"Failed to communicate with LLM or parse response: {e}") + +def send_discord_alert(data, raw_json_str, proto, src, dst, rule_id): + embed = { + "title": f"[SNORT] {proto} Traffic Detected", + "description": f"**Raw Payload:**\n```json\n{raw_json_str}\n```", + "color": 16711680, + "fields": [ + {"name": "Source", "value": f"`{src}`", "inline": True}, + {"name": "Destination", "value": f"`{dst}`", "inline": True}, + {"name": "Rule ID", "value": f"`{rule_id}`", "inline": True} + ], + "footer": {"text": "Duct-Tape SOC"} + } + + while True: + try: + response = requests.post(WEBHOOK, 
json={"embeds": [embed]}) + + if response.status_code == 429: + wait_time = response.json().get("retry_after", 1) + log_msg(f"Rate limited by Discord. Sleeping for {wait_time}s...") + time.sleep(wait_time) + continue + elif response.status_code in [200, 204]: + log_msg("Sent alert to Discord successfully.") + break + else: + log_msg(f"Discord responded: {response.status_code} - {response.text}") + break + except Exception as e: + log_msg(f"Failed to send to Discord: {e}") + break + +def tail_and_ship(): + log_msg(f"Waiting for Snort to create {LOG_FILE}...") + while not os.path.exists(LOG_FILE): + time.sleep(1) + + log_msg("Log found. Tailing for alerts...") + with open(LOG_FILE, "r") as f: + f.seek(0, 2) + while True: + line = f.readline() + if not line: + time.sleep(0.5) + continue + + try: + data = json.loads(line) + proto = data.get("proto", "UNKNOWN") + src = data.get("src_ap", "Unknown") + dst = data.get("dst_ap", "Unknown") + + src_ip = src.split(':')[0] if ':' in src else src + dst_ip = dst.split(':')[0] if ':' in dst else dst + + if dst_ip == "255.255.255.255" or dst_ip.startswith("224.") or dst_ip.startswith("239.") or dst_ip.startswith("ff02:"): + continue + + if src_ip.startswith(INTERNAL_PREFIXES) and dst_ip.startswith(INTERNAL_PREFIXES): + continue + + rule_id = data.get("rule", "Unknown") + raw_json_str = json.dumps(data, indent=2) + + send_discord_alert(data, raw_json_str, proto, src, dst, rule_id) + ask_llm_for_rule(data) + + except Exception as e: + log_msg(f"Failed to process alert: {e}") + +if __name__ == "__main__": + if not WEBHOOK: + log_msg("Error: WEBHOOK_URL environment variable is missing.") + exit(1) + + # Initialize the log file + with open(ACTION_LOG, "w") as f: + f.write("SOC Action Log Initialized.\n") + + tail_and_ship() \ No newline at end of file diff --git a/docker-compose.yml b/docker-compose.yml new file mode 100644 index 0000000..1da85d8 --- /dev/null +++ b/docker-compose.yml 
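Review bot: The source-address guard in `append_snort_rule` rejects only the literal `any` and tokens starting with `INTERNAL_PREFIXES`, so anything else in `parts[2]` reaches `local.rules` unparsed; Snort address syntax also allows negation (`!`), CIDR masks and bracketed lists, none of which a prefix test can judge, and the `172.` prefix rejects far more than the 172.16/12 private range. Parse the field as one literal address with the stdlib `ipaddress` module and require `is_global`, which rejects private, loopback, link-local and multicast sources in a single check (this needs `import ipaddress` at the top of main.py). The duplicate check uses the same substring approach (`src_ip in f.read()`), so `10.1.1.1` collides with `10.1.1.10`; compare the parsed address per rule line instead. Both `requests.post` calls should also pass a `timeout=`, otherwise a hung OpenRouter or Discord connection stalls the tail loop indefinitely.
```python
    parts = rule_string.split()
    if len(parts) > 2:
        src_ip = parts[2]

        # Snort accepts negation, CIDR and [lists] in this field; only a single
        # literal, globally routable address is acceptable from the LLM.
        try:
            src_addr = ipaddress.ip_address(src_ip)
        except ValueError:
            log_msg(f"CRITICAL: Blocked rule with non-literal source address: {src_ip}")
            return "Rejected: Source IP must be a single literal address."

        if not src_addr.is_global:
            log_msg(f"CRITICAL: Blocked LLM attempt to ban a non-routable/internal IP: {src_ip}")
            return "Rejected: Cannot block internal network IPs."

        # … unchanged: duplicate check against local.rules …
    # … unchanged: append to RULES_FILE …
```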
@@ -0,0 +1,52 @@ +version: '3.8' + +services: + snort: + image: ciscotalos/snort3:latest + user: "root" + network_mode: host + privileged: true + volumes: + # Pushed all Snort-related mounts into the ./snort directory + - ./snort/snort-logs:/var/log/snort + - ./snort/local.rules:/etc/snort/rules/local.rules + - ./snort/snort3-community.rules:/etc/snort/rules/snort3-community.rules:ro + - ./snort/snort.lua:/home/snorty/snort3/etc/snort/snort.lua:ro + entrypoint: ["/home/snorty/snort3/bin/snort"] + command: [ + "-c", "/home/snorty/snort3/etc/snort/snort.lua", + "-R", "/etc/snort/rules/local.rules", + # NOTE: Users cloning this must change the interface to match their machine + "-i", "enp1s0f0", + "-l", "/var/log/snort", + "--lua", "alert_json = { file = true }", + "--bpf", "not broadcast and not multicast" + ] + + webhook-shipper: + image: python:3.11-slim + restart: unless-stopped + volumes: + # Updated paths for logs, rules, and the python script + - ./snort/snort-logs:/var/log/snort + - ./app/main.py:/app/main.py:ro + - ./snort/local.rules:/app/local.rules + environment: + - WEBHOOK_URL=${WEBHOOK_URL} + - OPENROUTER_API_KEY=${OPENROUTER_API_KEY} + working_dir: /app + command: sh -c "pip install --no-cache-dir requests && python -u main.py" + + soc-dashboard: + image: python:3.11-slim + restart: unless-stopped + ports: + - "5050:5050" + volumes: + # Updated paths for logs, rules, and the dashboard script + - ./snort/snort-logs:/var/log/snort + - ./snort/local.rules:/etc/snort/rules/local.rules + - ./app/dashboard.py:/app/dashboard.py:ro + working_dir: /app + command: > + sh -c "pip install fastapi uvicorn python-multipart && uvicorn dashboard:app --host 0.0.0.0 --port 5050" \ No newline at end of file diff --git a/snort/local.rules b/snort/local.rules new file mode 100644 index 0000000..813ed59 --- /dev/null +++ b/snort/local.rules 
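Review bot: `ports: - "5050:5050"` publishes the dashboard on every host interface, and its POST routes write the rules file and the alert log without any credential, so the whole LAN can clear or seed the firewall ledger; bind it to loopback with `- "127.0.0.1:5050:5050"` until those routes are authenticated. The `pip install` lines run unpinned at every container start, so what executes depends on whatever PyPI serves that day — pin versions (ideally with hashes) or build an image once. The snort service combines `privileged: true`, `user: "root"` and `network_mode: host`; packet capture usually needs only `NET_ADMIN`/`NET_RAW` via `cap_add`, though I can't tell from here what the ciscotalos image itself requires. The bind-mount paths (`./snort/snort-logs`, `./snort/local.rules`) also disagree with the README's `mkdir snort-logs` / `touch local.rules` at the repo root, so a fresh clone that follows the README likely ends up with Docker creating those mount points itself.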
@@ -0,0 +1,9 @@
+
+# Auto-generated by LLM
+drop tcp 77.247.97.72 any -> 192.168.1.225 8080 (msg:"LLM Block"; sid:1000001; rev:1;)
+
+# Auto-generated by LLM
+drop tcp 45.33.32.156 any -> 192.168.1.50 80 (msg:"LLM Block"; sid:1000002; rev:1;)
+
+# Auto-generated by LLM
+drop udp 21.154.103.61 any -> 192.168.1.53 80 (msg:"LLM Block"; sid:1000003; rev:1;)
diff --git a/snort/snort-logs/soc_actions.log b/snort/snort-logs/soc_actions.log
new file mode 100644
index 0000000..ec0d56b
--- /dev/null
+++ b/snort/snort-logs/soc_actions.log
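Review bot: This file is runtime output rather than source: it holds three LLM-written `drop` rules against specific public addresses from a test session (one, `45.33.32.156`, is the `nmap_scan` demo scenario hard-coded in dashboard.py; the others appear to come from the random injector), so every clone that follows the deploy steps starts out dropping traffic from those hosts. Ship it empty — the README already tells users to `touch local.rules` — and let the ignore rules keep future entries out of commits. Note also that `inject_random` picks an arbitrary global address and main.py's validator will accept it, so on a real interface the ledger keeps filling with unrelated third-party IPs.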
@@ -0,0 +1,30 @@ +SOC Action Log Initialized. +Waiting for Snort to create /var/log/snort/alert_json.txt... +Log found. Tailing for alerts... +Sent alert to Discord successfully. +Asking LLM for a block rule... +LLM Reasoning: Analysis: +The alert shows an external IP (77.247.97.72) attacking an internal IP (192.168.1.225) on port 8080 via TCP. The source IP is a valid external address, and the destination is within the protected 192.168.1.0/24 network. All conditions are met to generate a block rule. + +I'll create a Snort 3 drop rule that precisely matches the specified syntax: +LLM generated rule: drop tcp 77.247.97.72 any -> 192.168.1.225 8080 (msg:"LLM Block"; sid:1000001; rev:1;) +Rule successfully appended to local.rules. +Sent alert to Discord successfully. +Asking LLM for a block rule... +LLM Reasoning: Analysis of the alert payload: + +The alert shows an external IP (45.33.32.156) scanning an internal host (192.168.1.50) on port 80 using TCP. The source IP is a clear, non-local external IP address, and it's targeting a specific internal network host. This meets all the criteria for generating a blocking Snort rule. I will create a rule to drop TCP traffic from this specific external attacker IP to the internal destination. +LLM generated rule: drop tcp 45.33.32.156 any -> 192.168.1.50 80 (msg:"LLM Block"; sid:1000002; rev:1;) +Rule successfully appended to local.rules. +Sent alert to Discord successfully. +Asking LLM for a block rule... 
+LLM Reasoning: Analysis of the alert payload: +- The source IP (21.154.103.61) is a valid external IP address +- The destination is within the protected 192.168.1.0/24 network +- The protocol is UDP +- Destination port is 80 +- This meets all the criteria for generating a block rule + +I will generate a Snort 3 drop rule to block UDP traffic from this specific external attacker to the internal network: +LLM generated rule: drop udp 21.154.103.61 any -> 192.168.1.53 80 (msg:"LLM Block"; sid:1000003; rev:1;) +Rule successfully appended to local.rules. diff --git a/snort/snort.lua b/snort/snort.lua new file mode 100644 index 0000000..e284881 --- /dev/null +++ b/snort/snort.lua 
@@ -0,0 +1,279 @@ +--------------------------------------------------------------------------- +-- Snort++ configuration +--------------------------------------------------------------------------- + +-- there are over 200 modules available to tune your policy. +-- many can be used with defaults w/o any explicit configuration. +-- use this conf as a template for your specific configuration. + +-- 1. configure defaults +-- 2. configure inspection +-- 3. configure bindings +-- 4. configure performance +-- 5. configure detection +-- 6. configure filters +-- 7. configure outputs +-- 8. configure tweaks + +--------------------------------------------------------------------------- +-- 1. configure defaults +--------------------------------------------------------------------------- + +-- HOME_NET and EXTERNAL_NET must be set now +-- setup the network addresses you are protecting +HOME_NET = '192.168.1.0/24' + +-- set up the external network addresses. +-- (leave as "any" in most situations) +EXTERNAL_NET = 'any' + +include 'snort_defaults.lua' + +--------------------------------------------------------------------------- +-- 2. 
configure inspection +--------------------------------------------------------------------------- + +-- mod = { } uses internal defaults +-- you can see them with snort --help-module mod + +-- mod = default_mod uses external defaults +-- you can see them in snort_defaults.lua + +-- the following are quite capable with defaults: + +stream = { } +stream_ip = { } +stream_icmp = { } +stream_tcp = { } +stream_udp = { } +stream_user = { } +stream_file = { } + +arp_spoof = { } +back_orifice = { } +dns = { } +imap = { } +netflow = {} +normalizer = { } +pop = { } +rpc_decode = { } +sip = { } +ssh = { } +ssl = { } +telnet = { } + +cip = { } +dnp3 = { } +iec104 = { } +mms = { } +modbus = { } +opcua = { } +s7commplus = { } + +dce_smb = { } +dce_tcp = { } +dce_udp = { } +dce_http_proxy = { } +dce_http_server = { } + +-- see snort_defaults.lua for default_* +gtp_inspect = default_gtp +port_scan = default_med_port_scan +smtp = default_smtp + +ftp_server = default_ftp_server +ftp_client = { } +ftp_data = { } + +http_inspect = { } +http2_inspect = { } + +-- see file_magic.rules for file id rules +file_id = { rules_file = 'file_magic.rules' } +file_policy = { } + +js_norm = default_js_norm + +-- the following require additional configuration to be fully effective: + +appid = +{ + -- appid requires this to use appids in rules + --app_detector_dir = 'directory to load appid detectors from' +} + +--[[ +reputation = +{ + -- configure one or both of these, then uncomment reputation + -- (see also related path vars at the top of snort_defaults.lua) + + --blacklist = 'blacklist file name with ip lists' + --whitelist = 'whitelist file name with ip lists' +} +--]] + +--------------------------------------------------------------------------- +-- 3. 
configure bindings +--------------------------------------------------------------------------- + +wizard = default_wizard + +binder = +{ + -- port bindings required for protocols without wizard support + { when = { proto = 'udp', ports = '53', role='server' }, use = { type = 'dns' } }, + { when = { proto = 'tcp', ports = '53', role='server' }, use = { type = 'dns' } }, + { when = { proto = 'tcp', ports = '111', role='server' }, use = { type = 'rpc_decode' } }, + { when = { proto = 'tcp', ports = '502', role='server' }, use = { type = 'modbus' } }, + { when = { proto = 'tcp', ports = '2123 2152 3386', role='server' }, use = { type = 'gtp_inspect' } }, + { when = { proto = 'tcp', ports = '2404', role='server' }, use = { type = 'iec104' } }, + { when = { proto = 'udp', ports = '2222', role = 'server' }, use = { type = 'cip' } }, + { when = { proto = 'tcp', ports = '44818', role = 'server' }, use = { type = 'cip' } }, + + { when = { proto = 'tcp', service = 'dcerpc' }, use = { type = 'dce_tcp' } }, + { when = { proto = 'udp', service = 'dcerpc' }, use = { type = 'dce_udp' } }, + { when = { proto = 'udp', service = 'netflow' }, use = { type = 'netflow' } }, + + { when = { service = 'netbios-ssn' }, use = { type = 'dce_smb' } }, + { when = { service = 'dce_http_server' }, use = { type = 'dce_http_server' } }, + { when = { service = 'dce_http_proxy' }, use = { type = 'dce_http_proxy' } }, + + { when = { service = 'cip' }, use = { type = 'cip' } }, + { when = { service = 'dnp3' }, use = { type = 'dnp3' } }, + { when = { service = 'dns' }, use = { type = 'dns' } }, + { when = { service = 'ftp' }, use = { type = 'ftp_server' } }, + { when = { service = 'ftp-data' }, use = { type = 'ftp_data' } }, + { when = { service = 'gtp' }, use = { type = 'gtp_inspect' } }, + { when = { service = 'imap' }, use = { type = 'imap' } }, + { when = { service = 'http' }, use = { type = 'http_inspect' } }, + { when = { service = 'http2' }, use = { type = 'http2_inspect' } }, + { when = { 
service = 'iec104' }, use = { type = 'iec104' } }, + { when = { service = 'mms' }, use = { type = 'mms' } }, + { when = { service = 'modbus' }, use = { type = 'modbus' } }, + { when = { service = 'opcua' }, use = { type = 'opcua' } }, + { when = { service = 'pop3' }, use = { type = 'pop' } }, + { when = { service = 'ssh' }, use = { type = 'ssh' } }, + { when = { service = 'sip' }, use = { type = 'sip' } }, + { when = { service = 'smtp' }, use = { type = 'smtp' } }, + { when = { service = 'ssl' }, use = { type = 'ssl' } }, + { when = { service = 'sunrpc' }, use = { type = 'rpc_decode' } }, + { when = { service = 's7commplus' }, use = { type = 's7commplus' } }, + { when = { service = 'telnet' }, use = { type = 'telnet' } }, + + { use = { type = 'wizard' } } +} + +--------------------------------------------------------------------------- +-- 4. configure performance +--------------------------------------------------------------------------- + +-- use latency to monitor / enforce packet and rule thresholds +--latency = { } + +-- use these to capture perf data for analysis and tuning +--profiler = { } +--perf_monitor = { } + +--------------------------------------------------------------------------- +-- 5. 
configure detection +--------------------------------------------------------------------------- + +references = default_references +classifications = default_classifications + +ips = +{ + -- use this to enable decoder and inspector alerts + enable_builtin_rules = false, + include = "/etc/snort/rules/snort3-community.rules", + + -- use include for rules files; be sure to set your path + -- note that rules files can include other rules files + -- (see also related path vars at the top of snort_defaults.lua) + + variables = default_variables +} + +-- use these to configure additional rule actions +-- react = { } +-- reject = { } + +-- use this to enable payload injection utility +-- payload_injector = { } + +--------------------------------------------------------------------------- +-- 6. configure filters +--------------------------------------------------------------------------- + +-- below are examples of filters +-- each table is a list of records + +--[[ +suppress = +{ + -- don't want to any of see these + { gid = 1, sid = 1 }, + + -- don't want to see anything for a given host + { track = 'by_dst', ip = '1.2.3.4' } + + -- don't want to see these for a given host + { gid = 1, sid = 2, track = 'by_dst', ip = '1.2.3.4' }, +} +--]] + +--[[ +event_filter = +{ + -- reduce the number of events logged for some rules + { gid = 1, sid = 1, type = 'limit', track = 'by_src', count = 2, seconds = 10 }, + { gid = 1, sid = 2, type = 'both', track = 'by_dst', count = 5, seconds = 60 }, +} +--]] + +--[[ +rate_filter = +{ + -- alert on connection attempts from clients in SOME_NET + { gid = 135, sid = 1, track = 'by_src', count = 5, seconds = 1, + new_action = 'alert', timeout = 4, apply_to = '[$SOME_NET]' }, + + -- alert on connections to servers over threshold + { gid = 135, sid = 2, track = 'by_dst', count = 29, seconds = 3, + new_action = 'alert', timeout = 1 }, +} +--]] + +--------------------------------------------------------------------------- +-- 7. 
configure outputs +--------------------------------------------------------------------------- + +-- event logging +-- you can enable with defaults from the command line with -A +-- uncomment below to set non-default configs +--alert_csv = { } +--alert_fast = { } +--alert_full = { } +--alert_sfsocket = { } +--alert_syslog = { } +--unified2 = { } + +-- packet logging +-- you can enable with defaults from the command line with -L +--log_codecs = { } +--log_hext = { } +--log_pcap = { } + +-- additional logs +--packet_capture = { } +--file_log = { } + +--------------------------------------------------------------------------- +-- 8. configure tweaks +--------------------------------------------------------------------------- + +if ( tweaks ~= nil ) then + include(tweaks .. '.lua') +end + diff --git a/snort/snort3-community.rules b/snort/snort3-community.rules new file mode 100644 index 0000000..e881c8b --- /dev/null +++ b/snort/snort3-community.rules 
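Review bot: Nothing here or in the compose command puts Snort into inline mode — the `ips` table sets no `mode`, and the command line uses `-i` without `-Q` — so, as far as I recall Snort 3's defaults, the engine runs in tap mode and the `drop` rules main.py appends are only logged, never enforced; if this PoC is meant to block, set `mode = inline` in the `ips` table (or pass `-Q`) with an inline-capable DAQ, and if it is meant to stay passive, say so in the README. Independently, nothing on this page sends Snort a reload after `local.rules` changes, so "Rule successfully appended" is logged before any rule can take effect; either signal a reload from main.py or document that operators must do it. The rest of the file is the stock template; the only local edits I can see are `HOME_NET` and the community-rules `include`, so a one-line header comment saying which lines were changed from upstream would help the next reader.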
@@ -0,0 +1,4017 @@ +alert tcp $HOME_NET 2589 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR - Dagger_1.4.0"; flow:to_client,established; content:"2|00 00 00 06 00 00 00|Drives|24 00|",depth 16; metadata:ruleset community; classtype:misc-activity; sid:105; rev:14; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 7597 ( msg:"MALWARE-BACKDOOR QAZ Worm Client Login access"; flow:to_server,established; content:"qazwsx.hsq"; metadata:ruleset community; classtype:misc-activity; sid:108; rev:12; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 12345:12346 ( msg:"MALWARE-BACKDOOR netbus getinfo"; flow:to_server,established; content:"GetInfo|0D|"; metadata:ruleset community; classtype:trojan-activity; sid:110; rev:10; ) +alert tcp $HOME_NET 20034 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR NetBus Pro 2.0 connection established"; flow:to_client,established; flowbits:isset,backdoor.netbus_2.connect; content:"BN|10 00 02 00|",depth 6; content:"|05 00|",depth 2,offset 8; metadata:ruleset community; classtype:trojan-activity; sid:115; rev:15; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR Infector.1.x"; flow:to_client,established; content:"WHATISIT",depth 9; metadata:impact_flag red,ruleset community; reference:nessus,11157; classtype:misc-activity; sid:117; rev:17; ) +alert tcp $HOME_NET 666 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR SatansBackdoor.2.0.Beta"; flow:to_client,established; content:"Remote|3A| ",depth 11,nocase; content:"You are connected to me.|0D 0A|Remote|3A| Ready for commands",distance 0,nocase; metadata:ruleset community; reference:url,www.megasecurity.org/trojans/s/satanzbackdoor/SBD2.0b.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=5260; classtype:trojan-activity; sid:118; rev:12; ) +alert tcp $HOME_NET 6789 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR Doly 2.0 access"; flow:to_client,established; content:"Wtzup Use",depth 32; metadata:ruleset community; classtype:misc-activity; sid:119; rev:11; ) +alert tcp $EXTERNAL_NET 
1000:1300 -> $HOME_NET 146 ( msg:"MALWARE-BACKDOOR Infector 1.6 Client to Server Connection Request"; flow:to_server,established; content:"FC "; metadata:ruleset community; reference:nessus,11157; classtype:misc-activity; sid:121; rev:14; ) +alert tcp $HOME_NET 31785 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR HackAttack 1.20 Connect"; flow:to_client,established; content:"host"; metadata:ruleset community; classtype:misc-activity; sid:141; rev:10; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP ADMw0rm ftp login attempt"; flow:to_server,established; content:"USER",nocase; content:"w0rm",distance 1,nocase; pcre:"/^USER\s+w0rm/ims"; metadata:ruleset community; service:ftp; classtype:suspicious-login; sid:144; rev:16; ) +alert tcp $HOME_NET 30100:30102 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR NetSphere access"; flow:to_client,established; content:"NetSphere"; metadata:ruleset community; classtype:trojan-activity; sid:146; rev:13; ) +alert tcp $HOME_NET 6969 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR GateCrasher"; flow:to_client,established; content:"GateCrasher",depth 11,nocase; content:"Server",distance 0,nocase; content:"On-Line...",distance 0,nocase; pcre:"/^GateCrasher\s+v\d+\x2E\d+\x2C\s+Server\s+On-Line\x2E\x2E\x2E/ims"; metadata:policy max-detect-ips drop,ruleset community; reference:url,www.spywareguide.com/product_show.php?id=973; classtype:trojan-activity; sid:147; rev:12; ) +alert tcp $HOME_NET 5401:5402 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR BackConstruction 2.1 Connection"; flow:to_client,established; content:"c|3A 5C|"; metadata:ruleset community; classtype:misc-activity; sid:152; rev:11; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 666 ( msg:"MALWARE-BACKDOOR BackConstruction 2.1 Client FTP Open Request"; flow:to_server,established; content:"FTPON"; metadata:ruleset community; classtype:misc-activity; sid:157; rev:9; ) +alert tcp $HOME_NET 666 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR BackConstruction 2.1 Server FTP 
Open Reply"; flow:to_client,established; content:"FTP Port open"; metadata:ruleset community; classtype:misc-activity; sid:158; rev:10; ) +alert udp $EXTERNAL_NET 3344 -> $HOME_NET 3345 ( msg:"MALWARE-BACKDOOR Matrix 2.0 Client connect"; flow:to_server; content:"activate"; metadata:ruleset community; classtype:misc-activity; sid:161; rev:10; ) +alert udp $EXTERNAL_NET 3345 -> $HOME_NET 3344 ( msg:"MALWARE-BACKDOOR Matrix 2.0 Server access"; flow:to_server; content:"logged in"; metadata:ruleset community; classtype:misc-activity; sid:162; rev:10; ) +alert tcp $HOME_NET 5714 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR WinCrash 1.0 Server Active"; flow:stateless; flags:AS,12; content:"|B4 B4|"; metadata:ruleset community; classtype:misc-activity; sid:163; rev:14; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 79 ( msg:"MALWARE-BACKDOOR CDK"; flow:to_server,established; content:"ypi0ca",depth 15,nocase; metadata:ruleset community; classtype:misc-activity; sid:185; rev:10; ) +alert udp $HOME_NET 2140 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR DeepThroat 3.1 Server Response"; flow:to_client; content:"Ahhhh My Mouth Is Open"; metadata:ruleset community; reference:nessus,10053; classtype:trojan-activity; sid:195; rev:15; ) +alert tcp $HOME_NET 555 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR PhaseZero Server Active on Network"; flow:to_client,established; content:"phAse zero server",depth 17,nocase; metadata:policy max-detect-ips drop,ruleset community; reference:url,www.megasecurity.org/trojans/p/phasezero/PhaseZero1.0b.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=4539; classtype:trojan-activity; sid:208; rev:13; ) +alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"MALWARE-BACKDOOR w00w00 attempt"; flow:to_server,established; content:"w00w00"; metadata:ruleset community; classtype:attempted-admin; sid:209; rev:9; ) +alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"MALWARE-BACKDOOR attempt"; flow:to_server,established; 
content:"backdoor",nocase; metadata:ruleset community; classtype:attempted-admin; sid:210; rev:7; ) +alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"MALWARE-BACKDOOR MISC r00t attempt"; flow:to_server,established; content:"r00t"; metadata:ruleset community; classtype:attempted-admin; sid:211; rev:7; ) +alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"MALWARE-BACKDOOR MISC rewt attempt"; flow:to_server,established; content:"rewt"; metadata:ruleset community; classtype:attempted-admin; sid:212; rev:7; ) +alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"MALWARE-BACKDOOR MISC Linux rootkit attempt"; flow:to_server,established; content:"wh00t!"; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1014; classtype:attempted-admin; sid:213; rev:9; ) +alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"MALWARE-BACKDOOR MISC Linux rootkit attempt lrkr0x"; flow:to_server,established; content:"lrkr0x"; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1014; classtype:attempted-admin; sid:214; rev:9; ) +alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"MALWARE-BACKDOOR MISC Linux rootkit attempt"; flow:to_server,established; content:"d13hh[",nocase; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1014; classtype:attempted-admin; sid:215; rev:9; ) +alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"MALWARE-BACKDOOR MISC Linux rootkit satori attempt"; flow:to_server,established; content:"satori"; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1014; classtype:attempted-admin; sid:216; rev:12; ) +alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"MALWARE-BACKDOOR MISC sm4ck attempt"; flow:to_server,established; content:"hax0r"; metadata:ruleset community; classtype:attempted-admin; sid:217; rev:7; ) +alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"MALWARE-BACKDOOR MISC Solaris 2.5 attempt"; flow:to_server,established; content:"friday"; 
metadata:ruleset community; classtype:attempted-user; sid:218; rev:8; ) +alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"MALWARE-BACKDOOR HidePak backdoor attempt"; flow:to_server,established; content:"StoogR"; metadata:ruleset community; classtype:misc-activity; sid:219; rev:10; ) +alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"MALWARE-BACKDOOR HideSource backdoor attempt"; flow:to_server,established; content:"wank"; metadata:ruleset community; classtype:misc-activity; sid:220; rev:10; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP TFN Probe"; icmp_id:678; itype:8; content:"1234",fast_pattern,nocase; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:221; rev:12; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP tfn2k icmp possible communication"; icmp_id:0; itype:0; content:"AAAAAAAAAA",fast_pattern,nocase; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:222; rev:10; ) +alert udp $EXTERNAL_NET any -> $HOME_NET [31335,35555] ( msg:"MALWARE-OTHER Trin00 Daemon to Master PONG message detected"; flow:to_server; content:"PONG",fast_pattern,nocase; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:223; rev:13; ) +alert icmp 3.3.3.3/32 any -> $EXTERNAL_NET any ( msg:"PROTOCOL-ICMP Stacheldraht server spoof"; icmp_id:666; itype:0; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:224; rev:10; ) +alert icmp $HOME_NET any -> $EXTERNAL_NET any ( msg:"PROTOCOL-ICMP Stacheldraht gag server response"; icmp_id:669; itype:0; content:"sicken"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:225; rev:13; ) +alert icmp $HOME_NET any -> $EXTERNAL_NET any ( msg:"PROTOCOL-ICMP Stacheldraht server response"; icmp_id:667; itype:0; content:"ficken"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:226; rev:13; ) +alert icmp 
$EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Stacheldraht client spoofworks"; icmp_id:1000; itype:0; content:"spoofworks"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:227; rev:13; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP TFN client command BE"; icmp_id:456; icmp_seq:0; itype:0; pcre:"/^[0-9]{1,5}\x00/"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:228; rev:11; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Stacheldraht client check skillz"; icmp_id:666; itype:0; content:"skillz"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:229; rev:12; ) +alert tcp $HOME_NET 20432 -> $EXTERNAL_NET any ( msg:"MALWARE-OTHER shaft client login to handler"; flow:to_client,established; content:"login|3A|",fast_pattern,nocase; metadata:ruleset community; reference:cve,2000-0138; reference:url,security.royans.net/info/posts/bugtraq_ddos3.shtml; classtype:attempted-dos; sid:230; rev:13; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 31335 ( msg:"MALWARE-OTHER Trin00 Daemon to Master message detected"; flow:to_server; content:"l44",fast_pattern,nocase; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:231; rev:11; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 31335 ( msg:"MALWARE-OTHER Trin00 Daemon to Master *HELLO* message detected"; flow:to_server; content:"*HELLO*"; metadata:ruleset community; reference:cve,2000-0138; reference:url,www.sans.org/newlook/resources/IDFAQ/trinoo.htm; classtype:attempted-dos; sid:232; rev:13; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 ( msg:"MALWARE-OTHER Trin00 Attacker to Master default startup password"; flow:to_server,established; content:"betaalmostdone"; metadata:ruleset community; reference:cve,2000-0138; reference:url,attack.mitre.org/techniques/T1078; classtype:attempted-dos; sid:233; rev:11; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 ( 
msg:"MALWARE-OTHER Trin00 Attacker to Master default password"; flow:to_server,established; content:"gOrave"; metadata:ruleset community; reference:cve,2000-0138; reference:url,attack.mitre.org/techniques/T1078; classtype:attempted-dos; sid:234; rev:9; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 ( msg:"MALWARE-OTHER Trin00 Attacker to Master default mdie password"; flow:to_server,established; content:"killme"; metadata:ruleset community; reference:cve,2000-0138; reference:url,attack.mitre.org/techniques/T1078; classtype:attempted-dos; sid:235; rev:9; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Stacheldraht client check gag"; icmp_id:668; itype:0; content:"gesundheit!"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:236; rev:13; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 27444 ( msg:"MALWARE-OTHER Trin00 Master to Daemon default password attempt"; flow:to_server; content:"l44adsl"; metadata:ruleset community; reference:cve,2000-0138; reference:url,attack.mitre.org/techniques/T1078; classtype:attempted-dos; sid:237; rev:11; ) +alert icmp $HOME_NET any -> $EXTERNAL_NET any ( msg:"PROTOCOL-ICMP TFN server response"; icmp_id:123; itype:0; content:"shell bound"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:238; rev:14; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 18753 ( msg:"MALWARE-OTHER shaft handler to agent"; flow:to_server; content:"alive tijgu"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:239; rev:10; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 20433 ( msg:"MALWARE-OTHER shaft agent to handler"; flow:to_server; content:"alive"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:240; rev:10; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 6838 ( msg:"MALWARE-OTHER mstream agent to handler"; flow:to_server; content:"newserver"; metadata:ruleset community; reference:cve,2000-0138; 
classtype:attempted-dos; sid:243; rev:8; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 10498 ( msg:"MALWARE-OTHER mstream handler to agent"; flow:to_server; content:"stream/"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:244; rev:8; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 10498 ( msg:"MALWARE-OTHER mstream handler ping to agent"; flow:to_server; content:"ping"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:245; rev:8; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 10498 ( msg:"MALWARE-OTHER mstream agent pong to handler"; flow:to_server; content:"pong"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:246; rev:8; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 12754 ( msg:"MALWARE-OTHER mstream client to handler"; flow:to_server,established; content:">"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:247; rev:8; ) +alert tcp $HOME_NET 12754 -> $EXTERNAL_NET any ( msg:"MALWARE-OTHER mstream handler to client"; flow:to_client,established; content:">"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:248; rev:8; ) +alert tcp $HOME_NET 15104 -> $EXTERNAL_NET any ( msg:"MALWARE-OTHER mstream handler to client"; flow:to_client,established; content:">"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:250; rev:10; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP - TFN client command LE"; icmp_id:51201; icmp_seq:0; itype:0; pcre:"/^[0-9]{1,5}\x00/"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:251; rev:11; ) +alert udp $EXTERNAL_NET 53 -> $HOME_NET any ( msg:"PROTOCOL-DNS SPOOF query response PTR with TTL of 1 min. 
and no authority"; flow:to_client; content:"|85 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 0C 00 01 00 00 00|<|00 0F|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:dns; classtype:bad-unknown; sid:253; rev:15; ) +alert udp $EXTERNAL_NET 53 -> $HOME_NET any ( msg:"PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority"; flow:to_client; content:"|81 80|",depth 4,offset 2,fast_pattern; byte_test:2,>,0,0,relative,big; byte_test:2,>,0,2,relative,big; content:"|00 00 00 00|",within 4,distance 4; content:"|C0 0C 00 01 00 01|",distance 0; byte_test:4,<,61,0,relative,big; byte_test:4,>,0,0,relative,big; metadata:ruleset community; service:dns; classtype:bad-unknown; gid:1; sid:254; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"PROTOCOL-DNS dns zone transfer via TCP detected"; flow:to_server,established; content:"|00 01 00 00 00 00 00|",depth 8,offset 6; byte_test:1,!&,0xF8,4; content:"|00 00 FC 00 01|",fast_pattern; isdataat:!1,relative; metadata:policy max-detect-ips drop,ruleset community; service:dns; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:255; rev:24; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"PROTOCOL-DNS named authors attempt"; flow:to_server; content:"|07|authors",offset 12,nocase; content:"|04|bind|00|",offset 12,nocase; metadata:policy max-detect-ips drop,ruleset community; service:dns; reference:nessus,10728; classtype:attempted-recon; sid:256; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"PROTOCOL-DNS named version attempt"; flow:to_server,established; content:"|07|version",offset 12,nocase; content:"|04|bind|00|",offset 12,nocase; metadata:policy max-detect-ips drop,ruleset community; service:dns; reference:nessus,10028; classtype:attempted-recon; sid:257; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"SERVER-OTHER Bind Buffer Overflow via NXT records"; flow:to_server,established; 
content:"../../../",fast_pattern,nocase; metadata:ruleset community; service:dns; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:258; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"SERVER-OTHER Bind Buffer Overflow via NXT records named overflow ADM"; flow:to_server,established; content:"thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool",fast_pattern,nocase; metadata:ruleset community; service:dns; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:259; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"SERVER-OTHER Bind Buffer Overflow via NXT records named overflow ADMROCKS"; flow:to_server,established; content:"ADMROCKS"; metadata:ruleset community; service:dns; reference:bugtraq,788; reference:cve,1999-0833; reference:url,www.cert.org/advisories/CA-1999-14.html; classtype:attempted-admin; sid:260; rev:19; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"SERVER-OTHER Bind named overflow attempt"; flow:to_server,established; content:"|CD 80 E8 D7 FF FF FF|/bin/sh",fast_pattern,nocase; metadata:ruleset community; service:dns; reference:url,www.cert.org/advisories/CA-1998-05.html; classtype:attempted-admin; sid:261; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"OS-LINUX x86 Linux overflow attempt"; flow:to_server,established; content:"1|C0 B0|?1|DB B3 FF|1|C9 CD 80|1|C0|",fast_pattern,nocase; metadata:ruleset community; service:dns; classtype:attempted-admin; sid:262; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"OS-LINUX x86 Linux overflow attempt"; flow:to_server,established; content:"1|C0 B0 02 CD 80 85 C0|uL|EB|L^|B0|"; metadata:ruleset community; service:dns; classtype:attempted-admin; sid:264; rev:14; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"OS-LINUX x86 Linux overflow attempt ADMv2"; flow:to_server,established; content:"|89 F7 29 C7 89 F3 89 F9 89 F2 
AC|<|FE|",fast_pattern,nocase; metadata:ruleset community; service:dns; classtype:attempted-admin; sid:265; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"OS-OTHER x86 FreeBSD overflow attempt"; flow:to_server,established; content:"|EB|n^|C6 06 9A|1|C9 89|N|01 C6|F|05|"; metadata:ruleset community; service:dns; classtype:attempted-admin; sid:266; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"OS-SOLARIS EXPLOIT sparc overflow attempt"; flow:to_server,established; content:"|90 1A C0 0F 90 02| |08 92 02| |0F D0 23 BF F8|",fast_pattern,nocase; metadata:ruleset community; service:dns; classtype:attempted-admin; sid:267; rev:13; ) +alert udp any 19 <> any 7 ( msg:"SERVER-OTHER UDP echo+chargen bomb"; flow:to_server; metadata:policy max-detect-ips drop,ruleset community; reference:cve,1999-0103; reference:cve,1999-0635; classtype:attempted-dos; sid:271; rev:12; ) +alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft WIndows IGMP dos attack"; fragbits:M+; ip_proto:2; metadata:ruleset community; reference:bugtraq,514; reference:cve,1999-0918; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-034; classtype:attempted-dos; sid:272; rev:16; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP ath"; itype:8; content:"+++ath",fast_pattern,nocase; metadata:ruleset community; reference:cve,1999-1228; classtype:attempted-dos; sid:274; rev:13; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 ( msg:"SERVER-OTHER RealNetworks Audio Server denial of service attempt"; flow:to_server,established; content:"|FF F4 FF FD 06|",fast_pattern,nocase; metadata:ruleset community; reference:cve,1999-0271; reference:nessus,10183; classtype:attempted-dos; sid:276; rev:13; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 ( msg:"SERVER-OTHER RealNetworks Server template.html"; flow:to_server,established; content:"/viewsource/template.html?",fast_pattern,nocase; metadata:ruleset community; reference:bugtraq,1288; 
reference:cve,2000-0474; reference:nessus,10461; classtype:attempted-dos; sid:277; rev:14; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( msg:"SERVER-OTHER RealNetworks Server template.html"; flow:to_server,established; content:"/viewsource/template.html?",fast_pattern,nocase; metadata:ruleset community; reference:bugtraq,1288; reference:cve,2000-0474; classtype:attempted-dos; sid:278; rev:13; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 161 ( msg:"SERVER-OTHER Bay/Nortel Nautica Marlin"; flow:to_server; dsize:0; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,1009; reference:cve,2000-0221; classtype:attempted-dos; sid:279; rev:11; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 9 ( msg:"SERVER-OTHER Ascend Route"; flow:to_server; content:"NAMENAME",depth 50,offset 25; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,714; reference:cve,1999-0060; classtype:attempted-dos; sid:281; rev:13; ) +alert tcp $EXTERNAL_NET 80 -> $HOME_NET any ( msg:"BROWSER-OTHER Netscape 4.7 client overflow"; flow:to_client,established; content:"3|C9 B1 10|?|E9 06|Q<|FA|G3|C0|P|F7 D0|P"; metadata:ruleset community; reference:bugtraq,822; reference:cve,1999-1189; reference:cve,2000-1187; classtype:attempted-user; sid:283; rev:14; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( msg:"PROTOCOL-POP EXPLOIT x86 BSD overflow"; flow:to_server,established; content:"^|0E|1|C0 B0 3B 8D|~|0E 89 FA 89 F9|",fast_pattern,nocase; metadata:ruleset community; service:pop3; reference:bugtraq,133; reference:cve,1999-0006; reference:nessus,10196; classtype:attempted-admin; sid:286; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( msg:"PROTOCOL-POP EXPLOIT x86 BSD overflow"; flow:to_server,established; content:"h]^|FF D5 FF D4 FF F5 8B F5 90|f1",fast_pattern,nocase; metadata:ruleset community; service:pop3; classtype:attempted-admin; sid:287; rev:12; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( msg:"PROTOCOL-POP EXPLOIT x86 Linux overflow"; 
flow:to_server,established; content:"|D8|@|CD 80 E8 D9 FF FF FF|/bin/sh",fast_pattern,nocase; metadata:ruleset community; service:pop3; classtype:attempted-admin; sid:288; rev:13; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( msg:"PROTOCOL-POP EXPLOIT x86 SCO overflow"; flow:to_server,established; content:"V|0E|1|C0 B0 3B 8D|~|12 89 F9 89 F9|",fast_pattern,nocase; metadata:ruleset community; service:pop3; reference:bugtraq,133; reference:bugtraq,156; reference:cve,1999-0006; classtype:attempted-admin; sid:289; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( msg:"PROTOCOL-POP EXPLOIT qpopper overflow"; flow:to_server,established; content:"|E8 D9 FF FF FF|/bin/sh",fast_pattern,nocase; metadata:ruleset community; service:pop3; reference:bugtraq,830; reference:cve,1999-0822; reference:nessus,10184; classtype:attempted-admin; sid:290; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"OS-LINUX x86 Linux samba overflow"; flow:to_server,established; content:"|EB|/_|EB|J^|89 FB 89|>|89 F2|"; metadata:ruleset community; reference:bugtraq,1816; reference:bugtraq,536; reference:cve,1999-0182; reference:cve,1999-0811; classtype:attempted-admin; sid:292; rev:11; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 2766 ( msg:"OS-SOLARIS Oracle Solaris npls x86 overflow"; flow:to_server,established; content:"|EB 23|^3|C0 88|F|FA 89|F|F5 89|6"; metadata:ruleset community; reference:bugtraq,2319; reference:cve,1999-1588; classtype:attempted-admin; sid:300; rev:13; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 515 ( msg:"SERVER-OTHER LPRng overflow"; flow:to_server,established; content:"C|07 89|[|08 8D|K|08 89|C|0C B0 0B CD 80|1|C0 FE C0 CD 80 E8 94 FF FF FF|/bin/sh|0A|"; metadata:ruleset community; reference:bugtraq,1712; reference:cve,2000-0917; classtype:attempted-admin; sid:301; rev:12; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 515 ( msg:"OS-LINUX Redhat 7.0 lprd overflow"; flow:to_server,established; content:"XXXX%.172u%300|24|n"; metadata:ruleset community; 
reference:bugtraq,1712; reference:cve,2000-0917; classtype:attempted-admin; sid:302; rev:14; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"SERVER-OTHER Bind Buffer Overflow named tsig overflow attempt"; flow:to_server,established; content:"|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01| |02|a"; metadata:policy max-detect-ips drop,ruleset community; service:dns; reference:bugtraq,2302; reference:cve,2001-0010; reference:nessus,10605; classtype:attempted-admin; sid:303; rev:24; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 6373 ( msg:"SERVER-OTHER SCO calserver overflow"; flow:to_server,established; content:"|EB 7F|]U|FE|M|98 FE|M|9B|"; metadata:ruleset community; reference:bugtraq,2353; reference:cve,2000-0306; classtype:attempted-admin; sid:304; rev:12; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( msg:"SERVER-OTHER delegate proxy overflow"; flow:to_server,established; isdataat:1000; content:"whois|3A|//",nocase; metadata:ruleset community; reference:bugtraq,808; reference:cve,2000-0165; classtype:attempted-admin; sid:305; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 ( msg:"SERVER-OTHER VQServer admin"; flow:to_server,established; content:"GET / HTTP/1.1",nocase; metadata:ruleset community; reference:bugtraq,1610; reference:cve,2000-0766; reference:nessus,10354; reference:url,www.vqsoft.com/vq/server/docs/other/control.html; classtype:attempted-admin; sid:306; rev:13; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 6666:7000 ( msg:"SERVER-OTHER CHAT IRC topic overflow"; flow:to_client,established; content:"|EB|K[S2|E4 83 C3 0B|K|88 23 B8|Pw"; metadata:ruleset community; reference:bugtraq,573; reference:cve,1999-0672; classtype:attempted-user; sid:307; rev:12; ) +alert tcp $EXTERNAL_NET 21 -> $HOME_NET any ( msg:"SERVER-OTHER NextFTP client overflow"; flow:to_client,established; content:"|B4| |B4|!|8B CC 83 E9 04 8B 19|3|C9|f|B9 10|"; metadata:ruleset community; service:ftp; reference:bugtraq,572; reference:cve,1999-0671; 
classtype:attempted-user; sid:308; rev:14; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL sniffit overflow"; flow:to_server,established; isdataat:512; flags:A+; content:"from|3A 90 90 90 90 90 90 90 90 90 90 90|",nocase; metadata:ruleset community; service:smtp; reference:bugtraq,1158; reference:cve,2000-0343; classtype:attempted-admin; sid:309; rev:17; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL x86 windows MailMax overflow"; flow:to_server,established; content:"|EB|E|EB| [|FC|3|C9 B1 82 8B F3 80|+",fast_pattern,nocase; metadata:ruleset community; service:smtp; reference:bugtraq,2312; reference:cve,1999-0404; classtype:attempted-admin; sid:310; rev:13; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET 80 ( msg:"BROWSER-OTHER Netscape 4.7 unsucessful overflow"; flow:to_server,established; content:"3|C9 B1 10|?|E9 06|Q<|FA|G3|C0|P|F7 D0|P"; metadata:ruleset community; reference:bugtraq,822; reference:cve,1999-1189; reference:cve,2000-1187; classtype:unsuccessful-user; sid:311; rev:15; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 518 ( msg:"OS-LINUX ntalkd x86 Linux overflow"; flow:to_server; content:"|01 03 00 00 00 00 00 01 00 02 02 E8|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,210; classtype:attempted-admin; sid:313; rev:10; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"SERVER-OTHER Bind Buffer Overflow named tsig overflow attempt"; flow:to_server; content:"|80 00 07 00 00 00 00 00 01|?|00 01 02|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:dns; reference:bugtraq,2302; reference:cve,2001-0010; classtype:attempted-admin; sid:314; rev:23; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 635 ( msg:"OS-LINUX x86 Linux mountd overflow"; flow:to_server; content:"^|B0 02 89 06 FE C8 89|F|04 B0 06 89|F"; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; 
sid:315; rev:11; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 635 ( msg:"OS-LINUX x86 Linux mountd overflow"; flow:to_server; content:"|EB|V^VVV1|D2 88|V|0B 88|V|1E|"; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:316; rev:11; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 635 ( msg:"OS-LINUX x86 Linux mountd overflow"; flow:to_server; content:"|EB|@^1|C0|@|89|F|04 89 C3|@|89 06|"; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:317; rev:11; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 79 ( msg:"PROTOCOL-FINGER cmd_rootsh backdoor attempt"; flow:to_server,established; content:"cmd_rootsh"; metadata:ruleset community; reference:nessus,10070; reference:url,www.sans.org/y2k/TFN_toolkit.htm; reference:url,www.sans.org/y2k/fingerd.htm; classtype:attempted-admin; sid:320; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 79 ( msg:"PROTOCOL-FINGER account enumeration attempt"; flow:to_server,established; content:"a b c d e f",nocase; metadata:ruleset community; reference:nessus,10788; classtype:attempted-recon; sid:321; rev:10; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 79 ( msg:"PROTOCOL-FINGER search query"; flow:to_server,established; content:"search"; metadata:ruleset community; reference:cve,1999-0259; classtype:attempted-recon; sid:322; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 79 ( msg:"PROTOCOL-FINGER root query"; flow:to_server,established; content:"root"; metadata:ruleset community; classtype:attempted-recon; sid:323; rev:11; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 79 ( msg:"PROTOCOL-FINGER null request"; flow:to_server,established; content:"|00|"; metadata:ruleset community; reference:cve,1999-0612; classtype:attempted-recon; sid:324; rev:12; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 79 ( msg:"PROTOCOL-FINGER remote command execution attempt"; flow:to_server,established; 
content:"|3B|"; metadata:ruleset community; reference:bugtraq,974; reference:cve,1999-0150; classtype:attempted-user; sid:326; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 79 ( msg:"PROTOCOL-FINGER remote command pipe execution attempt"; flow:to_server,established; content:"|7C|"; metadata:ruleset community; reference:bugtraq,2220; reference:cve,1999-0152; classtype:attempted-user; sid:327; rev:14; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 79 ( msg:"PROTOCOL-FINGER bomb attempt"; flow:to_server,established; content:"@@"; metadata:ruleset community; reference:cve,1999-0106; classtype:attempted-dos; sid:328; rev:14; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 79 ( msg:"PROTOCOL-FINGER redirection attempt"; flow:to_server,established; content:"@"; metadata:ruleset community; reference:cve,1999-0105; reference:nessus,10073; classtype:attempted-recon; sid:330; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 79 ( msg:"PROTOCOL-FINGER cybercop query"; flow:to_server,established; content:"|0A| ",depth 10; metadata:ruleset community; reference:cve,1999-0612; classtype:attempted-recon; sid:331; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 79 ( msg:"PROTOCOL-FINGER 0 query"; flow:to_server,established; content:"0"; metadata:ruleset community; reference:cve,1999-0197; reference:nessus,10069; classtype:attempted-recon; sid:332; rev:14; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 79 ( msg:"PROTOCOL-FINGER . 
query"; flow:to_server,established; content:"."; metadata:ruleset community; reference:cve,1999-0198; reference:nessus,10072; classtype:attempted-recon; sid:333; rev:14; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP .forward"; flow:to_server,established; content:".forward"; metadata:ruleset community; service:ftp; classtype:suspicious-filename-detect; sid:334; rev:12; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP .rhosts"; flow:to_server,established; content:".rhosts"; metadata:policy max-detect-ips drop,ruleset community; service:ftp; classtype:suspicious-filename-detect; sid:335; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP CWD ~root attempt"; flow:to_server,established; content:"CWD",nocase; content:"~root",distance 1,nocase; pcre:"/^CWD\s+~root/ims"; metadata:ruleset community; service:ftp; reference:cve,1999-0082; classtype:bad-unknown; sid:336; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP CEL overflow attempt"; flow:to_server,established; content:"CEL",nocase; isdataat:100,relative; pcre:"/^CEL(?!\n)\s[^\n]{100}/ims"; metadata:ruleset community; service:ftp; reference:bugtraq,679; reference:cve,1999-0789; reference:nessus,10009; classtype:attempted-admin; sid:337; rev:21; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP adm scan"; flow:to_server,established; content:"PASS ddd@|0A|",fast_pattern,nocase; metadata:ruleset community; service:ftp; classtype:suspicious-login; sid:353; rev:13; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP iss scan"; flow:to_server,established; content:"pass -iss@iss",fast_pattern,nocase; metadata:ruleset community; service:ftp; classtype:suspicious-login; sid:354; rev:12; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP pass wh00t"; flow:to_server,established; content:"pass wh00t",fast_pattern,nocase; metadata:ruleset community; service:ftp; classtype:suspicious-login; 
sid:355; rev:13; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP passwd retrieval attempt"; flow:to_server,established; content:"RETR",nocase; content:"passwd"; metadata:ruleset community; service:ftp; classtype:suspicious-filename-detect; sid:356; rev:12; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP piss scan"; flow:to_server,established; content:"pass -cklaus",fast_pattern,nocase; metadata:ruleset community; service:ftp; reference:url,www.mines.edu/fs_home/dlarue/cc/baby-doe.html; classtype:suspicious-login; sid:357; rev:12; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP saint scan"; flow:to_server,established; content:"pass -saint",fast_pattern,nocase; metadata:ruleset community; service:ftp; classtype:suspicious-login; sid:358; rev:12; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP satan scan"; flow:to_server,established; content:"pass -satan",fast_pattern,nocase; metadata:ruleset community; service:ftp; classtype:suspicious-login; sid:359; rev:12; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP serv-u directory traversal"; flow:to_server,established; content:".%20.",fast_pattern,nocase; metadata:ruleset community; service:ftp; reference:bugtraq,2052; reference:cve,2001-0054; reference:nessus,10565; classtype:bad-unknown; sid:360; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP SITE EXEC attempt"; flow:to_server,established; content:"SITE",nocase; content:"EXEC",distance 0,nocase; pcre:"/^SITE\s+EXEC/ims"; metadata:ruleset community; service:ftp; reference:bugtraq,2241; reference:cve,1999-0080; reference:cve,1999-0955; classtype:bad-unknown; sid:361; rev:22; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP tar parameters"; flow:to_server,established; content:" --use-compress-program ",fast_pattern,nocase; metadata:ruleset community; service:ftp; reference:bugtraq,2240; reference:cve,1999-0202; reference:cve,1999-0997; 
classtype:bad-unknown; sid:362; rev:20; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP IRDP router advertisement"; itype:9; metadata:ruleset community; reference:bugtraq,578; reference:cve,1999-0875; classtype:misc-activity; sid:363; rev:11; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP IRDP router selection"; itype:10; metadata:ruleset community; reference:bugtraq,578; reference:cve,1999-0875; classtype:misc-activity; sid:364; rev:11; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING undefined code"; icode:>0; itype:8; metadata:ruleset community; classtype:misc-activity; sid:365; rev:11; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING Unix"; itype:8; content:"|10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F|",depth 32; metadata:ruleset community; classtype:misc-activity; sid:366; rev:11; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING BSDtype"; itype:8; content:"|08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17|",depth 32; metadata:ruleset community; classtype:misc-activity; sid:368; rev:10; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING BayRS Router"; itype:8; content:"|01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F|",depth 32; metadata:ruleset community; classtype:misc-activity; sid:369; rev:10; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING BeOS4.x"; itype:8; content:"|00 00 00 00 00 00 00 00 00 00 00 00 08 09 0A 0B|",depth 32; metadata:ruleset community; classtype:misc-activity; sid:370; rev:11; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING Cisco Type.x"; itype:8; content:"|AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD|",depth 32; metadata:ruleset community; classtype:misc-activity; sid:371; rev:11; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING Delphi-Piette Windows"; itype:8; content:"Pinging from Del",depth 32; 
metadata:ruleset community; classtype:misc-activity; sid:372; rev:11; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING Flowpoint2200 or Network Management Software"; itype:8; content:"|01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10|",depth 32; metadata:ruleset community; classtype:misc-activity; sid:373; rev:10; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING IP NetMonitor Macintosh"; itype:8; content:"|A9| Sustainable So",depth 32; metadata:ruleset community; classtype:misc-activity; sid:374; rev:11; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING LINUX/*BSD"; dsize:8; id:13170; itype:8; metadata:ruleset community; classtype:misc-activity; sid:375; rev:10; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING Microsoft Windows"; itype:8; content:"0123456789abcdefghijklmnop",depth 32; metadata:ruleset community; classtype:misc-activity; sid:376; rev:11; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING Network Toolbox 3 Windows"; itype:8; content:"================",depth 32; metadata:ruleset community; classtype:misc-activity; sid:377; rev:11; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING Ping-O-MeterWindows"; itype:8; content:"OMeterObeseArmad",depth 32; metadata:ruleset community; classtype:misc-activity; sid:378; rev:11; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING Pinger Windows"; itype:8; content:"Data|00 00 00 00 00 00 00 00 00 00 00 00|",depth 32; metadata:ruleset community; classtype:misc-activity; sid:379; rev:11; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING Seer Windows"; itype:8; content:"|88 04| ",depth 32; metadata:ruleset community; classtype:misc-activity; sid:380; rev:11; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING Oracle Solaris"; dsize:8; itype:8; metadata:ruleset community; classtype:misc-activity; 
sid:381; rev:11; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING Windows"; itype:8; content:"abcdefghijklmnop",depth 16; metadata:ruleset community; classtype:misc-activity; sid:382; rev:11; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING"; icode:0; itype:8; metadata:ruleset community; classtype:misc-activity; sid:384; rev:8; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP traceroute"; itype:8; ttl:1; metadata:ruleset community; classtype:attempted-recon; sid:385; rev:8; ) +alert icmp $HOME_NET any -> $EXTERNAL_NET any ( msg:"PROTOCOL-ICMP Address Mask Reply"; icode:0; itype:18; metadata:ruleset community; classtype:misc-activity; sid:386; rev:8; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Address Mask Reply undefined code"; icode:>0; itype:18; metadata:ruleset community; classtype:misc-activity; sid:387; rev:10; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Address Mask Request"; icode:0; itype:17; metadata:ruleset community; classtype:misc-activity; sid:388; rev:8; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Address Mask Request undefined code"; icode:>0; itype:17; metadata:ruleset community; classtype:misc-activity; sid:389; rev:10; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Alternate Host Address"; icode:0; itype:6; metadata:ruleset community; classtype:misc-activity; sid:390; rev:8; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Alternate Host Address undefined code"; icode:>0; itype:6; metadata:ruleset community; classtype:misc-activity; sid:391; rev:11; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Datagram Conversion Error"; icode:0; itype:31; metadata:ruleset community; classtype:misc-activity; sid:392; rev:8; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Datagram Conversion Error undefined code"; icode:>0; 
itype:31; metadata:ruleset community; classtype:misc-activity; sid:393; rev:11; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Destination Unreachable Destination Host Unknown"; icode:7; itype:3; metadata:ruleset community; classtype:misc-activity; sid:394; rev:9; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Destination Unreachable Destination Network Unknown"; icode:6; itype:3; metadata:ruleset community; classtype:misc-activity; sid:395; rev:9; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Destination Unreachable Fragmentation Needed and DF bit was set"; icode:4; itype:3; metadata:policy max-detect-ips drop,ruleset community; reference:cve,2004-0790; reference:cve,2005-0068; reference:cve,2015-7759; classtype:misc-activity; sid:396; rev:12; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Destination Unreachable Host Precedence Violation"; icode:14; itype:3; metadata:ruleset community; classtype:misc-activity; sid:397; rev:9; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Destination Unreachable Host Unreachable for Type of Service"; icode:12; itype:3; metadata:ruleset community; classtype:misc-activity; sid:398; rev:9; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Destination Unreachable Host Unreachable"; icode:1; itype:3; metadata:ruleset community; classtype:misc-activity; sid:399; rev:9; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Destination Unreachable Network Unreachable for Type of Service"; icode:11; itype:3; metadata:ruleset community; classtype:misc-activity; sid:400; rev:10; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Destination Unreachable Network Unreachable"; icode:0; itype:3; metadata:ruleset community; classtype:misc-activity; sid:401; rev:9; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP destination unreachable port unreachable 
packet detected"; icode:3; itype:3; metadata:policy max-detect-ips drop,ruleset community; reference:cve,2004-0790; reference:cve,2005-0068; classtype:misc-activity; sid:402; rev:16; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Destination Unreachable Precedence Cutoff in effect"; icode:15; itype:3; metadata:ruleset community; classtype:misc-activity; sid:403; rev:9; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Destination Unreachable Protocol Unreachable"; icode:2; itype:3; metadata:policy max-detect-ips drop,ruleset community; reference:cve,2004-0790; reference:cve,2005-0068; classtype:misc-activity; sid:404; rev:14; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Destination Unreachable Source Host Isolated"; icode:8; itype:3; metadata:ruleset community; classtype:misc-activity; sid:405; rev:9; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Destination Unreachable Source Route Failed"; icode:5; itype:3; metadata:ruleset community; classtype:misc-activity; sid:406; rev:9; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Destination Unreachable cndefined code"; icode:>15; itype:3; metadata:ruleset community; classtype:misc-activity; sid:407; rev:10; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Echo Reply"; icode:0; itype:0; metadata:ruleset community; classtype:misc-activity; sid:408; rev:8; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Echo Reply undefined code"; icode:>0; itype:0; metadata:ruleset community; classtype:misc-activity; sid:409; rev:10; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Fragment Reassembly Time Exceeded"; icode:1; itype:11; metadata:ruleset community; classtype:misc-activity; sid:410; rev:8; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP IPV6 I-Am-Here"; icode:0; itype:34; metadata:ruleset community; classtype:misc-activity; 
sid:411; rev:8; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP IPV6 I-Am-Here undefined code"; icode:>0; itype:34; metadata:ruleset community; classtype:misc-activity; sid:412; rev:10; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP IPV6 Where-Are-You"; icode:0; itype:33; metadata:ruleset community; classtype:misc-activity; sid:413; rev:8; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP IPV6 Where-Are-You undefined code"; icode:>0; itype:33; metadata:ruleset community; classtype:misc-activity; sid:414; rev:10; ) +alert icmp $HOME_NET any -> $EXTERNAL_NET any ( msg:"PROTOCOL-ICMP Information Reply"; icode:0; itype:16; metadata:ruleset community; classtype:misc-activity; sid:415; rev:8; ) +alert icmp $HOME_NET any -> $EXTERNAL_NET any ( msg:"PROTOCOL-ICMP Information Reply undefined code"; icode:>0; itype:16; metadata:ruleset community; classtype:misc-activity; sid:416; rev:10; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Information Request"; icode:0; itype:15; metadata:ruleset community; classtype:misc-activity; sid:417; rev:8; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Information Request undefined code"; icode:>0; itype:15; metadata:ruleset community; classtype:misc-activity; sid:418; rev:10; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Mobile Host Redirect"; icode:0; itype:32; metadata:ruleset community; classtype:misc-activity; sid:419; rev:8; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Mobile Host Redirect undefined code"; icode:>0; itype:32; metadata:ruleset community; classtype:misc-activity; sid:420; rev:10; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Mobile Registration Reply"; icode:0; itype:36; metadata:ruleset community; classtype:misc-activity; sid:421; rev:8; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Mobile Registration Reply 
undefined code"; icode:>0; itype:36; metadata:ruleset community; classtype:misc-activity; sid:422; rev:10; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Mobile Registration Request"; icode:0; itype:35; metadata:ruleset community; classtype:misc-activity; sid:423; rev:8; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Mobile Registration Request undefined code"; icode:>0; itype:35; metadata:ruleset community; classtype:misc-activity; sid:424; rev:10; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Parameter Problem Bad Length"; icode:2; itype:12; metadata:ruleset community; classtype:misc-activity; sid:425; rev:9; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Parameter Problem Missing a Required Option"; icode:1; itype:12; metadata:ruleset community; classtype:misc-activity; sid:426; rev:10; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Parameter Problem Unspecified Error"; icode:0; itype:12; metadata:ruleset community; classtype:misc-activity; sid:427; rev:9; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Parameter Problem undefined Code"; icode:>2; itype:12; metadata:ruleset community; classtype:misc-activity; sid:428; rev:10; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Photuris Reserved"; icode:0; itype:40; metadata:ruleset community; classtype:misc-activity; sid:429; rev:9; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Photuris Unknown Security Parameters Index"; icode:1; itype:40; metadata:ruleset community; classtype:misc-activity; sid:430; rev:9; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Photuris Valid Security Parameters, But Authentication Failed"; icode:2; itype:40; metadata:ruleset community; classtype:misc-activity; sid:431; rev:9; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Photuris Valid Security Parameters, But 
Decryption Failed"; icode:3; itype:40; metadata:ruleset community; classtype:misc-activity; sid:432; rev:9; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Photuris undefined code!"; icode:>3; itype:40; metadata:ruleset community; classtype:misc-activity; sid:433; rev:11; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Redirect for TOS and Host"; icode:3; itype:5; metadata:ruleset community; reference:cve,1999-0265; classtype:misc-activity; sid:436; rev:10; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Redirect for TOS and Network"; icode:2; itype:5; metadata:ruleset community; reference:cve,1999-0265; classtype:misc-activity; sid:437; rev:10; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Redirect undefined code"; icode:>3; itype:5; metadata:ruleset community; reference:cve,1999-0265; classtype:misc-activity; sid:438; rev:13; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Reserved for Security Type 19"; icode:0; itype:19; metadata:ruleset community; classtype:misc-activity; sid:439; rev:9; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Reserved for Security Type 19 undefined code"; icode:>0; itype:19; metadata:ruleset community; classtype:misc-activity; sid:440; rev:10; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Router Advertisement"; icode:0; itype:9; metadata:ruleset community; classtype:misc-activity; sid:441; rev:10; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Router Selection"; icode:0; itype:10; metadata:ruleset community; classtype:misc-activity; sid:443; rev:9; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP SKIP"; icode:0; itype:39; metadata:ruleset community; classtype:misc-activity; sid:445; rev:8; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP SKIP undefined code"; icode:>0; itype:39; metadata:ruleset community; 
classtype:misc-activity; sid:446; rev:10; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Source Quench undefined code"; icode:>0; itype:4; metadata:ruleset community; classtype:misc-activity; sid:448; rev:10; ) +alert icmp $HOME_NET any -> $EXTERNAL_NET any ( msg:"PROTOCOL-ICMP Time-To-Live Exceeded in Transit"; icode:0; itype:11; metadata:ruleset community; classtype:misc-activity; sid:449; rev:9; ) +alert icmp $HOME_NET any -> $EXTERNAL_NET any ( msg:"PROTOCOL-ICMP Time-To-Live Exceeded in Transit undefined code"; icode:>1; itype:11; metadata:ruleset community; classtype:misc-activity; sid:450; rev:11; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Timestamp Reply"; icode:0; itype:14; metadata:ruleset community; classtype:misc-activity; sid:451; rev:8; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Timestamp Reply undefined code"; icode:>0; itype:14; metadata:ruleset community; classtype:misc-activity; sid:452; rev:10; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Timestamp Request"; icode:0; itype:13; metadata:ruleset community; classtype:misc-activity; sid:453; rev:8; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Timestamp Request undefined code"; icode:>0; itype:13; metadata:ruleset community; classtype:misc-activity; sid:454; rev:10; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Traceroute"; icode:0; itype:30; metadata:ruleset community; classtype:misc-activity; sid:456; rev:8; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Traceroute undefined code"; icode:>0; itype:30; metadata:ruleset community; classtype:misc-activity; sid:457; rev:10; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP unassigned type 1"; icode:0; itype:1; metadata:ruleset community; classtype:misc-activity; sid:458; rev:12; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP unassigned type 
1 undefined code"; itype:1; metadata:ruleset community; classtype:misc-activity; sid:459; rev:12; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP unassigned type 2"; icode:0; itype:2; metadata:ruleset community; classtype:misc-activity; sid:460; rev:12; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP unassigned type 2 undefined code"; itype:2; metadata:ruleset community; classtype:misc-activity; sid:461; rev:12; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP unassigned type 7"; icode:0; itype:7; metadata:ruleset community; classtype:misc-activity; sid:462; rev:12; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP unassigned type 7 undefined code"; itype:7; metadata:ruleset community; reference:cve,1999-0454; classtype:misc-activity; sid:463; rev:14; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP ISS Pinger"; itype:8; content:"ISSPNGRQ",depth 32; metadata:ruleset community; classtype:attempted-recon; sid:465; rev:8; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP L3retriever Ping"; icode:0; itype:8; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI",depth 32; metadata:ruleset community; classtype:attempted-recon; sid:466; rev:9; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Nemesis v1.1 Echo"; dsize:20; icmp_id:0; icmp_seq:0; itype:8; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|",fast_pattern,nocase; metadata:ruleset community; classtype:attempted-recon; sid:467; rev:9; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP superscan echo"; dsize:8; itype:8; content:"|00 00 00 00 00 00 00 00|",fast_pattern,nocase; metadata:ruleset community; classtype:attempted-recon; sid:474; rev:9; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP webtrends scanner"; icode:0; itype:8; content:"|00 00 00 00|EEEEEEEEEEEE",fast_pattern,nocase; metadata:ruleset community; 
classtype:attempted-recon; sid:476; rev:10; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING speedera"; itype:8; content:"89|3A 3B|<=>?",depth 100; metadata:ruleset community; classtype:misc-activity; sid:480; rev:9; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP TJPingPro1.1Build 2 Windows"; itype:8; content:"TJPingPro by Jim",depth 32; metadata:ruleset community; classtype:misc-activity; sid:481; rev:10; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING WhatsupGold Windows"; itype:8; content:"WhatsUp - A Netw",depth 32; metadata:ruleset community; classtype:misc-activity; sid:482; rev:10; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING CyberKit 2.2 Windows"; itype:8; content:"|AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA|",depth 32; metadata:ruleset community; classtype:misc-activity; sid:483; rev:10; ) +alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING Sniffer Pro/NetXRay network scan"; itype:8; content:"Cinco Network, Inc.",depth 32; metadata:ruleset community; classtype:misc-activity; sid:484; rev:8; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP no password"; flow:to_server,established; content:"PASS",fast_pattern,nocase; pcre:"/^PASS\s*\n/ims"; metadata:policy max-detect-ips drop,ruleset community; service:ftp; classtype:unknown; sid:489; rev:19; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL battle-mail traffic"; flow:to_server,established; content:"BattleMail"; metadata:ruleset community; service:smtp; classtype:policy-violation; sid:490; rev:12; ) +alert tcp $HOME_NET 21 -> $EXTERNAL_NET any ( msg:"PROTOCOL-FTP Bad login"; flow:to_client,established; content:"530 ",fast_pattern,nocase; pcre:"/^530\s+(Login|User)/ims"; metadata:ruleset community; service:ftp; classtype:bad-unknown; sid:491; rev:15; ) +alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any ( msg:"PROTOCOL-TELNET login failed"; 
flow:to_client,established; content:"Login failed",nocase; metadata:ruleset community; service:telnet; classtype:bad-unknown; sid:492; rev:15; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"APP-DETECT psyBNC access"; flow:to_client,established; content:"Welcome!psyBNC@lam3rz.de",fast_pattern,nocase; metadata:ruleset community; classtype:bad-unknown; sid:493; rev:11; ) +alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE command completed"; flow:established; content:"Command completed",fast_pattern,nocase; pcre:"/^Command\s+?completed\b/ms"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1806; reference:cve,2000-0884; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-078; classtype:bad-unknown; sid:494; rev:21; ) +alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE command error"; flow:established; content:"Bad command or filename",nocase; metadata:ruleset community; service:http; classtype:bad-unknown; sid:495; rev:14; ) +alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE file copied ok"; flow:to_client,established; file_data; content:"1 file|28|s|29| copied",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1806; reference:cve,2000-0884; classtype:bad-unknown; sid:497; rev:21; ) +alert ip any any -> any any ( msg:"INDICATOR-COMPROMISE id check returned root"; content:"uid=0|28|root|29|"; metadata:ruleset community; classtype:bad-unknown; sid:498; rev:11; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 1417 ( msg:"SERVER-OTHER Insecure TIMBUKTU Password"; flow:to_server,established; content:"|05 00|>",depth 16; metadata:ruleset community; classtype:bad-unknown; sid:505; rev:9; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 5631 ( msg:"PUA-OTHER PCAnywhere Attempted Administrator Login"; flow:to_server,established; content:"ADMINISTRATOR"; metadata:ruleset 
community; classtype:attempted-admin; sid:507; rev:7; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 70 ( msg:"SERVER-OTHER gopher proxy"; flow:to_server,established; content:"ftp|3A|",fast_pattern,nocase; content:"@/"; metadata:ruleset community; classtype:bad-unknown; sid:508; rev:12; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP PCCS mysql database admin tool access"; flow:to_server,established; content:"pccsmysqladm/incs/dbconnect.inc",depth 36,nocase; metadata:ruleset community; service:http; reference:bugtraq,1557; reference:cve,2000-0707; reference:nessus,10783; classtype:web-application-attack; sid:509; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 9000:9002 ( msg:"POLICY-OTHER HP JetDirect LCD modification attempt"; flow:to_server,established; content:"@PJL RDYMSG DISPLAY ="; metadata:ruleset community; reference:bugtraq,2245; classtype:misc-activity; sid:510; rev:12; ) +alert tcp $HOME_NET 5631:5632 -> $EXTERNAL_NET any ( msg:"PUA-OTHER PCAnywhere Failed Login"; flow:to_client,established; content:"Invalid login",depth 16; metadata:ruleset community; classtype:unsuccessful-user; sid:512; rev:9; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET 27374 ( msg:"SERVER-OTHER ramen worm"; flow:to_server,established; content:"GET ",depth 8,nocase; metadata:ruleset community; classtype:bad-unknown; sid:514; rev:9; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 161 ( msg:"PROTOCOL-SNMP NT UserList"; flow:to_server; content:"+|06 10|@|14 D1 02 19|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:snmp; reference:nessus,10546; classtype:attempted-recon; sid:516; rev:13; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 177 ( msg:"X11 xdmcp query"; flow:to_server; content:"|00 01 00 03 00 01 00|",fast_pattern,nocase; metadata:ruleset community; classtype:attempted-recon; sid:517; rev:7; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 69 ( msg:"PROTOCOL-TFTP Put"; flow:to_server; content:"|00 02|",depth 2; 
metadata:policy max-detect-ips drop,ruleset community; reference:cve,1999-0183; reference:url,github.com/rapid7/metasploit-framework/blob/unstable/unstable-modules/auxiliary/d20tftpbd.rb; classtype:bad-unknown; sid:518; rev:16; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 69 ( msg:"PROTOCOL-TFTP parent directory"; flow:to_server; content:"..",offset 2; metadata:policy max-detect-ips drop,ruleset community; reference:cve,1999-0183; reference:cve,2002-1209; reference:cve,2007-0888; reference:cve,2011-4722; classtype:bad-unknown; gid:1; sid:519; rev:16; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 69 ( msg:"PROTOCOL-TFTP root directory"; flow:to_server; content:"|00 01|/",depth 3; metadata:policy max-detect-ips drop,ruleset community; reference:cve,1999-0183; classtype:bad-unknown; sid:520; rev:13; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] ( msg:"NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrShareEnum null policy handle attempt"; flow:to_server,established; dce_iface:uuid 4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:"15"; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,relative,dce,align; content:"|00 00 00 00|",within 4,distance 8; metadata:ruleset community; classtype:protocol-command-decode; sid:529; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"OS-WINDOWS NT NULL session"; flow:to_server,established; content:"|00 00 00 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|N|00|T|00| |00|1|00|3|00|8|00|1"; metadata:ruleset community; reference:bugtraq,1163; reference:cve,2000-0347; classtype:attempted-recon; sid:530; rev:14; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"NETBIOS SMB CD.."; flow:to_server,established; content:"|5C|../|00 00 00|"; metadata:ruleset community; classtype:attempted-recon; sid:534; rev:9; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"NETBIOS SMB CD..."; flow:to_server,established; content:"|5C|...|00 00 00|"; metadata:ruleset community; classtype:attempted-recon; sid:535; 
rev:9; ) +alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 ( msg:"POLICY-SOCIAL Microsoft MSN message"; flow:established; content:"MSG ",depth 4; content:"Content-Type|3A|",nocase; content:"text/plain",distance 1; metadata:ruleset community; classtype:policy-violation; sid:540; rev:17; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"POLICY-SOCIAL ICQ access"; flow:to_server,established; content:"User-Agent|3A|ICQ",fast_pattern,nocase; metadata:ruleset community; classtype:policy-violation; sid:541; rev:15; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 ( msg:"POLICY-SOCIAL IRC nick change"; flow:to_server,established; isdataat:!139; content:"NICK ",fast_pattern,nocase; metadata:ruleset community; classtype:policy-violation; sid:542; rev:21; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"INDICATOR-COMPROMISE FTP 'STOR 1MB' possible warez site"; flow:to_server,established; content:"STOR",nocase; content:"1MB",distance 1,nocase; metadata:ruleset community; service:ftp; classtype:misc-activity; sid:543; rev:10; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"INDICATOR-COMPROMISE FTP 'RETR 1MB' possible warez site"; flow:to_server,established; content:"RETR",nocase; content:"1MB",distance 1,nocase; metadata:ruleset community; service:ftp; classtype:misc-activity; sid:544; rev:10; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"INDICATOR-COMPROMISE FTP 'CWD / ' possible warez site"; flow:to_server,established; content:"CWD",nocase; content:"/ ",distance 1; metadata:ruleset community; service:ftp; classtype:misc-activity; sid:545; rev:9; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"INDICATOR-COMPROMISE FTP 'CWD ' possible warez site"; flow:to_server,established; content:"CWD ",depth 5,nocase; metadata:ruleset community; service:ftp; classtype:misc-activity; sid:546; rev:10; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"INDICATOR-COMPROMISE FTP 'MKD ' possible warez site"; flow:to_server,established; content:"MKD ",depth 
5,nocase; metadata:ruleset community; service:ftp; classtype:misc-activity; sid:547; rev:11; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"INDICATOR-COMPROMISE FTP 'MKD .' possible warez site"; flow:to_server,established; content:"MKD .",depth 5,nocase; metadata:ruleset community; service:ftp; classtype:misc-activity; sid:548; rev:10; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"POLICY-OTHER FTP anonymous login attempt"; flow:to_server,established; content:"USER",fast_pattern,nocase; pcre:"/^USER\s+(anonymous|ftp)[^\w]*[\r\n]/ims"; metadata:ruleset community; service:ftp; classtype:misc-activity; sid:553; rev:13; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"INDICATOR-COMPROMISE FTP 'MKD / ' possible warez site"; flow:to_server,established; content:"MKD",nocase; content:"/ ",distance 1; metadata:ruleset community; service:ftp; classtype:misc-activity; sid:554; rev:10; ) +alert tcp $HOME_NET 23 -> $EXTERNAL_NET any ( msg:"POLICY-OTHER WinGate telnet server response"; flow:to_client,established; content:"WinGate>"; metadata:ruleset community; reference:cve,1999-0657; classtype:misc-activity; sid:555; rev:13; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"PUA-P2P Outbound GNUTella client request"; flow:to_server,established; content:"GNUTELLA CONNECT",depth 40; metadata:ruleset community; classtype:policy-violation; sid:556; rev:10; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"PUA-P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA OK",depth 40; metadata:ruleset community; classtype:policy-violation; sid:557; rev:11; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"APP-DETECT VNC server response"; flow:established; content:"RFB 0",depth 5; content:".0",depth 2,offset 7; metadata:ruleset community; classtype:misc-activity; sid:560; rev:9; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 5632 ( msg:"APP-DETECT PCAnywhere server response"; content:"ST",depth 2; metadata:ruleset community; 
classtype:misc-activity; sid:566; rev:10; ) +alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any ( msg:"SERVER-MAIL SMTP relaying denied"; flow:to_client,established; content:"550 5.7.1",depth 70; metadata:ruleset community; service:smtp; reference:url,mail-abuse.org/tsi/ar-fix.html; classtype:misc-activity; sid:567; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 9100 ( msg:"POLICY-OTHER HP JetDirect LCD modification attempt"; flow:to_server,established; content:"@PJL RDYMSG DISPLAY ="; metadata:ruleset community; reference:bugtraq,2245; classtype:misc-activity; sid:568; rev:11; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC snmpXdmi overflow attempt TCP"; flow:to_server,established; content:"|00 01 87 99|",depth 4,offset 16; content:"|00 00 01 01|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|",depth 4,offset 8; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; reference:bugtraq,2417; reference:cve,2001-0236; reference:nessus,10659; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:569; rev:25; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 ( msg:"PROTOCOL-RPC DOS ttdbserv Solaris"; flow:to_server,established; content:"|00 00 00 00|",depth 4,offset 8; content:"|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|",depth 32,offset 16; metadata:ruleset community; reference:bugtraq,122; reference:cve,1999-0003; classtype:attempted-dos; sid:572; rev:14; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC mountd TCP export request"; flow:to_server,established; content:"|00 01 86 A5|",depth 4,offset 16; content:"|00 00 00 05|",within 4,distance 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; classtype:attempted-recon; sid:574; rev:14; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap admind request UDP"; flow:to_server; content:"|00 
01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:575; rev:17; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap amountd request UDP"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; reference:bugtraq,205; reference:bugtraq,235; reference:bugtraq,450; reference:bugtraq,614; reference:cve,1999-0088; reference:cve,1999-0210; reference:cve,1999-0493; reference:cve,1999-0704; classtype:rpc-portmap-decode; sid:576; rev:17; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap bootparam request UDP"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:577; rev:23; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap cmsd request UDP"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:578; rev:17; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap mountd request UDP"; 
flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:579; rev:17; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap nisd request UDP"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 CC|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; reference:cve,1999-0008; classtype:rpc-portmap-decode; sid:580; rev:21; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap pcnfsd request UDP"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02|I|F1|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; reference:bugtraq,205; reference:bugtraq,4816; reference:cve,1999-0078; reference:cve,1999-0353; reference:cve,2002-0910; classtype:rpc-portmap-decode; sid:581; rev:18; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap rexd request UDP"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:582; rev:17; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap rstatd request UDP"; flow:to_server; content:"|00 01 86 
A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:583; rev:18; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap rusers request UDP"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:584; rev:20; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC Solaris UDP portmap sadmin port query request attempt"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; reference:bugtraq,8615; reference:cve,2003-0722; classtype:rpc-portmap-decode; sid:585; rev:18; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap selection_svc request UDP"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; reference:bugtraq,8; reference:cve,1999-0209; classtype:rpc-portmap-decode; sid:586; rev:18; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap status request UDP"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; 
content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:587; rev:17; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap ttdbserv request UDP"; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:588; rev:27; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap yppasswd request UDP"; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:589; rev:16; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap ypserv request UDP"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:590; rev:22; ) +alert tcp $EXTERNAL_NET any -> 
$HOME_NET 111 ( msg:"PROTOCOL-RPC portmap ypupdated request TCP"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|",within 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:sunrpc; reference:bugtraq,1749; reference:cve,1999-0208; classtype:rpc-portmap-decode; sid:591; rev:22; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap snmpXdmi request TCP"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|",within 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; reference:bugtraq,2417; reference:cve,2001-0236; reference:nessus,10659; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:593; rev:31; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap espd request TCP"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|u",within 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; service:sunrpc; reference:bugtraq,2714; reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:595; rev:22; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap listing TCP 111"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 04|",within 4,distance 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:598; rev:23; ) +alert tcp $EXTERNAL_NET any -> 
$HOME_NET 32771 ( msg:"PROTOCOL-RPC portmap listing TCP 32771"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 04|",within 4,distance 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; classtype:rpc-portmap-decode; sid:599; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 513 ( msg:"PROTOCOL-SERVICES rlogin LinuxNIS"; flow:to_server,established; content:"|3A 3A 3A 3A 3A 3A 3A 3A 00 3A 3A 3A 3A 3A 3A 3A 3A|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; classtype:bad-unknown; sid:601; rev:11; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 513 ( msg:"PROTOCOL-SERVICES rlogin bin"; flow:to_server,established; content:"bin|00|bin|00|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; classtype:attempted-user; sid:602; rev:11; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 513 ( msg:"PROTOCOL-SERVICES rlogin echo++"; flow:to_server,established; content:"echo |22| + + |22|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; classtype:bad-unknown; sid:603; rev:11; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 513 ( msg:"PROTOCOL-SERVICES Unix rlogin froot parameter root access attempt"; flow:to_server,established; content:"-froot|00|",fast_pattern,nocase; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:bugtraq,458; reference:cve,1999-0113; classtype:attempted-admin; sid:604; rev:15; ) +alert tcp $HOME_NET 513 -> $EXTERNAL_NET any ( msg:"PROTOCOL-SERVICES rlogin login failure"; flow:to_client,established; content:"login incorrect",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; classtype:unsuccessful-user; sid:605; rev:13; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 513 ( msg:"PROTOCOL-SERVICES rlogin root"; flow:to_server,established; content:"root|00|root|00|",depth 11; stream_size:1,to_client; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset 
community; classtype:attempted-admin; gid:1; sid:606; rev:13; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 514 ( msg:"PROTOCOL-SERVICES rsh bin"; flow:to_server,established; content:"bin|00|bin|00|",fast_pattern,nocase; metadata:ruleset community; classtype:attempted-user; sid:607; rev:10; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 514 ( msg:"PROTOCOL-SERVICES rsh echo + +"; flow:to_server,established; content:"echo |22|+ +|22|",fast_pattern,nocase; metadata:ruleset community; classtype:attempted-user; sid:608; rev:10; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 514 ( msg:"PROTOCOL-SERVICES rsh froot"; flow:to_server,established; content:"-froot|00|",fast_pattern,nocase; metadata:ruleset community; classtype:attempted-admin; sid:609; rev:10; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 514 ( msg:"PROTOCOL-SERVICES rsh root"; flow:to_server,established; content:"|00|root|00|",fast_pattern,nocase; pcre:"/^(\d{1,5})?\x00?[^\x00]+?\x00root\x00/i"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:bugtraq,57221; reference:cve,2012-6392; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130109-lms; classtype:attempted-admin; sid:610; rev:17; ) +alert tcp $HOME_NET 513 -> $EXTERNAL_NET any ( msg:"PROTOCOL-SERVICES rlogin login failure"; flow:to_client,established; content:"|01|rlogind|3A| Permission denied.",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; classtype:unsuccessful-user; sid:611; rev:14; ) +alert udp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC rusers query UDP"; content:"|00 01 86 A2|",depth 4,offset 12; content:"|00 00 00 02|",within 4,distance 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; reference:cve,1999-0626; classtype:attempted-recon; sid:612; rev:12; ) +alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any ( msg:"INDICATOR-SCAN myscan"; flow:stateless; ack:0; flags:S; ttl:>220; 
metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:613; rev:11; ) +alert tcp $EXTERNAL_NET 31790 -> $HOME_NET 31789 ( msg:"MALWARE-BACKDOOR hack-a-tack attempt"; flow:stateless; flags:A+; content:"A",depth 1; metadata:ruleset community; classtype:attempted-recon; sid:614; rev:13; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 113 ( msg:"INDICATOR-SCAN ident version request"; flow:to_server,established; content:"VERSION|0A|",depth 16; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:616; rev:9; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 80 ( msg:"INDICATOR-SCAN cybercop os probe"; flow:stateless; isdataat:!0; flags:12FS; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:619; rev:12; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SCAN ipEye SYN scan"; flow:stateless; flags:S; seq:1958810375; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:622; rev:12; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SCAN cybercop os PA12 attempt"; flow:stateless; flags:12AP; content:"AAAAAAAAAAAAAAAA",depth 16; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:626; rev:13; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SCAN cybercop os SFU12 probe"; flow:stateless; 
ack:0; flags:12FSU; content:"AAAAAAAAAAAAAAAA",depth 16; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:627; rev:13; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SCAN synscan portscan"; flow:stateless; flags:FS; id:39426; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:630; rev:11; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL ehlo cybercop attempt"; flow:to_server,established; content:"ehlo cybercop|0A|quit|0A|",fast_pattern,nocase; metadata:ruleset community; service:smtp; classtype:protocol-command-decode; sid:631; rev:16; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL expn cybercop attempt"; flow:to_server,established; content:"expn cybercop",fast_pattern,nocase; metadata:ruleset community; service:smtp; classtype:protocol-command-decode; sid:632; rev:15; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 10080:10081 ( msg:"INDICATOR-SCAN Amanda client-version request"; flow:to_server; content:"Amanda",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:634; rev:10; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 49 ( msg:"INDICATOR-SCAN XTACACS logout"; flow:to_server; content:"|80 07 00 00 07 00 00 04 00 00 00 00 00|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:bad-unknown; sid:635; rev:11; ) +alert udp 
$EXTERNAL_NET any -> $HOME_NET 7 ( msg:"INDICATOR-SCAN cybercop udp bomb"; flow:to_server; content:"cybercop",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:bad-unknown; sid:636; rev:9; ) +alert udp $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SCAN Webtrends Scanner UDP Probe"; flow:to_server; content:"|0A|help|0A|quite|0A|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,www.netiq.com/products/vsm/default.asp; classtype:attempted-recon; sid:637; rev:13; ) +alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE SGI NOOP"; content:"|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%",fast_pattern,nocase; metadata:ruleset community; classtype:shellcode-detect; sid:638; rev:11; ) +alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE SGI NOOP"; content:"|24 0F 12|4|24 0F 12|4|24 0F 12|4|24 0F 12|4",fast_pattern,nocase; metadata:ruleset community; classtype:shellcode-detect; sid:639; rev:11; ) +alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE AIX NOOP"; content:"O|FF FB 82|O|FF FB 82|O|FF FB 82|O|FF FB 82|",fast_pattern,nocase; metadata:ruleset community; classtype:shellcode-detect; sid:640; rev:11; ) +alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE Digital UNIX NOOP"; content:"G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|",fast_pattern,nocase; metadata:ruleset community; classtype:shellcode-detect; sid:641; rev:12; ) +alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE HP-UX NOOP"; content:"|08|!|02 80 08|!|02 80 08|!|02 80 08|!|02 80|",fast_pattern,nocase; metadata:ruleset community; 
classtype:shellcode-detect; sid:642; rev:12; ) +alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE HP-UX NOOP"; content:"|0B|9|02 80 0B|9|02 80 0B|9|02 80 0B|9|02 80|",fast_pattern,nocase; metadata:ruleset community; classtype:shellcode-detect; sid:643; rev:13; ) +alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE sparc NOOP"; content:"|13 C0 1C A6 13 C0 1C A6 13 C0 1C A6 13 C0 1C A6|",fast_pattern,nocase; metadata:ruleset community; classtype:shellcode-detect; sid:644; rev:11; ) +alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE sparc NOOP"; content:"|80 1C|@|11 80 1C|@|11 80 1C|@|11 80 1C|@|11|",fast_pattern,nocase; metadata:ruleset community; classtype:shellcode-detect; sid:645; rev:11; ) +alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE sparc NOOP"; content:"|A6 1C C0 13 A6 1C C0 13 A6 1C C0 13 A6 1C C0 13|",fast_pattern,nocase; metadata:ruleset community; classtype:shellcode-detect; sid:646; rev:11; ) +alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE Oracle sparc setuid 0"; content:"|82 10| |17 91 D0| |08|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; classtype:system-call-detect; sid:647; rev:15; ) +alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 NOOP"; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; classtype:shellcode-detect; sid:648; rev:18; ) +alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 setgid 0"; content:"|B0 B5 CD 80|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; classtype:system-call-detect; sid:649; rev:15; ) +alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 setuid 0"; content:"|B0 17 CD 80|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; classtype:system-call-detect; sid:650; rev:15; ) +alert ip 
$EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE Linux shellcode"; content:"|90 90 90 E8 C0 FF FF FF|/bin/sh",fast_pattern,nocase; metadata:ruleset community; classtype:shellcode-detect; sid:652; rev:15; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL RCPT TO overflow"; flow:to_server,established; content:"rcpt to|3A|",nocase; isdataat:256,relative; pcre:"/^RCPT TO\x3a\s*\x3c?[^\n\x3e]{256}/im"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:smtp; reference:bugtraq,2283; reference:bugtraq,43182; reference:bugtraq,9696; reference:cve,2001-0260; reference:cve,2003-0694; reference:cve,2008-0394; reference:cve,2009-0410; reference:cve,2010-2580; classtype:attempted-admin; sid:654; rev:29; ) +alert tcp $EXTERNAL_NET 113 -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|D/"; metadata:ruleset community; service:smtp; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-admin; sid:655; rev:16; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Netmanager chameleon SMTPd buffer overflow attempt"; flow:to_server,established; content:"HELP",nocase; isdataat:500,relative; pcre:"/^HELP\s[^\n]{500}/ims"; metadata:ruleset community; service:smtp; reference:bugtraq,2387; reference:cve,1999-0261; classtype:attempted-admin; sid:657; rev:20; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Microsoft Windows Exchange Server 5.5 mime DOS"; flow:to_server,established; content:"charset = |22 22|",nocase; metadata:ruleset community; service:smtp; reference:bugtraq,1869; reference:cve,2000-1006; reference:nessus,10558; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-082; classtype:attempted-dos; sid:658; rev:19; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Sendmail expn decode"; flow:to_server,established; content:"expn",nocase; 
content:"decode",fast_pattern,nocase; pcre:"/^expn\s+decode/ims"; metadata:ruleset community; service:smtp; reference:cve,1999-0096; reference:nessus,10248; classtype:attempted-recon; sid:659; rev:18; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL expn root"; flow:to_server,established; content:"expn",nocase; content:"root",fast_pattern,nocase; pcre:"/^expn\s+root/ims"; metadata:ruleset community; service:smtp; reference:nessus,10249; classtype:attempted-recon; sid:660; rev:19; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Majordomo ifs"; flow:to_server,established; content:"eply-to|3A| a~.`/bin/",fast_pattern,nocase; metadata:ruleset community; service:smtp; reference:bugtraq,2310; reference:cve,1999-0207; classtype:attempted-admin; sid:661; rev:18; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Sendmail 5.5.5 exploit"; flow:to_server,established; content:"mail from|3A| |22 7C|",fast_pattern,nocase; metadata:ruleset community; service:smtp; reference:cve,1999-0203; reference:nessus,10258; classtype:attempted-admin; sid:662; rev:17; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Sendmail rcpt to command attempt"; flow:to_server,established; content:"rcpt to|3A|",fast_pattern,nocase; pcre:"/^rcpt\s+to\:\s*[\x7c\x3b]/ims"; metadata:ruleset community; service:smtp; reference:bugtraq,1; reference:cve,1999-0095; classtype:attempted-admin; sid:663; rev:24; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Sendmail RCPT TO decode attempt"; flow:to_server,established; content:"rcpt to|3A|",nocase; content:"decode",distance 0,nocase; pcre:"/^rcpt to\:\s*decode/ims"; metadata:ruleset community; service:smtp; reference:bugtraq,2308; reference:cve,1999-0203; classtype:attempted-admin; sid:664; rev:23; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Sendmail 5.6.5 exploit"; flow:to_server,established; content:"MAIL FROM|3A| 
|7C|/usr/ucb/tail",fast_pattern,nocase; metadata:ruleset community; service:smtp; reference:bugtraq,2308; reference:cve,1999-0203; classtype:attempted-user; sid:665; rev:17; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Sendmail 8.6.10 exploit"; flow:to_server,established; content:"Croot|0D 0A|Mprog, P=/bin/",fast_pattern,nocase; metadata:ruleset community; service:smtp; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:667; rev:17; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Sendmail 8.6.10 exploit"; flow:to_server,established; content:"Croot|09 09 09 09 09 09 09|Mprog,P=/bin",fast_pattern,nocase; metadata:ruleset community; service:smtp; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:668; rev:17; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|Croot|0A|Mprog",fast_pattern,nocase; metadata:ruleset community; service:smtp; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:669; rev:17; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|C|3A|daemon|0A|R",fast_pattern,nocase; metadata:ruleset community; service:smtp; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:670; rev:16; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Sendmail 8.6.9c exploit"; flow:to_server,established; content:"|0A|Croot|0D 0A|Mprog",fast_pattern,nocase; metadata:ruleset community; service:smtp; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:671; rev:17; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL vrfy decode"; flow:to_server,established; content:"vrfy",nocase; content:"decode",distance 1,nocase; pcre:"/^vrfy\s+decode/ims"; metadata:ruleset community; service:smtp; 
reference:cve,1999-0096; classtype:attempted-recon; sid:672; rev:17; ) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 ( msg:"SQL sp_start_job - program execution"; flow:to_server,established; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|",fast_pattern,nocase; metadata:ruleset community; classtype:attempted-user; sid:673; rev:9; ) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 ( msg:"SQL sp_start_job - program execution"; flow:to_server,established; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|",depth 32,offset 32,nocase; metadata:ruleset community; classtype:attempted-user; sid:676; rev:9; ) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 ( msg:"SQL sp_password password change"; flow:to_server,established; content:"s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|",fast_pattern,nocase; metadata:ruleset community; classtype:attempted-user; sid:677; rev:10; ) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 ( msg:"SQL sp_delete_alert log file deletion"; flow:to_server,established; content:"s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|",fast_pattern,nocase; metadata:ruleset community; classtype:attempted-user; sid:678; rev:10; ) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 ( msg:"SQL sp_adduser database user creation"; flow:to_server,established; content:"s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|",depth 32,offset 32,nocase; metadata:ruleset community; classtype:attempted-user; sid:679; rev:9; ) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 ( msg:"SQL xp_cmdshell program execution"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|",offset 32,nocase; metadata:ruleset community; reference:bugtraq,5309; classtype:attempted-user; sid:681; rev:10; ) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 ( msg:"SQL sp_password - password change"; flow:to_server,established; 
content:"s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|",fast_pattern,nocase; metadata:ruleset community; classtype:attempted-user; sid:683; rev:9; )
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 ( msg:"SQL sp_delete_alert log file deletion"; flow:to_server,established; content:"s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|r|00|t|00|",fast_pattern,nocase; metadata:ruleset community; classtype:attempted-user; sid:684; rev:9; )
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 ( msg:"SQL sp_adduser - database user creation"; flow:to_server,established; content:"s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|",fast_pattern,nocase; metadata:ruleset community; classtype:attempted-user; sid:685; rev:9; )
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 ( msg:"SERVER-MSSQL xp_reg* - registry access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|g|00|",fast_pattern,nocase; metadata:ruleset community; reference:bugtraq,5205; reference:cve,2002-0642; reference:nessus,10642; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-034; classtype:attempted-user; sid:686; rev:17; )
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 ( msg:"SQL xp_cmdshell - program execution"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|",fast_pattern,nocase; metadata:ruleset community; reference:bugtraq,5309; classtype:attempted-user; sid:687; rev:10; )
+alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any ( msg:"SQL sa login failed"; flow:to_client,established; content:"Login failed for user 'sa'",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:688; rev:18; )
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 ( msg:"SERVER-MSSQL xp_reg* registry access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|g|00|",depth 32,offset 32,nocase; 
metadata:ruleset community; reference:bugtraq,5205; reference:cve,2002-0642; reference:nessus,10642; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-034; classtype:attempted-user; sid:689; rev:16; )
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 ( msg:"INDICATOR-SHELLCODE shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; metadata:ruleset community; classtype:shellcode-detect; sid:691; rev:9; )
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 ( msg:"INDICATOR-SHELLCODE shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; metadata:ruleset community; classtype:shellcode-detect; sid:692; rev:10; )
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 ( msg:"INDICATOR-SHELLCODE shellcode attempt"; flow:to_server,established; content:"H|00|%|00|x|00|w|00 90 00 90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|"; metadata:ruleset community; classtype:shellcode-detect; sid:693; rev:9; )
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 ( msg:"INDICATOR-SHELLCODE shellcode attempt"; flow:to_server,established; content:"H|00|%|00|x|00|w|00 90 00 90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|"; metadata:ruleset community; classtype:attempted-user; sid:694; rev:10; )
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 ( msg:"SERVER-MSSQL xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|",offset 32,nocase; metadata:ruleset community; reference:bugtraq,1204; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-060; classtype:attempted-user; sid:695; rev:14; )
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 ( msg:"SERVER-MSSQL xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|",fast_pattern,nocase; metadata:ruleset community; reference:bugtraq,1204; reference:bugtraq,3733; reference:cve,2001-0542; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-060; classtype:attempted-user; sid:704; rev:16; )
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"PROTOCOL-TELNET 4Dgifts SGI account attempt"; flow:to_server,established; content:"4Dgifts"; metadata:ruleset community; service:telnet; reference:cve,1999-0501; reference:nessus,11243; classtype:suspicious-login; sid:709; rev:17; )
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"PROTOCOL-TELNET EZsetup account attempt"; flow:to_server,established; content:"OutOfBox"; metadata:ruleset community; service:telnet; reference:cve,1999-0501; reference:nessus,11244; classtype:suspicious-login; sid:710; rev:17; )
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"PROTOCOL-TELNET SGI telnetd format bug"; flow:to_server,established; content:"_RLD",fast_pattern,nocase; content:"bin/sh"; metadata:ruleset community; service:telnet; reference:bugtraq,1572; reference:cve,2000-0733; classtype:attempted-admin; sid:711; rev:18; )
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"PROTOCOL-TELNET ld_library_path"; flow:to_server,established; content:"ld_library_path",fast_pattern,nocase; metadata:ruleset community; service:telnet; reference:bugtraq,459; reference:cve,1999-0073; classtype:attempted-admin; sid:712; rev:16; )
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"PROTOCOL-TELNET livingston DOS"; flow:to_server,established; raw_data; content:"|FF F3 FF F3 FF F3 FF F3 FF F3|",fast_pattern,nocase; metadata:ruleset community; service:telnet; reference:bugtraq,2225; reference:cve,1999-0218; classtype:attempted-dos; sid:713; rev:18; )
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"PROTOCOL-TELNET resolv_host_conf"; flow:to_server,established; content:"resolv_host_conf",fast_pattern,nocase; metadata:ruleset community; service:telnet; reference:bugtraq,2181; reference:cve,2001-0170; classtype:attempted-admin; sid:714; rev:15; )
+alert tcp $TELNET_SERVERS 23 -> 
$EXTERNAL_NET any ( msg:"PROTOCOL-TELNET Attempted SU from wrong group"; flow:to_client,established; content:"to su root",fast_pattern,nocase; metadata:ruleset community; service:telnet; classtype:attempted-admin; sid:715; rev:14; )
+alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any ( msg:"PROTOCOL-TELNET not on console"; flow:to_client,established; content:"not on system console",fast_pattern,nocase; metadata:ruleset community; service:telnet; classtype:bad-unknown; sid:717; rev:15; )
+alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any ( msg:"PROTOCOL-TELNET login incorrect"; flow:to_client,established; content:"Login incorrect"; metadata:ruleset community; service:telnet; classtype:bad-unknown; sid:718; rev:16; )
+alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any ( msg:"PROTOCOL-TELNET root login"; flow:to_client,established; content:"login|3A| root",fast_pattern,nocase; metadata:ruleset community; service:telnet; classtype:suspicious-login; sid:719; rev:15; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP HyperSeek hsx.cgi directory traversal attempt"; flow:to_server,established; http_uri; content:"/hsx.cgi"; http_raw_uri; content:"../../"; content:"%00",distance 1; metadata:ruleset community; service:http; reference:bugtraq,2314; reference:cve,2001-0253; reference:nessus,10602; classtype:web-application-attack; sid:803; rev:21; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP SWSoft ASPSeek Overflow attempt"; flow:to_server,established; http_uri; content:"/s.cgi",fast_pattern,nocase; content:"tmpl="; metadata:ruleset community; service:http; reference:bugtraq,2492; reference:cve,2001-0476; classtype:web-application-attack; sid:804; rev:20; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Progress webspeed access"; flow:to_server,established; http_uri; content:"/wsisa.dll/WService=",fast_pattern,nocase; content:"WSMadmin",nocase; metadata:ruleset community; 
service:http; reference:bugtraq,969; reference:cve,2000-0127; reference:nessus,10304; classtype:attempted-user; sid:805; rev:22; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP yabb directory traversal attempt"; flow:to_server,established; http_uri; content:"/YaBB",fast_pattern,nocase; http_raw_uri; content:"../"; metadata:ruleset community; service:http; reference:bugtraq,1668; reference:cve,2000-0853; reference:nessus,10512; classtype:attempted-recon; sid:806; rev:24; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP /wwwboard/passwd.txt access"; flow:to_server,established; http_uri; content:"/wwwboard/passwd.txt",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,649; reference:cve,1999-0953; reference:cve,1999-0954; reference:nessus,10321; classtype:attempted-recon; sid:807; rev:24; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP webdriver access"; flow:to_server,established; http_uri; content:"/webdriver",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2166; reference:nessus,10592; classtype:attempted-recon; sid:808; rev:21; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP whois_raw.cgi arbitrary command execution attempt"; flow:to_server,established; http_uri; content:"/whois_raw.cgi?"; pkt_data; content:"|0A|"; metadata:ruleset community; service:http; reference:bugtraq,304; reference:cve,1999-1063; reference:nessus,10306; reference:url,attack.mitre.org/techniques/T1065; classtype:web-application-attack; sid:809; rev:20; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP whois_raw.cgi access"; flow:to_server,established; http_uri; content:"/whois_raw.cgi"; metadata:ruleset community; service:http; reference:bugtraq,304; reference:cve,1999-1063; reference:nessus,10306; classtype:attempted-recon; sid:810; rev:19; )
+alert tcp $EXTERNAL_NET 
any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP websitepro path access"; flow:to_server,established; content:" /HTTP/1.",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,932; reference:cve,2000-0066; reference:nessus,10303; classtype:attempted-recon; sid:811; rev:18; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP webplus version access"; flow:to_server,established; http_uri; content:"/webplus?about",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1102; reference:cve,2000-0282; classtype:attempted-recon; sid:812; rev:22; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP webplus directory traversal"; flow:to_server,established; http_uri; content:"/webplus?script",fast_pattern,nocase; http_raw_uri; content:"../"; metadata:ruleset community; service:http; reference:bugtraq,1102; reference:cve,2000-0282; reference:nessus,10367; classtype:web-application-attack; sid:813; rev:22; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP websendmail access"; flow:to_server,established; http_uri; content:"/websendmail",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2077; reference:cve,1999-0196; reference:nessus,10301; classtype:attempted-recon; sid:815; rev:22; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP dcboard.cgi invalid user addition attempt"; flow:to_server,established; http_uri; content:"/dcboard.cgi"; pkt_data; content:"command=register"; content:"%7cadmin"; metadata:ruleset community; service:http; reference:bugtraq,2728; reference:cve,2001-0527; reference:nessus,10583; classtype:web-application-attack; sid:817; rev:19; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP dcforum.cgi access"; flow:to_server,established; http_uri; content:"/dcforum.cgi"; metadata:ruleset community; service:http; 
reference:bugtraq,2728; reference:cve,2001-0527; reference:nessus,10583; classtype:attempted-recon; sid:818; rev:17; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP mmstdod.cgi access"; flow:to_server,established; http_uri; content:"/mmstdod.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2063; reference:cve,2001-0021; reference:nessus,10566; classtype:attempted-recon; sid:819; rev:22; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP anaconda directory traversal attempt"; flow:to_server,established; http_uri; content:"/apexec.pl"; pkt_data; content:"template=../",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2338; reference:bugtraq,2388; reference:cve,2000-0975; reference:cve,2001-0308; reference:nessus,10536; classtype:web-application-attack; sid:820; rev:19; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP imagemap.exe overflow attempt"; flow:to_server,established; http_uri; content:"/imagemap.exe?",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,739; reference:cve,1999-0951; reference:nessus,10122; classtype:web-application-attack; sid:821; rev:25; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP cvsweb.cgi access"; flow:to_server,established; http_uri; content:"/cvsweb.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1469; reference:cve,2000-0670; reference:nessus,10465; classtype:attempted-recon; sid:823; rev:20; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP php.cgi access"; flow:to_server,established; http_uri; content:"/php.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2250; reference:bugtraq,712; reference:cve,1999-0058; reference:cve,1999-0238; reference:nessus,10178; classtype:attempted-recon; sid:824; rev:27; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP glimpse access"; flow:to_server,established; http_uri; content:"/glimpse",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2026; reference:cve,1999-0147; reference:nessus,10095; classtype:attempted-recon; sid:825; rev:21; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP htmlscript access"; flow:to_server,established; http_uri; content:"/htmlscript",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2001; reference:cve,1999-0264; reference:nessus,10106; classtype:attempted-recon; sid:826; rev:21; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP info2www access"; flow:to_server,established; http_uri; content:"/info2www",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1995; reference:cve,1999-0266; reference:nessus,10127; classtype:attempted-recon; sid:827; rev:21; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP maillist.pl access"; flow:to_server,established; http_uri; content:"/maillist.pl",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:828; rev:17; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP nph-test-cgi access"; flow:to_server,established; http_uri; content:"/nph-test-cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,686; reference:cve,1999-0045; reference:nessus,10165; classtype:attempted-recon; sid:829; rev:24; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP perl.exe access"; flow:to_server,established; http_uri; content:"/perl.exe",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,1999-0509; reference:nessus,10173; reference:url,www.cert.org/advisories/CA-1996-11.html; 
classtype:attempted-recon; sid:832; rev:25; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP rguest.exe access"; flow:to_server,established; http_uri; content:"/rguest.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2024; reference:cve,1999-0287; classtype:attempted-recon; sid:833; rev:23; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP rwwwshell.pl access"; flow:to_server,established; http_uri; content:"/rwwwshell.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,www.itsecurity.com/papers/p37.htm; classtype:attempted-recon; sid:834; rev:19; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP test-cgi access"; flow:to_server,established; http_uri; content:"/test-cgi",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,2003; reference:cve,1999-0070; reference:nessus,10282; classtype:attempted-recon; sid:835; rev:26; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP textcounter.pl access"; flow:to_server,established; http_uri; content:"/textcounter.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2265; reference:cve,1999-1479; reference:nessus,11451; classtype:attempted-recon; sid:836; rev:22; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP uploader.exe access"; flow:to_server,established; http_uri; content:"/uploader.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1611; reference:cve,1999-0177; reference:cve,2000-0769; reference:nessus,10291; classtype:attempted-recon; sid:837; rev:22; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP webgais access"; flow:to_server,established; http_uri; content:"/webgais",fast_pattern,nocase; metadata:ruleset community; service:http; 
reference:bugtraq,2058; reference:cve,1999-0176; reference:nessus,10300; classtype:attempted-recon; sid:838; rev:22; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP finger access"; flow:to_server,established; http_uri; content:"/finger",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-0612; reference:nessus,10071; classtype:attempted-recon; sid:839; rev:20; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP perlshop.cgi access"; flow:to_server,established; http_uri; content:"/perlshop.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-1374; classtype:attempted-recon; sid:840; rev:19; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP aglimpse access"; flow:to_server,established; http_uri; content:"/aglimpse",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2026; reference:cve,1999-0147; reference:nessus,10095; classtype:attempted-recon; sid:842; rev:19; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP anform2 access"; flow:to_server,established; http_uri; content:"/AnForm2",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,719; reference:cve,1999-0066; classtype:attempted-recon; sid:843; rev:22; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP args.bat access"; flow:to_server,established; http_uri; content:"/args.bat",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-1180; reference:nessus,11465; classtype:attempted-recon; sid:844; rev:21; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP AT-admin.cgi access"; flow:to_server,established; http_uri; content:"/AT-admin.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-1072; classtype:attempted-recon; sid:845; rev:19; )
+alert tcp 
$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP bnbform.cgi access"; flow:to_server,established; http_uri; content:"/bnbform.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2147; reference:cve,1999-0937; classtype:attempted-recon; sid:846; rev:20; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP campas access"; flow:to_server,established; http_uri; content:"/campas",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1975; reference:cve,1999-0146; reference:nessus,10035; classtype:attempted-recon; sid:847; rev:22; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP view-source directory traversal"; flow:to_server,established; http_uri; content:"/view-source",fast_pattern,nocase; http_raw_uri; content:"../"; metadata:ruleset community; service:http; reference:bugtraq,2251; reference:bugtraq,8883; reference:cve,1999-0174; classtype:web-application-attack; sid:848; rev:20; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP view-source access"; flow:to_server,established; http_uri; content:"/view-source",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2251; reference:bugtraq,8883; reference:cve,1999-0174; classtype:attempted-recon; sid:849; rev:20; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP wais.pl access"; flow:to_server,established; http_uri; content:"/wais.pl",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:850; rev:17; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP files.pl access"; flow:to_server,established; http_uri; content:"/files.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-1081; classtype:attempted-recon; sid:851; rev:19; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( 
msg:"SERVER-WEBAPP wguest.exe access"; flow:to_server,established; http_uri; content:"/wguest.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2024; reference:cve,1999-0287; reference:cve,1999-0467; classtype:attempted-recon; sid:852; rev:22; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP wrap access"; flow:to_server,established; http_uri; content:"/wrap"; metadata:ruleset community; service:http; reference:bugtraq,373; reference:cve,1999-0149; reference:nessus,10317; classtype:attempted-recon; sid:853; rev:17; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP classifieds.cgi access"; flow:to_server,established; http_uri; content:"/classifieds.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2020; reference:cve,1999-0934; classtype:attempted-recon; sid:854; rev:19; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP environ.cgi access"; flow:to_server,established; http_uri; content:"/environ.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:856; rev:17; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP faxsurvey access"; flow:to_server,established; http_uri; content:"/faxsurvey",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,2056; reference:cve,1999-0262; reference:nessus,10067; classtype:web-application-activity; sid:857; rev:26; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP filemail access"; flow:to_server,established; http_uri; content:"/filemail.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-1154; classtype:attempted-recon; sid:858; rev:19; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP man.sh access"; flow:to_server,established; http_uri; 
content:"/man.sh",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2276; reference:cve,1999-1179; classtype:attempted-recon; sid:859; rev:21; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP snork.bat access"; flow:to_server,established; http_uri; content:"/snork.bat",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2023; reference:cve,1999-0233; classtype:attempted-recon; sid:860; rev:22; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP w3-msql access"; flow:to_server,established; http_uri; content:"/w3-msql/",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,591; reference:bugtraq,898; reference:cve,1999-0276; reference:cve,1999-0753; reference:cve,2000-0012; reference:nessus,10296; classtype:attempted-recon; sid:861; rev:25; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP csh access"; flow:to_server,established; http_uri; content:"/csh",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:862; rev:21; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP day5datacopier.cgi access"; flow:to_server,established; http_uri; content:"/day5datacopier.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-1232; classtype:attempted-recon; sid:863; rev:19; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP day5datanotifier.cgi access"; flow:to_server,established; http_uri; content:"/day5datanotifier.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-1232; classtype:attempted-recon; sid:864; rev:19; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ksh access"; 
flow:to_server,established; http_uri; content:"/ksh",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:865; rev:20; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP post-query access"; flow:to_server,established; http_uri; content:"/post-query",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,6752; reference:cve,2001-0291; classtype:attempted-recon; sid:866; rev:20; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP visadmin.exe access"; flow:to_server,established; http_uri; content:"/visadmin.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1808; reference:cve,1999-0970; reference:nessus,10295; classtype:attempted-recon; sid:867; rev:22; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP rsh access"; flow:to_server,established; http_uri; content:"/rsh",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:868; rev:21; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP dumpenv.pl access"; flow:to_server,established; http_uri; content:"/dumpenv.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-1178; reference:nessus,10060; classtype:attempted-recon; sid:869; rev:20; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP snorkerz.cmd access"; flow:to_server,established; http_uri; content:"/snorkerz.cmd",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:870; rev:17; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP survey.cgi access"; 
flow:to_server,established; http_uri; content:"/survey.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1817; reference:cve,1999-0936; classtype:attempted-recon; sid:871; rev:19; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP tcsh access"; flow:to_server,established; http_uri; content:"/tcsh",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:872; rev:21; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP win-c-sample.exe access"; flow:to_server,established; http_uri; content:"/win-c-sample.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2078; reference:cve,1999-0178; reference:nessus,10008; classtype:attempted-recon; sid:875; rev:22; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP rksh access"; flow:to_server,established; http_uri; content:"/rksh",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:877; rev:20; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP w3tvars.pm access"; flow:to_server,established; http_uri; content:"/w3tvars.pm",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:878; rev:18; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP admin.pl access"; flow:to_server,established; http_uri; content:"/admin.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3839; reference:cve,2002-1748; reference:url,online.securityfocus.com/archive/1/249355; classtype:attempted-recon; sid:879; rev:20; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( 
msg:"SERVER-WEBAPP LWGate access"; flow:to_server,established; http_uri; content:"/LWGate",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,www.netspace.org/~dwb/lwgate/lwgate-history.html; reference:url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm; classtype:attempted-recon; sid:880; rev:20; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP archie access"; flow:to_server,established; http_uri; content:"/archie",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:881; rev:17; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP calendar access"; flow:to_server,established; http_uri; content:"/calendar",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:882; rev:17; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP flexform access"; flow:to_server,established; http_uri; content:"/flexform",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm; classtype:attempted-recon; sid:883; rev:17; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP bash access"; flow:to_server,established; http_uri; content:"/bash",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:web-application-activity; sid:885; rev:21; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP phf access"; flow:to_server,established; http_uri; content:"/phf",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,629; reference:cve,1999-0067; classtype:web-application-activity; sid:886; rev:28; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP www-sql access"; flow:to_server,established; 
http_uri; content:"/www-sql",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=88704258804054&w=2; classtype:attempted-recon; sid:887; rev:18; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP wwwadmin.pl access"; flow:to_server,established; http_uri; content:"/wwwadmin.pl",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:888; rev:17; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ppdscgi.exe access"; flow:to_server,established; http_uri; content:"/ppdscgi.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,491; reference:nessus,10187; reference:url,online.securityfocus.com/archive/1/16878; classtype:attempted-recon; sid:889; rev:22; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP sendform.cgi access"; flow:to_server,established; http_uri; content:"/sendform.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,5286; reference:cve,2002-0710; reference:url,www.scn.org/help/sendform.txt; classtype:attempted-recon; sid:890; rev:22; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP upload.pl access"; flow:to_server,established; http_uri; content:"/upload.pl",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:891; rev:17; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP AnyForm2 access"; flow:to_server,established; http_uri; content:"/AnyForm2",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,719; reference:cve,1999-0066; reference:nessus,10277; classtype:attempted-recon; sid:892; rev:22; )
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP bb-hist.sh access"; flow:to_server,established; http_uri; content:"/bb-hist.sh",fast_pattern,nocase; 
metadata:ruleset community; service:http; reference:bugtraq,142; reference:cve,1999-1462; reference:nessus,10025; classtype:attempted-recon; sid:894; rev:20; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP redirect access"; flow:to_server,established; http_uri; content:"/redirect",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1179; reference:cve,2000-0382; classtype:attempted-recon; sid:895; rev:19; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP way-board access"; flow:to_server,established; http_uri; content:"/way-board",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2370; reference:cve,2001-0214; reference:nessus,10610; classtype:web-application-activity; sid:896; rev:23; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP pals-cgi access"; flow:to_server,established; http_uri; content:"/pals-cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2372; reference:cve,2001-0216; reference:cve,2001-0217; reference:nessus,10611; classtype:attempted-recon; sid:897; rev:22; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP commerce.cgi access"; flow:to_server,established; http_uri; content:"/commerce.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2361; reference:cve,2001-0210; reference:nessus,10612; classtype:attempted-recon; sid:898; rev:21; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Amaya templates sendtemp.pl directory traversal attempt"; flow:to_server,established; http_uri; content:"/sendtemp.pl",fast_pattern,nocase; content:"templ=",nocase; metadata:ruleset community; service:http; reference:bugtraq,2504; reference:cve,2001-0272; reference:nessus,10614; classtype:web-application-attack; sid:899; rev:20; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( 
msg:"SERVER-WEBAPP webspirs.cgi directory traversal attempt"; flow:to_server,established; http_uri; content:"/webspirs.cgi",fast_pattern,nocase; http_raw_uri; content:"../../"; metadata:ruleset community; service:http; reference:bugtraq,2362; reference:cve,2001-0211; reference:nessus,10616; classtype:web-application-attack; sid:900; rev:22; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP webspirs.cgi access"; flow:to_server,established; http_uri; content:"/webspirs.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2362; reference:cve,2001-0211; reference:nessus,10616; classtype:attempted-recon; sid:901; rev:22; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP tstisapi.dll access"; flow:to_server,established; http_uri; content:"tstisapi.dll",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2381; reference:cve,2001-0302; classtype:attempted-recon; sid:902; rev:21; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion cfcache.map access"; flow:to_server,established; http_uri; content:"/cfcache.map",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,917; reference:cve,2000-0057; classtype:attempted-recon; sid:903; rev:19; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion exampleapp application.cfm"; flow:to_server,established; http_uri; content:"/cfdocs/exampleapp/email/application.cfm",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1021; reference:cve,2000-0189; reference:cve,2001-0535; classtype:attempted-recon; sid:904; rev:22; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion application.cfm access"; flow:to_server,established; http_uri; 
content:"/cfdocs/exampleapp/publish/admin/application.cfm",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1021; reference:cve,2000-0189; reference:cve,2001-0535; classtype:attempted-recon; sid:905; rev:22; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion getfile.cfm access"; flow:to_server,established; http_uri; content:"/cfdocs/exampleapp/email/getfile.cfm",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,229; reference:cve,1999-0800; reference:cve,2001-0535; classtype:attempted-recon; sid:906; rev:22; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion addcontent.cfm access"; flow:to_server,established; http_uri; content:"/cfdocs/exampleapp/publish/admin/addcontent.cfm",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2001-0535; classtype:attempted-recon; sid:907; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion administrator access"; flow:to_server,established; http_uri; content:"/cfide/administrator/index.cfm",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1314; reference:cve,2000-0538; reference:nessus,10581; classtype:attempted-recon; sid:908; rev:21; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion datasource username attempt"; flow:to_server,established; content:"CF_SETDATASOURCEUSERNAME|28 29|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:909; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion fileexists.cfm access"; flow:to_server,established; 
http_uri; content:"/cfdocs/snippets/fileexists.cfm",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:910; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion exprcalc access"; flow:to_server,established; http_uri; content:"/cfdocs/expeval/exprcalc.cfm",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,115; reference:bugtraq,550; reference:cve,1999-0455; reference:cve,1999-0760; classtype:attempted-recon; sid:911; rev:20; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion parks access"; flow:to_server,established; http_uri; content:"/cfdocs/examples/parks/detail.cfm",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:912; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion cfappman access"; flow:to_server,established; http_uri; content:"/cfappman/index.cfm",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:913; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion beaninfo access"; flow:to_server,established; http_uri; content:"/cfdocs/examples/cvbeans/beaninfo.cfm",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:914; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion evaluate.cfm access"; flow:to_server,established; http_uri; content:"/cfdocs/snippets/evaluate.cfm",fast_pattern,nocase; 
metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:915; rev:19; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion getodbcdsn access"; flow:to_server,established; content:"CFUSION_GETODBCDSN|28 29|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:916; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion db connections flush attempt"; flow:to_server,established; content:"CFUSION_DBCONNECTIONS_FLUSH|28 29|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:917; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion expeval access"; flow:to_server,established; http_uri; content:"/cfdocs/expeval/",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0477; reference:cve,1999-0760; classtype:attempted-user; sid:918; rev:19; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion datasource passwordattempt"; flow:to_server,established; content:"CF_SETDATASOURCEPASSWORD|28 29|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:919; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion datasource attempt"; flow:to_server,established; content:"CF_ISCOLDFUSIONDATASOURCE|28 29|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,550; 
reference:cve,1999-0760; classtype:web-application-attack; sid:920; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion admin encrypt attempt"; flow:to_server,established; content:"CFUSION_ENCRYPT|28 29|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:921; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion displayfile access"; flow:to_server,established; http_uri; content:"/cfdocs/expeval/displayopenedfile.cfm",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:922; rev:19; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion getodbcin attempt"; flow:to_server,established; content:"CFUSION_GETODBCINI|28 29|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:923; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion admin decrypt attempt"; flow:to_server,established; content:"CFUSION_DECRYPT|28 29|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:924; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion mainframeset access"; flow:to_server,established; http_uri; content:"/cfdocs/examples/mainframeset.cfm",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:925; rev:18; ) +alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion set odbc ini attempt"; flow:to_server,established; content:"CFUSION_SETODBCINI|28 29|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:926; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion settings refresh attempt"; flow:to_server,established; content:"CFUSION_SETTINGS_REFRESH|28 29|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:927; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion exampleapp access"; flow:to_server,established; http_uri; content:"/cfdocs/exampleapp/",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2001-0535; classtype:attempted-recon; sid:928; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion CFUSION_VERIFYMAIL access"; flow:to_server,established; content:"CFUSION_VERIFYMAIL|28 29|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-user; sid:929; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion snippets attempt"; flow:to_server,established; http_uri; content:"/cfdocs/snippets/",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:930; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion cfmlsyntaxcheck.cfm access"; flow:to_server,established; http_uri; 
content:"/cfdocs/cfmlsyntaxcheck.cfm",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:931; rev:19; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion application.cfm access"; flow:to_server,established; http_uri; content:"/application.cfm",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; reference:cve,2000-0189; classtype:attempted-recon; sid:932; rev:21; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion onrequestend.cfm access"; flow:to_server,established; http_uri; content:"/onrequestend.cfm",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; reference:cve,2000-0189; classtype:attempted-recon; sid:933; rev:21; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion startstop DOS access"; flow:to_server,established; http_uri; content:"/cfide/administrator/startstop.html",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,247; reference:cve,1999-0756; classtype:web-application-attack; sid:935; rev:19; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion gettempdirectory.cfm access "; flow:to_server,established; http_uri; content:"/cfdocs/snippets/gettempdirectory.cfm",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:936; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage _vti_rpc access"; flow:to_server,established; http_uri; content:"/_vti_rpc",nocase; metadata:policy 
max-detect-ips drop,ruleset community; service:http; reference:bugtraq,2144; reference:cve,2001-0096; reference:nessus,10585; classtype:web-application-activity; sid:937; rev:22; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage posting"; flow:to_server,established; content:"POST"; http_uri; content:"/author.dll",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,2144; reference:cve,2001-0096; reference:nessus,10585; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-100; classtype:web-application-activity; sid:939; rev:23; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage shtml.dll access"; flow:to_server,established; http_uri; content:"/_vti_bin/shtml.dll",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1174; reference:bugtraq,1594; reference:bugtraq,1595; reference:cve,2000-0413; reference:cve,2000-0746; reference:nessus,11395; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-060; classtype:web-application-activity; sid:940; rev:29; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage contents.htm access"; flow:to_server,established; http_uri; content:"/admcgi/contents.htm",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2002-1717; classtype:web-application-activity; sid:941; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage orders.htm access"; flow:to_server,established; http_uri; content:"/_private/orders.htm",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2002-1717; classtype:web-application-activity; sid:942; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage fpsrvadm.exe 
access"; flow:to_server,established; http_uri; content:"/fpsrvadm.exe",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2002-1717; classtype:web-application-activity; sid:943; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage fpremadm.exe access"; flow:to_server,established; http_uri; content:"/fpremadm.exe",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2002-1717; classtype:web-application-activity; sid:944; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage fpadmin.htm access"; flow:to_server,established; http_uri; content:"/admisapi/fpadmin.htm",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2002-1717; classtype:web-application-activity; sid:945; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage fpadmcgi.exe access"; flow:to_server,established; http_uri; content:"/scripts/Fpadmcgi.exe",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2002-1717; classtype:web-application-activity; sid:946; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage orders.txt access"; flow:to_server,established; http_uri; content:"/_private/orders.txt",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2002-1717; classtype:web-application-activity; sid:947; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage form_results access"; flow:to_server,established; http_uri; content:"/_private/form_results.txt",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,1999-1052; classtype:web-application-activity; sid:948; rev:20; ) +alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage registrations.htm access"; flow:to_server,established; http_uri; content:"/_private/registrations.htm",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2002-1717; classtype:web-application-activity; sid:949; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage cfgwiz.exe access"; flow:to_server,established; http_uri; content:"/cfgwiz.exe",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2002-1717; classtype:web-application-activity; sid:950; rev:19; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage authors.pwd access"; flow:to_server,established; http_uri; content:"/authors.pwd",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,989; reference:cve,1999-0386; reference:nessus,10078; classtype:web-application-activity; sid:951; rev:22; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage author.exe access"; flow:to_server,established; http_uri; content:"/_vti_bin/_vti_aut/author.exe",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2002-1717; classtype:web-application-activity; sid:952; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage administrators.pwd access"; flow:to_server,established; http_uri; content:"/administrators.pwd",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1205; reference:cve,2002-1717; classtype:web-application-activity; sid:953; rev:19; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage form_results.htm access"; flow:to_server,established; http_uri; content:"/_private/form_results.htm",nocase; metadata:policy 
max-detect-ips drop,ruleset community; service:http; reference:cve,1999-1052; classtype:web-application-activity; sid:954; rev:20; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage access.cnf access"; flow:to_server,established; http_uri; content:"/_vti_pvt/access.cnf",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:955; rev:23; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage register.txt access"; flow:to_server,established; http_uri; content:"/_private/register.txt",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2002-1717; classtype:web-application-activity; sid:956; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage registrations.txt access"; flow:to_server,established; http_uri; content:"/_private/registrations.txt",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2002-1717; classtype:web-application-activity; sid:957; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage service.cnf access"; flow:to_server,established; http_uri; content:"/_vti_pvt/service.cnf",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:958; rev:22; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage service.pwd"; flow:to_server,established; http_uri; content:"/service.pwd",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1205; classtype:web-application-activity; sid:959; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage service.stp access"; flow:to_server,established; http_uri; content:"/_vti_pvt/service.stp",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2002-1717; classtype:web-application-activity; sid:960; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage services.cnf access"; flow:to_server,established; http_uri; content:"/_vti_pvt/services.cnf",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:961; rev:22; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage shtml.exe access"; flow:to_server,established; http_uri; content:"/_vti_bin/shtml.exe",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1174; reference:bugtraq,1608; reference:bugtraq,5804; reference:cve,2000-0413; reference:cve,2000-0709; reference:cve,2002-0692; reference:nessus,10405; reference:nessus,11311; classtype:web-application-activity; sid:962; rev:25; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage svcacl.cnf access"; flow:to_server,established; http_uri; content:"/_vti_pvt/svcacl.cnf",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:963; rev:22; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage users.pwd access"; flow:to_server,established; http_uri; content:"/users.pwd",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2002-1717; classtype:web-application-activity; sid:964; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( 
msg:"SERVER-OTHER Microsoft Frontpage writeto.cnf access"; flow:to_server,established; http_uri; content:"/_vti_pvt/writeto.cnf",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:965; rev:22; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage .... request"; flow:to_server,established; http_uri; content:"..../"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,989; reference:cve,1999-0386; reference:cve,2000-0153; reference:nessus,10142; classtype:web-application-attack; sid:966; rev:25; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage dvwssr.dll access"; flow:to_server,established; http_uri; content:"/dvwssr.dll",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1108; reference:bugtraq,1109; reference:cve,2000-0260; reference:nessus,10369; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-025; classtype:web-application-activity; sid:967; rev:26; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage register.htm access"; flow:to_server,established; http_uri; content:"/_private/register.htm",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2002-1717; classtype:web-application-activity; sid:968; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS WebDAV file lock attempt"; flow:to_server,established; content:"LOCK ",depth 5; metadata:ruleset community; service:http; reference:bugtraq,2736; reference:nessus,10732; classtype:web-application-activity; sid:969; rev:13; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS ISAPI .printer access"; flow:to_server,established; http_uri; 
content:".printer",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,2674; reference:cve,2001-0241; reference:nessus,10661; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-023; classtype:web-application-activity; sid:971; rev:28; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS *.idc attempt"; flow:to_server,established; http_uri; content:"/*.idc",nocase; metadata:ruleset community; service:http; reference:bugtraq,1448; reference:cve,1999-0874; reference:cve,2000-0661; classtype:web-application-attack; sid:973; rev:24; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS Microsoft Windows IIS directory traversal attempt"; flow:to_server,established; content:"..|5C|..",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,2218; reference:cve,1999-0229; classtype:web-application-attack; sid:974; rev:23; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS Alternate Data streams ASP file access attempt"; flow:to_server,established; http_uri; content:".asp|3A 3A 24|DATA",nocase; metadata:ruleset community; service:http; reference:bugtraq,149; reference:cve,1999-0278; reference:nessus,10362; reference:url,docs.microsoft.com/en-us/security-updates/securitybulletins/1998/ms98-003; classtype:web-application-attack; sid:975; rev:27; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP .bat? 
access"; flow:to_server,established; http_uri; content:".bat?",fast_pattern,nocase; content:"/cgi-bin/",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,2023; reference:bugtraq,4335; reference:cve,1999-0233; reference:cve,2002-0061; reference:cve,2019-0232; reference:url,support.microsoft.com/support/kb/articles/Q148/1/88.asp; reference:url,support.microsoft.com/support/kb/articles/Q155/0/56.asp; classtype:web-application-activity; sid:976; rev:22; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS .cnf access"; flow:to_server,established; http_uri; content:".cnf",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:977; rev:25; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS ASP contents view"; flow:to_server,established; content:"%20"; content:"&CiRestriction=none",nocase; content:"&CiHiliteType=Full",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1084; reference:cve,2000-0302; reference:nessus,10356; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-006; classtype:web-application-attack; sid:978; rev:21; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS ASP contents view"; flow:to_server,established; http_uri; content:".htw?CiWebHitsFile",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1861; reference:cve,2000-0942; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-006; classtype:web-application-attack; sid:979; rev:22; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS CGImail.exe access"; flow:to_server,established; http_uri; content:"/scripts/CGImail.exe",nocase; metadata:ruleset community; service:http; reference:bugtraq,1623; reference:cve,2000-0726; 
reference:nessus,11721; classtype:web-application-activity; sid:980; rev:20; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS JET VBA access"; flow:to_server,established; http_uri; content:"/scripts/samples/ctguestb.idc",nocase; metadata:ruleset community; service:http; reference:bugtraq,307; reference:cve,1999-0874; reference:nessus,10116; classtype:web-application-activity; sid:984; rev:25; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS JET VBA access"; flow:to_server,established; http_uri; content:"/scripts/samples/details.idc",nocase; metadata:ruleset community; service:http; reference:bugtraq,286; reference:cve,1999-0874; classtype:web-application-activity; sid:985; rev:22; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS MSProxy access"; flow:to_server,established; http_uri; content:"/scripts/proxy/w3proxy.dll",nocase; metadata:ruleset community; service:http; reference:url,support.microsoft.com/?kbid=331066; classtype:web-application-activity; sid:986; rev:20; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"FILE-IDENTIFY .htr access file download request"; flow:to_server,established; http_uri; content:".htr",fast_pattern,nocase; pcre:"/\x2ehtr([\?\x5c\x2f]|$)/ims"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1488; reference:cve,2000-0630; reference:cve,2001-0004; reference:nessus,10680; reference:url,technet.microsoft.com/en-us/security/bulletin/ms01-004; classtype:misc-activity; sid:987; rev:32; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"MALWARE-CNC sensepost.exe command shell"; flow:to_server,established; http_uri; content:"/sensepost.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,11003; classtype:web-application-activity; sid:989; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage 
_vti_inf.html access"; flow:to_server,established; http_uri; content:"/_vti_inf.html",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2002-1717; reference:nessus,11455; classtype:web-application-activity; sid:990; rev:21; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS achg.htr access"; flow:to_server,established; http_uri; content:"/iisadmpwd/achg.htr",nocase; metadata:ruleset community; service:http; reference:bugtraq,2110; reference:cve,1999-0407; classtype:web-application-activity; sid:991; rev:20; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS adctest.asp access"; flow:to_server,established; http_uri; content:"/msadc/samples/adctest.asp",nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:992; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS iisadmin access"; flow:to_server,established; http_uri; content:"/iisadmin",nocase; metadata:ruleset community; service:http; reference:bugtraq,189; reference:cve,1999-1538; reference:nessus,11032; classtype:web-application-attack; sid:993; rev:22; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS /scripts/iisadmin/default.htm access"; flow:to_server,established; http_uri; content:"/scripts/iisadmin/default.htm",nocase; metadata:ruleset community; service:http; classtype:web-application-attack; sid:994; rev:19; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS ism.dll access"; flow:to_server,established; http_uri; content:"/scripts/iisadmin/ism.dll?http/dir",nocase; metadata:ruleset community; service:http; reference:bugtraq,189; reference:cve,1999-1538; reference:cve,2000-0630; classtype:web-application-attack; sid:995; rev:26; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS anot.htr access"; flow:to_server,established; http_uri; 
content:"/iisadmpwd/anot",nocase; metadata:ruleset community; service:http; reference:bugtraq,2110; reference:cve,1999-0407; classtype:web-application-activity; sid:996; rev:20; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS asp-dot attempt"; flow:to_server,established; http_uri; content:".asp.",nocase; metadata:ruleset community; service:http; reference:bugtraq,1814; reference:nessus,10363; classtype:web-application-attack; sid:997; rev:21; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS asp-srch attempt"; flow:to_server,established; http_uri; content:"|23|filename=*.asp",nocase; metadata:ruleset community; service:http; classtype:web-application-attack; sid:998; rev:19; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS bdir access"; flow:to_server,established; http_uri; content:"/scripts/iisadmin/bdir.htr",nocase; metadata:ruleset community; service:http; reference:bugtraq,2280; classtype:web-application-activity; sid:999; rev:19; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS bdir.htr access"; flow:to_server,established; http_uri; content:"/bdir.htr",nocase; metadata:ruleset community; service:http; reference:bugtraq,2280; reference:nessus,10577; classtype:web-application-activity; sid:1000; rev:23; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP carbo.dll access"; flow:to_server,established; http_uri; content:"/carbo.dll"; pkt_data; content:"icatcommand=",nocase; metadata:ruleset community; service:http; reference:bugtraq,2126; reference:cve,1999-1069; classtype:attempted-recon; sid:1001; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS cmd.exe access"; flow:to_server,established; http_uri; content:"cmd.exe",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:web-application-attack; sid:1002; rev:19; ) +alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS cmd? access"; flow:to_server,established; content:".cmd?&",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-attack; sid:1003; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS codebrowser Exair access"; flow:to_server,established; http_uri; content:"/iissamples/exair/howitworks/codebrws.asp",nocase; metadata:ruleset community; service:http; reference:cve,1999-0499; reference:cve,1999-0815; classtype:web-application-activity; sid:1004; rev:19; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS codebrowser SDK access"; flow:to_server,established; http_uri; content:"/iissamples/sdk/asp/docs/codebrws.asp",nocase; metadata:ruleset community; service:http; reference:bugtraq,167; reference:cve,1999-0736; classtype:web-application-activity; sid:1005; rev:23; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS Form_JScript.asp access"; flow:to_server,established; http_uri; content:"/Form_JScript.asp",nocase; metadata:ruleset community; service:http; reference:bugtraq,1594; reference:bugtraq,1595; reference:cve,2000-0746; reference:cve,2000-1104; reference:nessus,10572; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-028; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-060; classtype:web-application-attack; sid:1007; rev:24; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS del attempt"; flow:to_server,established; content:"&del+/s+c|3A 5C|*.*",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-attack; sid:1008; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS directory listing"; flow:to_server,established; http_uri; content:"/ServerVariables_Jscript.asp",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:nessus,10573; 
classtype:web-application-attack; sid:1009; rev:19; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS encoding access"; flow:to_server,established; content:"%1u",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,886; reference:cve,2000-0024; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-061; classtype:web-application-activity; sid:1010; rev:21; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS exec-src access"; flow:to_server,established; content:"|23|filename=*.exe",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1011; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS fpcount attempt"; flow:to_server,established; http_uri; content:"/fpcount.exe",fast_pattern,nocase; pkt_data; content:"Digits=",nocase; metadata:ruleset community; service:http; reference:bugtraq,2252; reference:cve,1999-1376; classtype:web-application-attack; sid:1012; rev:21; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS fpcount access"; flow:to_server,established; http_uri; content:"/fpcount.exe",nocase; metadata:ruleset community; service:http; reference:bugtraq,2252; reference:cve,1999-1376; classtype:web-application-activity; sid:1013; rev:21; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS getdrvs.exe access"; flow:to_server,established; http_uri; content:"/scripts/tools/getdrvs.exe",nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1015; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS global.asa access"; flow:to_server,established; http_uri; content:"/global.asa",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2000-0778; reference:cve,2001-0004; reference:nessus,10491; reference:nessus,10991; 
reference:url,technet.microsoft.com/en-us/security/bulletin/ms01-004; classtype:web-application-activity; sid:1016; rev:26; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS idc-srch attempt"; flow:to_server,established; content:"|23|filename=*.idc",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-0874; classtype:web-application-attack; sid:1017; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS iisadmpwd attempt"; flow:to_server,established; http_uri; content:"/iisadmpwd/aexp",nocase; metadata:ruleset community; service:http; reference:bugtraq,2110; reference:cve,1999-0407; reference:nessus,10371; classtype:web-application-attack; sid:1018; rev:23; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS Malformed Hit-Highlighting Argument File Access Attempt"; flow:to_server,established; http_uri; content:"CiWebHitsFile=",nocase; pkt_data; pcre:"/CiWebHitsFile=\/?([^\r\n\x3b\&]*\.\.\/)?/i"; http_uri; content:"CiRestriction=none",fast_pattern,nocase; content:"ciHiliteType=Full",nocase; metadata:ruleset community; service:http; reference:bugtraq,950; reference:cve,2000-0097; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-006; reference:url,www.securityfocus.com/archive/1/43762; classtype:web-application-attack; sid:1019; rev:30; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS isc$data attempt"; flow:to_server,established; http_uri; content:".idc|3A 3A 24|data",nocase; metadata:ruleset community; service:http; reference:bugtraq,307; reference:cve,1999-0874; reference:nessus,10116; classtype:web-application-attack; sid:1020; rev:26; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS ism.dll attempt"; flow:to_server,established; http_uri; content:" .htr",nocase; pcre:"/\s{230,}\.htr/"; metadata:ruleset community; service:http; reference:bugtraq,1193; reference:cve,2000-0457; 
reference:nessus,10680; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-031; classtype:web-application-attack; sid:1021; rev:29; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS jet vba access"; flow:to_server,established; http_uri; content:"/advworks/equipment/catalog_type.asp",nocase; metadata:ruleset community; service:http; reference:bugtraq,286; reference:cve,1999-0874; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-030; classtype:web-application-activity; sid:1022; rev:22; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS msadcs.dll access"; flow:to_server,established; http_uri; content:"/msadcs.dll",nocase; metadata:ruleset community; service:http; reference:bugtraq,529; reference:cve,1999-1011; reference:nessus,10357; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-025; classtype:web-application-activity; sid:1023; rev:25; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS newdsn.exe access"; flow:to_server,established; http_uri; content:"/scripts/tools/newdsn.exe",nocase; metadata:ruleset community; service:http; reference:bugtraq,1818; reference:cve,1999-0191; reference:nessus,10360; classtype:web-application-activity; sid:1024; rev:20; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS perl access"; flow:to_server,established; http_uri; content:"/scripts/perl",nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1025; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS perl-browse newline attempt"; flow:to_server,established; http_uri; content:"|0A|.pl",nocase; metadata:ruleset community; service:http; reference:bugtraq,6833; reference:cve,2003-1365; classtype:web-application-attack; sid:1026; rev:22; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS perl-browse space attempt"; 
flow:to_server,established; http_uri; content:" .pl",nocase; metadata:ruleset community; service:http; reference:bugtraq,6833; reference:cve,2003-1365; classtype:web-application-attack; sid:1027; rev:21; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS query.asp access"; flow:to_server,established; http_uri; content:"/issamples/query.asp",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,193; reference:cve,1999-0449; classtype:web-application-activity; sid:1028; rev:22; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS scripts-browse access"; flow:to_server,established; content:"/scripts/ ",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,11032; classtype:web-application-attack; sid:1029; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS search97.vts access"; flow:to_server,established; http_uri; content:"/search97.vts"; metadata:ruleset community; service:http; reference:bugtraq,162; classtype:web-application-activity; sid:1030; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS /SiteServer/Publishing/viewcode.asp access"; flow:to_server,established; http_uri; content:"/SiteServer/Publishing/viewcode.asp",nocase; metadata:ruleset community; service:http; reference:nessus,10576; classtype:web-application-activity; sid:1031; rev:19; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS showcode access"; flow:to_server,established; http_uri; content:"/Sites/Knowledge/Membership/Inspired/ViewCode.asp",nocase; metadata:ruleset community; service:http; reference:cve,1999-0737; reference:nessus,10576; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-013; classtype:web-application-activity; sid:1032; rev:20; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS viewcode access"; flow:to_server,established; 
http_uri; content:"/Sites/Knowledge/Membership/Inspiredtutorial/ViewCode.asp",nocase; metadata:ruleset community; service:http; reference:cve,1999-0737; reference:nessus,10576; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-013; classtype:web-application-activity; sid:1033; rev:20; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS viewcode access"; flow:to_server,established; http_uri; content:"/Sites/Samples/Knowledge/Membership/Inspiredtutorial/ViewCode.asp",nocase; metadata:ruleset community; service:http; reference:cve,1999-0737; reference:nessus,10576; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-013; classtype:web-application-activity; sid:1034; rev:20; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS viewcode access"; flow:to_server,established; http_uri; content:"/Sites/Samples/Knowledge/Push/ViewCode.asp",nocase; metadata:ruleset community; service:http; reference:cve,1999-0737; reference:nessus,10576; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-013; classtype:web-application-activity; sid:1035; rev:20; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS viewcode access"; flow:to_server,established; http_uri; content:"/Sites/Samples/Knowledge/Search/ViewCode.asp",nocase; metadata:ruleset community; service:http; reference:cve,1999-0737; reference:nessus,10576; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-013; classtype:web-application-activity; sid:1036; rev:20; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS showcode.asp access"; flow:to_server,established; http_uri; content:"/showcode.asp",nocase; metadata:ruleset community; service:http; reference:bugtraq,167; reference:cve,1999-0736; reference:nessus,10007; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-013; classtype:web-application-activity; sid:1037; rev:24; ) +alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS site server config access"; flow:to_server,established; http_uri; content:"/adsamples/config/site.csc",nocase; metadata:ruleset community; service:http; reference:bugtraq,256; reference:cve,1999-1520; classtype:web-application-activity; sid:1038; rev:20; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS srch.htm access"; flow:to_server,established; http_uri; content:"/samples/isapi/srch.htm",nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1039; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS srchadm access"; flow:to_server,established; http_uri; content:"/srchadm",nocase; metadata:ruleset community; service:http; reference:nessus,11032; classtype:web-application-activity; sid:1040; rev:24; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS uploadn.asp access"; flow:to_server,established; http_uri; content:"/scripts/uploadn.asp",nocase; metadata:ruleset community; service:http; reference:bugtraq,1811; reference:cve,1999-0360; classtype:web-application-activity; sid:1041; rev:20; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS view source via translate header"; flow:to_server,established; http_header; content:"Translate|3A| F",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,14764; reference:bugtraq,1578; reference:cve,2000-0778; reference:nessus,10491; classtype:web-application-activity; sid:1042; rev:26; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS viewcode.asp access"; flow:to_server,established; http_uri; content:"/viewcode.asp",nocase; metadata:ruleset community; service:http; reference:cve,1999-0737; reference:nessus,10576; classtype:web-application-activity; sid:1043; rev:21; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS webhits 
access"; flow:to_server,established; http_uri; content:".htw"; metadata:ruleset community; service:http; reference:bugtraq,950; reference:cve,2000-0097; classtype:web-application-activity; sid:1044; rev:17; ) +alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any ( msg:"SERVER-IIS Unauthorized IP Access Attempt"; flow:to_client,established; content:"403"; content:"Forbidden|3A|"; metadata:ruleset community; service:http; classtype:web-application-attack; sid:1045; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS site/iisamples access"; flow:to_server,established; http_uri; content:"/site/iisamples",nocase; metadata:ruleset community; service:http; reference:nessus,10370; classtype:web-application-activity; sid:1046; rev:20; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Netscape Enterprise DOS"; flow:to_server,established; content:"REVLOG / ",depth 9; metadata:ruleset community; service:http; reference:bugtraq,2294; reference:cve,2001-0251; classtype:web-application-attack; sid:1047; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Netscape Enterprise directory listing attempt"; flow:to_server,established; content:"INDEX ",depth 6; metadata:ruleset community; service:http; reference:bugtraq,2285; reference:cve,2001-0250; reference:nessus,10691; classtype:web-application-attack; sid:1048; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP iPlanet GETPROPERTIES attempt"; flow:to_server,established; content:"GETPROPERTIES",depth 13; metadata:ruleset community; service:http; reference:bugtraq,2732; reference:cve,2001-0746; classtype:web-application-attack; sid:1050; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"FILE-OTHER technote main.cgi file directory traversal attempt"; flow:to_server,established; http_uri; content:"/technote/main.cgi",fast_pattern,nocase; pkt_data; 
content:"filename=",nocase; content:"../../"; metadata:ruleset community; service:http; reference:bugtraq,2156; reference:cve,2001-0075; reference:nessus,10584; classtype:web-application-attack; sid:1051; rev:23; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP technote print.cgi directory traversal attempt"; flow:to_server,established; http_uri; content:"/technote/print.cgi",fast_pattern,nocase; pkt_data; content:"board=",nocase; http_raw_uri; content:"../../"; content:"%00"; metadata:ruleset community; service:http; reference:bugtraq,2156; reference:cve,2001-0075; reference:nessus,10584; classtype:web-application-attack; sid:1052; rev:21; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ads.cgi command execution attempt"; flow:to_server,established; http_uri; content:"/ads.cgi",fast_pattern,nocase; pkt_data; content:"file=",nocase; http_raw_uri; content:"../../"; http_uri; content:"|7C|"; metadata:ruleset community; service:http; reference:bugtraq,2103; reference:cve,2001-0025; reference:nessus,11464; classtype:web-application-attack; sid:1053; rev:23; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP weblogic/tomcat .jsp view source attempt"; flow:to_server,established; http_uri; content:".jsp",nocase; pkt_data; pcre:!"/^\w+\s+[^\n\s\?]*\.jsp/ims"; metadata:ruleset community; service:http; reference:bugtraq,2527; classtype:web-application-attack; sid:1054; rev:14; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-APACHE Apache Tomcat view source attempt"; flow:to_server,established; http_uri; content:"%252ejsp"; metadata:ruleset community; service:http; reference:bugtraq,2527; reference:cve,2001-0590; classtype:web-application-attack; sid:1056; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SQL ftp attempt"; flow:to_server,established; content:"ftp.exe",fast_pattern,nocase; metadata:ruleset community; service:http; 
classtype:web-application-activity; sid:1057; rev:12; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SQL xp_enumdsn attempt"; flow:to_server,established; content:"xp_enumdsn",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-attack; sid:1058; rev:12; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SQL xp_filelist attempt"; flow:to_server,established; content:"xp_filelist",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-attack; sid:1059; rev:12; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SQL xp_availablemedia attempt"; flow:to_server,established; content:"xp_availablemedia",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-attack; sid:1060; rev:12; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SQL xp_cmdshell attempt"; flow:to_server,established; content:"xp_cmdshell",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,5309; classtype:web-application-attack; sid:1061; rev:13; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP nc.exe attempt"; flow:to_server,established; content:"nc.exe",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1062; rev:13; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP wsh attempt"; flow:to_server,established; content:"wsh.exe",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1064; rev:13; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP rcmd attempt"; flow:to_server,established; http_uri; content:"rcmd.exe",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1065; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP telnet 
attempt"; flow:to_server,established; content:"telnet.exe",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1066; rev:13; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP net attempt"; flow:to_server,established; content:"net.exe",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1067; rev:13; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP tftp attempt"; flow:to_server,established; content:"tftp.exe",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1068; rev:13; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SQL xp_regread attempt"; flow:to_server,established; content:"xp_regread",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1069; rev:12; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP WebDAV search access"; flow:to_server,established; content:"SEARCH ",depth 8,nocase; metadata:ruleset community; service:http; reference:bugtraq,1756; reference:cve,2000-0951; classtype:web-application-activity; sid:1070; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP .htpasswd access attempt"; flow:to_server,established; http_uri; content:".htpasswd",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:web-application-attack; sid:1071; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Lotus Domino directory traversal"; flow:to_server,established; http_uri; content:".nsf/"; content:"../",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2173; reference:cve,2001-0009; reference:nessus,12248; classtype:web-application-attack; sid:1072; rev:19; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS ( msg:"SERVER-WEBAPP webhits.exe access"; flow:to_server,established; http_uri; content:"/scripts/samples/search/webhits.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,950; reference:cve,2000-0097; classtype:web-application-activity; sid:1073; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS postinfo.asp access"; flow:to_server,established; http_uri; content:"/scripts/postinfo.asp",nocase; metadata:ruleset community; service:http; reference:bugtraq,1811; reference:cve,1999-0360; classtype:web-application-activity; sid:1075; rev:21; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS repost.asp access"; flow:to_server,established; http_uri; content:"/scripts/repost.asp",nocase; metadata:ruleset community; service:http; reference:nessus,10372; classtype:web-application-activity; sid:1076; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SQL queryhit.htm access"; flow:to_server,established; http_uri; content:"/samples/search/queryhit.htm",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,10370; classtype:web-application-activity; sid:1077; rev:19; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SQL counter.exe access"; flow:to_server,established; http_uri; content:"/counter.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,267; reference:cve,1999-1030; classtype:web-application-activity; sid:1078; rev:19; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"OS-WINDOWS Microsoft Windows WebDAV propfind access"; flow:to_server,established; content:"propfind",nocase; pcre:"/ $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP unify eWave ServletExec upload"; flow:to_server,established; http_uri; content:"/servlet/com.unify.servletexec.UploadServlet",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1868; 
reference:bugtraq,1876; reference:cve,2000-1024; reference:cve,2000-1025; reference:nessus,10570; classtype:web-application-attack; sid:1080; rev:23; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Netscape Servers suite DOS"; flow:to_server,established; http_uri; content:"/dsgw/bin/search?context=",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1868; reference:cve,2000-1025; classtype:web-application-attack; sid:1081; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP amazon 1-click cookie theft"; flow:to_server,established; content:"ref%3Cscript%20language%3D%22Javascript",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1194; reference:cve,2000-0439; classtype:web-application-attack; sid:1082; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP unify eWave ServletExec DOS"; flow:to_server,established; http_uri; content:"/servlet/ServletExec",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1868; reference:cve,2000-1025; classtype:web-application-activity; sid:1083; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Allaire JRUN DOS attempt"; flow:to_server,established; http_uri; content:"servlet/.......",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2337; reference:cve,2000-1049; classtype:web-application-attack; sid:1084; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP strings overflow"; flow:to_server,established; content:"|BA|I|FE FF FF F7 D2 B9 BF FF FF FF F7 D1|"; metadata:ruleset community; service:http; reference:bugtraq,802; classtype:web-application-attack; sid:1085; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP strings overflow"; flow:to_server,established; http_uri; 
content:"?STRENGUR",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1786; reference:cve,2000-0967; classtype:web-application-attack; sid:1086; rev:25; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP eXtropia webstore directory traversal"; flow:to_server,established; http_uri; content:"/web_store.cgi"; pkt_data; content:"page=../"; metadata:ruleset community; service:http; reference:bugtraq,1774; reference:cve,2000-1005; reference:nessus,10532; classtype:web-application-attack; sid:1088; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP shopping cart directory traversal"; flow:to_server,established; http_uri; content:"/shop.cgi"; pkt_data; content:"page=../"; metadata:ruleset community; service:http; reference:bugtraq,1777; reference:cve,2000-0921; classtype:web-application-attack; sid:1089; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Allaire Pro Web Shell attempt"; flow:to_server,established; http_uri; content:"/authenticate.cgi?PASSWORD",fast_pattern,nocase; pkt_data; content:"config.ini"; metadata:ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1100; classtype:web-application-attack; sid:1090; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ICQ Webfront HTTP DOS"; flow:to_server,established; http_uri; content:"??????????",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1463; reference:cve,2000-1078; classtype:web-application-attack; sid:1091; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Armada Style Master Index directory traversal"; flow:to_server,established; http_uri; content:"/search.cgi?",nocase; content:"keys",distance 0,nocase; pkt_data; content:"catigory=../",nocase; metadata:ruleset community; service:http; reference:bugtraq,1772; reference:cve,2000-0924; 
reference:nessus,10562; reference:url,www.synnergy.net/downloads/advisories/SLA-2000-16.masterindex.txt; classtype:web-application-attack; sid:1092; rev:21; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP cached_feed.cgi moreover shopping cart directory traversal"; flow:to_server,established; http_uri; content:"/cached_feed.cgi"; http_raw_uri; content:"../"; metadata:ruleset community; service:http; reference:bugtraq,1762; reference:cve,2000-0906; classtype:web-application-attack; sid:1093; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Talentsoft Web+ Source Code view access"; flow:to_server,established; http_uri; content:"/webplus.exe?",nocase; content:"script=test.wml",distance 0,nocase; metadata:ruleset community; service:http; reference:bugtraq,1722; reference:url,archives.neohapsis.com/archives/ntbugtraq/2000-q3/0168.html; classtype:web-application-attack; sid:1095; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Talentsoft Web+ internal IP Address access"; flow:to_server,established; http_uri; content:"/webplus.exe?",nocase; content:"about",distance 0,nocase; metadata:ruleset community; service:http; reference:bugtraq,1720; reference:url,archives.neohapsis.com/archives/ntbugtraq/2000-q3/0168.html; classtype:web-application-activity; sid:1096; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Talentsoft Web+ exploit attempt"; flow:to_server,established; http_uri; content:"/webplus.cgi?",nocase; content:"Script=/webplus/webping/webping.wml",distance 0,nocase; metadata:ruleset community; service:http; reference:bugtraq,1725; classtype:web-application-attack; sid:1097; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP SmartWin CyberOffice Shopping Cart access"; flow:to_server,established; http_uri; content:"_private/shopping_cart.mdb",fast_pattern,nocase; metadata:ruleset 
community; service:http; reference:bugtraq,1734; reference:cve,2000-0925; classtype:web-application-attack; sid:1098; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP cybercop scan"; flow:to_server,established; http_uri; content:"/cybercop",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1099; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"INDICATOR-SCAN L3retriever HTTP Probe"; flow:to_server,established; http_header; content:"User-Agent|3A| Java1.2.1|0D 0A|"; metadata:ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:web-application-activity; sid:1100; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"INDICATOR-SCAN Webtrends HTTP probe"; flow:to_server,established; http_header; content:"User-Agent|3A| Webtrends Security Analyzer|0D 0A|"; metadata:ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:web-application-activity; sid:1101; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP nessus 1.X 404 probe"; flow:to_server,established; http_uri; content:"/nessus_is_probing_you_",depth 32; metadata:ruleset community; service:http; classtype:web-application-attack; sid:1102; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Netscape admin passwd"; flow:to_server,established; http_uri; content:"/admin-serv/config/admpw",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1579; reference:nessus,10468; classtype:web-application-attack; sid:1103; rev:19; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP BigBrother 
access"; flow:to_server,established; http_uri; content:"/bb-hostsvc.sh?",nocase; content:"HOSTSVC",distance 0,nocase; metadata:ruleset community; service:http; reference:bugtraq,1455; reference:cve,2000-0638; reference:nessus,10460; classtype:attempted-recon; sid:1105; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Poll-it access"; flow:to_server,established; http_uri; content:"/pollit/Poll_It_SSI_v2.0.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1431; reference:cve,2000-0590; reference:nessus,10459; classtype:web-application-activity; sid:1106; rev:23; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ftp.pl access"; flow:to_server,established; http_uri; content:"/ftp.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1471; reference:cve,2000-0674; reference:nessus,10467; classtype:web-application-activity; sid:1107; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-APACHE Apache Tomcat server snoop access"; flow:to_server,established; http_uri; content:"/jsp/snp/"; content:".snp"; metadata:ruleset community; service:http; reference:bugtraq,1532; reference:cve,2000-0760; reference:nessus,10478; classtype:attempted-recon; sid:1108; rev:19; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ROXEN directory list attempt"; flow:to_server,established; http_uri; content:"/%00"; metadata:ruleset community; service:http; reference:bugtraq,1510; reference:cve,2000-0671; reference:nessus,10479; classtype:attempted-recon; sid:1109; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP apache source.asp file access"; flow:to_server,established; http_uri; content:"/site/eg/source.asp",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1457; reference:cve,2000-0628; reference:nessus,10480; 
classtype:attempted-recon; sid:1110; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-APACHE Apache Tomcat server exploit access"; flow:to_server,established; http_uri; content:"/contextAdmin/contextAdmin.html",nocase; metadata:ruleset community; service:http; reference:bugtraq,1548; reference:cve,2000-0672; reference:nessus,10477; classtype:attempted-recon; sid:1111; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ICQ webserver DOS"; flow:to_server,established; http_uri; content:".html/......",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-0474; reference:url,www.securiteam.com/exploits/2ZUQ1QAQOG.html; classtype:attempted-dos; sid:1115; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Lotus DelDoc attempt"; flow:to_server,established; http_uri; content:"?DeleteDocument",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:1116; rev:14; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Lotus EditDoc attempt"; flow:to_server,established; http_uri; content:"?EditDocument",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,www.securiteam.com/exploits/5NP080A1RE.html; classtype:attempted-recon; sid:1117; rev:14; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ls 20-l"; flow:to_server,established; content:"ls%20-l",nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:1118; rev:12; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP mlog.phtml access"; flow:to_server,established; http_uri; content:"/mlog.phtml",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,713; reference:cve,1999-0068; reference:cve,1999-0346; classtype:attempted-recon; sid:1119; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS ( msg:"SERVER-WEBAPP mylog.phtml access"; flow:to_server,established; http_uri; content:"/mylog.phtml",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,713; reference:cve,1999-0068; reference:cve,1999-0346; classtype:attempted-recon; sid:1120; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP /etc/passwd file access attempt"; flow:to_server,established; http_uri; content:"/etc/passwd",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1087; classtype:attempted-recon; sid:1122; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ?PageServices access"; flow:to_server,established; http_uri; content:"?PageServices",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1063; reference:bugtraq,7621; reference:cve,1999-0269; classtype:attempted-recon; sid:1123; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Ecommerce check.txt access"; flow:to_server,established; http_uri; content:"/config/check.txt",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:1124; rev:13; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP webcart access"; flow:to_server,established; http_uri; content:"/webcart/",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-0610; reference:nessus,10298; classtype:attempted-recon; sid:1125; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP AuthChangeUrl access"; flow:to_server,established; http_uri; content:"_AuthChangeUrl?",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2110; reference:cve,1999-0407; classtype:attempted-recon; sid:1126; rev:19; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( 
msg:"SERVER-WEBAPP convert.bas access"; flow:to_server,established; http_uri; content:"/scripts/convert.bas",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2025; reference:cve,1999-0175; classtype:attempted-recon; sid:1127; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP cpshost.dll access"; flow:to_server,established; http_uri; content:"/scripts/cpshost.dll",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1811; reference:bugtraq,4002; reference:cve,1999-0360; classtype:attempted-recon; sid:1128; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP .htaccess access"; flow:to_server,established; http_uri; content:".htaccess",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1170; classtype:attempted-recon; sid:1129; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP .wwwacl access"; flow:to_server,established; http_uri; content:".wwwacl",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:attempted-recon; sid:1130; rev:14; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP .wwwacl access"; flow:to_server,established; http_uri; content:".www_acl",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:attempted-recon; sid:1131; rev:14; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 457 ( msg:"SERVER-WEBAPP Netscape Unixware overflow"; flow:to_server,established; content:"|EB|_|9A FF FF FF FF 07 FF C3|^1|C0 89|F|9D|"; metadata:ruleset community; reference:bugtraq,908; reference:cve,1999-0744; classtype:attempted-recon; sid:1132; rev:14; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"INDICATOR-SCAN cybercop os probe"; flow:stateless; ack:0; flags:FPS; 
content:"AAAAAAAAAAAAAAAA",depth 16; metadata:ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:1133; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Phorum admin access"; flow:to_server,established; http_uri; content:"/admin.php3",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2271; reference:cve,2000-1228; classtype:attempted-recon; sid:1134; rev:21; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP cd.."; flow:to_server,established; content:"cd..",nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:1136; rev:11; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Phorum authentication access"; flow:to_server,established; content:"PHP_AUTH_USER=boogieman",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2274; reference:cve,2000-1230; classtype:attempted-recon; sid:1137; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP whisker HEAD/./"; flow:to_server,established; content:"HEAD/./"; metadata:ruleset community; service:http; reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; classtype:attempted-recon; sid:1139; rev:13; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP guestbook.pl access"; flow:to_server,established; http_uri; content:"/guestbook.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,776; reference:cve,1999-0237; reference:cve,1999-1053; reference:nessus,10099; classtype:attempted-recon; sid:1140; rev:20; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP handler access"; flow:to_server,established; http_uri; content:"/handler",fast_pattern,nocase; 
metadata:ruleset community; service:http; reference:bugtraq,380; reference:cve,1999-0148; reference:nessus,10100; classtype:web-application-activity; sid:1141; rev:19; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP /.... access"; flow:to_server,established; content:"/...."; metadata:ruleset community; service:http; classtype:attempted-recon; sid:1142; rev:11; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP root access"; flow:to_server,established; http_uri; content:"/~root",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:attempted-recon; sid:1145; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Ecommerce import.txt access"; flow:to_server,established; http_uri; content:"/config/import.txt",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:1146; rev:13; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP cat_ access"; flow:to_server,established; http_uri; content:"cat ",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,374; reference:cve,1999-0039; classtype:attempted-recon; sid:1147; rev:21; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Ecommerce import.txt access"; flow:to_server,established; http_uri; content:"/orders/import.txt",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:1148; rev:13; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP count.cgi access"; flow:to_server,established; http_uri; content:"/count.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,128; reference:cve,1999-0021; reference:nessus,10049; classtype:web-application-activity; sid:1149; rev:24; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( 
msg:"SERVER-WEBAPP Domino catalog.nsf access"; flow:to_server,established; http_uri; content:"/catalog.nsf",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,10629; classtype:attempted-recon; sid:1150; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Domino domcfg.nsf access"; flow:to_server,established; http_uri; content:"/domcfg.nsf",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,10629; classtype:attempted-recon; sid:1151; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Domino domlog.nsf access"; flow:to_server,established; http_uri; content:"/domlog.nsf",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,10629; classtype:attempted-recon; sid:1152; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Domino log.nsf access"; flow:to_server,established; http_uri; content:"/log.nsf",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,10629; classtype:attempted-recon; sid:1153; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Domino names.nsf access"; flow:to_server,established; http_uri; content:"/names.nsf",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,10629; classtype:attempted-recon; sid:1154; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Ecommerce checks.txt access"; flow:to_server,established; http_uri; content:"/orders/checks.txt",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2281; classtype:attempted-recon; sid:1155; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP apache directory disclosure attempt"; flow:to_server,established; content:"////////",fast_pattern,nocase; http_raw_uri; content:"////////"; metadata:ruleset community; 
service:http; reference:bugtraq,2503; reference:cve,2001-0925; classtype:attempted-dos; sid:1156; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Netscape PublishingXpert access"; flow:to_server,established; http_uri; content:"/PSUser/PSCOErrPage.htm",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,2000-1196; reference:nessus,10364; classtype:web-application-activity; sid:1157; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP windmail.exe access"; flow:to_server,established; http_uri; content:"/windmail.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1073; reference:cve,2000-0242; reference:nessus,10365; classtype:attempted-recon; sid:1158; rev:19; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP webplus access"; flow:to_server,established; http_uri; content:"/webplus?script",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1174; reference:bugtraq,1720; reference:bugtraq,1722; reference:bugtraq,1725; reference:cve,2000-1005; classtype:attempted-recon; sid:1159; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Netscape dir index wp"; flow:to_server,established; http_uri; content:"?wp-",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1063; reference:cve,2000-0236; reference:nessus,10352; classtype:attempted-recon; sid:1160; rev:22; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP piranha passwd.php3 access"; flow:to_server,established; http_uri; content:"/passwd.php3"; metadata:ruleset community; service:http; reference:bugtraq,1149; reference:cve,2000-0322; classtype:attempted-recon; sid:1161; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP cart 32 AdminPwd access"; 
flow:to_server,established; http_uri; content:"/c32web.exe/ChangeAdminPassword",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1153; reference:cve,2000-0429; classtype:attempted-recon; sid:1162; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP webdist.cgi access"; flow:to_server,established; http_uri; content:"/webdist.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,374; reference:cve,1999-0039; reference:nessus,10299; classtype:web-application-activity; sid:1163; rev:19; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP shopping cart access"; flow:to_server,established; http_uri; content:"/quikstore.cfg",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1983; reference:bugtraq,2049; reference:cve,1999-0607; reference:cve,2000-1188; classtype:attempted-recon; sid:1164; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Novell Groupwise gwweb.exe access"; flow:to_server,established; content:"/GWWEB.EXE",nocase; metadata:ruleset community; service:http; reference:bugtraq,879; reference:cve,1999-1005; reference:cve,1999-1006; reference:nessus,10877; classtype:attempted-recon; sid:1165; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ws_ftp.ini access"; flow:to_server,established; http_uri; content:"/ws_ftp.ini",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,547; reference:cve,1999-1078; classtype:attempted-recon; sid:1166; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP rpm_query access"; flow:to_server,established; http_uri; content:"/rpm_query",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1036; reference:cve,2000-0192; reference:nessus,10340; classtype:attempted-recon; sid:1167; 
rev:17; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP mall log order access"; flow:to_server,established; http_uri; content:"/mall_log_files/order.log",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2266; reference:cve,1999-0606; classtype:attempted-recon; sid:1168; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP bigconf.cgi access"; flow:to_server,established; http_uri; content:"/bigconf.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,778; reference:cve,1999-1550; reference:nessus,10027; classtype:web-application-activity; sid:1172; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP architext_query.pl access"; flow:to_server,established; http_uri; content:"/ews/architext_query.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2248; reference:cve,1999-0279; reference:nessus,10064; reference:url,www2.fedcirc.gov/alerts/advisories/1998/txt/fedcirc.98.03.txt; classtype:attempted-recon; sid:1173; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP /cgi-bin/jj access"; flow:to_server,established; http_uri; content:"/cgi-bin/jj",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2002; reference:cve,1999-0260; reference:nessus,10131; classtype:web-application-activity; sid:1174; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP wwwboard.pl access"; flow:to_server,established; http_uri; content:"/wwwboard.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1795; reference:bugtraq,649; reference:cve,1999-0930; reference:cve,1999-0954; classtype:attempted-recon; sid:1175; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; 
flow:to_server,established; http_uri; content:"?wp-verify-link",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1177; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Phorum read access"; flow:to_server,established; http_uri; content:"/read.php3",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:1178; rev:19; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Phorum violation access"; flow:to_server,established; http_uri; content:"/violation.php3",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2272; reference:cve,2000-1234; classtype:attempted-recon; sid:1179; rev:21; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP get32.exe access"; flow:to_server,established; http_uri; content:"/get32.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1485; reference:bugtraq,770; reference:cve,1999-0885; reference:nessus,10011; classtype:attempted-recon; sid:1180; rev:24; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Annex Terminal DOS attempt"; flow:to_server,established; http_uri; content:"/ping?query="; metadata:ruleset community; service:http; reference:cve,1999-1070; reference:nessus,10017; classtype:attempted-dos; sid:1181; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; http_uri; content:"?wp-cs-dump",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1063; reference:cve,2000-0236; reference:nessus,10352; classtype:attempted-recon; sid:1183; rev:19; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Netscape 
Enterprise Server directory view"; flow:to_server,established; http_uri; content:"?wp-ver-info",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1184; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP bizdbsearch attempt"; flow:to_server,established; http_uri; content:"/bizdb1-search.cgi",fast_pattern,nocase; content:"mail",nocase; metadata:ruleset community; service:http; reference:bugtraq,1104; reference:cve,2000-0287; reference:nessus,10383; classtype:web-application-attack; sid:1185; rev:23; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; http_uri; content:"?wp-ver-diff",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1186; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP SalesLogix Eviewer web command attempt"; flow:to_server,established; http_uri; content:"/slxweb.dll/admin?command=",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1078; reference:bugtraq,1089; reference:cve,2000-0278; reference:cve,2000-0289; reference:nessus,10361; classtype:web-application-attack; sid:1187; rev:21; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; http_uri; content:"?wp-start-ver",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1188; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; http_uri; 
content:"?wp-stop-ver",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1189; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; http_uri; content:"?wp-uncheckout",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1190; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; http_uri; content:"?wp-html-rend",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1191; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Trend Micro OfficeScan access"; flow:to_server,established; http_uri; content:"/officescan/cgi/jdkRqNotify.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1057; classtype:attempted-recon; sid:1192; rev:14; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP oracle web arbitrary command execution attempt"; flow:to_server,established; http_uri; content:"/ows-bin/",nocase; content:"?&"; metadata:ruleset community; service:http; reference:bugtraq,1053; reference:cve,2000-0169; reference:nessus,10348; classtype:web-application-attack; sid:1193; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP sojourn.cgi File attempt"; flow:to_server,established; http_uri; content:"/sojourn.cgi?",nocase; content:"cat=",distance 0,nocase; pkt_data; content:"%00",nocase; metadata:ruleset community; service:http; reference:bugtraq,1052; reference:cve,2000-0180; 
reference:nessus,10349; classtype:web-application-attack; sid:1194; rev:21; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP sojourn.cgi access"; flow:to_server,established; http_uri; content:"/sojourn.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1052; reference:cve,2000-0180; reference:nessus,10349; classtype:web-application-activity; sid:1195; rev:22; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP SGI InfoSearch fname attempt"; flow:to_server,established; http_uri; content:"/infosrch.cgi?",fast_pattern,nocase; content:"fname=",nocase; metadata:ruleset community; service:http; reference:bugtraq,1031; reference:cve,2000-0207; reference:nessus,10128; classtype:web-application-attack; sid:1196; rev:23; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Phorum code access"; flow:to_server,established; http_uri; content:"/code.php3",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:1197; rev:19; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; http_uri; content:"?wp-usr-prop",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:web-application-attack; sid:1198; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 2301 ( msg:"SERVER-WEBAPP Compaq Insight directory traversal"; flow:to_server,established; content:"../"; metadata:ruleset community; service:http; reference:bugtraq,282; reference:cve,1999-0771; classtype:web-application-attack; sid:1199; rev:18; ) +alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE Invalid URL"; flow:to_client,established; file_data; content:"Invalid URL",nocase; metadata:ruleset community; service:http; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-063; classtype:attempted-recon; sid:1200; rev:17; ) +alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE 403 Forbidden"; flow:to_client,established; http_stat_code; content:"403"; metadata:ruleset community; service:http; classtype:attempted-recon; sid:1201; rev:13; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP search.vts access"; flow:to_server,established; http_uri; content:"/search.vts"; metadata:ruleset community; service:http; reference:bugtraq,162; classtype:attempted-recon; sid:1202; rev:14; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ax-admin.cgi access"; flow:to_server,established; http_uri; content:"/ax-admin.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1204; rev:14; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP axs.cgi access"; flow:to_server,established; http_uri; content:"/axs.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1205; rev:14; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP cachemgr.cgi access"; flow:to_server,established; http_uri; content:"/cachemgr.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2059; reference:cve,1999-0710; reference:nessus,10034; classtype:web-application-activity; sid:1206; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP htgrep access"; flow:to_server,established; http_uri; content:"/htgrep"; metadata:ruleset community; service:http; reference:cve,2000-0832; reference:nessus,10495; classtype:web-application-activity; sid:1207; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP responder.cgi access"; flow:to_server,established; http_uri; 
content:"/responder.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3155; classtype:web-application-activity; sid:1208; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP .nsconfig access"; flow:to_server,established; http_uri; content:"/.nsconfig"; metadata:ruleset community; service:http; classtype:attempted-recon; sid:1209; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP web-map.cgi access"; flow:to_server,established; http_uri; content:"/web-map.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1211; rev:14; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Admin_files access"; flow:to_server,established; http_uri; content:"/admin_files",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:1212; rev:13; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP backup access"; flow:to_server,established; http_uri; content:"/backup",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:1213; rev:13; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP intranet access"; flow:to_server,established; http_uri; content:"/intranet/",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,11626; classtype:attempted-recon; sid:1214; rev:14; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ministats admin access"; flow:to_server,established; http_uri; content:"/ministats/admin.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1215; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP filemail access"; flow:to_server,established; http_uri; content:"/filemail",fast_pattern,nocase; 
metadata:ruleset community; service:http; reference:cve,1999-1154; reference:cve,1999-1155; reference:url,www.securityfocus.com/archive/1/11175; classtype:attempted-recon; sid:1216; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP plusmail access"; flow:to_server,established; http_uri; content:"/plusmail",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2653; reference:cve,2000-0074; reference:nessus,10181; classtype:attempted-recon; sid:1217; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP adminlogin access"; flow:to_server,established; http_uri; content:"/adminlogin",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1164; reference:bugtraq,1175; reference:cve,2000-0332; reference:cve,2000-0426; reference:nessus,11748; classtype:attempted-recon; sid:1218; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP dfire.cgi access"; flow:to_server,established; http_uri; content:"/dfire.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,564; reference:cve,1999-0913; classtype:web-application-activity; sid:1219; rev:23; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ultraboard access"; flow:to_server,established; http_uri; content:"/ultraboard",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1164; reference:bugtraq,1175; reference:cve,2000-0332; reference:cve,2000-0426; reference:nessus,11748; classtype:attempted-recon; sid:1220; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Muscat Empower cgi access"; flow:to_server,established; http_uri; content:"/empower?DB",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2374; reference:cve,2001-0224; reference:nessus,10609; classtype:web-application-activity; sid:1221; rev:19; ) 
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP pals-cgi arbitrary file access attempt"; flow:to_server,established; http_uri; content:"/pals-cgi",fast_pattern,nocase; content:"documentName="; metadata:ruleset community; service:http; reference:bugtraq,2372; reference:cve,2001-0217; reference:nessus,10611; classtype:web-application-attack; sid:1222; rev:20; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ROADS search.pl attempt"; flow:to_server,established; http_uri; content:"/ROADS/cgi-bin/search.pl"; pkt_data; content:"form=",nocase; metadata:ruleset community; service:http; reference:bugtraq,2371; reference:cve,2001-0215; reference:nessus,10627; classtype:attempted-recon; sid:1224; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 ( msg:"X11 MIT Magic Cookie detected"; flow:established; content:"MIT-MAGIC-COOKIE-1",fast_pattern,nocase; metadata:ruleset community; classtype:attempted-user; sid:1225; rev:12; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 ( msg:"X11 xopen"; flow:established; content:"l|00 0B 00 00 00 00 00 00 00 00 00|",fast_pattern,fast_pattern_offset 0,fast_pattern_length 10; metadata:policy max-detect-ips drop,ruleset community; classtype:unknown; sid:1226; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP CWD ..."; flow:to_server,established; content:"CWD",nocase; content:"...",distance 0; pcre:"/^CWD\s[^\n]*?\.\.\./ims"; metadata:ruleset community; service:ftp; reference:bugtraq,9237; classtype:bad-unknown; sid:1229; rev:13; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP VirusWall FtpSave access"; flow:to_server,established; http_uri; content:"/FtpSave.dll",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10733; classtype:attempted-recon; sid:1230; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP 
VirusWall catinfo access"; flow:to_server,established; http_uri; content:"/catinfo",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2579; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10650; classtype:attempted-recon; sid:1231; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 1812 ( msg:"SERVER-WEBAPP VirusWall catinfo access"; flow:to_server,established; content:"/catinfo",nocase; metadata:ruleset community; service:http; reference:bugtraq,2579; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10650; classtype:attempted-recon; sid:1232; rev:14; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP VirusWall FtpSaveCSP access"; flow:to_server,established; http_uri; content:"/FtpSaveCSP.dll",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10733; classtype:attempted-recon; sid:1234; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP VirusWall FtpSaveCVP access"; flow:to_server,established; http_uri; content:"/FtpSaveCVP.dll",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10733; classtype:attempted-recon; sid:1235; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"OS-WINDOWS RFParalyze Attempt"; flow:to_server,established; content:"BEAVIS"; content:"yep yep"; metadata:ruleset community; reference:bugtraq,1163; reference:cve,2000-0347; reference:nessus,10392; classtype:attempted-recon; sid:1239; rev:14; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 2224 ( msg:"SERVER-OTHER MDBMS overflow"; flow:to_server,established; content:"|01|1|DB CD 80 E8|[|FF FF FF|",fast_pattern,nocase; metadata:ruleset community; reference:bugtraq,1252; reference:cve,2000-0446; reference:nessus,10422; classtype:attempted-admin; sid:1240; rev:10; ) +alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP SWEditServlet directory traversal attempt"; flow:to_server,established; http_uri; content:"/SWEditServlet"; pkt_data; content:"template=../../../"; metadata:ruleset community; service:http; reference:bugtraq,2868; reference:cve,2001-0555; classtype:attempted-user; sid:1241; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS ISAPI .ida access"; flow:to_server,established; http_uri; content:".ida",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:1242; rev:24; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS ISAPI .ida attempt"; flow:to_server,established; http_uri; content:".ida?",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1065; reference:cve,2000-0071; reference:cve,2001-0500; classtype:web-application-attack; sid:1243; rev:26; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS ISAPI .idq attempt"; flow:to_server,established; http_uri; content:".idq?",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1065; reference:bugtraq,968; reference:cve,2000-0071; reference:cve,2000-0126; reference:cve,2001-0500; reference:nessus,10115; classtype:web-application-attack; sid:1244; rev:29; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS ISAPI .idq access"; flow:to_server,established; http_uri; content:".idq",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:1245; rev:24; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage rad fp30reg.dll access"; flow:to_server,established; http_uri; content:"/fp30reg.dll",nocase; metadata:policy 
max-detect-ips drop,ruleset community; service:http; reference:bugtraq,2906; reference:cve,2001-0341; reference:cve,2003-0822; reference:nessus,10699; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-035; classtype:web-application-activity; sid:1248; rev:31; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage rad fp4areg.dll access"; flow:to_server,established; http_uri; content:"/fp4areg.dll",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,2906; reference:cve,2001-0341; reference:nessus,10699; classtype:web-application-activity; sid:1249; rev:25; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"OS-OTHER Cisco IOS HTTP configuration attempt"; flow:to_server,established; http_uri; content:"/level/"; pcre:"/\x2flevel\x2f\d+\x2f(exec|configure)/i"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,2936; reference:cve,2001-0537; reference:nessus,10700; classtype:web-application-attack; sid:1250; rev:22; ) +alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any ( msg:"PROTOCOL-TELNET bsd telnet exploit response"; flow:to_client,established; raw_data; content:"|0D 0A|[Yes]|0D 0A FF FE 08 FF FD|&",fast_pattern,nocase; metadata:ruleset community; service:telnet; reference:bugtraq,3064; reference:cve,2001-0554; reference:nessus,10709; classtype:attempted-admin; sid:1252; rev:25; ) +alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"PROTOCOL-TELNET bsd exploit client finishing"; flow:to_server,established; isdataat:200; raw_data; content:"|FF F6 FF F6 FF FB 08 FF F6|",depth 50,offset 200; metadata:ruleset community; service:telnet; reference:bugtraq,3064; reference:cve,2001-0554; reference:nessus,10709; classtype:successful-admin; sid:1253; rev:24; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP PHPLIB remote command attempt"; flow:to_server,established; 
content:"_PHPLIB[libdir]",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3079; reference:cve,2001-1370; reference:nessus,14910; classtype:attempted-user; sid:1254; rev:16; ) +alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP PHPLIB remote command attempt"; flow:to_server,established; http_uri; content:"/db_mysql.inc"; metadata:ruleset community; service:http; reference:bugtraq,3079; reference:cve,2001-1370; classtype:attempted-user; sid:1255; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS CodeRed v2 root.exe access"; flow:to_server,established; http_uri; content:"/root.exe",nocase; metadata:ruleset community; service:http; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:20; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 135:139 ( msg:"SERVER-OTHER Winnuke attack"; flow:stateless; flags:U+; metadata:ruleset community; reference:bugtraq,2010; reference:cve,1999-0153; classtype:attempted-dos; sid:1257; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP SWEditServlet access"; flow:to_server,established; http_uri; content:"/SWEditServlet"; metadata:ruleset community; service:http; reference:bugtraq,2868; classtype:attempted-recon; sid:1259; rev:14; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 4242 ( msg:"SERVER-OTHER AIX pdnsd overflow"; flow:to_server,established; isdataat:1000; content:"|7F FF FB|x|7F FF FB|x|7F FF FB|x|7F FF FB|x"; content:"@|8A FF C8|@|82 FF D8 3B|6|FE 03 3B|v|FE 02|"; metadata:ruleset community; reference:bugtraq,3237; reference:bugtraq,590; reference:cve,1999-0745; classtype:attempted-user; sid:1261; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap admind request TCP"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; 
byte_jump:4,4,relative,align; content:"|00 01 86 F7|",within 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:1262; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap amountd request TCP"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|",within 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; service:sunrpc; reference:bugtraq,205; reference:bugtraq,235; reference:bugtraq,450; reference:bugtraq,614; reference:cve,1999-0088; reference:cve,1999-0210; reference:cve,1999-0493; reference:cve,1999-0704; classtype:rpc-portmap-decode; sid:1263; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap bootparam request TCP"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|",within 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:1264; rev:21; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap cmsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|",within 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:1265; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap nisd request TCP"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 
01 87 CC|",within 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:1267; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap pcnfsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02|I|F1|",within 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; service:sunrpc; reference:bugtraq,205; reference:bugtraq,4816; reference:cve,1999-0078; reference:cve,1999-0353; reference:cve,2002-0910; classtype:rpc-portmap-decode; sid:1268; rev:19; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap rexd request TCP"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|",within 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:1269; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap rstatd request TCP"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|",within 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:1270; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap rusers request TCP"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|",within 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; service:sunrpc; 
reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:1271; rev:21; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap sadmind request TCP"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|",within 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:1272; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap selection_svc request TCP"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|",within 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; service:sunrpc; reference:bugtraq,205; reference:cve,1999-0209; classtype:rpc-portmap-decode; sid:1273; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap ttdbserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|",within 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; service:sunrpc; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1274; rev:26; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap yppasswd request TCP"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|",within 4; content:"|00 00 00 00|",depth 
4,offset 8; metadata:ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:1275; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap ypserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|",within 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; service:sunrpc; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:1276; rev:21; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap ypupdated request UDP"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:sunrpc; reference:bugtraq,1749; reference:bugtraq,28383; reference:cve,1999-0208; classtype:rpc-portmap-decode; sid:1277; rev:23; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap snmpXdmi request UDP"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; reference:bugtraq,2417; reference:cve,2001-0236; reference:nessus,10659; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1279; rev:28; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap listing UDP 111"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 04|",within 
4,distance 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:1280; rev:18; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 32771 ( msg:"PROTOCOL-RPC portmap listing UDP 32771"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 04|",within 4,distance 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; classtype:rpc-portmap-decode; sid:1281; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS Microsoft Office Outlook web dos"; flow:to_server,established; http_uri; content:"/exchange/LogonFrm.asp?",fast_pattern,nocase; pkt_data; content:"mailbox=",nocase; content:"%%%"; metadata:ruleset community; service:http; reference:bugtraq,3223; classtype:web-application-attack; sid:1283; rev:21; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"SERVER-OTHER readme.eml download attempt"; flow:to_server,established; http_uri; content:"/readme.eml",nocase; metadata:ruleset community; service:http; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:attempted-user; sid:1284; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS msdac access"; flow:to_server,established; http_uri; content:"/msdac/",nocase; metadata:ruleset community; service:http; reference:nessus,11032; classtype:web-application-activity; sid:1285; rev:20; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS _mem_bin access"; flow:to_server,established; http_uri; content:"/_mem_bin/",nocase; metadata:ruleset community; service:http; reference:nessus,11032; classtype:web-application-activity; sid:1286; rev:20; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage /_vti_bin/ access"; flow:to_server,established; http_uri; content:"/_vti_bin/",fast_pattern,nocase; metadata:policy 
max-detect-ips drop,ruleset community; service:http; reference:nessus,11032; classtype:web-application-activity; sid:1288; rev:18; ) +alert udp any any -> any 69 ( msg:"PROTOCOL-TFTP GET Admin.dll"; flow:to_server; content:"|00 01|",depth 2; content:"admin.dll",offset 2,nocase; metadata:policy max-detect-ips drop,ruleset community; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:successful-admin; sid:1289; rev:11; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER readme.eml autoload attempt"; flow:to_client,established; file_data; content:"window.open|28 22|readme.eml|22|",nocase; metadata:ruleset community; service:http; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:attempted-user; sid:1290; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP sml3com access"; flow:to_server,established; http_uri; content:"/graphics/sml3com"; metadata:ruleset community; service:http; reference:bugtraq,2721; reference:cve,2001-0740; classtype:web-application-activity; sid:1291; rev:15; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE directory listing"; flow:established; content:"Volume Serial Number"; metadata:ruleset community; classtype:bad-unknown; sid:1292; rev:12; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"INDICATOR-COMPROMISE nimda RICHED20.DLL"; flow:to_server,established; content:"R|00|I|00|C|00|H|00|E|00|D|00|2|00|0|00|.|00|D|00|L|00|L",nocase; metadata:ruleset community; reference:url,www.f-secure.com/v-descs/nimda.shtml; classtype:bad-unknown; sid:1295; rev:13; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP admin.php file upload attempt"; flow:to_server,established; http_uri; content:"/admin.php",fast_pattern,nocase; content:"file_name="; metadata:ruleset community; service:http; reference:bugtraq,3361; reference:cve,2001-1032; classtype:attempted-admin; sid:1300; rev:18; ) +alert tcp $EXTERNAL_NET any 
-> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP admin.php access"; flow:to_server,established; http_uri; content:"/admin.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3361; reference:bugtraq,7532; reference:bugtraq,9270; reference:cve,2001-1032; classtype:attempted-recon; sid:1301; rev:23; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP console.exe access"; flow:to_server,established; http_uri; content:"/cgi-bin/console.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3375; reference:cve,2001-1252; classtype:attempted-recon; sid:1302; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP cs.exe access"; flow:to_server,established; http_uri; content:"/cgi-bin/cs.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3375; reference:cve,2001-1252; classtype:attempted-recon; sid:1303; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP txt2html.cgi access"; flow:to_server,established; http_uri; content:"/txt2html.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1304; rev:19; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP txt2html.cgi directory traversal attempt"; flow:to_server,established; http_uri; content:"/txt2html.cgi",fast_pattern,nocase; http_raw_uri; content:"/../../../../"; metadata:ruleset community; service:http; classtype:web-application-attack; sid:1305; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP store.cgi access"; flow:to_server,established; http_uri; content:"/store.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2385; reference:cve,2001-0305; reference:nessus,10639; classtype:web-application-activity; sid:1307; rev:22; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS ( msg:"SERVER-WEBAPP sendmessage.cgi access"; flow:to_server,established; http_uri; content:"/sendmessage.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3673; reference:cve,2001-1100; classtype:attempted-recon; sid:1308; rev:20; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP zsh access"; flow:to_server,established; http_uri; content:"/zsh",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:1309; rev:21; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 4321 ( msg:"SERVER-OTHER rwhoisd format string attempt"; flow:to_server,established; content:"-soa %p"; metadata:ruleset community; reference:bugtraq,3474; reference:cve,2001-0838; reference:nessus,10790; classtype:misc-attack; sid:1323; rev:10; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS ( msg:"INDICATOR-SHELLCODE ssh CRC32 overflow /bin/sh"; flow:to_server,established; content:"/bin/sh"; metadata:ruleset community; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1324; rev:12; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS ( msg:"INDICATOR-SHELLCODE ssh CRC32 overflow filler"; flow:to_server,established; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1325; rev:14; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS ( msg:"INDICATOR-SHELLCODE ssh CRC32 overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|",fast_pattern,nocase; metadata:ruleset community; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1326; 
rev:13; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS ( msg:"INDICATOR-SHELLCODE ssh CRC32 overflow"; flow:to_server,established; content:"|00 01|W|00 00 00 18|",depth 7; content:"|FF FF FF FF 00 00|",depth 14,offset 8; metadata:ruleset community; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; reference:nessus,10607; classtype:shellcode-detect; sid:1327; rev:14; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP .htgroup access"; flow:to_server,established; http_uri; content:".htgroup",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:web-application-activity; sid:1374; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP sadmind worm access"; flow:to_server,established; content:"GET x HTTP/1.0",depth 15; metadata:ruleset community; service:http; reference:url,www.cert.org/advisories/CA-2001-11.html; classtype:attempted-recon; sid:1375; rev:12; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP jrun directory browse attempt"; flow:to_server,established; http_uri; content:"/?.jsp"; metadata:ruleset community; service:http; reference:bugtraq,3592; reference:cve,2001-1510; classtype:web-application-attack; sid:1376; rev:13; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP wu-ftp bad file completion attempt"; flow:to_server,established; content:"~"; content:"[",distance 0; metadata:policy max-detect-ips drop,ruleset community; service:ftp; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; reference:nessus,10821; classtype:misc-attack; sid:1377; rev:24; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP wu-ftp bad file completion attempt"; flow:to_server,established; content:"~"; content:"{",distance 0; metadata:policy max-detect-ips drop,ruleset community; service:ftp; reference:bugtraq,3581; 
reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; reference:nessus,10821; classtype:misc-attack; sid:1378; rev:24; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP STAT overflow attempt"; flow:to_server,established; content:"STAT",nocase; isdataat:190,relative; pcre:"/^STAT(?!\n)\s[^\n]{190}/im"; metadata:ruleset community; service:ftp; reference:bugtraq,3507; reference:bugtraq,8542; reference:cve,2001-0325; reference:cve,2001-1021; reference:cve,2003-0772; reference:cve,2011-0762; reference:url,labs.defcom.com/adv/2001/def-2001-31.txt; classtype:attempted-admin; sid:1379; rev:23; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS Form_VBScript.asp access"; flow:to_server,established; http_uri; content:"/Form_VBScript.asp",nocase; metadata:ruleset community; service:http; reference:bugtraq,1594; reference:bugtraq,1595; reference:cve,2000-0746; reference:cve,2000-1104; reference:nessus,10572; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-060; classtype:web-application-attack; sid:1380; rev:21; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Trend Micro OfficeScan attempt"; flow:to_server,established; http_uri; content:"/officescan/cgi/jdkRqNotify.exe?",nocase; content:"domain=",nocase; content:"event=",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1057; classtype:attempted-recon; sid:1381; rev:13; ) +alert tcp any any -> any 6666:7000 ( msg:"SERVER-OTHER CHAT IRC Ettercap parse overflow attempt"; flow:to_server,established; content:"PRIVMSG",fast_pattern,nocase; content:"nickserv",nocase; content:"IDENTIFY",nocase; isdataat:100,relative; pcre:"/^PRIVMSG\s+nickserv\s+IDENTIFY\s[^\n]{100}/ims"; metadata:ruleset community; reference:url,www.bugtraq.org/dev/GOBBLES-12.txt; classtype:misc-attack; sid:1382; rev:13; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 1900 ( msg:"OS-WINDOWS Microsoft Windows UPnP malformed 
advertisement"; flow:to_server,no_stream; content:"NOTIFY * ",fast_pattern,nocase; content:"LOCATION|3A|",nocase; detection_filter:track by_dst,count 10,seconds 1; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,3723; reference:cve,2001-0876; reference:cve,2001-0877; reference:nessus,10829; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-059; classtype:misc-attack; sid:1384; rev:21; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP mod-plsql administration access"; flow:to_server,established; http_uri; content:"/admin_/"; metadata:ruleset community; service:http; reference:bugtraq,3726; reference:bugtraq,3727; reference:cve,2001-1216; reference:cve,2001-1217; reference:nessus,10849; classtype:web-application-activity; sid:1385; rev:18; ) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 ( msg:"SERVER-MSSQL raiserror possible buffer overflow"; flow:to_server,established; content:"r|00|a|00|i|00|s|00|e|00|r|00|r|00|o|00|r|00|",offset 32,nocase; metadata:ruleset community; reference:bugtraq,3733; reference:cve,2001-0542; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-060; classtype:attempted-user; sid:1386; rev:15; ) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 ( msg:"SQL raiserror possible buffer overflow"; flow:to_server,established; content:"r|00|a|00|i|00|s|00|e|00|r|00|r|00|o|00|r|00|",fast_pattern,nocase; metadata:ruleset community; reference:bugtraq,3733; reference:cve,2001-0542; reference:nessus,11217; classtype:attempted-user; sid:1387; rev:13; ) +alert udp $EXTERNAL_NET any -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows UPnP Location overflow attempt"; content:"Location",fast_pattern,nocase; pcre:"/^Location\s*\x3a\s*\w+\x3a\/\/([^\n]*\x3a)?[^\n]{128}/ims"; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,3723; reference:cve,2001-0876; reference:cve,2007-2386; reference:nessus,10829; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-059; classtype:misc-attack; sid:1388; rev:23; ) +alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; metadata:policy max-detect-ips drop,ruleset community; classtype:shellcode-detect; sid:1390; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP lastlines.cgi access"; flow:to_server,established; http_uri; content:"/lastlines.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3754; reference:bugtraq,3755; reference:cve,2001-1205; reference:cve,2001-1206; classtype:attempted-recon; sid:1392; rev:22; ) +alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 inc ecx NOOP"; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; metadata:ruleset community; classtype:shellcode-detect; sid:1394; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP zml.cgi attempt"; flow:to_server,established; http_uri; content:"/zml.cgi"; pkt_data; content:"file=../"; metadata:ruleset community; service:http; reference:bugtraq,3759; reference:cve,2001-1209; reference:nessus,10830; classtype:web-application-activity; sid:1395; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP zml.cgi access"; flow:to_server,established; http_uri; content:"/zml.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3759; reference:cve,2001-1209; reference:nessus,10830; classtype:web-application-activity; sid:1396; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP wayboard attempt"; flow:to_server,established; http_uri; content:"/way-board/way-board.cgi"; content:"db="; http_raw_uri; content:"../.."; metadata:ruleset community; service:http; reference:bugtraq,2370; reference:cve,2001-0214; reference:nessus,10610; classtype:web-application-attack; 
sid:1397; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 6112 ( msg:"SERVER-OTHER CDE dtspcd exploit attempt"; flow:to_server,established; content:"1",depth 1,offset 10; content:!"000",depth 3,offset 11; metadata:ruleset community; reference:bugtraq,3517; reference:cve,2001-0803; reference:nessus,10833; reference:url,www.cert.org/advisories/CA-2002-01.html; classtype:misc-attack; sid:1398; rev:14; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP PHP-Nuke remote file include attempt"; flow:to_server,established; http_uri; content:"/index.php",fast_pattern,nocase; content:"file="; pcre:"/file=(https?|ftps?|php)/i"; metadata:ruleset community; service:http; reference:bugtraq,3889; reference:cve,2002-0206; classtype:web-application-attack; sid:1399; rev:23; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS /scripts/samples/ access"; flow:to_server,established; http_uri; content:"/scripts/samples/",nocase; metadata:ruleset community; service:http; reference:nessus,10370; classtype:web-application-attack; sid:1400; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS /msadc/samples/ access"; flow:to_server,established; http_uri; content:"/msadc/samples/",nocase; metadata:ruleset community; service:http; reference:bugtraq,167; reference:cve,1999-0736; reference:nessus,1007; classtype:web-application-attack; sid:1401; rev:20; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS iissamples access"; flow:to_server,established; http_uri; content:"/iissamples/",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:nessus,11032; classtype:web-application-attack; sid:1402; rev:19; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP AHG search.cgi access"; flow:to_server,established; http_uri; content:"/publisher/search.cgi",fast_pattern,nocase; content:"template=",nocase; metadata:ruleset 
community; service:http; reference:bugtraq,3985; reference:cve,2002-2113; classtype:web-application-activity; sid:1405; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP agora.cgi access"; flow:to_server,established; http_uri; content:"/store/agora.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3702; reference:bugtraq,3976; reference:cve,2001-1199; reference:cve,2002-0215; reference:nessus,10836; classtype:web-application-activity; sid:1406; rev:23; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP smssend.php access"; flow:to_server,established; http_uri; content:"/smssend.php"; metadata:ruleset community; service:http; reference:bugtraq,3982; reference:cve,2002-0220; classtype:web-application-activity; sid:1407; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 ( msg:"SERVER-OTHER MSDTC attempt"; flow:to_server,established; isdataat:1023; metadata:ruleset community; reference:bugtraq,4006; reference:cve,2002-0224; reference:nessus,10939; classtype:attempted-dos; sid:1408; rev:17; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 ( msg:"PROTOCOL-SNMP community string buffer overflow attempt"; flow:to_server; content:"|02 01 00 04 82 01 00|",offset 4; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:1409; rev:21; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP dcboard.cgi access"; flow:to_server,established; http_uri; content:"/dcboard.cgi"; metadata:ruleset community; service:http; reference:bugtraq,2728; reference:cve,2001-0527; reference:nessus,10583; classtype:attempted-recon; sid:1410; rev:16; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 161 ( msg:"PROTOCOL-SNMP public access udp"; 
flow:to_server; content:"|06|public"; metadata:policy max-detect-ips drop,ruleset community; service:snmp; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; reference:cve,2022-20918; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmcsfr-snmp-access-6gqgtJ4S; classtype:attempted-recon; gid:1; sid:1411; rev:21; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 161 ( msg:"PROTOCOL-SNMP public access tcp"; flow:to_server,established; content:"|04 06|public"; metadata:policy max-detect-ips drop,ruleset community; service:snmp; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,7212; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; gid:1; sid:1412; rev:23; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 161 ( msg:"PROTOCOL-SNMP private access udp"; flow:to_server; content:"private"; metadata:policy max-detect-ips drop,ruleset community; service:snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:bugtraq,7212; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1413; rev:19; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 161 ( msg:"PROTOCOL-SNMP private access tcp"; flow:to_server,established; content:"private"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1414; rev:20; ) +alert udp any any -> 255.255.255.255 161 ( msg:"PROTOCOL-SNMP Broadcast request"; flow:to_server; metadata:policy max-detect-ips drop,ruleset community; service:snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1415; rev:18; 
) +alert udp any any -> 255.255.255.255 162 ( msg:"PROTOCOL-SNMP broadcast trap"; flow:to_server; metadata:policy max-detect-ips drop,ruleset community; service:snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1416; rev:18; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 161 ( msg:"PROTOCOL-SNMP request udp"; flow:to_server; metadata:policy max-detect-ips drop,ruleset community; service:snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1417; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 161 ( msg:"PROTOCOL-SNMP request tcp"; flow:stateless; metadata:policy max-detect-ips drop,ruleset community; service:snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1418; rev:19; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 162 ( msg:"PROTOCOL-SNMP trap udp"; flow:to_server; metadata:policy max-detect-ips drop,ruleset community; service:snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1419; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 162 ( msg:"PROTOCOL-SNMP trap tcp"; flow:stateless; metadata:policy max-detect-ips drop,ruleset community; service:snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1420; rev:19; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 705 ( msg:"PROTOCOL-SNMP AgentX/tcp request"; flow:stateless; metadata:policy max-detect-ips drop,ruleset community; service:snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; 
sid:1421; rev:19; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 ( msg:"PROTOCOL-SNMP community string buffer overflow attempt with evasion"; flow:to_server; content:" |04 82 01 00|",depth 5,offset 7; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:1422; rev:21; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP content-disposition memchr overflow"; flow:to_server,established; http_header; content:"Content-Disposition|3A|",nocase; pkt_data; content:"name=|22 CC CC CC CC CC|",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,4183; reference:cve,2002-0081; reference:nessus,10867; classtype:web-application-attack; sid:1423; rev:24; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP content-disposition file upload attempt"; flow:to_server,established; http_header; content:"Content-Disposition|3A|",nocase; pkt_data; content:"form-data|3B|",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,4183; reference:cve,2002-0081; reference:nessus,10867; classtype:web-application-attack; sid:1425; rev:22; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 161 ( msg:"PROTOCOL-SNMP PROTOS test-suite-req-app attempt"; content:"0&|02 01 00 04 06|public|A0 19 02 01 00 02 01 00 02 01 00|0|0E|0|0C 06 08|+|06 01 02 01 01 05 00 05 00|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:snmp; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:1426; rev:14; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 162 ( msg:"PROTOCOL-SNMP PROTOS test-suite-trap-app attempt"; content:"08|02 01 00 04 06|public|A4|+|06|",fast_pattern,nocase; metadata:policy max-detect-ips 
drop,ruleset community; service:snmp; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:1427; rev:13; ) +alert tcp $HOME_NET any -> 64.245.58.0/23 any ( msg:"POLICY-MULTIMEDIA audio galaxy keepalive"; flow:established; content:"E_|00 03 05|",depth 5; metadata:ruleset community; classtype:misc-activity; sid:1428; rev:8; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"PUA-P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA",depth 8; metadata:ruleset community; classtype:policy-violation; sid:1432; rev:11; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP .history access"; flow:to_server,established; http_uri; content:"/.history"; metadata:ruleset community; service:http; classtype:web-application-attack; sid:1433; rev:12; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP .bash_history access"; flow:to_server,established; http_uri; content:"/.bash_history"; metadata:ruleset community; service:http; reference:bugtraq,337; reference:cve,1999-0408; reference:url,attack.mitre.org/techniques/T1139; classtype:web-application-attack; sid:1434; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"PROTOCOL-DNS named authors attempt"; flow:to_server,established; content:"|07|authors",offset 12,nocase; content:"|04|bind|00|",offset 12,nocase; metadata:policy max-detect-ips drop,ruleset community; service:dns; reference:nessus,10728; classtype:attempted-recon; sid:1435; rev:16; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"POLICY-MULTIMEDIA Apple Quicktime User Agent access"; flow:to_server,established; content:"User-Agent|3A| Quicktime",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:policy-violation; sid:1436; rev:12; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Windows Media download detected"; flow:to_client,established; 
http_header; content:"Content-Type|3A|",nocase; pcre:"/^Content-Type\x3a\s*(?=[av])(video\/x\-ms\-(w[vm]x|asf)|a(udio\/x\-ms\-w(m[av]|ax)|pplication\/x\-ms\-wm[zd]))/ims"; metadata:ruleset community; service:ftp-data,http,imap,pop3; classtype:misc-activity; sid:1437; rev:27; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"POLICY-MULTIMEDIA Shoutcast playlist redirection"; flow:to_client,established; http_header; content:"Content-type|3A|",nocase; content:"audio/x-scpls",within 50,fast_pattern,nocase; metadata:ruleset community; service:http; classtype:policy-violation; sid:1439; rev:17; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"POLICY-MULTIMEDIA Icecast playlist redirection"; flow:to_client,established; http_header; content:"Content-type|3A|",nocase; content:"audio/x-mpegurl",within 50,fast_pattern,nocase; metadata:ruleset community; service:http; classtype:policy-violation; sid:1440; rev:17; ) +alert udp any any -> any 69 ( msg:"PROTOCOL-TFTP GET nc.exe"; flow:to_server; content:"|00 01|",depth 2; content:"nc.exe",offset 2,nocase; metadata:policy max-detect-ips drop,ruleset community; classtype:successful-admin; sid:1441; rev:11; ) +alert udp any any -> any 69 ( msg:"PROTOCOL-TFTP GET shadow"; flow:to_server; content:"|00 01|",depth 2; content:"shadow",offset 2,nocase; metadata:policy max-detect-ips drop,ruleset community; classtype:successful-admin; sid:1442; rev:11; ) +alert udp any any -> any 69 ( msg:"PROTOCOL-TFTP GET passwd"; flow:to_server; content:"|00 01|",depth 2; content:"passwd",offset 2,nocase; metadata:policy max-detect-ips drop,ruleset community; reference:cve,2021-1437; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-aironet-info-disc-BfWqghj; classtype:successful-admin; sid:1443; rev:12; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 69 ( msg:"PROTOCOL-TFTP Get"; flow:to_server; content:"|00 01|",depth 2; metadata:policy max-detect-ips drop,ruleset community; 
classtype:bad-unknown; sid:1444; rev:10; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"INDICATOR-COMPROMISE FTP file_id.diz access possible warez site"; flow:to_server,established; content:"RETR",nocase; content:"file_id.diz",distance 1,nocase; metadata:ruleset community; service:ftp; classtype:suspicious-filename-detect; sid:1445; rev:9; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL vrfy root"; flow:to_server,established; content:"vrfy",nocase; content:"root",distance 1,nocase; pcre:"/^vrfy\s+root/ims"; metadata:policy max-detect-ips drop,ruleset community; service:smtp; classtype:attempted-recon; sid:1446; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 ( msg:"POLICY-OTHER Microsoft Windows Terminal server RDP attempt"; flow:to_server,established; content:"|03 00 00 0B 06 E0 00 00 00 00 00|",depth 11; metadata:ruleset community; service:rdp; reference:bugtraq,3099; reference:cve,2001-0540; reference:cve,2001-0663; reference:nessus,10940; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-040; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-052; classtype:protocol-command-decode; sid:1447; rev:20; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 ( msg:"POLICY-OTHER Microsoft Windows Terminal server request attempt"; flow:to_server,established; content:"|03 00 00|",depth 3; content:"|E0 00 00 00 00 00|",depth 6,offset 5; metadata:ruleset community; service:rdp; reference:bugtraq,3099; reference:cve,2001-0540; reference:cve,2001-0663; reference:nessus,10940; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-040; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-052; classtype:protocol-command-decode; sid:1448; rev:20; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Vintra Mailserver expn *@"; flow:to_server,established; content:"expn",fast_pattern,nocase; content:"*@"; pcre:"/^expn\s+\*@/ims"; metadata:ruleset community; service:smtp; 
reference:cve,1999-1200; classtype:misc-attack; sid:1450; rev:13; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP NPH-maillist access"; flow:to_server,established; http_uri; content:"/nph-maillist.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2563; reference:cve,2001-0400; reference:nessus,10164; classtype:attempted-recon; sid:1451; rev:20; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP args.cmd access"; flow:to_server,established; http_uri; content:"/args.cmd",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-1180; reference:nessus,11465; classtype:attempted-recon; sid:1452; rev:19; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP AT-generated.cgi access"; flow:to_server,established; http_uri; content:"/AT-generated.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-1072; classtype:attempted-recon; sid:1453; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP wwwwais access"; flow:to_server,established; http_uri; content:"/wwwwais",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,2001-0223; reference:nessus,10597; classtype:attempted-recon; sid:1454; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP calendar.pl access"; flow:to_server,established; http_uri; content:"calendar",nocase; pcre:"/calendar(|[-_]admin)\.pl/i"; metadata:ruleset community; service:http; reference:bugtraq,1215; reference:cve,2000-0432; classtype:attempted-recon; sid:1455; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP calender_admin.pl access"; flow:to_server,established; http_uri; content:"/calender_admin.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,2000-0432; reference:nessus,10506; classtype:attempted-recon; 
sid:1456; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP user_update_admin.pl access"; flow:to_server,established; http_uri; content:"/user_update_admin.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1486; reference:cve,2000-0627; classtype:attempted-recon; sid:1457; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP user_update_passwd.pl access"; flow:to_server,established; http_uri; content:"/user_update_passwd.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1486; reference:cve,2000-0627; classtype:attempted-recon; sid:1458; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP bb-histlog.sh access"; flow:to_server,established; http_uri; content:"/bb-histlog.sh",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,142; reference:cve,1999-1462; reference:nessus,10025; classtype:attempted-recon; sid:1459; rev:19; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP bb-histsvc.sh access"; flow:to_server,established; http_uri; content:"/bb-histsvc.sh",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,142; reference:cve,1999-1462; classtype:attempted-recon; sid:1460; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP bb-rep.sh access"; flow:to_server,established; http_uri; content:"/bb-rep.sh",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,142; reference:cve,1999-1462; classtype:attempted-recon; sid:1461; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP bb-replog.sh access"; flow:to_server,established; http_uri; content:"/bb-replog.sh",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,142; reference:cve,1999-1462; classtype:attempted-recon; sid:1462; 
rev:17; ) +alert tcp $HOME_NET any <> $EXTERNAL_NET 6666:7000 ( msg:"POLICY-SOCIAL IRC message"; flow:established; isdataat:!139; content:"PRIVMSG "; metadata:ruleset community; classtype:policy-violation; sid:1463; rev:16; ) +alert tcp $HOME_NET 8002 -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE oracle one hour install"; flow:to_client,established; content:"Oracle Applications One-Hour Install"; metadata:ruleset community; reference:nessus,10737; classtype:bad-unknown; sid:1464; rev:10; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP auktion.cgi access"; flow:to_server,established; http_uri; content:"/auktion.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2367; reference:cve,2001-0212; reference:nessus,10638; classtype:web-application-activity; sid:1465; rev:20; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP cgiforum.pl access"; flow:to_server,established; http_uri; content:"/cgiforum.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1963; reference:cve,2000-1171; reference:nessus,10552; classtype:web-application-activity; sid:1466; rev:20; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP directorypro.cgi access"; flow:to_server,established; http_uri; content:"/directorypro.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2793; reference:cve,2001-0780; reference:nessus,10679; classtype:web-application-activity; sid:1467; rev:20; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Web Shopper shopper.cgi attempt"; flow:to_server,established; http_uri; content:"/shopper.cgi",fast_pattern,nocase; pkt_data; content:"newpage=../",nocase; metadata:ruleset community; service:http; reference:bugtraq,1776; reference:cve,2000-0922; reference:nessus,10533; classtype:web-application-attack; sid:1468; rev:18; ) +alert tcp $EXTERNAL_NET any 
-> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Web Shopper shopper.cgi access"; flow:to_server,established; http_uri; content:"/shopper.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1776; reference:cve,2000-0922; classtype:attempted-recon; sid:1469; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP listrec.pl access"; flow:to_server,established; http_uri; content:"/listrec.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3328; reference:cve,2001-0997; reference:nessus,10769; classtype:attempted-recon; sid:1470; rev:20; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP mailnews.cgi access"; flow:to_server,established; http_uri; content:"/mailnews.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2391; reference:cve,2001-0271; reference:nessus,10641; classtype:attempted-recon; sid:1471; rev:20; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP book.cgi access"; flow:to_server,established; http_uri; content:"/book.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3178; reference:cve,2001-1114; reference:nessus,10721; classtype:web-application-activity; sid:1472; rev:21; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP newsdesk.cgi access"; flow:to_server,established; http_uri; content:"/newsdesk.cgi",fast_pattern,nocase; http_raw_uri; content:"../"; metadata:ruleset community; service:http; reference:bugtraq,2172; reference:cve,2001-0232; reference:nessus,10586; classtype:attempted-recon; sid:1473; rev:20; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP cal_make.pl access"; flow:to_server,established; http_uri; content:"/cal_make.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2663; reference:cve,2001-0463; 
reference:nessus,10664; classtype:web-application-activity; sid:1474; rev:21; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP mailit.pl access"; flow:to_server,established; http_uri; content:"/mailit.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,10417; classtype:attempted-recon; sid:1475; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP sdbsearch.cgi access"; flow:to_server,established; http_uri; content:"/sdbsearch.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1658; reference:cve,2001-1130; reference:nessus,10503; reference:nessus,10720; classtype:attempted-recon; sid:1476; rev:21; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Simple Web Counter URI Parameter Buffer Overflow attempt"; flow:to_server,established; http_uri; content:"/swc",nocase; content:"ctr=",distance 0,nocase; http_raw_uri; bufferlen:>500; metadata:ruleset community; service:http; reference:bugtraq,6581; reference:nessus,10493; classtype:attempted-user; sid:1478; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ttawebtop.cgi arbitrary file attempt"; flow:to_server,established; content:"/ttawebtop.cgi",nocase; content:"pg=../",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2890; reference:cve,2001-0805; reference:nessus,10696; classtype:web-application-attack; sid:1479; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ttawebtop.cgi access"; flow:to_server,established; http_uri; content:"/ttawebtop.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2890; reference:cve,2001-0805; reference:nessus,10696; classtype:attempted-recon; sid:1480; rev:21; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP upload.cgi access"; 
flow:to_server,established; http_uri; content:"/upload.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,10290; classtype:attempted-recon; sid:1481; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP view_source access"; flow:to_server,established; http_uri; content:"/view_source",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2251; reference:cve,1999-0174; reference:nessus,10294; classtype:attempted-recon; sid:1482; rev:19; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ustorekeeper.pl access"; flow:to_server,established; http_uri; content:"/ustorekeeper.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,2001-0466; reference:nessus,10645; classtype:web-application-activity; sid:1483; rev:22; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS mkilog.exe access"; flow:to_server,established; http_uri; content:"/mkilog.exe",nocase; metadata:ruleset community; service:http; reference:nessus,10359; classtype:web-application-activity; sid:1485; rev:21; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS ctss.idc access"; flow:to_server,established; http_uri; content:"/ctss.idc",nocase; metadata:ruleset community; service:http; reference:nessus,10359; classtype:web-application-activity; sid:1486; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS /iisadmpwd/aexp2.htr access"; flow:to_server,established; http_uri; content:"/iisadmpwd/aexp2.htr",nocase; metadata:ruleset community; service:http; reference:bugtraq,2110; reference:bugtraq,4236; reference:cve,1999-0407; reference:cve,2002-0421; reference:nessus,10371; classtype:web-application-activity; sid:1487; rev:22; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP store.cgi directory traversal attempt"; flow:to_server,established; 
http_uri; content:"/store.cgi",fast_pattern,nocase; http_raw_uri; content:"../"; metadata:ruleset community; service:http; reference:bugtraq,2385; reference:cve,2001-0305; reference:nessus,10639; classtype:web-application-attack; sid:1488; rev:19; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP nobody access"; flow:to_server,established; http_uri; content:"/~nobody"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:nessus,10484; classtype:web-application-attack; sid:1489; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Phorum /support/common.php attempt"; flow:to_server,established; http_uri; content:"/support/common.php"; pkt_data; content:"ForumLang=../"; metadata:ruleset community; service:http; reference:bugtraq,1997; classtype:web-application-attack; sid:1490; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Phorum /support/common.php access"; flow:to_server,established; http_uri; content:"/support/common.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1997; reference:bugtraq,9361; reference:cve,2004-0034; classtype:web-application-attack; sid:1491; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP RBS ISP /newuser directory traversal attempt"; flow:to_server,established; http_uri; content:"/newuser?Image=../.."; metadata:ruleset community; service:http; reference:bugtraq,1704; reference:cve,2000-1036; reference:nessus,10521; classtype:web-application-attack; sid:1492; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP RBS ISP /newuser access"; flow:to_server,established; http_uri; content:"/newuser"; metadata:ruleset community; service:http; reference:bugtraq,1704; reference:cve,2000-1036; reference:nessus,10521; classtype:web-application-activity; sid:1493; rev:16; ) +alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP SIX webboard generate.cgi attempt"; flow:to_server,established; http_uri; content:"/generate.cgi"; pkt_data; content:"content=../"; metadata:ruleset community; service:http; reference:bugtraq,3175; reference:cve,2001-1115; reference:nessus,10725; classtype:web-application-attack; sid:1494; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP SIX webboard generate.cgi access"; flow:to_server,established; http_uri; content:"/generate.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3175; reference:cve,2001-1115; reference:nessus,10725; classtype:web-application-activity; sid:1495; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP spin_client.cgi access"; flow:to_server,established; http_uri; content:"/spin_client.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,10393; classtype:web-application-activity; sid:1496; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 ( msg:"SERVER-WEBAPP SiteScope Service access"; flow:to_server,established; content:"/SiteScope/cgi/go.exe/SiteScope"; metadata:ruleset community; service:http; reference:nessus,10778; classtype:web-application-activity; sid:1499; rev:11; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ExAir access"; flow:to_server,established; http_uri; content:"/exair/search/",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,193; reference:cve,1999-0449; reference:nessus,10002; reference:nessus,10003; reference:nessus,10004; classtype:web-application-activity; sid:1500; rev:23; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP a1stats a1disp3.cgi directory traversal attempt"; flow:to_server,established; http_uri; content:"/a1disp3.cgi?",fast_pattern,nocase; http_raw_uri; content:"/../../"; 
metadata:ruleset community; service:http; reference:bugtraq,2705; reference:cve,2001-0561; reference:nessus,10669; classtype:web-application-attack; sid:1501; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP a1stats a1disp3.cgi access"; flow:to_server,established; http_uri; content:"/a1disp3.cgi"; metadata:ruleset community; service:http; reference:bugtraq,2705; reference:cve,2001-0561; reference:nessus,10669; classtype:web-application-activity; sid:1502; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP admentor admin.asp access"; flow:to_server,established; http_uri; content:"/admentor/admin/admin.asp"; metadata:ruleset community; service:http; reference:bugtraq,4152; reference:cve,2002-0308; reference:nessus,10880; reference:url,www.securiteam.com/windowsntfocus/5DP0N1F6AW.html; classtype:web-application-activity; sid:1503; rev:15; ) +alert udp $EXTERNAL_NET any -> $HOME_NET 7001 ( msg:"POLICY-OTHER AFS access"; flow:to_server; content:"|00 00 03 E7 00 00 00 00 00 00 00|e|00 00 00 00 00 00 00 00 0D 05 00 00 00 00 00 00 00|",fast_pattern,nocase; metadata:ruleset community; reference:nessus,10441; classtype:misc-activity; sid:1504; rev:14; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP alchemy http server PRN arbitrary command execution attempt"; flow:to_server,established; http_uri; content:"/PRN/",fast_pattern; http_raw_uri; content:"../../"; metadata:ruleset community; service:http; reference:bugtraq,3599; reference:cve,2001-0871; reference:nessus,10818; classtype:web-application-activity; sid:1505; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP alchemy http server NUL arbitrary command execution attempt"; flow:to_server,established; http_uri; content:"/NUL/",fast_pattern; http_raw_uri; content:"../../"; metadata:ruleset community; service:http; reference:bugtraq,3599; reference:cve,2001-0871; 
reference:nessus,10818; classtype:web-application-activity; sid:1506; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP alibaba.pl arbitrary command execution attempt"; flow:to_server,established; http_uri; content:"/alibaba.pl|7C|",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,770; reference:cve,1999-0885; reference:nessus,10013; classtype:web-application-attack; sid:1507; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP alibaba.pl access"; flow:to_server,established; http_uri; content:"/alibaba.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,770; reference:cve,1999-0885; reference:nessus,10013; classtype:web-application-activity; sid:1508; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP AltaVista Intranet Search directory traversal attempt"; flow:to_server,established; http_uri; content:"/query?mss=..",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,896; reference:cve,2000-0039; reference:nessus,10015; classtype:web-application-attack; sid:1509; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP test.bat arbitrary command execution attempt"; flow:to_server,established; http_uri; content:"/test.bat|7C|"; metadata:ruleset community; service:http; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-attack; sid:1510; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP test.bat access"; flow:to_server,established; http_uri; content:"/test.bat",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-activity; sid:1511; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP input.bat arbitrary 
command execution attempt"; flow:to_server,established; http_uri; content:"/input.bat|7C|",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-attack; sid:1512; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP input.bat access"; flow:to_server,established; http_uri; content:"/input.bat",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-activity; sid:1513; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP input2.bat arbitrary command execution attempt"; flow:to_server,established; http_uri; content:"/input2.bat|7C|",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-attack; sid:1514; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP input2.bat access"; flow:to_server,established; http_uri; content:"/input2.bat",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-activity; sid:1515; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP envout.bat arbitrary command execution attempt"; flow:to_server,established; http_uri; content:"/envout.bat|7C|",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-attack; sid:1516; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP envout.bat access"; flow:to_server,established; http_uri; content:"/envout.bat",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,762; 
reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-activity; sid:1517; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 ( msg:"SERVER-WEBAPP nstelemetry.adp access"; flow:to_server,established; content:"/nstelemetry.adp"; metadata:ruleset community; service:http; reference:nessus,10753; classtype:web-application-activity; sid:1518; rev:13; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP apache ?M=D directory list attempt"; flow:to_server,established; http_uri; content:"/?M=D"; metadata:ruleset community; service:http; reference:bugtraq,3009; reference:cve,2001-0731; reference:nessus,10704; classtype:web-application-activity; sid:1519; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP server-info access"; flow:to_server,established; http_uri; content:"/server-info",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,httpd.apache.org/docs/mod/mod_info.html; classtype:web-application-activity; sid:1520; rev:14; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP server-status access"; flow:to_server,established; http_uri; content:"/server-status"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,httpd.apache.org/docs/mod/mod_info.html; classtype:web-application-activity; sid:1521; rev:14; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ans.pl attempt"; flow:to_server,established; http_uri; content:"/ans.pl?",nocase; content:"p=../../",distance 0,nocase; metadata:ruleset community; service:http; reference:bugtraq,4147; reference:bugtraq,4149; reference:cve,2002-0306; reference:cve,2002-0307; reference:nessus,10875; classtype:web-application-attack; sid:1522; rev:19; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ans.pl access"; flow:to_server,established; http_uri; content:"/ans.pl"; 
metadata:ruleset community; service:http; reference:bugtraq,4147; reference:bugtraq,4149; reference:cve,2002-0306; reference:cve,2002-0307; reference:nessus,10875; classtype:web-application-activity; sid:1523; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Axis Storpoint CD attempt"; flow:to_server,established; content:"/cd/../config/html/cnf_gi.htm"; metadata:ruleset community; service:http; reference:bugtraq,1025; reference:cve,2000-0191; reference:nessus,10023; classtype:web-application-attack; sid:1524; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Axis Storpoint CD access"; flow:to_server,established; http_uri; content:"/config/html/cnf_gi.htm"; metadata:ruleset community; service:http; reference:bugtraq,1025; reference:cve,2000-0191; reference:nessus,10023; classtype:web-application-activity; sid:1525; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP basilix sendmail.inc access"; flow:to_server,established; http_uri; content:"/inc/sendmail.inc"; metadata:ruleset community; service:http; reference:bugtraq,2198; reference:cve,2001-1044; reference:nessus,10601; classtype:web-application-activity; sid:1526; rev:16; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP basilix mysql.class access"; flow:to_server,established; http_uri; content:"/class/mysql.class"; metadata:ruleset community; service:http; reference:bugtraq,2198; reference:cve,2001-1044; reference:nessus,10601; classtype:web-application-activity; sid:1527; rev:15; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP BBoard access"; flow:to_server,established; http_uri; content:"/servlet/sunexamples.BBoardServlet"; metadata:ruleset community; service:http; reference:bugtraq,1459; reference:cve,2000-0629; reference:nessus,10507; classtype:web-application-activity; sid:1528; rev:15; ) +alert tcp $EXTERNAL_NET any -> 
$HOME_NET 21 ( msg:"PROTOCOL-FTP SITE overflow attempt"; flow:to_server,established; content:"SITE",nocase; isdataat:100,relative; pcre:"/^SITE(?!\n)\s[^\n]{100}/ims"; metadata:ruleset community; service:ftp; reference:cve,1999-0838; reference:cve,2001-0755; reference:cve,2001-0770; classtype:attempted-admin; sid:1529; rev:17; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP bb-hist.sh attempt"; flow:to_server,established; http_uri; content:"/bb-hist.sh?",nocase; content:"HISTFILE=../..",distance 0,nocase; metadata:ruleset community; service:http; reference:bugtraq,142; reference:cve,1999-1462; reference:nessus,10025; classtype:web-application-attack; sid:1531; rev:18; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP bb-hostscv.sh attempt"; flow:to_server,established; http_uri; content:"/bb-hostsvc.sh?",fast_pattern,nocase; content:"HOSTSVC",nocase; http_raw_uri; content:"../..",distance 0; metadata:ruleset community; service:http; reference:bugtraq,1455; reference:cve,2000-0638; reference:nessus,10460; classtype:web-application-attack; sid:1532; rev:21; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP bb-hostscv.sh access"; flow:to_server,established; http_uri; content:"/bb-hostsvc.sh",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1455; reference:cve,2000-0638; reference:nessus,10460; classtype:web-application-activity; sid:1533; rev:19; ) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP agora.cgi attempt"; flow:to_server,established; http_uri; content:"/store/agora.cgi?",nocase; content:"cart_id= $HOME_NET any ( msg:"INDICATOR-OBFUSCATION hex escaped characters in setTimeout call"; flow:to_client,established; file_data; content:"setTimeout|28|",nocase; content:"|5C|x",within 10,nocase; content:"|5C|x",within 10,nocase; 
pcre:"/setTimeout\x28[\x22\x27][^\x2C]*?\x5cx[\da-f]{2}[^\x2C]*?[\da-f]{2,}\x5cx[\da-f]{2}/ims"; metadata:policy max-detect-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:bad-unknown; sid:23481; rev:6; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION hex escaped characters in addEventListener call"; flow:to_client,established; file_data; content:"addEventListener|28|",nocase; content:"|5C|x",within 10,nocase; content:"|5C|x",within 10,nocase; pcre:"/addEventListener\x28[\x22\x27][^\x2C]*?\x5cx[\da-f]{2}[^\x2C]*?[\da-f]{2,}\x5cx[\da-f]{2}/ims"; metadata:policy max-detect-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:bad-unknown; sid:23482; rev:6; ) +alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"MALWARE-CNC Win.Trojan.ZeroAccess outbound connection"; flow:to_server; dsize:20; content:"|9E 98|",depth 2,offset 6; metadata:ruleset community; reference:url,www.virustotal.com/file/50cdd9f6c5629630c8d8a3a4fe7d929d3c6463b2f9407d9a90703047e7db7ff9/analysis/; classtype:trojan-activity; sid:23492; rev:6; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION known packer routine with secondary obfuscation"; flow:to_client,established; file_data; content:"eval(function(p,a,c,k,e,r)",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,dean.edwards.name/packer/; classtype:misc-activity; sid:23621; rev:9; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION JavaScript built-in function parseInt appears obfuscated - likely packer or encoder"; 
flow:to_client,established; file_data; content:"|5B 27|parse|27 2B 27|Int|27 5D 28|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,snort.org/rule_docs/1-23636; classtype:trojan-activity; sid:23636; rev:11; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|03 04|",depth 4; content:!"|14 00 06 00|",within 4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:23651; rev:15; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK00PK|03 04|",depth 8; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:23652; rev:16; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|01 02|",depth 4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:23653; rev:16; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|05 06|",depth 4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert,policy 
connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:23654; rev:16; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|06 08|",depth 4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:23655; rev:16; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|06 07|",depth 4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:23656; rev:16; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|06 06|",depth 4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:23657; rev:16; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY PNG file magic detected"; flow:to_server,established; file_data; content:"|89|PNG|0D 0A 1A 0A|",depth 8; flowbits:set,file.png; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:23664; rev:17; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_server,established; file_data; content:"|FF D8 FF E0|",depth 4; 
flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:23667; rev:14; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY RTF file magic detected"; flow:to_server,established; file_data; content:"{|5C|rt",fast_pattern,nocase; flowbits:set,file.rtf; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:23670; rev:14; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY PDF file magic detected"; flow:to_server,established; file_data; content:"%PDF-",nocase; flowbits:set,file.pdf; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:23678; rev:14; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Compound File Binary v3 file magic detected"; flow:to_server,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:">|00 03 00|",within 4,distance 16; flowbits:set,file.ole; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:23707; rev:16; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Compound File Binary v4 file magic detected"; flow:to_server,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:">|00 04 00|",within 4,distance 16; flowbits:set,file.oless.v4; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:23708; rev:7; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY OLE Document file magic detected"; 
flow:to_server,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|",depth 8; flowbits:set,file.ole; flowbits:set,file.fpx; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:23711; rev:14; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Portable Executable binary file magic detected"; flow:to_server,established; file_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|",within 4,distance -64; flowbits:set,file.exe; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:23725; rev:12; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY XML file magic detected"; flow:to_server,established; file_data; content:"",depth 50,nocase; flowbits:set,file.xml; flowbits:noalert; metadata:policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:23758; rev:10; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY XML file magic detected"; flow:to_server,established; file_data; content:" $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY EMF file magic detected"; flow:to_server,established; file_data; content:"|01 00 00 00|",depth 4; content:"|20|EMF",within 4,distance 36,fast_pattern; flowbits:set,file.emf; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:23766; rev:12; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY XM file magic detected"; flow:to_server,established; file_data; content:"Extended Module:",fast_pattern,nocase; flowbits:set,file.xm; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:23773; 
rev:9; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.Magania variant outbound connection"; flow:to_server,established; content:"User-Agent: Google page|0D 0A|",fast_pattern,nocase; content:".asp?"; content:"mac=",within 4; content:"&ver=",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.seculert.com/blog/2013/06/adversary-arsenal-exposed-part-i-pinkstats.html; reference:url,www.virustotal.com/file/6a813f96bb65367a8b5c5ba2937c773785a0a0299032a6c77b9b0862be8bdb71/analysis/; classtype:trojan-activity; sid:24015; rev:8; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Possible malicious redirect - rebots.php"; flow:to_server,established; http_uri; content:"/rebots.php",fast_pattern,nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,blog.sucuri.net/2012/08/rebots-php-javascript-malware-being-actively-injected.html; reference:url,labs.sucuri.net/db/malware/mwjs-include-rebots; classtype:misc-activity; sid:24017; rev:5; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER malicious redirection attempt"; flow:to_server,established; http_uri; content:"a=YWZmaWQ9MDUyODg",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,blog.sucuri.net/2012/09/compromised-websites-hosting-calls-to-java-exploit.html; classtype:bad-unknown; sid:24225; rev:3; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android/Fakelash.A!tr.spy trojan command and control channel traffic"; flow:to_server,established; http_uri; content:"/data.php?action=",nocase; content:"&m=",distance 0,nocase; content:"&p=",distance 0,nocase; content:"&n=",distance 0,nocase; metadata:policy 
max-detect-ips drop,ruleset community; service:http; reference:url,blog.fortiguard.com/android-malware-distributed-by-malicious-sms-in-france/; classtype:trojan-activity; sid:24251; rev:5; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-COMPROMISE IP only webpage redirect attempt"; flow:to_client,established; file_data; content:"]*\x2f\x2f\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\x2e\d{1,3}/Rs"; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:bad-unknown; sid:24253; rev:7; ) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-COMPROMISE IP only webpage redirect attempt"; flow:to_client,established; file_data; content:"document.location="; pcre:"/^[^>]*\x2f\x2f\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\x2e\d{1,3}/Rs"; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:bad-unknown; sid:24254; rev:7; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET 84 ( msg:"MALWARE-OTHER Malicious UA detected on non-standard port"; flow:to_server,established,no_stream; content:"User-Agent|3A| Mozilla/5.0 |28|Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US|29|"; detection_filter:track by_src,count 1,seconds 120; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:url,anubis.iseclab.org/?action=result&task_id=1691c3b8835221fa4692960681f39c736&format=html; classtype:trojan-activity; sid:24265; rev:6; ) +alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] ( msg:"OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt"; flow:to_server,established; content:"|FF|SMB|73 00 00 00 00|",depth 9,offset 4; content:"|00 00|",within 2,distance 13; content:"|FF|",within 1,distance 9; content:"NTLMSSP|00 03 00 00 00|",within 100; content:"|00 00 00 00 48 00 00 00|",within 8,distance 24,fast_pattern; flowbits:set,smb.null_session; flowbits:noalert; metadata:policy max-detect-ips alert,policy security-ips alert,ruleset community; service:netbios-ssn; 
reference:bugtraq,1163; reference:cve,2000-0347; classtype:attempted-recon; sid:24359; rev:9; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_client,established; file_data; content:"|FF D8 FF E1|",depth 4; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:ftp-data,http,imap,pop3; classtype:misc-activity; sid:24455; rev:12; ) +alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_client,established; file_data; content:"|FF D8 FF EE|",depth 4; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:ftp-data,http,imap,pop3; classtype:misc-activity; sid:24456; rev:12; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_server,established; file_data; content:"|FF D8 FF E1|",depth 4; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:24457; rev:11; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_server,established; file_data; content:"|FF D8 FF EE|",depth 4; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:24458; rev:11; ) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"POLICY-SPAM 1.usa.gov URL in email, possible spam redirect"; flow:to_server,established; file_data; content:"http|3A 2F 2F|1.usa.gov"; pcre:"/http\x3A\x2f\x2f1\.usa\.gov\x2f[a-f0-9]{6,8}/ims"; metadata:policy max-detect-ips drop,ruleset community; service:smtp; 
reference:url,www.symantec.com/connect/blogs/spam-gov-urls; classtype:bad-unknown; sid:24598; rev:4; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Potential Banking Trojan Config File Download"; flow:to_server,established; http_raw_uri; bufferlen:11; http_uri; content:"|2F|Config|2E|txt",fast_pattern,nocase; http_header; content:"Mozilla|2F|3|2E|0|20 28|compatible|3B 20|Indy|20|Library|29 0D 0A|"; metadata:ruleset community; service:http; reference:url,www.virustotal.com/file/2418469245edf860633f791b972e1a8a11e5744c6deb0cc1a55531cba3d0bd7f/analysis/; classtype:trojan-activity; sid:24885; rev:3; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Dorkbot variant outbound connection"; flow:to_server,established; http_uri; content:".php?ip="; content:"&os=",distance 0; content:"&name=",distance 0; content:"&id=",distance 0; metadata:ruleset community; service:http; reference:url,www.virustotal.com/file/c425af6875dff2c0627421086f66b7e058f51d22939478529702d193837c6cfe/analysis/; classtype:trojan-activity; sid:24886; rev:4; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET [139,445] ( msg:"NETBIOS SMB Trans2 FIND_FIRST2 find file and directory info request"; flow:to_server,established; content:"|FF|SMB2|00 00 00 00|",depth 9,offset 4; byte_test:1,!&,0x80,0,relative; content:"|01 00|",within 2,distance 52; byte_jump:2,-10,relative,from_beginning,little,post_offset 10; content:"|04 01|",within 2; flowbits:set,smb.trans2.fileinfo; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:netbios-ssn; classtype:protocol-command-decode; sid:24972; rev:6; ) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:11<=>20; http_method; content:"POST"; http_uri; content:".php"; http_header; content:"|3B 20|MSIE|20|"; content:!"|0D 0A|Accept|2D|Language|3A|"; content:!"|0D 
0A|Referer|3A|"; content:!"|0D 0A|Cookie|3A|"; http_client_body; content:!"Content-Disposition"; pkt_data; content:"Content-Length: ",nocase; byte_test:8,<,369,0,relative,string; http_client_body; pcre:"/[^\x20-\x7e\x0d\x0a]{4}/"; metadata:impact_flag red,ruleset community; service:http; classtype:trojan-activity; sid:25050; rev:9; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC ZeroAccess Clickserver callback"; flow:to_server,established; http_raw_uri; bufferlen:95; pkt_data; content:" HTTP/1.0|0D 0A|Host:",fast_pattern,nocase; http_uri; pcre:"/^\x2f[A-Z\d]{83}\x3d[A-Z\d]{10}$/i"; metadata:impact_flag red,ruleset community; service:http; classtype:trojan-activity; sid:25054; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC User-Agent known malicious user agent - NewBrandTest"; flow:to_server,established; http_header; content:"User-Agent|3A 20|NewBrandTest|0D 0A|",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,www.virustotal.com/file/02b18d0aa415e299515891b56424751e846ca917d3bb55b82f07cfb97f62c4e1/analysis/; classtype:trojan-activity; sid:25119; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.ZeroAccess URI and Referer"; flow:to_server,established; http_raw_uri; bufferlen:52; http_header; content:"/s/?k=",fast_pattern,nocase; http_uri; pcre:"/^\x2f[a-z0-9]{51}$/i"; http_header; pcre:"/Referer\x3a\s*?http\x3a\x2f{2}[a-z0-9\x2e\x2d]+\x2fs\x2f\x3fk\x3d/i"; metadata:ruleset community; service:http; classtype:trojan-activity; sid:25224; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Worm.Gamarue variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_raw_uri; bufferlen:12; http_uri; content:"/a/image.php",fast_pattern,nocase; http_header; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; metadata:impact_flag red,ruleset community; service:http; classtype:trojan-activity; sid:25256; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Skintrim variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/bin/check.php?cv="; http_header; content:"ThIs_Is_tHe_bouNdaRY_$",fast_pattern; metadata:ruleset community; service:http; reference:url,www.virustotal.com/file/80e67695fa394f56fd6ddae74b72e9050f651244aad52ad48ebe6304edff95e2/analysis/1357239259/; classtype:trojan-activity; sid:25257; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Rombrast variant outbound connection"; flow:to_server,established; http_uri; content:"/file.aspx?file=",fast_pattern,nocase; http_header; content:"ksp/WS"; metadata:ruleset community; service:http; reference:url,www.virustotal.com/file/af1ffe831112cbb34866fe1a65ed18613578039b002ca221757b791a5006894d/analysis/; classtype:trojan-activity; sid:25258; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.BancosBanload variant outbound connection"; flow:to_server,established; http_uri; content:".gif"; http_header; content:"|0D 0A|Accept|2D|Encoding|3A 20|gzip|2C|deflateidentity|0D 0A|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/file/098fa9dbc519669a50fc6f3cdc8d9e4b05a6f0c32d154f515e403b54d72efff6/analysis/1357138873/; classtype:trojan-activity; sid:25259; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Buterat variant outbound connection"; flow:to_server,established; http_header; content:"From|3A|"; content:"Via|3A|"; http_raw_uri; bufferlen:13; http_uri; pcre:"/^\x2f\d{3}\x2f\d{3}\x2ehtml$/"; metadata:ruleset community; service:http; reference:url,www.virustotal.com/file/90fb793d1fd7245b841ca4b195e3944a991d97d854090729062d700fe74553e5/analysis/; classtype:trojan-activity; sid:25269; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Buzus variant outbound connection"; flow:to_server,established; http_uri; content:"/default.aspx?ver="; content:"&uid=",distance 0; http_header; content:"|3B 20|MRA|20|5.10|20|"; http_uri; pcre:"/\x26uid\x3d[a-f0-9]{16}($|\x26)/"; metadata:ruleset community; service:http; classtype:trojan-activity; sid:25271; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Request for a non-legit postal receipt"; flow:to_server,established; http_uri; content:".php?php=receipt",fast_pattern,nocase; pcre:"/\x2f[a-z0-9]+\.php\?php\x3dreceipt$/i"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,urlquery.net/search.php?q=.php%3Fphp%3Dreceipt&type=string; classtype:misc-activity; sid:25277; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"APP-DETECT Acunetix web vulnerability scan attempt"; flow:to_server,established; flowbits:set,acunetix-scan; http_header; content:"Acunetix-",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,www.acunetix.com; classtype:web-application-attack; gid:1; sid:25358; rev:6; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"APP-DETECT Acunetix web vulnerability scanner probe attempt"; flow:to_server,established; http_uri; content:"/acunetix-wvs-test-for-some-inexistent-file",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,www.acunetix.com; classtype:web-application-attack; gid:1; sid:25359; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"APP-DETECT Acunetix web vulnerability scanner authentication attempt"; flow:to_server,established; http_uri; content:"password=g00dPa$$w0rD",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,www.acunetix.com; classtype:web-application-attack; gid:1; sid:25360; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"APP-DETECT Acunetix web vulnerability scanner RFI attempt"; flow:to_server,established; http_uri; content:"src=/testasp.vulnweb.com/",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,www.acunetix.com; classtype:web-application-attack; gid:1; sid:25361; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt"; flow:to_server,established; http_uri; content:"PHNjcmlwdD",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,www.acunetix.com; classtype:web-application-attack; gid:1; sid:25362; rev:4; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"APP-DETECT Acunetix web vulnerability scanner URI injection attempt"; flow:to_server,established; http_uri; content:"http:/www.acunetix.com",fast_pattern,nocase; http_header; content:"Acunetix-",nocase; metadata:ruleset community; service:http; reference:url,www.acunetix.com; classtype:web-application-attack; gid:1; sid:25363; rev:5; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt"; flow:to_server,established; http_uri; content:"|00|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/843ffd922b9bd902d736ddb664b578cde6e3033fa5a14b862b09045c36aa7524/analysis/1369942427/; classtype:trojan-activity; sid:26780; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC XP Fake Antivirus Payment Page Request"; flow:to_server,established; http_raw_uri; bufferlen:23; http_uri; content:"/content/img/awards.jpg",fast_pattern,nocase; http_header; pcre:"/\r\nReferer\x3A\x20http\x3A\x2F\x2f[a-z0-9\x2d\x2e]+\x2F\x3Fdo\x3Dpayment\x26ver\x3D\d+\x26sid\x3D\d+\x26sn\x3D\d+\r\n/"; metadata:ruleset community; service:http; reference:url,camas.comodo.com/cgi-bin/submit?file=cf3eff5320b0c8d41490e412e89b97559bf34fcde8f9934e5fb7c76467a679d8; classtype:trojan-activity; sid:26811; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC XP Fake Antivirus Check-in"; flow:to_server,established; http_raw_uri; bufferlen:11; http_header; content:"|3B| MSIE 6.0|3B| Windows NT 5.1)|0D 0A|Accept: */*|0D 0A|",fast_pattern,nocase; http_uri; pcre:"/^\x2F\d{10}$/"; metadata:ruleset community; service:http; reference:url,camas.comodo.com/cgi-bin/submit?file=cf3eff5320b0c8d41490e412e89b97559bf34fcde8f9934e5fb7c76467a679d8; classtype:trojan-activity; sid:26812; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackholev2 exploit kit Initial Gate from Linked-In Mailing Campaign"; flow:to_server,established; http_uri; bufferlen:17; content:"/linkendorse.html",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:26814; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page in.php base64 uri"; flow:to_server,established; http_raw_uri; bufferlen:<75; http_uri; content:"/in.php"; content:"&q=",distance 0; content:"==",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2010-0188; reference:cve,2012-0422; reference:cve,2012-0431; reference:cve,2012-0607; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-2423; classtype:trojan-activity; sid:26834; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC RDN Banker POST variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_client_body; content:"op=IncluirAvisos&",fast_pattern,nocase; content:"HostBD=",depth 7,offset 17; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/1a23f27b046af92b7dd2c4a8f8349c9fd9582ad91b5a61556470c58b15af3b26/analysis/1369251144/; classtype:trojan-activity; sid:26835; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC RDN Banker Strange Google Traffic"; flow:to_server,established; http_raw_uri; bufferlen:30; http_header; content:"User-Agent: Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest.5)",fast_pattern,nocase; content:"Host: www.google.com"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/1a23f27b046af92b7dd2c4a8f8349c9fd9582ad91b5a61556470c58b15af3b26/analysis/1369251144/; classtype:trojan-activity; sid:26836; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC BitBot Idle C2 response"; flow:to_client,established; file_data; content:"<|5C 5C 5C|>IDLE<|5C 5C 5C|>",depth 18; metadata:ruleset community; service:http; classtype:trojan-activity; sid:26837; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackholev2 exploit kit Initial Gate from NatPay Mailing Campaign"; flow:to_server,established; http_uri; content:"/natpay.html?",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:26838; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-BACKDOOR Win.Backdoor.Boda Malware Checkin"; flow:to_server,established; http_client_body; content:"macName=",depth 60; content:"&macOS=",within 100; content:"&macMac=",within 200; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:26842; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC ZeroAccess Encrypted 128-byte POST No Accept Headers"; flow:to_server,established; http_method; content:"POST"; http_header; content:"Content-Length: 128|0D 0A|",fast_pattern,nocase; pkt_data; content:" HTTP/1."; content:"|0D 0A|User-Agent: ",within 14,distance 1; http_header; content:!"|0D 0A|Accept"; http_client_body; pcre:"/[^ -~\x0d\x0a]{4}/"; metadata:ruleset community; service:http; classtype:trojan-activity; sid:26910; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Rombrast Trojan outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/info.php?act=",fast_pattern,nocase; pcre:"/^\/info\.php\?act\x3d(list|online)/"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/deac0b06fb36e38520b002489dae6fff3d346e72d331c3889e9d2764fe2bcf14/analysis/; classtype:trojan-activity; sid:26911; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Rombrast Trojan outbound connection"; flow:to_server,established; http_method; content:"POST"; http_client_body; content:"<|7C|>",fast_pattern,nocase; content:"data=",depth 5; content:"<|7C|>",within 3,distance 31; content:"<|7C|>",distance 0; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/deac0b06fb36e38520b002489dae6fff3d346e72d331c3889e9d2764fe2bcf14/analysis/; classtype:trojan-activity; sid:26912; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; http_uri; content:"/images/"; content:".php?id=",distance 1; pcre:"/\/images\/[a-zA-Z]\.php\?id\=[0-9]{2,3}(\.\d)?$/i"; metadata:ruleset community; service:http; classtype:trojan-activity; sid:26923; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Potential Gozi Trojan HTTP Header Structure"; flow:to_server,established; http_raw_uri; bufferlen:255<=>260; pkt_data; content:"= HTTP/1.",fast_pattern,nocase; http_uri; content:".php?"; http_header; content:!"Accept"; http_raw_uri; pcre:"/^\/[a-z]{2,20}\.php\?[a-z]{2,10}\x3d[a-zA-Z0-9\x2f\x2b]+\x3d$/"; metadata:impact_flag red,ruleset community; service:http; classtype:trojan-activity; sid:26924; rev:3; )
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SQL generic convert injection attempt - GET parameter"; flow:to_server,established; http_uri; content:"convert|28|",fast_pattern,nocase; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html; classtype:web-application-attack; sid:26925; rev:2; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit inbound java exploit download"; flow:to_client,established; http_header; content:"filename=atom.jar",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2013-2423; reference:url,www.basemont.com/new_exploit_kit_june_2013; classtype:trojan-activity; sid:26947; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit inbound java exploit download"; flow:to_client,established; http_header; content:"filename=site.jar",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2013-1493; reference:url,www.basemont.com/new_exploit_kit_june_2013; classtype:trojan-activity; sid:26948; rev:5; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit landing page"; flow:to_client,established; file_data; content:" $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Win32 Facebook Secure Cryptor C2"; flow:to_server,established; http_uri; content:"/forum/search.php?email="; content:"&method=",distance 0; http_header; content:!"Referer"; content:!"Accept-"; metadata:ruleset community; service:http; reference:url,blog.avast.com/2013/06/18/your-facebook-connection-is-now-secured; classtype:trojan-activity; sid:26965; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win32/Autorun.JN variant outbound connection"; flow:to_server,established; isdataat:141; isdataat:!142; http_raw_uri; bufferlen:8; http_uri; content:"/u5.htm",fast_pattern,nocase; http_raw_uri; content:"//u5.htm"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN; reference:url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/; classtype:trojan-activity; sid:26966; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Gozi Data Theft POST Data"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"data.php"; http_client_body; content:"|0D 0A|URL: ",fast_pattern,nocase; content:"Content-Disposition: form-data|3B| name="; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/b78c5c53d3b54acbca2b344a779528f0408258b6ac12899c860d99bf563e883a/analysis/; classtype:trojan-activity; sid:26968; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Gozi Trojan Data Theft POST URL"; flow:to_server,established; http_method; content:"POST"; http_uri; content:".php?version="; content:"&user=",distance 0; content:"&server=",distance 0; content:"&name=",distance 0; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/b78c5c53d3b54acbca2b344a779528f0408258b6ac12899c860d99bf563e883a/analysis/; classtype:trojan-activity; sid:26969; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Pirminay variant outbound connection"; flow:to_server,established; content:"Cookie: cache=cc2=",fast_pattern,nocase; http_cookie; content:"cache=cc2="; http_header; pcre:"/Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r\n/"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/97f97c2126ed6ffc447a5f8c72d504679129a38f8a62e4678321f9a8057c3307/analysis/; classtype:trojan-activity; sid:26970; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Injector Info Stealer Trojan variant outbound connection"; flow:to_server,established; http_uri; content:"/xgi-bin/",depth 9; content:".php?",within 5,distance 1; http_header; content:"|3B| MSIE "; content:!"Accept-Language:"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/4BAF26D033E17F0171AB27291649EEAE19EE33BD0246F17BC921E3ADB7F36F42/analysis/; classtype:trojan-activity; sid:26984; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Rawin exploit kit outbound java retrieval"; flow:to_server,established; http_uri; content:"rawin.php?b="; content:"&v=1.",distance 0; pcre:"/\.php\?b=[A-F0-9]+&v=1\./"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:26985; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Dapato variant inbound response connection"; flow:to_client,established; http_header; content:"Content-Length: 150|0D 0A|",fast_pattern,nocase; file_data; content:"|0D 0A|",depth 2,offset 4; content:"|0D 0A|",within 2,distance 4; content:"|0D 0A|",within 2,distance 4; pcre:"/^([A-F0-9]{4})\r\n\1\r\n\1\r\n([A-F0-9]{26})\r\n[A-F0-9]{48}\r\n\2\r\n\2$/"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/111ffe389dc8fa802b8aff3b4e02a2f59d1b6492763f9dc5a20a84f4da46932a/analysis/; classtype:trojan-activity; sid:27017; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.OnlineGameHack variant outbound connection"; flow:to_server,established; http_uri; content:"/get.asp?mac="; content:"&os=",within 36; metadata:ruleset community; service:http; reference:url,image.ahnlab.com/global/upload/download/asecreport/ASEC_Report_Vol.39_Eng.pdf; classtype:trojan-activity; sid:27039; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Styx exploit kit plugin detection connection jorg"; flow:to_server,established; http_uri; content:"/jorg.html",fast_pattern,nocase; pcre:"/\/jorg\.html$/"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27040; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Styx exploit kit plugin detection connection jlnp"; flow:to_server,established; http_uri; content:"/jlnp.html",fast_pattern,nocase; pcre:"/\/jlnp\.html$/"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27041; rev:4; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Styx exploit kit plugin detection connection jovf"; flow:to_server,established; http_uri; content:"/jovf.html",fast_pattern,nocase; pcre:"/\/jovf\.html$/"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27042; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC User-Agent known malicious user-agent string pb - Htbot"; flow:to_server,established; http_header; content:"User-Agent: pb|0D 0A|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,malwr.com/analysis/MTNlMDg4ZTQwZjU2NDUxM2EwZDNlYzllNjZkMjRkNDI/; reference:url,www.virustotal.com/en/file/36802c72d1d5addc87d16688dcb37b680fd48f832fa7b93c15cf4f426aa3f0a7/analysis/; classtype:trojan-activity; sid:27044; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Blocker Download"; flow:to_client,established; flowbits:isset,file.exe; http_header; content:"filename="; content:"security_cleaner.exe",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/6d4d93f68aaf783a2526d920fa3c070d061fd56853669a72a10b2c2232008582/analysis/1372086855/; classtype:trojan-activity; sid:27045; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"INDICATOR-COMPROMISE Unknown ?1 redirect"; flow:to_server,established; content:"GET /?1 HTTP/1.1",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:bad-unknown; sid:27047; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Unknown Malvertising exploit kit Hostile Jar pipe.class"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"PK"; content:"|00|pipe.class",distance 0; content:"|00|inc.class",distance 0; content:"|00|fdp.class",distance 0,fast_pattern; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:27085; rev:3; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Unknown Malvertising exploit kit stage-1 redirect"; flow:to_client,established; content:"|0A||0A||0A 0A|"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:27086; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit outbound portable executable request"; flow:to_server,established; http_uri; content:"php?sf="; content:"&Ze=",distance 0; content:"&m=",distance 0; pcre:"/php\?sf=\d+\&Ze=\d+\&m=\d+/"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:http; classtype:trojan-activity; sid:27110; rev:7; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit Zeroaccess download attempt"; flow:to_server,established; http_uri; content:"/?f=a"; content:"&k=",distance 0; pcre:"/\&k=\d+($|\&h=)/"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,www.basemont.com/new_exploit_kit_june_2013; reference:url,www.malwaresigs.com/2013/06/14/dotcachef/; classtype:trojan-activity; sid:27113; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Private exploit kit outbound traffic"; flow:to_server,established; http_uri; content:".php?"; http_header; content:"content-type: application/"; content:" Java/1"; http_uri; pcre:"/\x2ephp\x3f[a-z]+=[a-fA-Z0-9]+&[a-z]+=[0-9]+$/i"; metadata:policy balanced-ips alert,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,www.malwaresigs.com/2013/07/03/another-unknown-ek; classtype:trojan-activity; sid:27144; rev:3; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Meredrop variant outbound connection GET Request"; flow:to_server,established; http_uri; content:"/?",depth 2; content:"h=NT",fast_pattern,nocase; pcre:"/\.[A-Z\d]{8}\x2d[A-Z\d]{6}\x2d[A-Z\d]{6}\x2d[A-Z\d]{8}/"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/dfb0050cb7fd6c879027cbecda703613b8d9fb2b2a5682478dbcd0518172302c/analysis/1373576492/; classtype:trojan-activity; sid:27199; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Meredrop variant outbound connection POST Request"; flow:to_server,established; content:"POST"; http_header; content:"|3B 20|MSIE 28|3B 20|",fast_pattern,nocase; content:"User-Agent"; pcre:"/User\x2dAgent\x3a\x20[ -~]*?\.[A-Z\d]{8}\x2d[A-Z\d]{6}\x2d[A-Z\d]{6}\x2d[A-Z\d]{8}\x3b[ -~]*?\r\n/"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/dfb0050cb7fd6c879027cbecda703613b8d9fb2b2a5682478dbcd0518172302c/analysis/1373576492/; classtype:trojan-activity; sid:27200; rev:2; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Neurevt variant outbound connection"; flow:to_server,established; http_client_body; content:"ps0=",depth 4; content:"ps1=",distance 0; content:"cs1=",distance 0; content:"cs2=",distance 0; content:"cs3=",distance 0; pcre:"/ps0=[A-F0-9]*&ps1=[A-F0-9]*&cs1=[A-F0-9]*&cs2=[A-F0-9]*&cs3=[A-F0-9]*/"; metadata:impact_flag red,ruleset community; service:http; classtype:trojan-activity; sid:27201; rev:5; )
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"INDICATOR-COMPROMISE Apache auto_prepend_file a.control.bin C2 traffic"; flow:to_server,established; http_header; content:"User-Agent|3A| SEX|2F|1",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,blog.sucuri.net/2013/06/apache-php-injection-to-javascript-files.html; classtype:trojan-activity; sid:27203; rev:4; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Potential Bancos Brazilian Banking Trojan Browser Proxy Autoconfig File"; flow:to_client,established; file_data; content:"return |22|DIRECT|22|",fast_pattern,nocase; content:".com.br",nocase; pcre:"/\x22[a-z\d\x2e\x2d]{1,10}\x22\s{0,3}\+\s{0,3}\x22[a-z\d\x2e\x2d]{1,10}\x22\s{0,3}\+\s{0,3}\x22[a-z\d\x2e\x2d]{1,10}\x22/i"; metadata:impact_flag red,ruleset community; service:http; classtype:trojan-activity; sid:27204; rev:1; )
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Mac OSX FBI ransomware"; flow:to_client,established; file_data; content:"