alert tcp $HOME_NET 2589 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR - Dagger_1.4.0"; flow:to_client,established; content:"2|00 00 00 06 00 00 00|Drives|24 00|",depth 16; metadata:ruleset community; classtype:misc-activity; sid:105; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 7597 ( msg:"MALWARE-BACKDOOR QAZ Worm Client Login access"; flow:to_server,established; content:"qazwsx.hsq"; metadata:ruleset community; classtype:misc-activity; sid:108; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 12345:12346 ( msg:"MALWARE-BACKDOOR netbus getinfo"; flow:to_server,established; content:"GetInfo|0D|"; metadata:ruleset community; classtype:trojan-activity; sid:110; rev:10; )
alert tcp $HOME_NET 20034 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR NetBus Pro 2.0 connection established"; flow:to_client,established; flowbits:isset,backdoor.netbus_2.connect; content:"BN|10 00 02 00|",depth 6; content:"|05 00|",depth 2,offset 8; metadata:ruleset community; classtype:trojan-activity; sid:115; rev:15; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR Infector.1.x"; flow:to_client,established; content:"WHATISIT",depth 9; metadata:impact_flag red,ruleset community; reference:nessus,11157; classtype:misc-activity; sid:117; rev:17; )
alert tcp $HOME_NET 666 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR SatansBackdoor.2.0.Beta"; flow:to_client,established; content:"Remote|3A| ",depth 11,nocase; content:"You are connected to me.|0D 0A|Remote|3A| Ready for commands",distance 0,nocase; metadata:ruleset community; reference:url,www.megasecurity.org/trojans/s/satanzbackdoor/SBD2.0b.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=5260; classtype:trojan-activity; sid:118; rev:12; )
alert tcp $HOME_NET 6789 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR Doly 2.0 access"; flow:to_client,established; content:"Wtzup Use",depth 32; metadata:ruleset community; classtype:misc-activity; sid:119; rev:11; )
alert tcp $EXTERNAL_NET 1000:1300 -> $HOME_NET 146 ( msg:"MALWARE-BACKDOOR Infector 1.6 Client to Server Connection Request"; flow:to_server,established; content:"FC "; metadata:ruleset community; reference:nessus,11157; classtype:misc-activity; sid:121; rev:14; )
alert tcp $HOME_NET 31785 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR HackAttack 1.20 Connect"; flow:to_client,established; content:"host"; metadata:ruleset community; classtype:misc-activity; sid:141; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP ADMw0rm ftp login attempt"; flow:to_server,established; content:"USER",nocase; content:"w0rm",distance 1,nocase; pcre:"/^USER\s+w0rm/ims"; metadata:ruleset community; service:ftp; classtype:suspicious-login; sid:144; rev:16; )
alert tcp $HOME_NET 30100:30102 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR NetSphere access"; flow:to_client,established; content:"NetSphere"; metadata:ruleset community; classtype:trojan-activity; sid:146; rev:13; )
alert tcp $HOME_NET 6969 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR GateCrasher"; flow:to_client,established; content:"GateCrasher",depth 11,nocase; content:"Server",distance 0,nocase; content:"On-Line...",distance 0,nocase; pcre:"/^GateCrasher\s+v\d+\x2E\d+\x2C\s+Server\s+On-Line\x2E\x2E\x2E/ims"; metadata:policy max-detect-ips drop,ruleset community; reference:url,www.spywareguide.com/product_show.php?id=973; classtype:trojan-activity; sid:147; rev:12; )
alert tcp $HOME_NET 5401:5402 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR BackConstruction 2.1 Connection"; flow:to_client,established; content:"c|3A 5C|"; metadata:ruleset community; classtype:misc-activity; sid:152; rev:11; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 666 ( msg:"MALWARE-BACKDOOR BackConstruction 2.1 Client FTP Open Request"; flow:to_server,established; content:"FTPON"; metadata:ruleset community; classtype:misc-activity; sid:157; rev:9; )
alert tcp $HOME_NET 666 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR BackConstruction 2.1 Server FTP Open Reply"; flow:to_client,established; content:"FTP Port open"; metadata:ruleset community; classtype:misc-activity; sid:158; rev:10; )
alert udp $EXTERNAL_NET 3344 -> $HOME_NET 3345 ( msg:"MALWARE-BACKDOOR Matrix 2.0 Client connect"; flow:to_server; content:"activate"; metadata:ruleset community; classtype:misc-activity; sid:161; rev:10; )
alert udp $EXTERNAL_NET 3345 -> $HOME_NET 3344 ( msg:"MALWARE-BACKDOOR Matrix 2.0 Server access"; flow:to_server; content:"logged in"; metadata:ruleset community; classtype:misc-activity; sid:162; rev:10; )
alert tcp $HOME_NET 5714 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR WinCrash 1.0 Server Active"; flow:stateless; flags:AS,12; content:"|B4 B4|"; metadata:ruleset community; classtype:misc-activity; sid:163; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 ( msg:"MALWARE-BACKDOOR CDK"; flow:to_server,established; content:"ypi0ca",depth 15,nocase; metadata:ruleset community; classtype:misc-activity; sid:185; rev:10; )
alert udp $HOME_NET 2140 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR DeepThroat 3.1 Server Response"; flow:to_client; content:"Ahhhh My Mouth Is Open"; metadata:ruleset community; reference:nessus,10053; classtype:trojan-activity; sid:195; rev:15; )
alert tcp $HOME_NET 555 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR PhaseZero Server Active on Network"; flow:to_client,established; content:"phAse zero server",depth 17,nocase; metadata:policy max-detect-ips drop,ruleset community; reference:url,www.megasecurity.org/trojans/p/phasezero/PhaseZero1.0b.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=4539; classtype:trojan-activity; sid:208; rev:13; )
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"MALWARE-BACKDOOR w00w00 attempt"; flow:to_server,established; content:"w00w00"; metadata:ruleset community; classtype:attempted-admin; sid:209; rev:9; )
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"MALWARE-BACKDOOR attempt"; flow:to_server,established; content:"backdoor",nocase; metadata:ruleset community; classtype:attempted-admin; sid:210; rev:7; )
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"MALWARE-BACKDOOR MISC r00t attempt"; flow:to_server,established; content:"r00t"; metadata:ruleset community; classtype:attempted-admin; sid:211; rev:7; )
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"MALWARE-BACKDOOR MISC rewt attempt"; flow:to_server,established; content:"rewt"; metadata:ruleset community; classtype:attempted-admin; sid:212; rev:7; )
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"MALWARE-BACKDOOR MISC Linux rootkit attempt"; flow:to_server,established; content:"wh00t!"; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1014; classtype:attempted-admin; sid:213; rev:9; )
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"MALWARE-BACKDOOR MISC Linux rootkit attempt lrkr0x"; flow:to_server,established; content:"lrkr0x"; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1014; classtype:attempted-admin; sid:214; rev:9; )
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"MALWARE-BACKDOOR MISC Linux rootkit attempt"; flow:to_server,established; content:"d13hh[",nocase; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1014; classtype:attempted-admin; sid:215; rev:9; )
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"MALWARE-BACKDOOR MISC Linux rootkit satori attempt"; flow:to_server,established; content:"satori"; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1014; classtype:attempted-admin; sid:216; rev:12; )
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"MALWARE-BACKDOOR MISC sm4ck attempt"; flow:to_server,established; content:"hax0r"; metadata:ruleset community; classtype:attempted-admin; sid:217; rev:7; )
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"MALWARE-BACKDOOR MISC Solaris 2.5 attempt"; flow:to_server,established; content:"friday"; metadata:ruleset community; classtype:attempted-user; sid:218; rev:8; )
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"MALWARE-BACKDOOR HidePak backdoor attempt"; flow:to_server,established; content:"StoogR"; metadata:ruleset community; classtype:misc-activity; sid:219; rev:10; )
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"MALWARE-BACKDOOR HideSource backdoor attempt"; flow:to_server,established; content:"wank"; metadata:ruleset community; classtype:misc-activity; sid:220; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP TFN Probe"; icmp_id:678; itype:8; content:"1234",fast_pattern,nocase; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:221; rev:12; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP tfn2k icmp possible communication"; icmp_id:0; itype:0; content:"AAAAAAAAAA",fast_pattern,nocase; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:222; rev:10; )
alert udp $EXTERNAL_NET any -> $HOME_NET [31335,35555] ( msg:"MALWARE-OTHER Trin00 Daemon to Master PONG message detected"; flow:to_server; content:"PONG",fast_pattern,nocase; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:223; rev:13; )
alert icmp 3.3.3.3/32 any -> $EXTERNAL_NET any ( msg:"PROTOCOL-ICMP Stacheldraht server spoof"; icmp_id:666; itype:0; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:224; rev:10; )
alert icmp $HOME_NET any -> $EXTERNAL_NET any ( msg:"PROTOCOL-ICMP Stacheldraht gag server response"; icmp_id:669; itype:0; content:"sicken"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:225; rev:13; )
alert icmp $HOME_NET any -> $EXTERNAL_NET any ( msg:"PROTOCOL-ICMP Stacheldraht server response"; icmp_id:667; itype:0; content:"ficken"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:226; rev:13; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Stacheldraht client spoofworks"; icmp_id:1000; itype:0; content:"spoofworks"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:227; rev:13; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP TFN client command BE"; icmp_id:456; icmp_seq:0; itype:0; pcre:"/^[0-9]{1,5}\x00/"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:228; rev:11; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Stacheldraht client check skillz"; icmp_id:666; itype:0; content:"skillz"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:229; rev:12; )
alert tcp $HOME_NET 20432 -> $EXTERNAL_NET any ( msg:"MALWARE-OTHER shaft client login to handler"; flow:to_client,established; content:"login|3A|",fast_pattern,nocase; metadata:ruleset community; reference:cve,2000-0138; reference:url,security.royans.net/info/posts/bugtraq_ddos3.shtml; classtype:attempted-dos; sid:230; rev:13; )
alert udp $EXTERNAL_NET any -> $HOME_NET 31335 ( msg:"MALWARE-OTHER Trin00 Daemon to Master message detected"; flow:to_server; content:"l44",fast_pattern,nocase; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:231; rev:11; )
alert udp $EXTERNAL_NET any -> $HOME_NET 31335 ( msg:"MALWARE-OTHER Trin00 Daemon to Master *HELLO* message detected"; flow:to_server; content:"*HELLO*"; metadata:ruleset community; reference:cve,2000-0138; reference:url,www.sans.org/newlook/resources/IDFAQ/trinoo.htm; classtype:attempted-dos; sid:232; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 ( msg:"MALWARE-OTHER Trin00 Attacker to Master default startup password"; flow:to_server,established; content:"betaalmostdone"; metadata:ruleset community; reference:cve,2000-0138; reference:url,attack.mitre.org/techniques/T1078; classtype:attempted-dos; sid:233; rev:11; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 ( msg:"MALWARE-OTHER Trin00 Attacker to Master default password"; flow:to_server,established; content:"gOrave"; metadata:ruleset community; reference:cve,2000-0138; reference:url,attack.mitre.org/techniques/T1078; classtype:attempted-dos; sid:234; rev:9; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 ( msg:"MALWARE-OTHER Trin00 Attacker to Master default mdie password"; flow:to_server,established; content:"killme"; metadata:ruleset community; reference:cve,2000-0138; reference:url,attack.mitre.org/techniques/T1078; classtype:attempted-dos; sid:235; rev:9; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Stacheldraht client check gag"; icmp_id:668; itype:0; content:"gesundheit!"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:236; rev:13; )
alert udp $EXTERNAL_NET any -> $HOME_NET 27444 ( msg:"MALWARE-OTHER Trin00 Master to Daemon default password attempt"; flow:to_server; content:"l44adsl"; metadata:ruleset community; reference:cve,2000-0138; reference:url,attack.mitre.org/techniques/T1078; classtype:attempted-dos; sid:237; rev:11; )
alert icmp $HOME_NET any -> $EXTERNAL_NET any ( msg:"PROTOCOL-ICMP TFN server response"; icmp_id:123; itype:0; content:"shell bound"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:238; rev:14; )
alert udp $EXTERNAL_NET any -> $HOME_NET 18753 ( msg:"MALWARE-OTHER shaft handler to agent"; flow:to_server; content:"alive tijgu"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:239; rev:10; )
alert udp $EXTERNAL_NET any -> $HOME_NET 20433 ( msg:"MALWARE-OTHER shaft agent to handler"; flow:to_server; content:"alive"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:240; rev:10; )
alert udp $EXTERNAL_NET any -> $HOME_NET 6838 ( msg:"MALWARE-OTHER mstream agent to handler"; flow:to_server; content:"newserver"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:243; rev:8; )
alert udp $EXTERNAL_NET any -> $HOME_NET 10498 ( msg:"MALWARE-OTHER mstream handler to agent"; flow:to_server; content:"stream/"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:244; rev:8; )
alert udp $EXTERNAL_NET any -> $HOME_NET 10498 ( msg:"MALWARE-OTHER mstream handler ping to agent"; flow:to_server; content:"ping"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:245; rev:8; )
alert udp $EXTERNAL_NET any -> $HOME_NET 10498 ( msg:"MALWARE-OTHER mstream agent pong to handler"; flow:to_server; content:"pong"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:246; rev:8; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 12754 ( msg:"MALWARE-OTHER mstream client to handler"; flow:to_server,established; content:">"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:247; rev:8; )
alert tcp $HOME_NET 12754 -> $EXTERNAL_NET any ( msg:"MALWARE-OTHER mstream handler to client"; flow:to_client,established; content:">"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:248; rev:8; )
alert tcp $HOME_NET 15104 -> $EXTERNAL_NET any ( msg:"MALWARE-OTHER mstream handler to client"; flow:to_client,established; content:">"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:250; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP - TFN client command LE"; icmp_id:51201; icmp_seq:0; itype:0; pcre:"/^[0-9]{1,5}\x00/"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:251; rev:11; )
alert udp $EXTERNAL_NET 53 -> $HOME_NET any ( msg:"PROTOCOL-DNS SPOOF query response PTR with TTL of 1 min. and no authority"; flow:to_client; content:"|85 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 0C 00 01 00 00 00|<|00 0F|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:dns; classtype:bad-unknown; sid:253; rev:15; )
alert udp $EXTERNAL_NET 53 -> $HOME_NET any ( msg:"PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority"; flow:to_client; content:"|81 80|",depth 4,offset 2,fast_pattern; byte_test:2,>,0,0,relative,big; byte_test:2,>,0,2,relative,big; content:"|00 00 00 00|",within 4,distance 4; content:"|C0 0C 00 01 00 01|",distance 0; byte_test:4,<,61,0,relative,big; byte_test:4,>,0,0,relative,big; metadata:ruleset community; service:dns; classtype:bad-unknown; gid:1; sid:254; rev:17; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"PROTOCOL-DNS dns zone transfer via TCP detected"; flow:to_server,established; content:"|00 01 00 00 00 00 00|",depth 8,offset 6; byte_test:1,!&,0xF8,4; content:"|00 00 FC 00 01|",fast_pattern; isdataat:!1,relative; metadata:policy max-detect-ips drop,ruleset community; service:dns; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:255; rev:24; )
alert udp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"PROTOCOL-DNS named authors attempt"; flow:to_server; content:"|07|authors",offset 12,nocase; content:"|04|bind|00|",offset 12,nocase; metadata:policy max-detect-ips drop,ruleset community; service:dns; reference:nessus,10728; classtype:attempted-recon; sid:256; rev:16; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"PROTOCOL-DNS named version attempt"; flow:to_server,established; content:"|07|version",offset 12,nocase; content:"|04|bind|00|",offset 12,nocase; metadata:policy max-detect-ips drop,ruleset community; service:dns; reference:nessus,10028; classtype:attempted-recon; sid:257; rev:18; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"SERVER-OTHER Bind Buffer Overflow via NXT records"; flow:to_server,established; content:"../../../",fast_pattern,nocase; metadata:ruleset community; service:dns; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:258; rev:17; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"SERVER-OTHER Bind Buffer Overflow via NXT records named overflow ADM"; flow:to_server,established; content:"thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool",fast_pattern,nocase; metadata:ruleset community; service:dns; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:259; rev:18; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"SERVER-OTHER Bind Buffer Overflow via NXT records named overflow ADMROCKS"; flow:to_server,established; content:"ADMROCKS"; metadata:ruleset community; service:dns; reference:bugtraq,788; reference:cve,1999-0833; reference:url,www.cert.org/advisories/CA-1999-14.html; classtype:attempted-admin; sid:260; rev:19; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"SERVER-OTHER Bind named overflow attempt"; flow:to_server,established; content:"|CD 80 E8 D7 FF FF FF|/bin/sh",fast_pattern,nocase; metadata:ruleset community; service:dns; reference:url,www.cert.org/advisories/CA-1998-05.html; classtype:attempted-admin; sid:261; rev:16; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"OS-LINUX x86 Linux overflow attempt"; flow:to_server,established; content:"1|C0 B0|?1|DB B3 FF|1|C9 CD 80|1|C0|",fast_pattern,nocase; metadata:ruleset community; service:dns; classtype:attempted-admin; sid:262; rev:15; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"OS-LINUX x86 Linux overflow attempt"; flow:to_server,established; content:"1|C0 B0 02 CD 80 85 C0|uL|EB|L^|B0|"; metadata:ruleset community; service:dns; classtype:attempted-admin; sid:264; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"OS-LINUX x86 Linux overflow attempt ADMv2"; flow:to_server,established; content:"|89 F7 29 C7 89 F3 89 F9 89 F2 AC|<|FE|",fast_pattern,nocase; metadata:ruleset community; service:dns; classtype:attempted-admin; sid:265; rev:16; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"OS-OTHER x86 FreeBSD overflow attempt"; flow:to_server,established; content:"|EB|n^|C6 06 9A|1|C9 89|N|01 C6|F|05|"; metadata:ruleset community; service:dns; classtype:attempted-admin; sid:266; rev:15; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"OS-SOLARIS EXPLOIT sparc overflow attempt"; flow:to_server,established; content:"|90 1A C0 0F 90 02| |08 92 02| |0F D0 23 BF F8|",fast_pattern,nocase; metadata:ruleset community; service:dns; classtype:attempted-admin; sid:267; rev:13; )
alert udp any 19 <> any 7 ( msg:"SERVER-OTHER UDP echo+chargen bomb"; flow:to_server; metadata:policy max-detect-ips drop,ruleset community; reference:cve,1999-0103; reference:cve,1999-0635; classtype:attempted-dos; sid:271; rev:12; )
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft WIndows IGMP dos attack"; fragbits:M+; ip_proto:2; metadata:ruleset community; reference:bugtraq,514; reference:cve,1999-0918; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-034; classtype:attempted-dos; sid:272; rev:16; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP ath"; itype:8; content:"+++ath",fast_pattern,nocase; metadata:ruleset community; reference:cve,1999-1228; classtype:attempted-dos; sid:274; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 ( msg:"SERVER-OTHER RealNetworks Audio Server denial of service attempt"; flow:to_server,established; content:"|FF F4 FF FD 06|",fast_pattern,nocase; metadata:ruleset community; reference:cve,1999-0271; reference:nessus,10183; classtype:attempted-dos; sid:276; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 ( msg:"SERVER-OTHER RealNetworks Server template.html"; flow:to_server,established; content:"/viewsource/template.html?",fast_pattern,nocase; metadata:ruleset community; reference:bugtraq,1288; reference:cve,2000-0474; reference:nessus,10461; classtype:attempted-dos; sid:277; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( msg:"SERVER-OTHER RealNetworks Server template.html"; flow:to_server,established; content:"/viewsource/template.html?",fast_pattern,nocase; metadata:ruleset community; reference:bugtraq,1288; reference:cve,2000-0474; classtype:attempted-dos; sid:278; rev:13; )
alert udp $EXTERNAL_NET any -> $HOME_NET 161 ( msg:"SERVER-OTHER Bay/Nortel Nautica Marlin"; flow:to_server; dsize:0; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,1009; reference:cve,2000-0221; classtype:attempted-dos; sid:279; rev:11; )
alert udp $EXTERNAL_NET any -> $HOME_NET 9 ( msg:"SERVER-OTHER Ascend Route"; flow:to_server; content:"NAMENAME",depth 50,offset 25; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,714; reference:cve,1999-0060; classtype:attempted-dos; sid:281; rev:13; )
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any ( msg:"BROWSER-OTHER Netscape 4.7 client overflow"; flow:to_client,established; content:"3|C9 B1 10|?|E9 06|Q<|FA|G3|C0|P|F7 D0|P"; metadata:ruleset community; reference:bugtraq,822; reference:cve,1999-1189; reference:cve,2000-1187; classtype:attempted-user; sid:283; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( msg:"PROTOCOL-POP EXPLOIT x86 BSD overflow"; flow:to_server,established; content:"^|0E|1|C0 B0 3B 8D|~|0E 89 FA 89 F9|",fast_pattern,nocase; metadata:ruleset community; service:pop3; reference:bugtraq,133; reference:cve,1999-0006; reference:nessus,10196; classtype:attempted-admin; sid:286; rev:18; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( msg:"PROTOCOL-POP EXPLOIT x86 BSD overflow"; flow:to_server,established; content:"h]^|FF D5 FF D4 FF F5 8B F5 90|f1",fast_pattern,nocase; metadata:ruleset community; service:pop3; classtype:attempted-admin; sid:287; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( msg:"PROTOCOL-POP EXPLOIT x86 Linux overflow"; flow:to_server,established; content:"|D8|@|CD 80 E8 D9 FF FF FF|/bin/sh",fast_pattern,nocase; metadata:ruleset community; service:pop3; classtype:attempted-admin; sid:288; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( msg:"PROTOCOL-POP EXPLOIT x86 SCO overflow"; flow:to_server,established; content:"V|0E|1|C0 B0 3B 8D|~|12 89 F9 89 F9|",fast_pattern,nocase; metadata:ruleset community; service:pop3; reference:bugtraq,133; reference:bugtraq,156; reference:cve,1999-0006; classtype:attempted-admin; sid:289; rev:16; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( msg:"PROTOCOL-POP EXPLOIT qpopper overflow"; flow:to_server,established; content:"|E8 D9 FF FF FF|/bin/sh",fast_pattern,nocase; metadata:ruleset community; service:pop3; reference:bugtraq,830; reference:cve,1999-0822; reference:nessus,10184; classtype:attempted-admin; sid:290; rev:16; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"OS-LINUX x86 Linux samba overflow"; flow:to_server,established; content:"|EB|/_|EB|J^|89 FB 89|>|89 F2|"; metadata:ruleset community; reference:bugtraq,1816; reference:bugtraq,536; reference:cve,1999-0182; reference:cve,1999-0811; classtype:attempted-admin; sid:292; rev:11; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 2766 ( msg:"OS-SOLARIS Oracle Solaris npls x86 overflow"; flow:to_server,established; content:"|EB 23|^3|C0 88|F|FA 89|F|F5 89|6"; metadata:ruleset community; reference:bugtraq,2319; reference:cve,1999-1588; classtype:attempted-admin; sid:300; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 515 ( msg:"SERVER-OTHER LPRng overflow"; flow:to_server,established; content:"C|07 89|[|08 8D|K|08 89|C|0C B0 0B CD 80|1|C0 FE C0 CD 80 E8 94 FF FF FF|/bin/sh|0A|"; metadata:ruleset community; reference:bugtraq,1712; reference:cve,2000-0917; classtype:attempted-admin; sid:301; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 515 ( msg:"OS-LINUX Redhat 7.0 lprd overflow"; flow:to_server,established; content:"XXXX%.172u%300|24|n"; metadata:ruleset community; reference:bugtraq,1712; reference:cve,2000-0917; classtype:attempted-admin; sid:302; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"SERVER-OTHER Bind Buffer Overflow named tsig overflow attempt"; flow:to_server,established; content:"|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01|    |02|a"; metadata:policy max-detect-ips drop,ruleset community; service:dns; reference:bugtraq,2302; reference:cve,2001-0010; reference:nessus,10605; classtype:attempted-admin; sid:303; rev:24; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 6373 ( msg:"SERVER-OTHER SCO calserver overflow"; flow:to_server,established; content:"|EB 7F|]U|FE|M|98 FE|M|9B|"; metadata:ruleset community; reference:bugtraq,2353; reference:cve,2000-0306; classtype:attempted-admin; sid:304; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( msg:"SERVER-OTHER delegate proxy overflow"; flow:to_server,established; isdataat:1000; content:"whois|3A|//",nocase; metadata:ruleset community; reference:bugtraq,808; reference:cve,2000-0165; classtype:attempted-admin; sid:305; rev:15; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 ( msg:"SERVER-OTHER VQServer admin"; flow:to_server,established; content:"GET / HTTP/1.1",nocase; metadata:ruleset community; reference:bugtraq,1610; reference:cve,2000-0766; reference:nessus,10354; reference:url,www.vqsoft.com/vq/server/docs/other/control.html; classtype:attempted-admin; sid:306; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 6666:7000 ( msg:"SERVER-OTHER CHAT IRC topic overflow"; flow:to_client,established; content:"|EB|K[S2|E4 83 C3 0B|K|88 23 B8|Pw"; metadata:ruleset community; reference:bugtraq,573; reference:cve,1999-0672; classtype:attempted-user; sid:307; rev:12; )
alert tcp $EXTERNAL_NET 21 -> $HOME_NET any ( msg:"SERVER-OTHER NextFTP client overflow"; flow:to_client,established; content:"|B4| |B4|!|8B CC 83 E9 04 8B 19|3|C9|f|B9 10|"; metadata:ruleset community; service:ftp; reference:bugtraq,572; reference:cve,1999-0671; classtype:attempted-user; sid:308; rev:14; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL sniffit overflow"; flow:to_server,established; isdataat:512; flags:A+; content:"from|3A 90 90 90 90 90 90 90 90 90 90 90|",nocase; metadata:ruleset community; service:smtp; reference:bugtraq,1158; reference:cve,2000-0343; classtype:attempted-admin; sid:309; rev:17; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL x86 windows MailMax overflow"; flow:to_server,established; content:"|EB|E|EB| [|FC|3|C9 B1 82 8B F3 80|+",fast_pattern,nocase; metadata:ruleset community; service:smtp; reference:bugtraq,2312; reference:cve,1999-0404; classtype:attempted-admin; sid:310; rev:13; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 ( msg:"BROWSER-OTHER Netscape 4.7 unsucessful overflow"; flow:to_server,established; content:"3|C9 B1 10|?|E9 06|Q<|FA|G3|C0|P|F7 D0|P"; metadata:ruleset community; reference:bugtraq,822; reference:cve,1999-1189; reference:cve,2000-1187; classtype:unsuccessful-user; sid:311; rev:15; )
alert udp $EXTERNAL_NET any -> $HOME_NET 518 ( msg:"OS-LINUX ntalkd x86 Linux overflow"; flow:to_server; content:"|01 03 00 00 00 00 00 01 00 02 02 E8|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,210; classtype:attempted-admin; sid:313; rev:10; )
alert udp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"SERVER-OTHER Bind Buffer Overflow named tsig overflow attempt"; flow:to_server; content:"|80 00 07 00 00 00 00 00 01|?|00 01 02|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:dns; reference:bugtraq,2302; reference:cve,2001-0010; classtype:attempted-admin; sid:314; rev:23; )
alert udp $EXTERNAL_NET any -> $HOME_NET 635 ( msg:"OS-LINUX x86 Linux mountd overflow"; flow:to_server; content:"^|B0 02 89 06 FE C8 89|F|04 B0 06 89|F"; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:315; rev:11; )
alert udp $EXTERNAL_NET any -> $HOME_NET 635 ( msg:"OS-LINUX x86 Linux mountd overflow"; flow:to_server; content:"|EB|V^VVV1|D2 88|V|0B 88|V|1E|"; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:316; rev:11; )
alert udp $EXTERNAL_NET any -> $HOME_NET 635 ( msg:"OS-LINUX x86 Linux mountd overflow"; flow:to_server; content:"|EB|@^1|C0|@|89|F|04 89 C3|@|89 06|"; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:317; rev:11; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 ( msg:"PROTOCOL-FINGER cmd_rootsh backdoor attempt"; flow:to_server,established; content:"cmd_rootsh"; metadata:ruleset community; reference:nessus,10070; reference:url,www.sans.org/y2k/TFN_toolkit.htm; reference:url,www.sans.org/y2k/fingerd.htm; classtype:attempted-admin; sid:320; rev:15; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 ( msg:"PROTOCOL-FINGER account enumeration attempt"; flow:to_server,established; content:"a b c d e f",nocase; metadata:ruleset community; reference:nessus,10788; classtype:attempted-recon; sid:321; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 ( msg:"PROTOCOL-FINGER search query"; flow:to_server,established; content:"search"; metadata:ruleset community; reference:cve,1999-0259; classtype:attempted-recon; sid:322; rev:16; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 ( msg:"PROTOCOL-FINGER root query"; flow:to_server,established; content:"root"; metadata:ruleset community; classtype:attempted-recon; sid:323; rev:11; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 ( msg:"PROTOCOL-FINGER null request"; flow:to_server,established; content:"|00|"; metadata:ruleset community; reference:cve,1999-0612; classtype:attempted-recon; sid:324; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 ( msg:"PROTOCOL-FINGER remote command execution attempt"; flow:to_server,established; content:"|3B|"; metadata:ruleset community; reference:bugtraq,974; reference:cve,1999-0150; classtype:attempted-user; sid:326; rev:15; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 ( msg:"PROTOCOL-FINGER remote command pipe execution attempt"; flow:to_server,established; content:"|7C|"; metadata:ruleset community; reference:bugtraq,2220; reference:cve,1999-0152; classtype:attempted-user; sid:327; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 ( msg:"PROTOCOL-FINGER bomb attempt"; flow:to_server,established; content:"@@"; metadata:ruleset community; reference:cve,1999-0106; classtype:attempted-dos; sid:328; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 ( msg:"PROTOCOL-FINGER redirection attempt"; flow:to_server,established; content:"@"; metadata:ruleset community; reference:cve,1999-0105; reference:nessus,10073; classtype:attempted-recon; sid:330; rev:15; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 ( msg:"PROTOCOL-FINGER cybercop query"; flow:to_server,established; content:"|0A|     ",depth 10; metadata:ruleset community; reference:cve,1999-0612; classtype:attempted-recon; sid:331; rev:16; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 ( msg:"PROTOCOL-FINGER 0 query"; flow:to_server,established; content:"0"; metadata:ruleset community; reference:cve,1999-0197; reference:nessus,10069; classtype:attempted-recon; sid:332; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 ( msg:"PROTOCOL-FINGER . query"; flow:to_server,established; content:"."; metadata:ruleset community; reference:cve,1999-0198; reference:nessus,10072; classtype:attempted-recon; sid:333; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP .forward"; flow:to_server,established; content:".forward"; metadata:ruleset community; service:ftp; classtype:suspicious-filename-detect; sid:334; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP .rhosts"; flow:to_server,established; content:".rhosts"; metadata:policy max-detect-ips drop,ruleset community; service:ftp; classtype:suspicious-filename-detect; sid:335; rev:16; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP CWD ~root attempt"; flow:to_server,established; content:"CWD",nocase; content:"~root",distance 1,nocase; pcre:"/^CWD\s+~root/ims"; metadata:ruleset community; service:ftp; reference:cve,1999-0082; classtype:bad-unknown; sid:336; rev:17; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP CEL overflow attempt"; flow:to_server,established; content:"CEL",nocase; isdataat:100,relative; pcre:"/^CEL(?!\n)\s[^\n]{100}/ims"; metadata:ruleset community; service:ftp; reference:bugtraq,679; reference:cve,1999-0789; reference:nessus,10009; classtype:attempted-admin; sid:337; rev:21; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP adm scan"; flow:to_server,established; content:"PASS ddd@|0A|",fast_pattern,nocase; metadata:ruleset community; service:ftp; classtype:suspicious-login; sid:353; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP iss scan"; flow:to_server,established; content:"pass -iss@iss",fast_pattern,nocase; metadata:ruleset community; service:ftp; classtype:suspicious-login; sid:354; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP pass wh00t"; flow:to_server,established; content:"pass wh00t",fast_pattern,nocase; metadata:ruleset community; service:ftp; classtype:suspicious-login; sid:355; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP passwd retrieval attempt"; flow:to_server,established; content:"RETR",nocase; content:"passwd"; metadata:ruleset community; service:ftp; classtype:suspicious-filename-detect; sid:356; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP piss scan"; flow:to_server,established; content:"pass -cklaus",fast_pattern,nocase; metadata:ruleset community; service:ftp; reference:url,www.mines.edu/fs_home/dlarue/cc/baby-doe.html; classtype:suspicious-login; sid:357; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP saint scan"; flow:to_server,established; content:"pass -saint",fast_pattern,nocase; metadata:ruleset community; service:ftp; classtype:suspicious-login; sid:358; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP satan scan"; flow:to_server,established; content:"pass -satan",fast_pattern,nocase; metadata:ruleset community; service:ftp; classtype:suspicious-login; sid:359; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP serv-u directory traversal"; flow:to_server,established; content:".%20.",fast_pattern,nocase; metadata:ruleset community; service:ftp; reference:bugtraq,2052; reference:cve,2001-0054; reference:nessus,10565; classtype:bad-unknown; sid:360; rev:16; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP SITE EXEC attempt"; flow:to_server,established; content:"SITE",nocase; content:"EXEC",distance 0,nocase; pcre:"/^SITE\s+EXEC/ims"; metadata:ruleset community; service:ftp; reference:bugtraq,2241; reference:cve,1999-0080; reference:cve,1999-0955; classtype:bad-unknown; sid:361; rev:22; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP tar parameters"; flow:to_server,established; content:" --use-compress-program ",fast_pattern,nocase; metadata:ruleset community; service:ftp; reference:bugtraq,2240; reference:cve,1999-0202; reference:cve,1999-0997; classtype:bad-unknown; sid:362; rev:20; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP IRDP router advertisement"; itype:9; metadata:ruleset community; reference:bugtraq,578; reference:cve,1999-0875; classtype:misc-activity; sid:363; rev:11; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP IRDP router selection"; itype:10; metadata:ruleset community; reference:bugtraq,578; reference:cve,1999-0875; classtype:misc-activity; sid:364; rev:11; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING undefined code"; icode:>0; itype:8; metadata:ruleset community; classtype:misc-activity; sid:365; rev:11; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING Unix"; itype:8; content:"|10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F|",depth 32; metadata:ruleset community; classtype:misc-activity; sid:366; rev:11; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING BSDtype"; itype:8; content:"|08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17|",depth 32; metadata:ruleset community; classtype:misc-activity; sid:368; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING BayRS Router"; itype:8; content:"|01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F|",depth 32; metadata:ruleset community; classtype:misc-activity; sid:369; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING BeOS4.x"; itype:8; content:"|00 00 00 00 00 00 00 00 00 00 00 00 08 09 0A 0B|",depth 32; metadata:ruleset community; classtype:misc-activity; sid:370; rev:11; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING Cisco Type.x"; itype:8; content:"|AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD|",depth 32; metadata:ruleset community; classtype:misc-activity; sid:371; rev:11; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING Delphi-Piette Windows"; itype:8; content:"Pinging from Del",depth 32; metadata:ruleset community; classtype:misc-activity; sid:372; rev:11; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING Flowpoint2200 or Network Management Software"; itype:8; content:"|01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10|",depth 32; metadata:ruleset community; classtype:misc-activity; sid:373; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING IP NetMonitor Macintosh"; itype:8; content:"|A9| Sustainable So",depth 32; metadata:ruleset community; classtype:misc-activity; sid:374; rev:11; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING LINUX/*BSD"; dsize:8; id:13170; itype:8; metadata:ruleset community; classtype:misc-activity; sid:375; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING Microsoft Windows"; itype:8; content:"0123456789abcdefghijklmnop",depth 32; metadata:ruleset community; classtype:misc-activity; sid:376; rev:11; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING Network Toolbox 3 Windows"; itype:8; content:"================",depth 32; metadata:ruleset community; classtype:misc-activity; sid:377; rev:11; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING Ping-O-MeterWindows"; itype:8; content:"OMeterObeseArmad",depth 32; metadata:ruleset community; classtype:misc-activity; sid:378; rev:11; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING Pinger Windows"; itype:8; content:"Data|00 00 00 00 00 00 00 00 00 00 00 00|",depth 32; metadata:ruleset community; classtype:misc-activity; sid:379; rev:11; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING Seer Windows"; itype:8; content:"|88 04|              ",depth 32; metadata:ruleset community; classtype:misc-activity; sid:380; rev:11; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING Oracle Solaris"; dsize:8; itype:8; metadata:ruleset community; classtype:misc-activity; sid:381; rev:11; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING Windows"; itype:8; content:"abcdefghijklmnop",depth 16; metadata:ruleset community; classtype:misc-activity; sid:382; rev:11; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING"; icode:0; itype:8; metadata:ruleset community; classtype:misc-activity; sid:384; rev:8; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP traceroute"; itype:8; ttl:1; metadata:ruleset community; classtype:attempted-recon; sid:385; rev:8; )
alert icmp $HOME_NET any -> $EXTERNAL_NET any ( msg:"PROTOCOL-ICMP Address Mask Reply"; icode:0; itype:18; metadata:ruleset community; classtype:misc-activity; sid:386; rev:8; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Address Mask Reply undefined code"; icode:>0; itype:18; metadata:ruleset community; classtype:misc-activity; sid:387; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Address Mask Request"; icode:0; itype:17; metadata:ruleset community; classtype:misc-activity; sid:388; rev:8; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Address Mask Request undefined code"; icode:>0; itype:17; metadata:ruleset community; classtype:misc-activity; sid:389; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Alternate Host Address"; icode:0; itype:6; metadata:ruleset community; classtype:misc-activity; sid:390; rev:8; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Alternate Host Address undefined code"; icode:>0; itype:6; metadata:ruleset community; classtype:misc-activity; sid:391; rev:11; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Datagram Conversion Error"; icode:0; itype:31; metadata:ruleset community; classtype:misc-activity; sid:392; rev:8; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Datagram Conversion Error undefined code"; icode:>0; itype:31; metadata:ruleset community; classtype:misc-activity; sid:393; rev:11; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Destination Unreachable Destination Host Unknown"; icode:7; itype:3; metadata:ruleset community; classtype:misc-activity; sid:394; rev:9; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Destination Unreachable Destination Network Unknown"; icode:6; itype:3; metadata:ruleset community; classtype:misc-activity; sid:395; rev:9; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Destination Unreachable Fragmentation Needed and DF bit was set"; icode:4; itype:3; metadata:policy max-detect-ips drop,ruleset community; reference:cve,2004-0790; reference:cve,2005-0068; reference:cve,2015-7759; classtype:misc-activity; sid:396; rev:12; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Destination Unreachable Host Precedence Violation"; icode:14; itype:3; metadata:ruleset community; classtype:misc-activity; sid:397; rev:9; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Destination Unreachable Host Unreachable for Type of Service"; icode:12; itype:3; metadata:ruleset community; classtype:misc-activity; sid:398; rev:9; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Destination Unreachable Host Unreachable"; icode:1; itype:3; metadata:ruleset community; classtype:misc-activity; sid:399; rev:9; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Destination Unreachable Network Unreachable for Type of Service"; icode:11; itype:3; metadata:ruleset community; classtype:misc-activity; sid:400; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Destination Unreachable Network Unreachable"; icode:0; itype:3; metadata:ruleset community; classtype:misc-activity; sid:401; rev:9; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP destination unreachable port unreachable packet detected"; icode:3; itype:3; metadata:policy max-detect-ips drop,ruleset community; reference:cve,2004-0790; reference:cve,2005-0068; classtype:misc-activity; sid:402; rev:16; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Destination Unreachable Precedence Cutoff in effect"; icode:15; itype:3; metadata:ruleset community; classtype:misc-activity; sid:403; rev:9; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Destination Unreachable Protocol Unreachable"; icode:2; itype:3; metadata:policy max-detect-ips drop,ruleset community; reference:cve,2004-0790; reference:cve,2005-0068; classtype:misc-activity; sid:404; rev:14; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Destination Unreachable Source Host Isolated"; icode:8; itype:3; metadata:ruleset community; classtype:misc-activity; sid:405; rev:9; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Destination Unreachable Source Route Failed"; icode:5; itype:3; metadata:ruleset community; classtype:misc-activity; sid:406; rev:9; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Destination Unreachable cndefined code"; icode:>15; itype:3; metadata:ruleset community; classtype:misc-activity; sid:407; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Echo Reply"; icode:0; itype:0; metadata:ruleset community; classtype:misc-activity; sid:408; rev:8; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Echo Reply undefined code"; icode:>0; itype:0; metadata:ruleset community; classtype:misc-activity; sid:409; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Fragment Reassembly Time Exceeded"; icode:1; itype:11; metadata:ruleset community; classtype:misc-activity; sid:410; rev:8; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP IPV6 I-Am-Here"; icode:0; itype:34; metadata:ruleset community; classtype:misc-activity; sid:411; rev:8; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP IPV6 I-Am-Here undefined code"; icode:>0; itype:34; metadata:ruleset community; classtype:misc-activity; sid:412; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP IPV6 Where-Are-You"; icode:0; itype:33; metadata:ruleset community; classtype:misc-activity; sid:413; rev:8; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP IPV6 Where-Are-You undefined code"; icode:>0; itype:33; metadata:ruleset community; classtype:misc-activity; sid:414; rev:10; )
alert icmp $HOME_NET any -> $EXTERNAL_NET any ( msg:"PROTOCOL-ICMP Information Reply"; icode:0; itype:16; metadata:ruleset community; classtype:misc-activity; sid:415; rev:8; )
alert icmp $HOME_NET any -> $EXTERNAL_NET any ( msg:"PROTOCOL-ICMP Information Reply undefined code"; icode:>0; itype:16; metadata:ruleset community; classtype:misc-activity; sid:416; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Information Request"; icode:0; itype:15; metadata:ruleset community; classtype:misc-activity; sid:417; rev:8; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Information Request undefined code"; icode:>0; itype:15; metadata:ruleset community; classtype:misc-activity; sid:418; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Mobile Host Redirect"; icode:0; itype:32; metadata:ruleset community; classtype:misc-activity; sid:419; rev:8; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Mobile Host Redirect undefined code"; icode:>0; itype:32; metadata:ruleset community; classtype:misc-activity; sid:420; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Mobile Registration Reply"; icode:0; itype:36; metadata:ruleset community; classtype:misc-activity; sid:421; rev:8; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Mobile Registration Reply undefined code"; icode:>0; itype:36; metadata:ruleset community; classtype:misc-activity; sid:422; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Mobile Registration Request"; icode:0; itype:35; metadata:ruleset community; classtype:misc-activity; sid:423; rev:8; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Mobile Registration Request undefined code"; icode:>0; itype:35; metadata:ruleset community; classtype:misc-activity; sid:424; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Parameter Problem Bad Length"; icode:2; itype:12; metadata:ruleset community; classtype:misc-activity; sid:425; rev:9; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Parameter Problem Missing a Required Option"; icode:1; itype:12; metadata:ruleset community; classtype:misc-activity; sid:426; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Parameter Problem Unspecified Error"; icode:0; itype:12; metadata:ruleset community; classtype:misc-activity; sid:427; rev:9; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Parameter Problem undefined Code"; icode:>2; itype:12; metadata:ruleset community; classtype:misc-activity; sid:428; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Photuris Reserved"; icode:0; itype:40; metadata:ruleset community; classtype:misc-activity; sid:429; rev:9; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Photuris Unknown Security Parameters Index"; icode:1; itype:40; metadata:ruleset community; classtype:misc-activity; sid:430; rev:9; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Photuris Valid Security Parameters, But Authentication Failed"; icode:2; itype:40; metadata:ruleset community; classtype:misc-activity; sid:431; rev:9; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Photuris Valid Security Parameters, But Decryption Failed"; icode:3; itype:40; metadata:ruleset community; classtype:misc-activity; sid:432; rev:9; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Photuris undefined code!"; icode:>3; itype:40; metadata:ruleset community; classtype:misc-activity; sid:433; rev:11; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Redirect for TOS and Host"; icode:3; itype:5; metadata:ruleset community; reference:cve,1999-0265; classtype:misc-activity; sid:436; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Redirect for TOS and Network"; icode:2; itype:5; metadata:ruleset community; reference:cve,1999-0265; classtype:misc-activity; sid:437; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Redirect undefined code"; icode:>3; itype:5; metadata:ruleset community; reference:cve,1999-0265; classtype:misc-activity; sid:438; rev:13; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Reserved for Security Type 19"; icode:0; itype:19; metadata:ruleset community; classtype:misc-activity; sid:439; rev:9; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Reserved for Security Type 19 undefined code"; icode:>0; itype:19; metadata:ruleset community; classtype:misc-activity; sid:440; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Router Advertisement"; icode:0; itype:9; metadata:ruleset community; classtype:misc-activity; sid:441; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Router Selection"; icode:0; itype:10; metadata:ruleset community; classtype:misc-activity; sid:443; rev:9; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP SKIP"; icode:0; itype:39; metadata:ruleset community; classtype:misc-activity; sid:445; rev:8; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP SKIP undefined code"; icode:>0; itype:39; metadata:ruleset community; classtype:misc-activity; sid:446; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Source Quench undefined code"; icode:>0; itype:4; metadata:ruleset community; classtype:misc-activity; sid:448; rev:10; )
alert icmp $HOME_NET any -> $EXTERNAL_NET any ( msg:"PROTOCOL-ICMP Time-To-Live Exceeded in Transit"; icode:0; itype:11; metadata:ruleset community; classtype:misc-activity; sid:449; rev:9; )
alert icmp $HOME_NET any -> $EXTERNAL_NET any ( msg:"PROTOCOL-ICMP Time-To-Live Exceeded in Transit undefined code"; icode:>1; itype:11; metadata:ruleset community; classtype:misc-activity; sid:450; rev:11; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Timestamp Reply"; icode:0; itype:14; metadata:ruleset community; classtype:misc-activity; sid:451; rev:8; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Timestamp Reply undefined code"; icode:>0; itype:14; metadata:ruleset community; classtype:misc-activity; sid:452; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Timestamp Request"; icode:0; itype:13; metadata:ruleset community; classtype:misc-activity; sid:453; rev:8; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Timestamp Request undefined code"; icode:>0; itype:13; metadata:ruleset community; classtype:misc-activity; sid:454; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Traceroute"; icode:0; itype:30; metadata:ruleset community; classtype:misc-activity; sid:456; rev:8; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Traceroute undefined code"; icode:>0; itype:30; metadata:ruleset community; classtype:misc-activity; sid:457; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP unassigned type 1"; icode:0; itype:1; metadata:ruleset community; classtype:misc-activity; sid:458; rev:12; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP unassigned type 1 undefined code"; itype:1; metadata:ruleset community; classtype:misc-activity; sid:459; rev:12; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP unassigned type 2"; icode:0; itype:2; metadata:ruleset community; classtype:misc-activity; sid:460; rev:12; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP unassigned type 2 undefined code"; itype:2; metadata:ruleset community; classtype:misc-activity; sid:461; rev:12; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP unassigned type 7"; icode:0; itype:7; metadata:ruleset community; classtype:misc-activity; sid:462; rev:12; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP unassigned type 7 undefined code"; itype:7; metadata:ruleset community; reference:cve,1999-0454; classtype:misc-activity; sid:463; rev:14; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP ISS Pinger"; itype:8; content:"ISSPNGRQ",depth 32; metadata:ruleset community; classtype:attempted-recon; sid:465; rev:8; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP L3retriever Ping"; icode:0; itype:8; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI",depth 32; metadata:ruleset community; classtype:attempted-recon; sid:466; rev:9; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Nemesis v1.1 Echo"; dsize:20; icmp_id:0; icmp_seq:0; itype:8; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|",fast_pattern,nocase; metadata:ruleset community; classtype:attempted-recon; sid:467; rev:9; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP superscan echo"; dsize:8; itype:8; content:"|00 00 00 00 00 00 00 00|",fast_pattern,nocase; metadata:ruleset community; classtype:attempted-recon; sid:474; rev:9; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP webtrends scanner"; icode:0; itype:8; content:"|00 00 00 00|EEEEEEEEEEEE",fast_pattern,nocase; metadata:ruleset community; classtype:attempted-recon; sid:476; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING speedera"; itype:8; content:"89|3A 3B|<=>?",depth 100; metadata:ruleset community; classtype:misc-activity; sid:480; rev:9; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP TJPingPro1.1Build 2 Windows"; itype:8; content:"TJPingPro by Jim",depth 32; metadata:ruleset community; classtype:misc-activity; sid:481; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING WhatsupGold Windows"; itype:8; content:"WhatsUp - A Netw",depth 32; metadata:ruleset community; classtype:misc-activity; sid:482; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING CyberKit 2.2 Windows"; itype:8; content:"|AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA|",depth 32; metadata:ruleset community; classtype:misc-activity; sid:483; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING Sniffer Pro/NetXRay network scan"; itype:8; content:"Cinco Network, Inc.",depth 32; metadata:ruleset community; classtype:misc-activity; sid:484; rev:8; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP no password"; flow:to_server,established; content:"PASS",fast_pattern,nocase; pcre:"/^PASS\s*\n/ims"; metadata:policy max-detect-ips drop,ruleset community; service:ftp; classtype:unknown; sid:489; rev:19; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL battle-mail traffic"; flow:to_server,established; content:"BattleMail"; metadata:ruleset community; service:smtp; classtype:policy-violation; sid:490; rev:12; )
alert tcp $HOME_NET 21 -> $EXTERNAL_NET any ( msg:"PROTOCOL-FTP Bad login"; flow:to_client,established; content:"530 ",fast_pattern,nocase; pcre:"/^530\s+(Login|User)/ims"; metadata:ruleset community; service:ftp; classtype:bad-unknown; sid:491; rev:15; )
alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any ( msg:"PROTOCOL-TELNET login failed"; flow:to_client,established; content:"Login failed",nocase; metadata:ruleset community; service:telnet; classtype:bad-unknown; sid:492; rev:15; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"APP-DETECT psyBNC access"; flow:to_client,established; content:"Welcome!psyBNC@lam3rz.de",fast_pattern,nocase; metadata:ruleset community; classtype:bad-unknown; sid:493; rev:11; )
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE command completed"; flow:established; content:"Command completed",fast_pattern,nocase; pcre:"/^Command\s+?completed\b/ms"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1806; reference:cve,2000-0884; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-078; classtype:bad-unknown; sid:494; rev:21; )
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE command error"; flow:established; content:"Bad command or filename",nocase; metadata:ruleset community; service:http; classtype:bad-unknown; sid:495; rev:14; )
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE file copied ok"; flow:to_client,established; file_data; content:"1 file|28|s|29| copied",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1806; reference:cve,2000-0884; classtype:bad-unknown; sid:497; rev:21; )
alert ip any any -> any any ( msg:"INDICATOR-COMPROMISE id check returned root"; content:"uid=0|28|root|29|"; metadata:ruleset community; classtype:bad-unknown; sid:498; rev:11; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 1417 ( msg:"SERVER-OTHER Insecure TIMBUKTU Password"; flow:to_server,established; content:"|05 00|>",depth 16; metadata:ruleset community; classtype:bad-unknown; sid:505; rev:9; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 5631 ( msg:"PUA-OTHER PCAnywhere Attempted Administrator Login"; flow:to_server,established; content:"ADMINISTRATOR"; metadata:ruleset community; classtype:attempted-admin; sid:507; rev:7; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 70 ( msg:"SERVER-OTHER gopher proxy"; flow:to_server,established; content:"ftp|3A|",fast_pattern,nocase; content:"@/"; metadata:ruleset community; classtype:bad-unknown; sid:508; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP PCCS mysql database admin tool access"; flow:to_server,established; content:"pccsmysqladm/incs/dbconnect.inc",depth 36,nocase; metadata:ruleset community; service:http; reference:bugtraq,1557; reference:cve,2000-0707; reference:nessus,10783; classtype:web-application-attack; sid:509; rev:18; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 9000:9002 ( msg:"POLICY-OTHER HP JetDirect LCD modification attempt"; flow:to_server,established; content:"@PJL RDYMSG DISPLAY ="; metadata:ruleset community; reference:bugtraq,2245; classtype:misc-activity; sid:510; rev:12; )
alert tcp $HOME_NET 5631:5632 -> $EXTERNAL_NET any ( msg:"PUA-OTHER PCAnywhere Failed Login"; flow:to_client,established; content:"Invalid login",depth 16; metadata:ruleset community; classtype:unsuccessful-user; sid:512; rev:9; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 27374 ( msg:"SERVER-OTHER ramen worm"; flow:to_server,established; content:"GET ",depth 8,nocase; metadata:ruleset community; classtype:bad-unknown; sid:514; rev:9; )
alert udp $EXTERNAL_NET any -> $HOME_NET 161 ( msg:"PROTOCOL-SNMP NT UserList"; flow:to_server; content:"+|06 10|@|14 D1 02 19|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:snmp; reference:nessus,10546; classtype:attempted-recon; sid:516; rev:13; )
alert udp $EXTERNAL_NET any -> $HOME_NET 177 ( msg:"X11 xdmcp query"; flow:to_server; content:"|00 01 00 03 00 01 00|",fast_pattern,nocase; metadata:ruleset community; classtype:attempted-recon; sid:517; rev:7; )
alert udp $EXTERNAL_NET any -> $HOME_NET 69 ( msg:"PROTOCOL-TFTP Put"; flow:to_server; content:"|00 02|",depth 2; metadata:policy max-detect-ips drop,ruleset community; reference:cve,1999-0183; reference:url,github.com/rapid7/metasploit-framework/blob/unstable/unstable-modules/auxiliary/d20tftpbd.rb; classtype:bad-unknown; sid:518; rev:16; )
alert udp $EXTERNAL_NET any -> $HOME_NET 69 ( msg:"PROTOCOL-TFTP parent directory"; flow:to_server; content:"..",offset 2; metadata:policy max-detect-ips drop,ruleset community; reference:cve,1999-0183; reference:cve,2002-1209; reference:cve,2007-0888; reference:cve,2011-4722; classtype:bad-unknown; gid:1; sid:519; rev:16; )
alert udp $EXTERNAL_NET any -> $HOME_NET 69 ( msg:"PROTOCOL-TFTP root directory"; flow:to_server; content:"|00 01|/",depth 3; metadata:policy max-detect-ips drop,ruleset community; reference:cve,1999-0183; classtype:bad-unknown; sid:520; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] ( msg:"NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrShareEnum null policy handle attempt"; flow:to_server,established; dce_iface:uuid 4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:"15"; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,relative,dce,align; content:"|00 00 00 00|",within 4,distance 8; metadata:ruleset community; classtype:protocol-command-decode; sid:529; rev:16; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"OS-WINDOWS NT NULL session"; flow:to_server,established; content:"|00 00 00 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|N|00|T|00| |00|1|00|3|00|8|00|1"; metadata:ruleset community; reference:bugtraq,1163; reference:cve,2000-0347; classtype:attempted-recon; sid:530; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"NETBIOS SMB CD.."; flow:to_server,established; content:"|5C|../|00 00 00|"; metadata:ruleset community; classtype:attempted-recon; sid:534; rev:9; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"NETBIOS SMB CD..."; flow:to_server,established; content:"|5C|...|00 00 00|"; metadata:ruleset community; classtype:attempted-recon; sid:535; rev:9; )
alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 ( msg:"POLICY-SOCIAL Microsoft MSN message"; flow:established; content:"MSG ",depth 4; content:"Content-Type|3A|",nocase; content:"text/plain",distance 1; metadata:ruleset community; classtype:policy-violation; sid:540; rev:17; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"POLICY-SOCIAL ICQ access"; flow:to_server,established; content:"User-Agent|3A|ICQ",fast_pattern,nocase; metadata:ruleset community; classtype:policy-violation; sid:541; rev:15; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 ( msg:"POLICY-SOCIAL IRC nick change"; flow:to_server,established; isdataat:!139; content:"NICK ",fast_pattern,nocase; metadata:ruleset community; classtype:policy-violation; sid:542; rev:21; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"INDICATOR-COMPROMISE FTP 'STOR 1MB' possible warez site"; flow:to_server,established; content:"STOR",nocase; content:"1MB",distance 1,nocase; metadata:ruleset community; service:ftp; classtype:misc-activity; sid:543; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"INDICATOR-COMPROMISE FTP 'RETR 1MB' possible warez site"; flow:to_server,established; content:"RETR",nocase; content:"1MB",distance 1,nocase; metadata:ruleset community; service:ftp; classtype:misc-activity; sid:544; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"INDICATOR-COMPROMISE FTP 'CWD / ' possible warez site"; flow:to_server,established; content:"CWD",nocase; content:"/ ",distance 1; metadata:ruleset community; service:ftp; classtype:misc-activity; sid:545; rev:9; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"INDICATOR-COMPROMISE FTP 'CWD  ' possible warez site"; flow:to_server,established; content:"CWD  ",depth 5,nocase; metadata:ruleset community; service:ftp; classtype:misc-activity; sid:546; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"INDICATOR-COMPROMISE FTP 'MKD  ' possible warez site"; flow:to_server,established; content:"MKD  ",depth 5,nocase; metadata:ruleset community; service:ftp; classtype:misc-activity; sid:547; rev:11; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"INDICATOR-COMPROMISE FTP 'MKD .' possible warez site"; flow:to_server,established; content:"MKD .",depth 5,nocase; metadata:ruleset community; service:ftp; classtype:misc-activity; sid:548; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"POLICY-OTHER FTP anonymous login attempt"; flow:to_server,established; content:"USER",fast_pattern,nocase; pcre:"/^USER\s+(anonymous|ftp)[^\w]*[\r\n]/ims"; metadata:ruleset community; service:ftp; classtype:misc-activity; sid:553; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"INDICATOR-COMPROMISE FTP 'MKD / ' possible warez site"; flow:to_server,established; content:"MKD",nocase; content:"/ ",distance 1; metadata:ruleset community; service:ftp; classtype:misc-activity; sid:554; rev:10; )
alert tcp $HOME_NET 23 -> $EXTERNAL_NET any ( msg:"POLICY-OTHER WinGate telnet server response"; flow:to_client,established; content:"WinGate>"; metadata:ruleset community; reference:cve,1999-0657; classtype:misc-activity; sid:555; rev:13; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"PUA-P2P Outbound GNUTella client request"; flow:to_server,established; content:"GNUTELLA CONNECT",depth 40; metadata:ruleset community; classtype:policy-violation; sid:556; rev:10; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"PUA-P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA OK",depth 40; metadata:ruleset community; classtype:policy-violation; sid:557; rev:11; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"APP-DETECT VNC server response"; flow:established; content:"RFB 0",depth 5; content:".0",depth 2,offset 7; metadata:ruleset community; classtype:misc-activity; sid:560; rev:9; )
alert udp $EXTERNAL_NET any -> $HOME_NET 5632 ( msg:"APP-DETECT PCAnywhere server response"; content:"ST",depth 2; metadata:ruleset community; classtype:misc-activity; sid:566; rev:10; )
alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any ( msg:"SERVER-MAIL SMTP relaying denied"; flow:to_client,established; content:"550 5.7.1",depth 70; metadata:ruleset community; service:smtp; reference:url,mail-abuse.org/tsi/ar-fix.html; classtype:misc-activity; sid:567; rev:17; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 9100 ( msg:"POLICY-OTHER HP JetDirect LCD modification attempt"; flow:to_server,established; content:"@PJL RDYMSG DISPLAY ="; metadata:ruleset community; reference:bugtraq,2245; classtype:misc-activity; sid:568; rev:11; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC snmpXdmi overflow attempt TCP"; flow:to_server,established; content:"|00 01 87 99|",depth 4,offset 16; content:"|00 00 01 01|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|",depth 4,offset 8; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; reference:bugtraq,2417; reference:cve,2001-0236; reference:nessus,10659; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:569; rev:25; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 ( msg:"PROTOCOL-RPC DOS ttdbserv Solaris"; flow:to_server,established; content:"|00 00 00 00|",depth 4,offset 8; content:"|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|",depth 32,offset 16; metadata:ruleset community; reference:bugtraq,122; reference:cve,1999-0003; classtype:attempted-dos; sid:572; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC mountd TCP export request"; flow:to_server,established; content:"|00 01 86 A5|",depth 4,offset 16; content:"|00 00 00 05|",within 4,distance 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; classtype:attempted-recon; sid:574; rev:14; )
alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap admind request UDP"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:575; rev:17; )
alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap amountd request UDP"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; reference:bugtraq,205; reference:bugtraq,235; reference:bugtraq,450; reference:bugtraq,614; reference:cve,1999-0088; reference:cve,1999-0210; reference:cve,1999-0493; reference:cve,1999-0704; classtype:rpc-portmap-decode; sid:576; rev:17; )
alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap bootparam request UDP"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:577; rev:23; )
alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap cmsd request UDP"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:578; rev:17; )
alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap mountd request UDP"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:579; rev:17; )
alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap nisd request UDP"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 CC|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; reference:cve,1999-0008; classtype:rpc-portmap-decode; sid:580; rev:21; )
alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap pcnfsd request UDP"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02|I|F1|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; reference:bugtraq,205; reference:bugtraq,4816; reference:cve,1999-0078; reference:cve,1999-0353; reference:cve,2002-0910; classtype:rpc-portmap-decode; sid:581; rev:18; )
alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap rexd request UDP"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:582; rev:17; )
alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap rstatd request UDP"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:583; rev:18; )
alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap rusers request UDP"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:584; rev:20; )
alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC Solaris UDP portmap sadmin port query request attempt"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; reference:bugtraq,8615; reference:cve,2003-0722; classtype:rpc-portmap-decode; sid:585; rev:18; )
alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap selection_svc request UDP"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; reference:bugtraq,8; reference:cve,1999-0209; classtype:rpc-portmap-decode; sid:586; rev:18; )
alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap status request UDP"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:587; rev:17; )
alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap ttdbserv request UDP"; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:588; rev:27; )
alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap yppasswd request UDP"; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:589; rev:16; )
alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap ypserv request UDP"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:590; rev:22; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap ypupdated request TCP"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|",within 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:sunrpc; reference:bugtraq,1749; reference:cve,1999-0208; classtype:rpc-portmap-decode; sid:591; rev:22; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap snmpXdmi request TCP"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|",within 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; reference:bugtraq,2417; reference:cve,2001-0236; reference:nessus,10659; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:593; rev:31; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap espd request TCP"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|u",within 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; service:sunrpc; reference:bugtraq,2714; reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:595; rev:22; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap listing TCP 111"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 04|",within 4,distance 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:598; rev:23; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 ( msg:"PROTOCOL-RPC portmap listing TCP 32771"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 04|",within 4,distance 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; classtype:rpc-portmap-decode; sid:599; rev:17; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 513 ( msg:"PROTOCOL-SERVICES rlogin LinuxNIS"; flow:to_server,established; content:"|3A 3A 3A 3A 3A 3A 3A 3A 00 3A 3A 3A 3A 3A 3A 3A 3A|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; classtype:bad-unknown; sid:601; rev:11; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 513 ( msg:"PROTOCOL-SERVICES rlogin bin"; flow:to_server,established; content:"bin|00|bin|00|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; classtype:attempted-user; sid:602; rev:11; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 513 ( msg:"PROTOCOL-SERVICES rlogin echo++"; flow:to_server,established; content:"echo |22| + + |22|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; classtype:bad-unknown; sid:603; rev:11; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 513 ( msg:"PROTOCOL-SERVICES Unix rlogin froot parameter root access attempt"; flow:to_server,established; content:"-froot|00|",fast_pattern,nocase; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:bugtraq,458; reference:cve,1999-0113; classtype:attempted-admin; sid:604; rev:15; )
alert tcp $HOME_NET 513 -> $EXTERNAL_NET any ( msg:"PROTOCOL-SERVICES rlogin login failure"; flow:to_client,established; content:"login incorrect",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; classtype:unsuccessful-user; sid:605; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 513 ( msg:"PROTOCOL-SERVICES rlogin root"; flow:to_server,established; content:"root|00|root|00|",depth 11; stream_size:1,to_client; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; classtype:attempted-admin; gid:1; sid:606; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 514 ( msg:"PROTOCOL-SERVICES rsh bin"; flow:to_server,established; content:"bin|00|bin|00|",fast_pattern,nocase; metadata:ruleset community; classtype:attempted-user; sid:607; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 514 ( msg:"PROTOCOL-SERVICES rsh echo + +"; flow:to_server,established; content:"echo |22|+ +|22|",fast_pattern,nocase; metadata:ruleset community; classtype:attempted-user; sid:608; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 514 ( msg:"PROTOCOL-SERVICES rsh froot"; flow:to_server,established; content:"-froot|00|",fast_pattern,nocase; metadata:ruleset community; classtype:attempted-admin; sid:609; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 514 ( msg:"PROTOCOL-SERVICES rsh root"; flow:to_server,established; content:"|00|root|00|",fast_pattern,nocase; pcre:"/^(\d{1,5})?\x00?[^\x00]+?\x00root\x00/i"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:bugtraq,57221; reference:cve,2012-6392; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130109-lms; classtype:attempted-admin; sid:610; rev:17; )
alert tcp $HOME_NET 513 -> $EXTERNAL_NET any ( msg:"PROTOCOL-SERVICES rlogin login failure"; flow:to_client,established; content:"|01|rlogind|3A| Permission denied.",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; classtype:unsuccessful-user; sid:611; rev:14; )
alert udp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC rusers query UDP"; content:"|00 01 86 A2|",depth 4,offset 12; content:"|00 00 00 02|",within 4,distance 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; reference:cve,1999-0626; classtype:attempted-recon; sid:612; rev:12; )
alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any ( msg:"INDICATOR-SCAN myscan"; flow:stateless; ack:0; flags:S; ttl:>220; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:613; rev:11; )
alert tcp $EXTERNAL_NET 31790 -> $HOME_NET 31789 ( msg:"MALWARE-BACKDOOR hack-a-tack attempt"; flow:stateless; flags:A+; content:"A",depth 1; metadata:ruleset community; classtype:attempted-recon; sid:614; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 113 ( msg:"INDICATOR-SCAN ident version request"; flow:to_server,established; content:"VERSION|0A|",depth 16; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:616; rev:9; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 ( msg:"INDICATOR-SCAN cybercop os probe"; flow:stateless; isdataat:!0; flags:12FS; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:619; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SCAN ipEye SYN scan"; flow:stateless; flags:S; seq:1958810375; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:622; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SCAN cybercop os PA12 attempt"; flow:stateless; flags:12AP; content:"AAAAAAAAAAAAAAAA",depth 16; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:626; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SCAN cybercop os SFU12 probe"; flow:stateless; ack:0; flags:12FSU; content:"AAAAAAAAAAAAAAAA",depth 16; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:627; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SCAN synscan portscan"; flow:stateless; flags:FS; id:39426; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:630; rev:11; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL ehlo cybercop attempt"; flow:to_server,established; content:"ehlo cybercop|0A|quit|0A|",fast_pattern,nocase; metadata:ruleset community; service:smtp; classtype:protocol-command-decode; sid:631; rev:16; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL expn cybercop attempt"; flow:to_server,established; content:"expn cybercop",fast_pattern,nocase; metadata:ruleset community; service:smtp; classtype:protocol-command-decode; sid:632; rev:15; )
alert udp $EXTERNAL_NET any -> $HOME_NET 10080:10081 ( msg:"INDICATOR-SCAN Amanda client-version request"; flow:to_server; content:"Amanda",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:634; rev:10; )
alert udp $EXTERNAL_NET any -> $HOME_NET 49 ( msg:"INDICATOR-SCAN XTACACS logout"; flow:to_server; content:"|80 07 00 00 07 00 00 04 00 00 00 00 00|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:bad-unknown; sid:635; rev:11; )
alert udp $EXTERNAL_NET any -> $HOME_NET 7 ( msg:"INDICATOR-SCAN cybercop udp bomb"; flow:to_server; content:"cybercop",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:bad-unknown; sid:636; rev:9; )
alert udp $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SCAN Webtrends Scanner UDP Probe"; flow:to_server; content:"|0A|help|0A|quite|0A|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,www.netiq.com/products/vsm/default.asp; classtype:attempted-recon; sid:637; rev:13; )
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE SGI NOOP"; content:"|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%",fast_pattern,nocase; metadata:ruleset community; classtype:shellcode-detect; sid:638; rev:11; )
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE SGI NOOP"; content:"|24 0F 12|4|24 0F 12|4|24 0F 12|4|24 0F 12|4",fast_pattern,nocase; metadata:ruleset community; classtype:shellcode-detect; sid:639; rev:11; )
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE AIX NOOP"; content:"O|FF FB 82|O|FF FB 82|O|FF FB 82|O|FF FB 82|",fast_pattern,nocase; metadata:ruleset community; classtype:shellcode-detect; sid:640; rev:11; )
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE Digital UNIX NOOP"; content:"G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|",fast_pattern,nocase; metadata:ruleset community; classtype:shellcode-detect; sid:641; rev:12; )
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE HP-UX NOOP"; content:"|08|!|02 80 08|!|02 80 08|!|02 80 08|!|02 80|",fast_pattern,nocase; metadata:ruleset community; classtype:shellcode-detect; sid:642; rev:12; )
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE HP-UX NOOP"; content:"|0B|9|02 80 0B|9|02 80 0B|9|02 80 0B|9|02 80|",fast_pattern,nocase; metadata:ruleset community; classtype:shellcode-detect; sid:643; rev:13; )
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE sparc NOOP"; content:"|13 C0 1C A6 13 C0 1C A6 13 C0 1C A6 13 C0 1C A6|",fast_pattern,nocase; metadata:ruleset community; classtype:shellcode-detect; sid:644; rev:11; )
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE sparc NOOP"; content:"|80 1C|@|11 80 1C|@|11 80 1C|@|11 80 1C|@|11|",fast_pattern,nocase; metadata:ruleset community; classtype:shellcode-detect; sid:645; rev:11; )
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE sparc NOOP"; content:"|A6 1C C0 13 A6 1C C0 13 A6 1C C0 13 A6 1C C0 13|",fast_pattern,nocase; metadata:ruleset community; classtype:shellcode-detect; sid:646; rev:11; )
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE Oracle sparc setuid 0"; content:"|82 10| |17 91 D0| |08|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; classtype:system-call-detect; sid:647; rev:15; )
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 NOOP"; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; classtype:shellcode-detect; sid:648; rev:18; )
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 setgid 0"; content:"|B0 B5 CD 80|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; classtype:system-call-detect; sid:649; rev:15; )
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 setuid 0"; content:"|B0 17 CD 80|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; classtype:system-call-detect; sid:650; rev:15; )
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE Linux shellcode"; content:"|90 90 90 E8 C0 FF FF FF|/bin/sh",fast_pattern,nocase; metadata:ruleset community; classtype:shellcode-detect; sid:652; rev:15; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL RCPT TO overflow"; flow:to_server,established; content:"rcpt to|3A|",nocase; isdataat:256,relative; pcre:"/^RCPT TO\x3a\s*\x3c?[^\n\x3e]{256}/im"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:smtp; reference:bugtraq,2283; reference:bugtraq,43182; reference:bugtraq,9696; reference:cve,2001-0260; reference:cve,2003-0694; reference:cve,2008-0394; reference:cve,2009-0410; reference:cve,2010-2580; classtype:attempted-admin; sid:654; rev:29; )
alert tcp $EXTERNAL_NET 113 -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|D/"; metadata:ruleset community; service:smtp; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-admin; sid:655; rev:16; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Netmanager chameleon SMTPd buffer overflow attempt"; flow:to_server,established; content:"HELP",nocase; isdataat:500,relative; pcre:"/^HELP\s[^\n]{500}/ims"; metadata:ruleset community; service:smtp; reference:bugtraq,2387; reference:cve,1999-0261; classtype:attempted-admin; sid:657; rev:20; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Microsoft Windows Exchange Server 5.5 mime DOS"; flow:to_server,established; content:"charset = |22 22|",nocase; metadata:ruleset community; service:smtp; reference:bugtraq,1869; reference:cve,2000-1006; reference:nessus,10558; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-082; classtype:attempted-dos; sid:658; rev:19; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Sendmail expn decode"; flow:to_server,established; content:"expn",nocase; content:"decode",fast_pattern,nocase; pcre:"/^expn\s+decode/ims"; metadata:ruleset community; service:smtp; reference:cve,1999-0096; reference:nessus,10248; classtype:attempted-recon; sid:659; rev:18; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL expn root"; flow:to_server,established; content:"expn",nocase; content:"root",fast_pattern,nocase; pcre:"/^expn\s+root/ims"; metadata:ruleset community; service:smtp; reference:nessus,10249; classtype:attempted-recon; sid:660; rev:19; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Majordomo ifs"; flow:to_server,established; content:"eply-to|3A| a~.`/bin/",fast_pattern,nocase; metadata:ruleset community; service:smtp; reference:bugtraq,2310; reference:cve,1999-0207; classtype:attempted-admin; sid:661; rev:18; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Sendmail 5.5.5 exploit"; flow:to_server,established; content:"mail from|3A| |22 7C|",fast_pattern,nocase; metadata:ruleset community; service:smtp; reference:cve,1999-0203; reference:nessus,10258; classtype:attempted-admin; sid:662; rev:17; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Sendmail rcpt to command attempt"; flow:to_server,established; content:"rcpt to|3A|",fast_pattern,nocase; pcre:"/^rcpt\s+to\:\s*[\x7c\x3b]/ims"; metadata:ruleset community; service:smtp; reference:bugtraq,1; reference:cve,1999-0095; classtype:attempted-admin; sid:663; rev:24; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Sendmail RCPT TO decode attempt"; flow:to_server,established; content:"rcpt to|3A|",nocase; content:"decode",distance 0,nocase; pcre:"/^rcpt to\:\s*decode/ims"; metadata:ruleset community; service:smtp; reference:bugtraq,2308; reference:cve,1999-0203; classtype:attempted-admin; sid:664; rev:23; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Sendmail 5.6.5 exploit"; flow:to_server,established; content:"MAIL FROM|3A| |7C|/usr/ucb/tail",fast_pattern,nocase; metadata:ruleset community; service:smtp; reference:bugtraq,2308; reference:cve,1999-0203; classtype:attempted-user; sid:665; rev:17; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Sendmail 8.6.10 exploit"; flow:to_server,established; content:"Croot|0D 0A|Mprog, P=/bin/",fast_pattern,nocase; metadata:ruleset community; service:smtp; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:667; rev:17; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Sendmail 8.6.10 exploit"; flow:to_server,established; content:"Croot|09 09 09 09 09 09 09|Mprog,P=/bin",fast_pattern,nocase; metadata:ruleset community; service:smtp; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:668; rev:17; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|Croot|0A|Mprog",fast_pattern,nocase; metadata:ruleset community; service:smtp; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:669; rev:17; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|C|3A|daemon|0A|R",fast_pattern,nocase; metadata:ruleset community; service:smtp; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:670; rev:16; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Sendmail 8.6.9c exploit"; flow:to_server,established; content:"|0A|Croot|0D 0A|Mprog",fast_pattern,nocase; metadata:ruleset community; service:smtp; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:671; rev:17; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL vrfy decode"; flow:to_server,established; content:"vrfy",nocase; content:"decode",distance 1,nocase; pcre:"/^vrfy\s+decode/ims"; metadata:ruleset community; service:smtp; reference:cve,1999-0096; classtype:attempted-recon; sid:672; rev:17; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 ( msg:"SQL sp_start_job - program execution"; flow:to_server,established; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|",fast_pattern,nocase; metadata:ruleset community; classtype:attempted-user; sid:673; rev:9; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 ( msg:"SQL sp_start_job - program execution"; flow:to_server,established; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|",depth 32,offset 32,nocase; metadata:ruleset community; classtype:attempted-user; sid:676; rev:9; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 ( msg:"SQL sp_password password change"; flow:to_server,established; content:"s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|",fast_pattern,nocase; metadata:ruleset community; classtype:attempted-user; sid:677; rev:10; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 ( msg:"SQL sp_delete_alert log file deletion"; flow:to_server,established; content:"s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|",fast_pattern,nocase; metadata:ruleset community; classtype:attempted-user; sid:678; rev:10; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 ( msg:"SQL sp_adduser database user creation"; flow:to_server,established; content:"s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|",depth 32,offset 32,nocase; metadata:ruleset community; classtype:attempted-user; sid:679; rev:9; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 ( msg:"SQL xp_cmdshell program execution"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|",offset 32,nocase; metadata:ruleset community; reference:bugtraq,5309; classtype:attempted-user; sid:681; rev:10; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 ( msg:"SQL sp_password - password change"; flow:to_server,established; content:"s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|",fast_pattern,nocase; metadata:ruleset community; classtype:attempted-user; sid:683; rev:9; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 ( msg:"SQL sp_delete_alert log file deletion"; flow:to_server,established; content:"s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|r|00|t|00|",fast_pattern,nocase; metadata:ruleset community; classtype:attempted-user; sid:684; rev:9; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 ( msg:"SQL sp_adduser - database user creation"; flow:to_server,established; content:"s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|",fast_pattern,nocase; metadata:ruleset community; classtype:attempted-user; sid:685; rev:9; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 ( msg:"SERVER-MSSQL xp_reg* - registry access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|g|00|",fast_pattern,nocase; metadata:ruleset community; reference:bugtraq,5205; reference:cve,2002-0642; reference:nessus,10642; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-034; classtype:attempted-user; sid:686; rev:17; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 ( msg:"SQL xp_cmdshell - program execution"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|",fast_pattern,nocase; metadata:ruleset community; reference:bugtraq,5309; classtype:attempted-user; sid:687; rev:10; )
alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any ( msg:"SQL sa login failed"; flow:to_client,established; content:"Login failed for user 'sa'",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:688; rev:18; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 ( msg:"SERVER-MSSQL xp_reg* registry access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|g|00|",depth 32,offset 32,nocase; metadata:ruleset community; reference:bugtraq,5205; reference:cve,2002-0642; reference:nessus,10642; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-034; classtype:attempted-user; sid:689; rev:16; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 ( msg:"INDICATOR-SHELLCODE shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; metadata:ruleset community; classtype:shellcode-detect; sid:691; rev:9; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 ( msg:"INDICATOR-SHELLCODE shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; metadata:ruleset community; classtype:shellcode-detect; sid:692; rev:10; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 ( msg:"INDICATOR-SHELLCODE shellcode attempt"; flow:to_server,established; content:"H|00|%|00|x|00|w|00 90 00 90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|"; metadata:ruleset community; classtype:shellcode-detect; sid:693; rev:9; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 ( msg:"INDICATOR-SHELLCODE shellcode attempt"; flow:to_server,established; content:"H|00|%|00|x|00|w|00 90 00 90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|"; metadata:ruleset community; classtype:attempted-user; sid:694; rev:10; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 ( msg:"SERVER-MSSQL xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|",offset 32,nocase; metadata:ruleset community; reference:bugtraq,1204; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-060; classtype:attempted-user; sid:695; rev:14; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 ( msg:"SERVER-MSSQL xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|",fast_pattern,nocase; metadata:ruleset community; reference:bugtraq,1204; reference:bugtraq,3733; reference:cve,2001-0542; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-060; classtype:attempted-user; sid:704; rev:16; )
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"PROTOCOL-TELNET 4Dgifts SGI account attempt"; flow:to_server,established; content:"4Dgifts"; metadata:ruleset community; service:telnet; reference:cve,1999-0501; reference:nessus,11243; classtype:suspicious-login; sid:709; rev:17; )
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"PROTOCOL-TELNET EZsetup account attempt"; flow:to_server,established; content:"OutOfBox"; metadata:ruleset community; service:telnet; reference:cve,1999-0501; reference:nessus,11244; classtype:suspicious-login; sid:710; rev:17; )
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"PROTOCOL-TELNET SGI telnetd format bug"; flow:to_server,established; content:"_RLD",fast_pattern,nocase; content:"bin/sh"; metadata:ruleset community; service:telnet; reference:bugtraq,1572; reference:cve,2000-0733; classtype:attempted-admin; sid:711; rev:18; )
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"PROTOCOL-TELNET ld_library_path"; flow:to_server,established; content:"ld_library_path",fast_pattern,nocase; metadata:ruleset community; service:telnet; reference:bugtraq,459; reference:cve,1999-0073; classtype:attempted-admin; sid:712; rev:16; )
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"PROTOCOL-TELNET livingston DOS"; flow:to_server,established; raw_data; content:"|FF F3 FF F3 FF F3 FF F3 FF F3|",fast_pattern,nocase; metadata:ruleset community; service:telnet; reference:bugtraq,2225; reference:cve,1999-0218; classtype:attempted-dos; sid:713; rev:18; )
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"PROTOCOL-TELNET resolv_host_conf"; flow:to_server,established; content:"resolv_host_conf",fast_pattern,nocase; metadata:ruleset community; service:telnet; reference:bugtraq,2181; reference:cve,2001-0170; classtype:attempted-admin; sid:714; rev:15; )
alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any ( msg:"PROTOCOL-TELNET Attempted SU from wrong group"; flow:to_client,established; content:"to su root",fast_pattern,nocase; metadata:ruleset community; service:telnet; classtype:attempted-admin; sid:715; rev:14; )
alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any ( msg:"PROTOCOL-TELNET not on console"; flow:to_client,established; content:"not on system console",fast_pattern,nocase; metadata:ruleset community; service:telnet; classtype:bad-unknown; sid:717; rev:15; )
alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any ( msg:"PROTOCOL-TELNET login incorrect"; flow:to_client,established; content:"Login incorrect"; metadata:ruleset community; service:telnet; classtype:bad-unknown; sid:718; rev:16; )
alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any ( msg:"PROTOCOL-TELNET root login"; flow:to_client,established; content:"login|3A| root",fast_pattern,nocase; metadata:ruleset community; service:telnet; classtype:suspicious-login; sid:719; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP HyperSeek hsx.cgi directory traversal attempt"; flow:to_server,established; http_uri; content:"/hsx.cgi"; http_raw_uri; content:"../../"; content:"%00",distance 1; metadata:ruleset community; service:http; reference:bugtraq,2314; reference:cve,2001-0253; reference:nessus,10602; classtype:web-application-attack; sid:803; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP SWSoft ASPSeek Overflow attempt"; flow:to_server,established; http_uri; content:"/s.cgi",fast_pattern,nocase; content:"tmpl="; metadata:ruleset community; service:http; reference:bugtraq,2492; reference:cve,2001-0476; classtype:web-application-attack; sid:804; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Progress webspeed access"; flow:to_server,established; http_uri; content:"/wsisa.dll/WService=",fast_pattern,nocase; content:"WSMadmin",nocase; metadata:ruleset community; service:http; reference:bugtraq,969; reference:cve,2000-0127; reference:nessus,10304; classtype:attempted-user; sid:805; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP yabb directory traversal attempt"; flow:to_server,established; http_uri; content:"/YaBB",fast_pattern,nocase; http_raw_uri; content:"../"; metadata:ruleset community; service:http; reference:bugtraq,1668; reference:cve,2000-0853; reference:nessus,10512; classtype:attempted-recon; sid:806; rev:24; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP /wwwboard/passwd.txt access"; flow:to_server,established; http_uri; content:"/wwwboard/passwd.txt",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,649; reference:cve,1999-0953; reference:cve,1999-0954; reference:nessus,10321; classtype:attempted-recon; sid:807; rev:24; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP webdriver access"; flow:to_server,established; http_uri; content:"/webdriver",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2166; reference:nessus,10592; classtype:attempted-recon; sid:808; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP whois_raw.cgi arbitrary command execution attempt"; flow:to_server,established; http_uri; content:"/whois_raw.cgi?"; pkt_data; content:"|0A|"; metadata:ruleset community; service:http; reference:bugtraq,304; reference:cve,1999-1063; reference:nessus,10306; reference:url,attack.mitre.org/techniques/T1065; classtype:web-application-attack; sid:809; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP whois_raw.cgi access"; flow:to_server,established; http_uri; content:"/whois_raw.cgi"; metadata:ruleset community; service:http; reference:bugtraq,304; reference:cve,1999-1063; reference:nessus,10306; classtype:attempted-recon; sid:810; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP websitepro path access"; flow:to_server,established; content:" /HTTP/1.",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,932; reference:cve,2000-0066; reference:nessus,10303; classtype:attempted-recon; sid:811; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP webplus version access"; flow:to_server,established; http_uri; content:"/webplus?about",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1102; reference:cve,2000-0282; classtype:attempted-recon; sid:812; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP webplus directory traversal"; flow:to_server,established; http_uri; content:"/webplus?script",fast_pattern,nocase; http_raw_uri; content:"../"; metadata:ruleset community; service:http; reference:bugtraq,1102; reference:cve,2000-0282; reference:nessus,10367; classtype:web-application-attack; sid:813; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP websendmail access"; flow:to_server,established; http_uri; content:"/websendmail",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2077; reference:cve,1999-0196; reference:nessus,10301; classtype:attempted-recon; sid:815; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP dcboard.cgi invalid user addition attempt"; flow:to_server,established; http_uri; content:"/dcboard.cgi"; pkt_data; content:"command=register"; content:"%7cadmin"; metadata:ruleset community; service:http; reference:bugtraq,2728; reference:cve,2001-0527; reference:nessus,10583; classtype:web-application-attack; sid:817; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP dcforum.cgi access"; flow:to_server,established; http_uri; content:"/dcforum.cgi"; metadata:ruleset community; service:http; reference:bugtraq,2728; reference:cve,2001-0527; reference:nessus,10583; classtype:attempted-recon; sid:818; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP mmstdod.cgi access"; flow:to_server,established; http_uri; content:"/mmstdod.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2063; reference:cve,2001-0021; reference:nessus,10566; classtype:attempted-recon; sid:819; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP anaconda directory traversal attempt"; flow:to_server,established; http_uri; content:"/apexec.pl"; pkt_data; content:"template=../",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2338; reference:bugtraq,2388; reference:cve,2000-0975; reference:cve,2001-0308; reference:nessus,10536; classtype:web-application-attack; sid:820; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP imagemap.exe overflow attempt"; flow:to_server,established; http_uri; content:"/imagemap.exe?",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,739; reference:cve,1999-0951; reference:nessus,10122; classtype:web-application-attack; sid:821; rev:25; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP cvsweb.cgi access"; flow:to_server,established; http_uri; content:"/cvsweb.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1469; reference:cve,2000-0670; reference:nessus,10465; classtype:attempted-recon; sid:823; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP php.cgi access"; flow:to_server,established; http_uri; content:"/php.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2250; reference:bugtraq,712; reference:cve,1999-0058; reference:cve,1999-0238; reference:nessus,10178; classtype:attempted-recon; sid:824; rev:27; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP glimpse access"; flow:to_server,established; http_uri; content:"/glimpse",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2026; reference:cve,1999-0147; reference:nessus,10095; classtype:attempted-recon; sid:825; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP htmlscript access"; flow:to_server,established; http_uri; content:"/htmlscript",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2001; reference:cve,1999-0264; reference:nessus,10106; classtype:attempted-recon; sid:826; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP info2www access"; flow:to_server,established; http_uri; content:"/info2www",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1995; reference:cve,1999-0266; reference:nessus,10127; classtype:attempted-recon; sid:827; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP maillist.pl access"; flow:to_server,established; http_uri; content:"/maillist.pl",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:828; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP nph-test-cgi access"; flow:to_server,established; http_uri; content:"/nph-test-cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,686; reference:cve,1999-0045; reference:nessus,10165; classtype:attempted-recon; sid:829; rev:24; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP perl.exe access"; flow:to_server,established; http_uri; content:"/perl.exe",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,1999-0509; reference:nessus,10173; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:832; rev:25; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP rguest.exe access"; flow:to_server,established; http_uri; content:"/rguest.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2024; reference:cve,1999-0287; classtype:attempted-recon; sid:833; rev:23; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP rwwwshell.pl access"; flow:to_server,established; http_uri; content:"/rwwwshell.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,www.itsecurity.com/papers/p37.htm; classtype:attempted-recon; sid:834; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP test-cgi access"; flow:to_server,established; http_uri; content:"/test-cgi",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,2003; reference:cve,1999-0070; reference:nessus,10282; classtype:attempted-recon; sid:835; rev:26; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP textcounter.pl access"; flow:to_server,established; http_uri; content:"/textcounter.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2265; reference:cve,1999-1479; reference:nessus,11451; classtype:attempted-recon; sid:836; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP uploader.exe access"; flow:to_server,established; http_uri; content:"/uploader.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1611; reference:cve,1999-0177; reference:cve,2000-0769; reference:nessus,10291; classtype:attempted-recon; sid:837; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP webgais access"; flow:to_server,established; http_uri; content:"/webgais",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2058; reference:cve,1999-0176; reference:nessus,10300; classtype:attempted-recon; sid:838; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP finger access"; flow:to_server,established; http_uri; content:"/finger",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-0612; reference:nessus,10071; classtype:attempted-recon; sid:839; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP perlshop.cgi access"; flow:to_server,established; http_uri; content:"/perlshop.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-1374; classtype:attempted-recon; sid:840; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP aglimpse access"; flow:to_server,established; http_uri; content:"/aglimpse",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2026; reference:cve,1999-0147; reference:nessus,10095; classtype:attempted-recon; sid:842; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP anform2 access"; flow:to_server,established; http_uri; content:"/AnForm2",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,719; reference:cve,1999-0066; classtype:attempted-recon; sid:843; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP args.bat access"; flow:to_server,established; http_uri; content:"/args.bat",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-1180; reference:nessus,11465; classtype:attempted-recon; sid:844; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP AT-admin.cgi access"; flow:to_server,established; http_uri; content:"/AT-admin.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-1072; classtype:attempted-recon; sid:845; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP bnbform.cgi access"; flow:to_server,established; http_uri; content:"/bnbform.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2147; reference:cve,1999-0937; classtype:attempted-recon; sid:846; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP campas access"; flow:to_server,established; http_uri; content:"/campas",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1975; reference:cve,1999-0146; reference:nessus,10035; classtype:attempted-recon; sid:847; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP view-source directory traversal"; flow:to_server,established; http_uri; content:"/view-source",fast_pattern,nocase; http_raw_uri; content:"../"; metadata:ruleset community; service:http; reference:bugtraq,2251; reference:bugtraq,8883; reference:cve,1999-0174; classtype:web-application-attack; sid:848; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP view-source access"; flow:to_server,established; http_uri; content:"/view-source",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2251; reference:bugtraq,8883; reference:cve,1999-0174; classtype:attempted-recon; sid:849; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP wais.pl access"; flow:to_server,established; http_uri; content:"/wais.pl",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:850; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP files.pl access"; flow:to_server,established; http_uri; content:"/files.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-1081; classtype:attempted-recon; sid:851; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP wguest.exe access"; flow:to_server,established; http_uri; content:"/wguest.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2024; reference:cve,1999-0287; reference:cve,1999-0467; classtype:attempted-recon; sid:852; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP wrap access"; flow:to_server,established; http_uri; content:"/wrap"; metadata:ruleset community; service:http; reference:bugtraq,373; reference:cve,1999-0149; reference:nessus,10317; classtype:attempted-recon; sid:853; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP classifieds.cgi access"; flow:to_server,established; http_uri; content:"/classifieds.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2020; reference:cve,1999-0934; classtype:attempted-recon; sid:854; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP environ.cgi access"; flow:to_server,established; http_uri; content:"/environ.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:856; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP faxsurvey access"; flow:to_server,established; http_uri; content:"/faxsurvey",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,2056; reference:cve,1999-0262; reference:nessus,10067; classtype:web-application-activity; sid:857; rev:26; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP filemail access"; flow:to_server,established; http_uri; content:"/filemail.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-1154; classtype:attempted-recon; sid:858; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP man.sh access"; flow:to_server,established; http_uri; content:"/man.sh",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2276; reference:cve,1999-1179; classtype:attempted-recon; sid:859; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP snork.bat access"; flow:to_server,established; http_uri; content:"/snork.bat",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2023; reference:cve,1999-0233; classtype:attempted-recon; sid:860; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP w3-msql access"; flow:to_server,established; http_uri; content:"/w3-msql/",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,591; reference:bugtraq,898; reference:cve,1999-0276; reference:cve,1999-0753; reference:cve,2000-0012; reference:nessus,10296; classtype:attempted-recon; sid:861; rev:25; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP csh access"; flow:to_server,established; http_uri; content:"/csh",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:862; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP day5datacopier.cgi access"; flow:to_server,established; http_uri; content:"/day5datacopier.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-1232; classtype:attempted-recon; sid:863; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP day5datanotifier.cgi access"; flow:to_server,established; http_uri; content:"/day5datanotifier.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-1232; classtype:attempted-recon; sid:864; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ksh access"; flow:to_server,established; http_uri; content:"/ksh",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:865; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP post-query access"; flow:to_server,established; http_uri; content:"/post-query",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,6752; reference:cve,2001-0291; classtype:attempted-recon; sid:866; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP visadmin.exe access"; flow:to_server,established; http_uri; content:"/visadmin.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1808; reference:cve,1999-0970; reference:nessus,10295; classtype:attempted-recon; sid:867; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP rsh access"; flow:to_server,established; http_uri; content:"/rsh",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:868; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP dumpenv.pl access"; flow:to_server,established; http_uri; content:"/dumpenv.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-1178; reference:nessus,10060; classtype:attempted-recon; sid:869; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP snorkerz.cmd access"; flow:to_server,established; http_uri; content:"/snorkerz.cmd",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:870; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP survey.cgi access"; flow:to_server,established; http_uri; content:"/survey.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1817; reference:cve,1999-0936; classtype:attempted-recon; sid:871; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP tcsh access"; flow:to_server,established; http_uri; content:"/tcsh",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:872; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP win-c-sample.exe access"; flow:to_server,established; http_uri; content:"/win-c-sample.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2078; reference:cve,1999-0178; reference:nessus,10008; classtype:attempted-recon; sid:875; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP rksh access"; flow:to_server,established; http_uri; content:"/rksh",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:877; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP w3tvars.pm access"; flow:to_server,established; http_uri; content:"/w3tvars.pm",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:878; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP admin.pl access"; flow:to_server,established; http_uri; content:"/admin.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3839; reference:cve,2002-1748; reference:url,online.securityfocus.com/archive/1/249355; classtype:attempted-recon; sid:879; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP LWGate access"; flow:to_server,established; http_uri; content:"/LWGate",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,www.netspace.org/~dwb/lwgate/lwgate-history.html; reference:url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm; classtype:attempted-recon; sid:880; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP archie access"; flow:to_server,established; http_uri; content:"/archie",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:881; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP calendar access"; flow:to_server,established; http_uri; content:"/calendar",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:882; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP flexform access"; flow:to_server,established; http_uri; content:"/flexform",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm; classtype:attempted-recon; sid:883; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP bash access"; flow:to_server,established; http_uri; content:"/bash",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:web-application-activity; sid:885; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP phf access"; flow:to_server,established; http_uri; content:"/phf",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,629; reference:cve,1999-0067; classtype:web-application-activity; sid:886; rev:28; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP www-sql access"; flow:to_server,established; http_uri; content:"/www-sql",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=88704258804054&w=2; classtype:attempted-recon; sid:887; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP wwwadmin.pl access"; flow:to_server,established; http_uri; content:"/wwwadmin.pl",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:888; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ppdscgi.exe access"; flow:to_server,established; http_uri; content:"/ppdscgi.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,491; reference:nessus,10187; reference:url,online.securityfocus.com/archive/1/16878; classtype:attempted-recon; sid:889; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP sendform.cgi access"; flow:to_server,established; http_uri; content:"/sendform.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,5286; reference:cve,2002-0710; reference:url,www.scn.org/help/sendform.txt; classtype:attempted-recon; sid:890; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP upload.pl access"; flow:to_server,established; http_uri; content:"/upload.pl",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:891; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP AnyForm2 access"; flow:to_server,established; http_uri; content:"/AnyForm2",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,719; reference:cve,1999-0066; reference:nessus,10277; classtype:attempted-recon; sid:892; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP bb-hist.sh access"; flow:to_server,established; http_uri; content:"/bb-hist.sh",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,142; reference:cve,1999-1462; reference:nessus,10025; classtype:attempted-recon; sid:894; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP redirect access"; flow:to_server,established; http_uri; content:"/redirect",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1179; reference:cve,2000-0382; classtype:attempted-recon; sid:895; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP way-board access"; flow:to_server,established; http_uri; content:"/way-board",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2370; reference:cve,2001-0214; reference:nessus,10610; classtype:web-application-activity; sid:896; rev:23; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP pals-cgi access"; flow:to_server,established; http_uri; content:"/pals-cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2372; reference:cve,2001-0216; reference:cve,2001-0217; reference:nessus,10611; classtype:attempted-recon; sid:897; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP commerce.cgi access"; flow:to_server,established; http_uri; content:"/commerce.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2361; reference:cve,2001-0210; reference:nessus,10612; classtype:attempted-recon; sid:898; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Amaya templates sendtemp.pl directory traversal attempt"; flow:to_server,established; http_uri; content:"/sendtemp.pl",fast_pattern,nocase; content:"templ=",nocase; metadata:ruleset community; service:http; reference:bugtraq,2504; reference:cve,2001-0272; reference:nessus,10614; classtype:web-application-attack; sid:899; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP webspirs.cgi directory traversal attempt"; flow:to_server,established; http_uri; content:"/webspirs.cgi",fast_pattern,nocase; http_raw_uri; content:"../../"; metadata:ruleset community; service:http; reference:bugtraq,2362; reference:cve,2001-0211; reference:nessus,10616; classtype:web-application-attack; sid:900; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP webspirs.cgi access"; flow:to_server,established; http_uri; content:"/webspirs.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2362; reference:cve,2001-0211; reference:nessus,10616; classtype:attempted-recon; sid:901; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP tstisapi.dll access"; flow:to_server,established; http_uri; content:"tstisapi.dll",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2381; reference:cve,2001-0302; classtype:attempted-recon; sid:902; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion cfcache.map access"; flow:to_server,established; http_uri; content:"/cfcache.map",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,917; reference:cve,2000-0057; classtype:attempted-recon; sid:903; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion exampleapp application.cfm"; flow:to_server,established; http_uri; content:"/cfdocs/exampleapp/email/application.cfm",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1021; reference:cve,2000-0189; reference:cve,2001-0535; classtype:attempted-recon; sid:904; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion application.cfm access"; flow:to_server,established; http_uri; content:"/cfdocs/exampleapp/publish/admin/application.cfm",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1021; reference:cve,2000-0189; reference:cve,2001-0535; classtype:attempted-recon; sid:905; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion getfile.cfm access"; flow:to_server,established; http_uri; content:"/cfdocs/exampleapp/email/getfile.cfm",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,229; reference:cve,1999-0800; reference:cve,2001-0535; classtype:attempted-recon; sid:906; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion addcontent.cfm access"; flow:to_server,established; http_uri; content:"/cfdocs/exampleapp/publish/admin/addcontent.cfm",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2001-0535; classtype:attempted-recon; sid:907; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion administrator access"; flow:to_server,established; http_uri; content:"/cfide/administrator/index.cfm",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1314; reference:cve,2000-0538; reference:nessus,10581; classtype:attempted-recon; sid:908; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion datasource username attempt"; flow:to_server,established; content:"CF_SETDATASOURCEUSERNAME|28 29|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:909; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion fileexists.cfm access"; flow:to_server,established; http_uri; content:"/cfdocs/snippets/fileexists.cfm",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:910; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion exprcalc access"; flow:to_server,established; http_uri; content:"/cfdocs/expeval/exprcalc.cfm",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,115; reference:bugtraq,550; reference:cve,1999-0455; reference:cve,1999-0760; classtype:attempted-recon; sid:911; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion parks access"; flow:to_server,established; http_uri; content:"/cfdocs/examples/parks/detail.cfm",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:912; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion cfappman access"; flow:to_server,established; http_uri; content:"/cfappman/index.cfm",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:913; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion beaninfo access"; flow:to_server,established; http_uri; content:"/cfdocs/examples/cvbeans/beaninfo.cfm",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:914; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion evaluate.cfm access"; flow:to_server,established; http_uri; content:"/cfdocs/snippets/evaluate.cfm",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:915; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion getodbcdsn access"; flow:to_server,established; content:"CFUSION_GETODBCDSN|28 29|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:916; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion db connections flush attempt"; flow:to_server,established; content:"CFUSION_DBCONNECTIONS_FLUSH|28 29|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:917; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion expeval access"; flow:to_server,established; http_uri; content:"/cfdocs/expeval/",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0477; reference:cve,1999-0760; classtype:attempted-user; sid:918; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion datasource passwordattempt"; flow:to_server,established; content:"CF_SETDATASOURCEPASSWORD|28 29|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:919; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion datasource attempt"; flow:to_server,established; content:"CF_ISCOLDFUSIONDATASOURCE|28 29|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:920; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion admin encrypt attempt"; flow:to_server,established; content:"CFUSION_ENCRYPT|28 29|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:921; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion displayfile access"; flow:to_server,established; http_uri; content:"/cfdocs/expeval/displayopenedfile.cfm",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:922; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion getodbcin attempt"; flow:to_server,established; content:"CFUSION_GETODBCINI|28 29|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:923; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion admin decrypt attempt"; flow:to_server,established; content:"CFUSION_DECRYPT|28 29|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:924; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion mainframeset access"; flow:to_server,established; http_uri; content:"/cfdocs/examples/mainframeset.cfm",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:925; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion set odbc ini attempt"; flow:to_server,established; content:"CFUSION_SETODBCINI|28 29|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:926; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion settings refresh attempt"; flow:to_server,established; content:"CFUSION_SETTINGS_REFRESH|28 29|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:927; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion exampleapp access"; flow:to_server,established; http_uri; content:"/cfdocs/exampleapp/",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2001-0535; classtype:attempted-recon; sid:928; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion CFUSION_VERIFYMAIL access"; flow:to_server,established; content:"CFUSION_VERIFYMAIL|28 29|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-user; sid:929; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion snippets attempt"; flow:to_server,established; http_uri; content:"/cfdocs/snippets/",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:930; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion cfmlsyntaxcheck.cfm access"; flow:to_server,established; http_uri; content:"/cfdocs/cfmlsyntaxcheck.cfm",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:931; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion application.cfm access"; flow:to_server,established; http_uri; content:"/application.cfm",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; reference:cve,2000-0189; classtype:attempted-recon; sid:932; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion onrequestend.cfm access"; flow:to_server,established; http_uri; content:"/onrequestend.cfm",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; reference:cve,2000-0189; classtype:attempted-recon; sid:933; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion startstop DOS access"; flow:to_server,established; http_uri; content:"/cfide/administrator/startstop.html",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,247; reference:cve,1999-0756; classtype:web-application-attack; sid:935; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion gettempdirectory.cfm access "; flow:to_server,established; http_uri; content:"/cfdocs/snippets/gettempdirectory.cfm",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:936; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage _vti_rpc access"; flow:to_server,established; http_uri; content:"/_vti_rpc",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,2144; reference:cve,2001-0096; reference:nessus,10585; classtype:web-application-activity; sid:937; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage posting"; flow:to_server,established; content:"POST"; http_uri; content:"/author.dll",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,2144; reference:cve,2001-0096; reference:nessus,10585; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-100; classtype:web-application-activity; sid:939; rev:23; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage shtml.dll access"; flow:to_server,established; http_uri; content:"/_vti_bin/shtml.dll",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1174; reference:bugtraq,1594; reference:bugtraq,1595; reference:cve,2000-0413; reference:cve,2000-0746; reference:nessus,11395; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-060; classtype:web-application-activity; sid:940; rev:29; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage contents.htm access"; flow:to_server,established; http_uri; content:"/admcgi/contents.htm",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2002-1717; classtype:web-application-activity; sid:941; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage orders.htm access"; flow:to_server,established; http_uri; content:"/_private/orders.htm",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2002-1717; classtype:web-application-activity; sid:942; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage fpsrvadm.exe access"; flow:to_server,established; http_uri; content:"/fpsrvadm.exe",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2002-1717; classtype:web-application-activity; sid:943; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage fpremadm.exe access"; flow:to_server,established; http_uri; content:"/fpremadm.exe",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2002-1717; classtype:web-application-activity; sid:944; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage fpadmin.htm access"; flow:to_server,established; http_uri; content:"/admisapi/fpadmin.htm",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2002-1717; classtype:web-application-activity; sid:945; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage fpadmcgi.exe access"; flow:to_server,established; http_uri; content:"/scripts/Fpadmcgi.exe",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2002-1717; classtype:web-application-activity; sid:946; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage orders.txt access"; flow:to_server,established; http_uri; content:"/_private/orders.txt",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2002-1717; classtype:web-application-activity; sid:947; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage form_results access"; flow:to_server,established; http_uri; content:"/_private/form_results.txt",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,1999-1052; classtype:web-application-activity; sid:948; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage registrations.htm access"; flow:to_server,established; http_uri; content:"/_private/registrations.htm",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2002-1717; classtype:web-application-activity; sid:949; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage cfgwiz.exe access"; flow:to_server,established; http_uri; content:"/cfgwiz.exe",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2002-1717; classtype:web-application-activity; sid:950; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage authors.pwd access"; flow:to_server,established; http_uri; content:"/authors.pwd",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,989; reference:cve,1999-0386; reference:nessus,10078; classtype:web-application-activity; sid:951; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage author.exe access"; flow:to_server,established; http_uri; content:"/_vti_bin/_vti_aut/author.exe",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2002-1717; classtype:web-application-activity; sid:952; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage administrators.pwd access"; flow:to_server,established; http_uri; content:"/administrators.pwd",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1205; reference:cve,2002-1717; classtype:web-application-activity; sid:953; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage form_results.htm access"; flow:to_server,established; http_uri; content:"/_private/form_results.htm",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,1999-1052; classtype:web-application-activity; sid:954; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage access.cnf access"; flow:to_server,established; http_uri; content:"/_vti_pvt/access.cnf",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:955; rev:23; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage register.txt access"; flow:to_server,established; http_uri; content:"/_private/register.txt",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2002-1717; classtype:web-application-activity; sid:956; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage registrations.txt access"; flow:to_server,established; http_uri; content:"/_private/registrations.txt",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2002-1717; classtype:web-application-activity; sid:957; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage service.cnf access"; flow:to_server,established; http_uri; content:"/_vti_pvt/service.cnf",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:958; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage service.pwd"; flow:to_server,established; http_uri; content:"/service.pwd",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1205; classtype:web-application-activity; sid:959; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage service.stp access"; flow:to_server,established; http_uri; content:"/_vti_pvt/service.stp",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2002-1717; classtype:web-application-activity; sid:960; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage services.cnf access"; flow:to_server,established; http_uri; content:"/_vti_pvt/services.cnf",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:961; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage shtml.exe access"; flow:to_server,established; http_uri; content:"/_vti_bin/shtml.exe",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1174; reference:bugtraq,1608; reference:bugtraq,5804; reference:cve,2000-0413; reference:cve,2000-0709; reference:cve,2002-0692; reference:nessus,10405; reference:nessus,11311; classtype:web-application-activity; sid:962; rev:25; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage svcacl.cnf access"; flow:to_server,established; http_uri; content:"/_vti_pvt/svcacl.cnf",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:963; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage users.pwd access"; flow:to_server,established; http_uri; content:"/users.pwd",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2002-1717; classtype:web-application-activity; sid:964; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage writeto.cnf access"; flow:to_server,established; http_uri; content:"/_vti_pvt/writeto.cnf",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:965; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage .... request"; flow:to_server,established; http_uri; content:"..../"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,989; reference:cve,1999-0386; reference:cve,2000-0153; reference:nessus,10142; classtype:web-application-attack; sid:966; rev:25; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage dvwssr.dll access"; flow:to_server,established; http_uri; content:"/dvwssr.dll",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1108; reference:bugtraq,1109; reference:cve,2000-0260; reference:nessus,10369; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-025; classtype:web-application-activity; sid:967; rev:26; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage register.htm access"; flow:to_server,established; http_uri; content:"/_private/register.htm",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2002-1717; classtype:web-application-activity; sid:968; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS WebDAV file lock attempt"; flow:to_server,established; content:"LOCK ",depth 5; metadata:ruleset community; service:http; reference:bugtraq,2736; reference:nessus,10732; classtype:web-application-activity; sid:969; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS ISAPI .printer access"; flow:to_server,established; http_uri; content:".printer",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,2674; reference:cve,2001-0241; reference:nessus,10661; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-023; classtype:web-application-activity; sid:971; rev:28; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS *.idc attempt"; flow:to_server,established; http_uri; content:"/*.idc",nocase; metadata:ruleset community; service:http; reference:bugtraq,1448; reference:cve,1999-0874; reference:cve,2000-0661; classtype:web-application-attack; sid:973; rev:24; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS Microsoft Windows IIS directory traversal attempt"; flow:to_server,established; content:"..|5C|..",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,2218; reference:cve,1999-0229; classtype:web-application-attack; sid:974; rev:23; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS Alternate Data streams ASP file access attempt"; flow:to_server,established; http_uri; content:".asp|3A 3A 24|DATA",nocase; metadata:ruleset community; service:http; reference:bugtraq,149; reference:cve,1999-0278; reference:nessus,10362; reference:url,docs.microsoft.com/en-us/security-updates/securitybulletins/1998/ms98-003; classtype:web-application-attack; sid:975; rev:27; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP .bat? access"; flow:to_server,established; http_uri; content:".bat?",fast_pattern,nocase; content:"/cgi-bin/",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,2023; reference:bugtraq,4335; reference:cve,1999-0233; reference:cve,2002-0061; reference:cve,2019-0232; reference:url,support.microsoft.com/support/kb/articles/Q148/1/88.asp; reference:url,support.microsoft.com/support/kb/articles/Q155/0/56.asp; classtype:web-application-activity; sid:976; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS .cnf access"; flow:to_server,established; http_uri; content:".cnf",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:977; rev:25; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS ASP contents view"; flow:to_server,established; content:"%20"; content:"&CiRestriction=none",nocase; content:"&CiHiliteType=Full",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1084; reference:cve,2000-0302; reference:nessus,10356; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-006; classtype:web-application-attack; sid:978; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS ASP contents view"; flow:to_server,established; http_uri; content:".htw?CiWebHitsFile",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1861; reference:cve,2000-0942; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-006; classtype:web-application-attack; sid:979; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS CGImail.exe access"; flow:to_server,established; http_uri; content:"/scripts/CGImail.exe",nocase; metadata:ruleset community; service:http; reference:bugtraq,1623; reference:cve,2000-0726; reference:nessus,11721; classtype:web-application-activity; sid:980; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS JET VBA access"; flow:to_server,established; http_uri; content:"/scripts/samples/ctguestb.idc",nocase; metadata:ruleset community; service:http; reference:bugtraq,307; reference:cve,1999-0874; reference:nessus,10116; classtype:web-application-activity; sid:984; rev:25; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS JET VBA access"; flow:to_server,established; http_uri; content:"/scripts/samples/details.idc",nocase; metadata:ruleset community; service:http; reference:bugtraq,286; reference:cve,1999-0874; classtype:web-application-activity; sid:985; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS MSProxy access"; flow:to_server,established; http_uri; content:"/scripts/proxy/w3proxy.dll",nocase; metadata:ruleset community; service:http; reference:url,support.microsoft.com/?kbid=331066; classtype:web-application-activity; sid:986; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"FILE-IDENTIFY .htr access file download request"; flow:to_server,established; http_uri; content:".htr",fast_pattern,nocase; pcre:"/\x2ehtr([\?\x5c\x2f]|$)/ims"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1488; reference:cve,2000-0630; reference:cve,2001-0004; reference:nessus,10680; reference:url,technet.microsoft.com/en-us/security/bulletin/ms01-004; classtype:misc-activity; sid:987; rev:32; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"MALWARE-CNC sensepost.exe command shell"; flow:to_server,established; http_uri; content:"/sensepost.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,11003; classtype:web-application-activity; sid:989; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage _vti_inf.html access"; flow:to_server,established; http_uri; content:"/_vti_inf.html",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2002-1717; reference:nessus,11455; classtype:web-application-activity; sid:990; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS achg.htr access"; flow:to_server,established; http_uri; content:"/iisadmpwd/achg.htr",nocase; metadata:ruleset community; service:http; reference:bugtraq,2110; reference:cve,1999-0407; classtype:web-application-activity; sid:991; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS adctest.asp access"; flow:to_server,established; http_uri; content:"/msadc/samples/adctest.asp",nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:992; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS iisadmin access"; flow:to_server,established; http_uri; content:"/iisadmin",nocase; metadata:ruleset community; service:http; reference:bugtraq,189; reference:cve,1999-1538; reference:nessus,11032; classtype:web-application-attack; sid:993; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS /scripts/iisadmin/default.htm access"; flow:to_server,established; http_uri; content:"/scripts/iisadmin/default.htm",nocase; metadata:ruleset community; service:http; classtype:web-application-attack; sid:994; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS ism.dll access"; flow:to_server,established; http_uri; content:"/scripts/iisadmin/ism.dll?http/dir",nocase; metadata:ruleset community; service:http; reference:bugtraq,189; reference:cve,1999-1538; reference:cve,2000-0630; classtype:web-application-attack; sid:995; rev:26; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS anot.htr access"; flow:to_server,established; http_uri; content:"/iisadmpwd/anot",nocase; metadata:ruleset community; service:http; reference:bugtraq,2110; reference:cve,1999-0407; classtype:web-application-activity; sid:996; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS asp-dot attempt"; flow:to_server,established; http_uri; content:".asp.",nocase; metadata:ruleset community; service:http; reference:bugtraq,1814; reference:nessus,10363; classtype:web-application-attack; sid:997; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS asp-srch attempt"; flow:to_server,established; http_uri; content:"|23|filename=*.asp",nocase; metadata:ruleset community; service:http; classtype:web-application-attack; sid:998; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS bdir access"; flow:to_server,established; http_uri; content:"/scripts/iisadmin/bdir.htr",nocase; metadata:ruleset community; service:http; reference:bugtraq,2280; classtype:web-application-activity; sid:999; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS bdir.htr access"; flow:to_server,established; http_uri; content:"/bdir.htr",nocase; metadata:ruleset community; service:http; reference:bugtraq,2280; reference:nessus,10577; classtype:web-application-activity; sid:1000; rev:23; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP carbo.dll access"; flow:to_server,established; http_uri; content:"/carbo.dll"; pkt_data; content:"icatcommand=",nocase; metadata:ruleset community; service:http; reference:bugtraq,2126; reference:cve,1999-1069; classtype:attempted-recon; sid:1001; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS cmd.exe access"; flow:to_server,established; http_uri; content:"cmd.exe",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:web-application-attack; sid:1002; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS cmd? access"; flow:to_server,established; content:".cmd?&",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-attack; sid:1003; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS codebrowser Exair access"; flow:to_server,established; http_uri; content:"/iissamples/exair/howitworks/codebrws.asp",nocase; metadata:ruleset community; service:http; reference:cve,1999-0499; reference:cve,1999-0815; classtype:web-application-activity; sid:1004; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS codebrowser SDK access"; flow:to_server,established; http_uri; content:"/iissamples/sdk/asp/docs/codebrws.asp",nocase; metadata:ruleset community; service:http; reference:bugtraq,167; reference:cve,1999-0736; classtype:web-application-activity; sid:1005; rev:23; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS Form_JScript.asp access"; flow:to_server,established; http_uri; content:"/Form_JScript.asp",nocase; metadata:ruleset community; service:http; reference:bugtraq,1594; reference:bugtraq,1595; reference:cve,2000-0746; reference:cve,2000-1104; reference:nessus,10572; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-028; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-060; classtype:web-application-attack; sid:1007; rev:24; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS del attempt"; flow:to_server,established; content:"&del+/s+c|3A 5C|*.*",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-attack; sid:1008; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS directory listing"; flow:to_server,established; http_uri; content:"/ServerVariables_Jscript.asp",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:nessus,10573; classtype:web-application-attack; sid:1009; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS encoding access"; flow:to_server,established; content:"%1u",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,886; reference:cve,2000-0024; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-061; classtype:web-application-activity; sid:1010; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS exec-src access"; flow:to_server,established; content:"|23|filename=*.exe",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1011; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS fpcount attempt"; flow:to_server,established; http_uri; content:"/fpcount.exe",fast_pattern,nocase; pkt_data; content:"Digits=",nocase; metadata:ruleset community; service:http; reference:bugtraq,2252; reference:cve,1999-1376; classtype:web-application-attack; sid:1012; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS fpcount access"; flow:to_server,established; http_uri; content:"/fpcount.exe",nocase; metadata:ruleset community; service:http; reference:bugtraq,2252; reference:cve,1999-1376; classtype:web-application-activity; sid:1013; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS getdrvs.exe access"; flow:to_server,established; http_uri; content:"/scripts/tools/getdrvs.exe",nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1015; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS global.asa access"; flow:to_server,established; http_uri; content:"/global.asa",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2000-0778; reference:cve,2001-0004; reference:nessus,10491; reference:nessus,10991; reference:url,technet.microsoft.com/en-us/security/bulletin/ms01-004; classtype:web-application-activity; sid:1016; rev:26; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS idc-srch attempt"; flow:to_server,established; content:"|23|filename=*.idc",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-0874; classtype:web-application-attack; sid:1017; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS iisadmpwd attempt"; flow:to_server,established; http_uri; content:"/iisadmpwd/aexp",nocase; metadata:ruleset community; service:http; reference:bugtraq,2110; reference:cve,1999-0407; reference:nessus,10371; classtype:web-application-attack; sid:1018; rev:23; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS Malformed Hit-Highlighting Argument File Access Attempt"; flow:to_server,established; http_uri; content:"CiWebHitsFile=",nocase; pkt_data; pcre:"/CiWebHitsFile=\/?([^\r\n\x3b\&]*\.\.\/)?/i"; http_uri; content:"CiRestriction=none",fast_pattern,nocase; content:"ciHiliteType=Full",nocase; metadata:ruleset community; service:http; reference:bugtraq,950; reference:cve,2000-0097; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-006; reference:url,www.securityfocus.com/archive/1/43762; classtype:web-application-attack; sid:1019; rev:30; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS isc$data attempt"; flow:to_server,established; http_uri; content:".idc|3A 3A 24|data",nocase; metadata:ruleset community; service:http; reference:bugtraq,307; reference:cve,1999-0874; reference:nessus,10116; classtype:web-application-attack; sid:1020; rev:26; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS ism.dll attempt"; flow:to_server,established; http_uri; content:" .htr",nocase; pcre:"/\s{230,}\.htr/"; metadata:ruleset community; service:http; reference:bugtraq,1193; reference:cve,2000-0457; reference:nessus,10680; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-031; classtype:web-application-attack; sid:1021; rev:29; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS jet vba access"; flow:to_server,established; http_uri; content:"/advworks/equipment/catalog_type.asp",nocase; metadata:ruleset community; service:http; reference:bugtraq,286; reference:cve,1999-0874; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-030; classtype:web-application-activity; sid:1022; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS msadcs.dll access"; flow:to_server,established; http_uri; content:"/msadcs.dll",nocase; metadata:ruleset community; service:http; reference:bugtraq,529; reference:cve,1999-1011; reference:nessus,10357; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-025; classtype:web-application-activity; sid:1023; rev:25; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS newdsn.exe access"; flow:to_server,established; http_uri; content:"/scripts/tools/newdsn.exe",nocase; metadata:ruleset community; service:http; reference:bugtraq,1818; reference:cve,1999-0191; reference:nessus,10360; classtype:web-application-activity; sid:1024; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS perl access"; flow:to_server,established; http_uri; content:"/scripts/perl",nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1025; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS perl-browse newline attempt"; flow:to_server,established; http_uri; content:"|0A|.pl",nocase; metadata:ruleset community; service:http; reference:bugtraq,6833; reference:cve,2003-1365; classtype:web-application-attack; sid:1026; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS perl-browse space attempt"; flow:to_server,established; http_uri; content:" .pl",nocase; metadata:ruleset community; service:http; reference:bugtraq,6833; reference:cve,2003-1365; classtype:web-application-attack; sid:1027; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS query.asp access"; flow:to_server,established; http_uri; content:"/issamples/query.asp",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,193; reference:cve,1999-0449; classtype:web-application-activity; sid:1028; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS scripts-browse access"; flow:to_server,established; content:"/scripts/ ",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,11032; classtype:web-application-attack; sid:1029; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS search97.vts access"; flow:to_server,established; http_uri; content:"/search97.vts"; metadata:ruleset community; service:http; reference:bugtraq,162; classtype:web-application-activity; sid:1030; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS /SiteServer/Publishing/viewcode.asp access"; flow:to_server,established; http_uri; content:"/SiteServer/Publishing/viewcode.asp",nocase; metadata:ruleset community; service:http; reference:nessus,10576; classtype:web-application-activity; sid:1031; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS showcode access"; flow:to_server,established; http_uri; content:"/Sites/Knowledge/Membership/Inspired/ViewCode.asp",nocase; metadata:ruleset community; service:http; reference:cve,1999-0737; reference:nessus,10576; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-013; classtype:web-application-activity; sid:1032; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS viewcode access"; flow:to_server,established; http_uri; content:"/Sites/Knowledge/Membership/Inspiredtutorial/ViewCode.asp",nocase; metadata:ruleset community; service:http; reference:cve,1999-0737; reference:nessus,10576; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-013; classtype:web-application-activity; sid:1033; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS viewcode access"; flow:to_server,established; http_uri; content:"/Sites/Samples/Knowledge/Membership/Inspiredtutorial/ViewCode.asp",nocase; metadata:ruleset community; service:http; reference:cve,1999-0737; reference:nessus,10576; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-013; classtype:web-application-activity; sid:1034; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS viewcode access"; flow:to_server,established; http_uri; content:"/Sites/Samples/Knowledge/Push/ViewCode.asp",nocase; metadata:ruleset community; service:http; reference:cve,1999-0737; reference:nessus,10576; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-013; classtype:web-application-activity; sid:1035; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS viewcode access"; flow:to_server,established; http_uri; content:"/Sites/Samples/Knowledge/Search/ViewCode.asp",nocase; metadata:ruleset community; service:http; reference:cve,1999-0737; reference:nessus,10576; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-013; classtype:web-application-activity; sid:1036; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS showcode.asp access"; flow:to_server,established; http_uri; content:"/showcode.asp",nocase; metadata:ruleset community; service:http; reference:bugtraq,167; reference:cve,1999-0736; reference:nessus,10007; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-013; classtype:web-application-activity; sid:1037; rev:24; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS site server config access"; flow:to_server,established; http_uri; content:"/adsamples/config/site.csc",nocase; metadata:ruleset community; service:http; reference:bugtraq,256; reference:cve,1999-1520; classtype:web-application-activity; sid:1038; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS srch.htm access"; flow:to_server,established; http_uri; content:"/samples/isapi/srch.htm",nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1039; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS srchadm access"; flow:to_server,established; http_uri; content:"/srchadm",nocase; metadata:ruleset community; service:http; reference:nessus,11032; classtype:web-application-activity; sid:1040; rev:24; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS uploadn.asp access"; flow:to_server,established; http_uri; content:"/scripts/uploadn.asp",nocase; metadata:ruleset community; service:http; reference:bugtraq,1811; reference:cve,1999-0360; classtype:web-application-activity; sid:1041; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS view source via translate header"; flow:to_server,established; http_header; content:"Translate|3A| F",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,14764; reference:bugtraq,1578; reference:cve,2000-0778; reference:nessus,10491; classtype:web-application-activity; sid:1042; rev:26; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS viewcode.asp access"; flow:to_server,established; http_uri; content:"/viewcode.asp",nocase; metadata:ruleset community; service:http; reference:cve,1999-0737; reference:nessus,10576; classtype:web-application-activity; sid:1043; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS webhits access"; flow:to_server,established; http_uri; content:".htw"; metadata:ruleset community; service:http; reference:bugtraq,950; reference:cve,2000-0097; classtype:web-application-activity; sid:1044; rev:17; )
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any ( msg:"SERVER-IIS Unauthorized IP Access Attempt"; flow:to_client,established; content:"403"; content:"Forbidden|3A|"; metadata:ruleset community; service:http; classtype:web-application-attack; sid:1045; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS site/iisamples access"; flow:to_server,established; http_uri; content:"/site/iisamples",nocase; metadata:ruleset community; service:http; reference:nessus,10370; classtype:web-application-activity; sid:1046; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Netscape Enterprise DOS"; flow:to_server,established; content:"REVLOG / ",depth 9; metadata:ruleset community; service:http; reference:bugtraq,2294; reference:cve,2001-0251; classtype:web-application-attack; sid:1047; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Netscape Enterprise directory listing attempt"; flow:to_server,established; content:"INDEX ",depth 6; metadata:ruleset community; service:http; reference:bugtraq,2285; reference:cve,2001-0250; reference:nessus,10691; classtype:web-application-attack; sid:1048; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP iPlanet GETPROPERTIES attempt"; flow:to_server,established; content:"GETPROPERTIES",depth 13; metadata:ruleset community; service:http; reference:bugtraq,2732; reference:cve,2001-0746; classtype:web-application-attack; sid:1050; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"FILE-OTHER technote main.cgi file directory traversal attempt"; flow:to_server,established; http_uri; content:"/technote/main.cgi",fast_pattern,nocase; pkt_data; content:"filename=",nocase; content:"../../"; metadata:ruleset community; service:http; reference:bugtraq,2156; reference:cve,2001-0075; reference:nessus,10584; classtype:web-application-attack; sid:1051; rev:23; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP technote print.cgi directory traversal attempt"; flow:to_server,established; http_uri; content:"/technote/print.cgi",fast_pattern,nocase; pkt_data; content:"board=",nocase; http_raw_uri; content:"../../"; content:"%00"; metadata:ruleset community; service:http; reference:bugtraq,2156; reference:cve,2001-0075; reference:nessus,10584; classtype:web-application-attack; sid:1052; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ads.cgi command execution attempt"; flow:to_server,established; http_uri; content:"/ads.cgi",fast_pattern,nocase; pkt_data; content:"file=",nocase; http_raw_uri; content:"../../"; http_uri; content:"|7C|"; metadata:ruleset community; service:http; reference:bugtraq,2103; reference:cve,2001-0025; reference:nessus,11464; classtype:web-application-attack; sid:1053; rev:23; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP weblogic/tomcat .jsp view source attempt"; flow:to_server,established; http_uri; content:".jsp",nocase; pkt_data; pcre:!"/^\w+\s+[^\n\s\?]*\.jsp/ims"; metadata:ruleset community; service:http; reference:bugtraq,2527; classtype:web-application-attack; sid:1054; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-APACHE Apache Tomcat view source attempt"; flow:to_server,established; http_uri; content:"%252ejsp"; metadata:ruleset community; service:http; reference:bugtraq,2527; reference:cve,2001-0590; classtype:web-application-attack; sid:1056; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SQL ftp attempt"; flow:to_server,established; content:"ftp.exe",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1057; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SQL xp_enumdsn attempt"; flow:to_server,established; content:"xp_enumdsn",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-attack; sid:1058; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SQL xp_filelist attempt"; flow:to_server,established; content:"xp_filelist",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-attack; sid:1059; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SQL xp_availablemedia attempt"; flow:to_server,established; content:"xp_availablemedia",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-attack; sid:1060; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SQL xp_cmdshell attempt"; flow:to_server,established; content:"xp_cmdshell",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,5309; classtype:web-application-attack; sid:1061; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP nc.exe attempt"; flow:to_server,established; content:"nc.exe",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1062; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP wsh attempt"; flow:to_server,established; content:"wsh.exe",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1064; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP rcmd attempt"; flow:to_server,established; http_uri; content:"rcmd.exe",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1065; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP telnet attempt"; flow:to_server,established; content:"telnet.exe",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1066; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP net attempt"; flow:to_server,established; content:"net.exe",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1067; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP tftp attempt"; flow:to_server,established; content:"tftp.exe",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1068; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SQL xp_regread attempt"; flow:to_server,established; content:"xp_regread",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1069; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP WebDAV search access"; flow:to_server,established; content:"SEARCH ",depth 8,nocase; metadata:ruleset community; service:http; reference:bugtraq,1756; reference:cve,2000-0951; classtype:web-application-activity; sid:1070; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP .htpasswd access attempt"; flow:to_server,established; http_uri; content:".htpasswd",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:web-application-attack; sid:1071; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Lotus Domino directory traversal"; flow:to_server,established; http_uri; content:".nsf/"; content:"../",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2173; reference:cve,2001-0009; reference:nessus,12248; classtype:web-application-attack; sid:1072; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP webhits.exe access"; flow:to_server,established; http_uri; content:"/scripts/samples/search/webhits.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,950; reference:cve,2000-0097; classtype:web-application-activity; sid:1073; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS postinfo.asp access"; flow:to_server,established; http_uri; content:"/scripts/postinfo.asp",nocase; metadata:ruleset community; service:http; reference:bugtraq,1811; reference:cve,1999-0360; classtype:web-application-activity; sid:1075; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS repost.asp access"; flow:to_server,established; http_uri; content:"/scripts/repost.asp",nocase; metadata:ruleset community; service:http; reference:nessus,10372; classtype:web-application-activity; sid:1076; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SQL queryhit.htm access"; flow:to_server,established; http_uri; content:"/samples/search/queryhit.htm",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,10370; classtype:web-application-activity; sid:1077; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SQL counter.exe access"; flow:to_server,established; http_uri; content:"/counter.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,267; reference:cve,1999-1030; classtype:web-application-activity; sid:1078; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"OS-WINDOWS Microsoft Windows WebDAV propfind access"; flow:to_server,established; content:"propfind",nocase; pcre:"/<a\x3a\s*propfind.*?xmlns\x3a\s*a=[\x21\x22]?DAV[\x21\x22]?/Ri"; metadata:ruleset community; service:http; reference:bugtraq,1656; reference:cve,2000-0869; reference:cve,2003-0718; reference:nessus,10505; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-030; classtype:web-application-activity; sid:1079; rev:24; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP unify eWave ServletExec upload"; flow:to_server,established; http_uri; content:"/servlet/com.unify.servletexec.UploadServlet",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1868; reference:bugtraq,1876; reference:cve,2000-1024; reference:cve,2000-1025; reference:nessus,10570; classtype:web-application-attack; sid:1080; rev:23; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Netscape Servers suite DOS"; flow:to_server,established; http_uri; content:"/dsgw/bin/search?context=",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1868; reference:cve,2000-1025; classtype:web-application-attack; sid:1081; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP amazon 1-click cookie theft"; flow:to_server,established; content:"ref%3Cscript%20language%3D%22Javascript",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1194; reference:cve,2000-0439; classtype:web-application-attack; sid:1082; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP unify eWave ServletExec DOS"; flow:to_server,established; http_uri; content:"/servlet/ServletExec",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1868; reference:cve,2000-1025; classtype:web-application-activity; sid:1083; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Allaire JRUN DOS attempt"; flow:to_server,established; http_uri; content:"servlet/.......",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2337; reference:cve,2000-1049; classtype:web-application-attack; sid:1084; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP strings overflow"; flow:to_server,established; content:"|BA|I|FE FF FF F7 D2 B9 BF FF FF FF F7 D1|"; metadata:ruleset community; service:http; reference:bugtraq,802; classtype:web-application-attack; sid:1085; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP strings overflow"; flow:to_server,established; http_uri; content:"?STRENGUR",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1786; reference:cve,2000-0967; classtype:web-application-attack; sid:1086; rev:25; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP eXtropia webstore directory traversal"; flow:to_server,established; http_uri; content:"/web_store.cgi"; pkt_data; content:"page=../"; metadata:ruleset community; service:http; reference:bugtraq,1774; reference:cve,2000-1005; reference:nessus,10532; classtype:web-application-attack; sid:1088; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP shopping cart directory traversal"; flow:to_server,established; http_uri; content:"/shop.cgi"; pkt_data; content:"page=../"; metadata:ruleset community; service:http; reference:bugtraq,1777; reference:cve,2000-0921; classtype:web-application-attack; sid:1089; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Allaire Pro Web Shell attempt"; flow:to_server,established; http_uri; content:"/authenticate.cgi?PASSWORD",fast_pattern,nocase; pkt_data; content:"config.ini"; metadata:ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1100; classtype:web-application-attack; sid:1090; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ICQ Webfront HTTP DOS"; flow:to_server,established; http_uri; content:"??????????",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1463; reference:cve,2000-1078; classtype:web-application-attack; sid:1091; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Armada Style Master Index directory traversal"; flow:to_server,established; http_uri; content:"/search.cgi?",nocase; content:"keys",distance 0,nocase; pkt_data; content:"catigory=../",nocase; metadata:ruleset community; service:http; reference:bugtraq,1772; reference:cve,2000-0924; reference:nessus,10562; reference:url,www.synnergy.net/downloads/advisories/SLA-2000-16.masterindex.txt; classtype:web-application-attack; sid:1092; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP cached_feed.cgi moreover shopping cart directory traversal"; flow:to_server,established; http_uri; content:"/cached_feed.cgi"; http_raw_uri; content:"../"; metadata:ruleset community; service:http; reference:bugtraq,1762; reference:cve,2000-0906; classtype:web-application-attack; sid:1093; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Talentsoft Web+ Source Code view access"; flow:to_server,established; http_uri; content:"/webplus.exe?",nocase; content:"script=test.wml",distance 0,nocase; metadata:ruleset community; service:http; reference:bugtraq,1722; reference:url,archives.neohapsis.com/archives/ntbugtraq/2000-q3/0168.html; classtype:web-application-attack; sid:1095; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Talentsoft Web+ internal IP Address access"; flow:to_server,established; http_uri; content:"/webplus.exe?",nocase; content:"about",distance 0,nocase; metadata:ruleset community; service:http; reference:bugtraq,1720; reference:url,archives.neohapsis.com/archives/ntbugtraq/2000-q3/0168.html; classtype:web-application-activity; sid:1096; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Talentsoft Web+ exploit attempt"; flow:to_server,established; http_uri; content:"/webplus.cgi?",nocase; content:"Script=/webplus/webping/webping.wml",distance 0,nocase; metadata:ruleset community; service:http; reference:bugtraq,1725; classtype:web-application-attack; sid:1097; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP SmartWin CyberOffice Shopping Cart access"; flow:to_server,established; http_uri; content:"_private/shopping_cart.mdb",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1734; reference:cve,2000-0925; classtype:web-application-attack; sid:1098; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP cybercop scan"; flow:to_server,established; http_uri; content:"/cybercop",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1099; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"INDICATOR-SCAN L3retriever HTTP Probe"; flow:to_server,established; http_header; content:"User-Agent|3A| Java1.2.1|0D 0A|"; metadata:ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:web-application-activity; sid:1100; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"INDICATOR-SCAN Webtrends HTTP probe"; flow:to_server,established; http_header; content:"User-Agent|3A| Webtrends Security Analyzer|0D 0A|"; metadata:ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:web-application-activity; sid:1101; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP nessus 1.X 404 probe"; flow:to_server,established; http_uri; content:"/nessus_is_probing_you_",depth 32; metadata:ruleset community; service:http; classtype:web-application-attack; sid:1102; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Netscape admin passwd"; flow:to_server,established; http_uri; content:"/admin-serv/config/admpw",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1579; reference:nessus,10468; classtype:web-application-attack; sid:1103; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP BigBrother access"; flow:to_server,established; http_uri; content:"/bb-hostsvc.sh?",nocase; content:"HOSTSVC",distance 0,nocase; metadata:ruleset community; service:http; reference:bugtraq,1455; reference:cve,2000-0638; reference:nessus,10460; classtype:attempted-recon; sid:1105; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Poll-it access"; flow:to_server,established; http_uri; content:"/pollit/Poll_It_SSI_v2.0.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1431; reference:cve,2000-0590; reference:nessus,10459; classtype:web-application-activity; sid:1106; rev:23; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ftp.pl access"; flow:to_server,established; http_uri; content:"/ftp.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1471; reference:cve,2000-0674; reference:nessus,10467; classtype:web-application-activity; sid:1107; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-APACHE Apache Tomcat server snoop access"; flow:to_server,established; http_uri; content:"/jsp/snp/"; content:".snp"; metadata:ruleset community; service:http; reference:bugtraq,1532; reference:cve,2000-0760; reference:nessus,10478; classtype:attempted-recon; sid:1108; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ROXEN directory list attempt"; flow:to_server,established; http_uri; content:"/%00"; metadata:ruleset community; service:http; reference:bugtraq,1510; reference:cve,2000-0671; reference:nessus,10479; classtype:attempted-recon; sid:1109; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP apache source.asp file access"; flow:to_server,established; http_uri; content:"/site/eg/source.asp",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1457; reference:cve,2000-0628; reference:nessus,10480; classtype:attempted-recon; sid:1110; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-APACHE Apache Tomcat server exploit access"; flow:to_server,established; http_uri; content:"/contextAdmin/contextAdmin.html",nocase; metadata:ruleset community; service:http; reference:bugtraq,1548; reference:cve,2000-0672; reference:nessus,10477; classtype:attempted-recon; sid:1111; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ICQ webserver DOS"; flow:to_server,established; http_uri; content:".html/......",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-0474; reference:url,www.securiteam.com/exploits/2ZUQ1QAQOG.html; classtype:attempted-dos; sid:1115; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Lotus DelDoc attempt"; flow:to_server,established; http_uri; content:"?DeleteDocument",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:1116; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Lotus EditDoc attempt"; flow:to_server,established; http_uri; content:"?EditDocument",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,www.securiteam.com/exploits/5NP080A1RE.html; classtype:attempted-recon; sid:1117; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ls 20-l"; flow:to_server,established; content:"ls%20-l",nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:1118; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP mlog.phtml access"; flow:to_server,established; http_uri; content:"/mlog.phtml",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,713; reference:cve,1999-0068; reference:cve,1999-0346; classtype:attempted-recon; sid:1119; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP mylog.phtml access"; flow:to_server,established; http_uri; content:"/mylog.phtml",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,713; reference:cve,1999-0068; reference:cve,1999-0346; classtype:attempted-recon; sid:1120; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP /etc/passwd file access attempt"; flow:to_server,established; http_uri; content:"/etc/passwd",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1087; classtype:attempted-recon; sid:1122; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ?PageServices access"; flow:to_server,established; http_uri; content:"?PageServices",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1063; reference:bugtraq,7621; reference:cve,1999-0269; classtype:attempted-recon; sid:1123; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Ecommerce check.txt access"; flow:to_server,established; http_uri; content:"/config/check.txt",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:1124; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP webcart access"; flow:to_server,established; http_uri; content:"/webcart/",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-0610; reference:nessus,10298; classtype:attempted-recon; sid:1125; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP AuthChangeUrl access"; flow:to_server,established; http_uri; content:"_AuthChangeUrl?",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2110; reference:cve,1999-0407; classtype:attempted-recon; sid:1126; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP convert.bas access"; flow:to_server,established; http_uri; content:"/scripts/convert.bas",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2025; reference:cve,1999-0175; classtype:attempted-recon; sid:1127; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP cpshost.dll access"; flow:to_server,established; http_uri; content:"/scripts/cpshost.dll",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1811; reference:bugtraq,4002; reference:cve,1999-0360; classtype:attempted-recon; sid:1128; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP .htaccess access"; flow:to_server,established; http_uri; content:".htaccess",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1170; classtype:attempted-recon; sid:1129; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP .wwwacl access"; flow:to_server,established; http_uri; content:".wwwacl",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:attempted-recon; sid:1130; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP .wwwacl access"; flow:to_server,established; http_uri; content:".www_acl",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:attempted-recon; sid:1131; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 457 ( msg:"SERVER-WEBAPP Netscape Unixware overflow"; flow:to_server,established; content:"|EB|_|9A FF FF FF FF 07 FF C3|^1|C0 89|F|9D|"; metadata:ruleset community; reference:bugtraq,908; reference:cve,1999-0744; classtype:attempted-recon; sid:1132; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"INDICATOR-SCAN cybercop os probe"; flow:stateless; ack:0; flags:FPS; content:"AAAAAAAAAAAAAAAA",depth 16; metadata:ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:1133; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Phorum admin access"; flow:to_server,established; http_uri; content:"/admin.php3",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2271; reference:cve,2000-1228; classtype:attempted-recon; sid:1134; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP cd.."; flow:to_server,established; content:"cd..",nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:1136; rev:11; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Phorum authentication access"; flow:to_server,established; content:"PHP_AUTH_USER=boogieman",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2274; reference:cve,2000-1230; classtype:attempted-recon; sid:1137; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP whisker HEAD/./"; flow:to_server,established; content:"HEAD/./"; metadata:ruleset community; service:http; reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; classtype:attempted-recon; sid:1139; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP guestbook.pl access"; flow:to_server,established; http_uri; content:"/guestbook.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,776; reference:cve,1999-0237; reference:cve,1999-1053; reference:nessus,10099; classtype:attempted-recon; sid:1140; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP handler access"; flow:to_server,established; http_uri; content:"/handler",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,380; reference:cve,1999-0148; reference:nessus,10100; classtype:web-application-activity; sid:1141; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP /.... access"; flow:to_server,established; content:"/...."; metadata:ruleset community; service:http; classtype:attempted-recon; sid:1142; rev:11; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP root access"; flow:to_server,established; http_uri; content:"/~root",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:attempted-recon; sid:1145; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Ecommerce import.txt access"; flow:to_server,established; http_uri; content:"/config/import.txt",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:1146; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP cat_ access"; flow:to_server,established; http_uri; content:"cat ",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,374; reference:cve,1999-0039; classtype:attempted-recon; sid:1147; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Ecommerce import.txt access"; flow:to_server,established; http_uri; content:"/orders/import.txt",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:1148; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP count.cgi access"; flow:to_server,established; http_uri; content:"/count.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,128; reference:cve,1999-0021; reference:nessus,10049; classtype:web-application-activity; sid:1149; rev:24; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Domino catalog.nsf access"; flow:to_server,established; http_uri; content:"/catalog.nsf",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,10629; classtype:attempted-recon; sid:1150; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Domino domcfg.nsf access"; flow:to_server,established; http_uri; content:"/domcfg.nsf",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,10629; classtype:attempted-recon; sid:1151; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Domino domlog.nsf access"; flow:to_server,established; http_uri; content:"/domlog.nsf",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,10629; classtype:attempted-recon; sid:1152; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Domino log.nsf access"; flow:to_server,established; http_uri; content:"/log.nsf",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,10629; classtype:attempted-recon; sid:1153; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Domino names.nsf access"; flow:to_server,established; http_uri; content:"/names.nsf",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,10629; classtype:attempted-recon; sid:1154; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Ecommerce checks.txt access"; flow:to_server,established; http_uri; content:"/orders/checks.txt",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2281; classtype:attempted-recon; sid:1155; rev:15; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP apache directory disclosure attempt"; flow:to_server,established; content:"////////",fast_pattern,nocase; http_raw_uri; content:"////////"; metadata:ruleset community; service:http; reference:bugtraq,2503; reference:cve,2001-0925; classtype:attempted-dos; sid:1156; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Netscape PublishingXpert access"; flow:to_server,established; http_uri; content:"/PSUser/PSCOErrPage.htm",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,2000-1196; reference:nessus,10364; classtype:web-application-activity; sid:1157; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP windmail.exe access"; flow:to_server,established; http_uri; content:"/windmail.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1073; reference:cve,2000-0242; reference:nessus,10365; classtype:attempted-recon; sid:1158; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP webplus access"; flow:to_server,established; http_uri; content:"/webplus?script",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1174; reference:bugtraq,1720; reference:bugtraq,1722; reference:bugtraq,1725; reference:cve,2000-1005; classtype:attempted-recon; sid:1159; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Netscape dir index wp"; flow:to_server,established; http_uri; content:"?wp-",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1063; reference:cve,2000-0236; reference:nessus,10352; classtype:attempted-recon; sid:1160; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP piranha passwd.php3 access"; flow:to_server,established; http_uri; content:"/passwd.php3"; metadata:ruleset community; service:http; reference:bugtraq,1149; reference:cve,2000-0322; classtype:attempted-recon; sid:1161; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP cart 32 AdminPwd access"; flow:to_server,established; http_uri; content:"/c32web.exe/ChangeAdminPassword",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1153; reference:cve,2000-0429; classtype:attempted-recon; sid:1162; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP webdist.cgi access"; flow:to_server,established; http_uri; content:"/webdist.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,374; reference:cve,1999-0039; reference:nessus,10299; classtype:web-application-activity; sid:1163; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP shopping cart access"; flow:to_server,established; http_uri; content:"/quikstore.cfg",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1983; reference:bugtraq,2049; reference:cve,1999-0607; reference:cve,2000-1188; classtype:attempted-recon; sid:1164; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Novell Groupwise gwweb.exe access"; flow:to_server,established; content:"/GWWEB.EXE",nocase; metadata:ruleset community; service:http; reference:bugtraq,879; reference:cve,1999-1005; reference:cve,1999-1006; reference:nessus,10877; classtype:attempted-recon; sid:1165; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ws_ftp.ini access"; flow:to_server,established; http_uri; content:"/ws_ftp.ini",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,547; reference:cve,1999-1078; classtype:attempted-recon; sid:1166; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP rpm_query access"; flow:to_server,established; http_uri; content:"/rpm_query",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1036; reference:cve,2000-0192; reference:nessus,10340; classtype:attempted-recon; sid:1167; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP mall log order access"; flow:to_server,established; http_uri; content:"/mall_log_files/order.log",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2266; reference:cve,1999-0606; classtype:attempted-recon; sid:1168; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP bigconf.cgi access"; flow:to_server,established; http_uri; content:"/bigconf.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,778; reference:cve,1999-1550; reference:nessus,10027; classtype:web-application-activity; sid:1172; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP architext_query.pl access"; flow:to_server,established; http_uri; content:"/ews/architext_query.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2248; reference:cve,1999-0279; reference:nessus,10064; reference:url,www2.fedcirc.gov/alerts/advisories/1998/txt/fedcirc.98.03.txt; classtype:attempted-recon; sid:1173; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP /cgi-bin/jj access"; flow:to_server,established; http_uri; content:"/cgi-bin/jj",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2002; reference:cve,1999-0260; reference:nessus,10131; classtype:web-application-activity; sid:1174; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP wwwboard.pl access"; flow:to_server,established; http_uri; content:"/wwwboard.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1795; reference:bugtraq,649; reference:cve,1999-0930; reference:cve,1999-0954; classtype:attempted-recon; sid:1175; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; http_uri; content:"?wp-verify-link",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1177; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Phorum read access"; flow:to_server,established; http_uri; content:"/read.php3",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:1178; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Phorum violation access"; flow:to_server,established; http_uri; content:"/violation.php3",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2272; reference:cve,2000-1234; classtype:attempted-recon; sid:1179; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP get32.exe access"; flow:to_server,established; http_uri; content:"/get32.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1485; reference:bugtraq,770; reference:cve,1999-0885; reference:nessus,10011; classtype:attempted-recon; sid:1180; rev:24; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Annex Terminal DOS attempt"; flow:to_server,established; http_uri; content:"/ping?query="; metadata:ruleset community; service:http; reference:cve,1999-1070; reference:nessus,10017; classtype:attempted-dos; sid:1181; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; http_uri; content:"?wp-cs-dump",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1063; reference:cve,2000-0236; reference:nessus,10352; classtype:attempted-recon; sid:1183; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; http_uri; content:"?wp-ver-info",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1184; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP bizdbsearch attempt"; flow:to_server,established; http_uri; content:"/bizdb1-search.cgi",fast_pattern,nocase; content:"mail",nocase; metadata:ruleset community; service:http; reference:bugtraq,1104; reference:cve,2000-0287; reference:nessus,10383; classtype:web-application-attack; sid:1185; rev:23; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; http_uri; content:"?wp-ver-diff",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1186; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP SalesLogix Eviewer web command attempt"; flow:to_server,established; http_uri; content:"/slxweb.dll/admin?command=",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1078; reference:bugtraq,1089; reference:cve,2000-0278; reference:cve,2000-0289; reference:nessus,10361; classtype:web-application-attack; sid:1187; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; http_uri; content:"?wp-start-ver",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1188; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; http_uri; content:"?wp-stop-ver",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1189; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; http_uri; content:"?wp-uncheckout",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1190; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; http_uri; content:"?wp-html-rend",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1191; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Trend Micro OfficeScan access"; flow:to_server,established; http_uri; content:"/officescan/cgi/jdkRqNotify.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1057; classtype:attempted-recon; sid:1192; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP oracle web arbitrary command execution attempt"; flow:to_server,established; http_uri; content:"/ows-bin/",nocase; content:"?&"; metadata:ruleset community; service:http; reference:bugtraq,1053; reference:cve,2000-0169; reference:nessus,10348; classtype:web-application-attack; sid:1193; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP sojourn.cgi File attempt"; flow:to_server,established; http_uri; content:"/sojourn.cgi?",nocase; content:"cat=",distance 0,nocase; pkt_data; content:"%00",nocase; metadata:ruleset community; service:http; reference:bugtraq,1052; reference:cve,2000-0180; reference:nessus,10349; classtype:web-application-attack; sid:1194; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP sojourn.cgi access"; flow:to_server,established; http_uri; content:"/sojourn.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1052; reference:cve,2000-0180; reference:nessus,10349; classtype:web-application-activity; sid:1195; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP SGI InfoSearch fname attempt"; flow:to_server,established; http_uri; content:"/infosrch.cgi?",fast_pattern,nocase; content:"fname=",nocase; metadata:ruleset community; service:http; reference:bugtraq,1031; reference:cve,2000-0207; reference:nessus,10128; classtype:web-application-attack; sid:1196; rev:23; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Phorum code access"; flow:to_server,established; http_uri; content:"/code.php3",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:1197; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; http_uri; content:"?wp-usr-prop",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:web-application-attack; sid:1198; rev:17; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 2301 ( msg:"SERVER-WEBAPP Compaq Insight directory traversal"; flow:to_server,established; content:"../"; metadata:ruleset community; service:http; reference:bugtraq,282; reference:cve,1999-0771; classtype:web-application-attack; sid:1199; rev:18; )
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE Invalid URL"; flow:to_client,established; file_data; content:"Invalid URL",nocase; metadata:ruleset community; service:http; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-063; classtype:attempted-recon; sid:1200; rev:17; )
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE 403 Forbidden"; flow:to_client,established; http_stat_code; content:"403"; metadata:ruleset community; service:http; classtype:attempted-recon; sid:1201; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP search.vts access"; flow:to_server,established; http_uri; content:"/search.vts"; metadata:ruleset community; service:http; reference:bugtraq,162; classtype:attempted-recon; sid:1202; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ax-admin.cgi access"; flow:to_server,established; http_uri; content:"/ax-admin.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1204; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP axs.cgi access"; flow:to_server,established; http_uri; content:"/axs.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1205; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP cachemgr.cgi access"; flow:to_server,established; http_uri; content:"/cachemgr.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2059; reference:cve,1999-0710; reference:nessus,10034; classtype:web-application-activity; sid:1206; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP htgrep access"; flow:to_server,established; http_uri; content:"/htgrep"; metadata:ruleset community; service:http; reference:cve,2000-0832; reference:nessus,10495; classtype:web-application-activity; sid:1207; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP responder.cgi access"; flow:to_server,established; http_uri; content:"/responder.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3155; classtype:web-application-activity; sid:1208; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP .nsconfig access"; flow:to_server,established; http_uri; content:"/.nsconfig"; metadata:ruleset community; service:http; classtype:attempted-recon; sid:1209; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP web-map.cgi access"; flow:to_server,established; http_uri; content:"/web-map.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1211; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Admin_files access"; flow:to_server,established; http_uri; content:"/admin_files",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:1212; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP backup access"; flow:to_server,established; http_uri; content:"/backup",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:1213; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP intranet access"; flow:to_server,established; http_uri; content:"/intranet/",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,11626; classtype:attempted-recon; sid:1214; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ministats admin access"; flow:to_server,established; http_uri; content:"/ministats/admin.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1215; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP filemail access"; flow:to_server,established; http_uri; content:"/filemail",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-1154; reference:cve,1999-1155; reference:url,www.securityfocus.com/archive/1/11175; classtype:attempted-recon; sid:1216; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP plusmail access"; flow:to_server,established; http_uri; content:"/plusmail",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2653; reference:cve,2000-0074; reference:nessus,10181; classtype:attempted-recon; sid:1217; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP adminlogin access"; flow:to_server,established; http_uri; content:"/adminlogin",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1164; reference:bugtraq,1175; reference:cve,2000-0332; reference:cve,2000-0426; reference:nessus,11748; classtype:attempted-recon; sid:1218; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP dfire.cgi access"; flow:to_server,established; http_uri; content:"/dfire.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,564; reference:cve,1999-0913; classtype:web-application-activity; sid:1219; rev:23; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ultraboard access"; flow:to_server,established; http_uri; content:"/ultraboard",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1164; reference:bugtraq,1175; reference:cve,2000-0332; reference:cve,2000-0426; reference:nessus,11748; classtype:attempted-recon; sid:1220; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Muscat Empower cgi access"; flow:to_server,established; http_uri; content:"/empower?DB",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2374; reference:cve,2001-0224; reference:nessus,10609; classtype:web-application-activity; sid:1221; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP pals-cgi arbitrary file access attempt"; flow:to_server,established; http_uri; content:"/pals-cgi",fast_pattern,nocase; content:"documentName="; metadata:ruleset community; service:http; reference:bugtraq,2372; reference:cve,2001-0217; reference:nessus,10611; classtype:web-application-attack; sid:1222; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ROADS search.pl attempt"; flow:to_server,established; http_uri; content:"/ROADS/cgi-bin/search.pl"; pkt_data; content:"form=",nocase; metadata:ruleset community; service:http; reference:bugtraq,2371; reference:cve,2001-0215; reference:nessus,10627; classtype:attempted-recon; sid:1224; rev:17; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 ( msg:"X11 MIT Magic Cookie detected"; flow:established; content:"MIT-MAGIC-COOKIE-1",fast_pattern,nocase; metadata:ruleset community; classtype:attempted-user; sid:1225; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 ( msg:"X11 xopen"; flow:established; content:"l|00 0B 00 00 00 00 00 00 00 00 00|",fast_pattern,fast_pattern_offset 0,fast_pattern_length 10; metadata:policy max-detect-ips drop,ruleset community; classtype:unknown; sid:1226; rev:15; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP CWD ..."; flow:to_server,established; content:"CWD",nocase; content:"...",distance 0; pcre:"/^CWD\s[^\n]*?\.\.\./ims"; metadata:ruleset community; service:ftp; reference:bugtraq,9237; classtype:bad-unknown; sid:1229; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP VirusWall FtpSave access"; flow:to_server,established; http_uri; content:"/FtpSave.dll",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10733; classtype:attempted-recon; sid:1230; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP VirusWall catinfo access"; flow:to_server,established; http_uri; content:"/catinfo",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2579; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10650; classtype:attempted-recon; sid:1231; rev:16; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 1812 ( msg:"SERVER-WEBAPP VirusWall catinfo access"; flow:to_server,established; content:"/catinfo",nocase; metadata:ruleset community; service:http; reference:bugtraq,2579; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10650; classtype:attempted-recon; sid:1232; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP VirusWall FtpSaveCSP access"; flow:to_server,established; http_uri; content:"/FtpSaveCSP.dll",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10733; classtype:attempted-recon; sid:1234; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP VirusWall FtpSaveCVP access"; flow:to_server,established; http_uri; content:"/FtpSaveCVP.dll",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10733; classtype:attempted-recon; sid:1235; rev:16; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"OS-WINDOWS RFParalyze Attempt"; flow:to_server,established; content:"BEAVIS"; content:"yep yep"; metadata:ruleset community; reference:bugtraq,1163; reference:cve,2000-0347; reference:nessus,10392; classtype:attempted-recon; sid:1239; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 2224 ( msg:"SERVER-OTHER MDBMS overflow"; flow:to_server,established; content:"|01|1|DB CD 80 E8|[|FF FF FF|",fast_pattern,nocase; metadata:ruleset community; reference:bugtraq,1252; reference:cve,2000-0446; reference:nessus,10422; classtype:attempted-admin; sid:1240; rev:10; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP SWEditServlet directory traversal attempt"; flow:to_server,established; http_uri; content:"/SWEditServlet"; pkt_data; content:"template=../../../"; metadata:ruleset community; service:http; reference:bugtraq,2868; reference:cve,2001-0555; classtype:attempted-user; sid:1241; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS ISAPI .ida access"; flow:to_server,established; http_uri; content:".ida",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:1242; rev:24; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS ISAPI .ida attempt"; flow:to_server,established; http_uri; content:".ida?",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1065; reference:cve,2000-0071; reference:cve,2001-0500; classtype:web-application-attack; sid:1243; rev:26; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS ISAPI .idq attempt"; flow:to_server,established; http_uri; content:".idq?",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1065; reference:bugtraq,968; reference:cve,2000-0071; reference:cve,2000-0126; reference:cve,2001-0500; reference:nessus,10115; classtype:web-application-attack; sid:1244; rev:29; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS ISAPI .idq access"; flow:to_server,established; http_uri; content:".idq",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:1245; rev:24; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage rad fp30reg.dll access"; flow:to_server,established; http_uri; content:"/fp30reg.dll",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,2906; reference:cve,2001-0341; reference:cve,2003-0822; reference:nessus,10699; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-035; classtype:web-application-activity; sid:1248; rev:31; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage rad fp4areg.dll access"; flow:to_server,established; http_uri; content:"/fp4areg.dll",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,2906; reference:cve,2001-0341; reference:nessus,10699; classtype:web-application-activity; sid:1249; rev:25; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"OS-OTHER Cisco IOS HTTP configuration attempt"; flow:to_server,established; http_uri; content:"/level/"; pcre:"/\x2flevel\x2f\d+\x2f(exec|configure)/i"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,2936; reference:cve,2001-0537; reference:nessus,10700; classtype:web-application-attack; sid:1250; rev:22; )
alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any ( msg:"PROTOCOL-TELNET bsd telnet exploit response"; flow:to_client,established; raw_data; content:"|0D 0A|[Yes]|0D 0A FF FE 08 FF FD|&",fast_pattern,nocase; metadata:ruleset community; service:telnet; reference:bugtraq,3064; reference:cve,2001-0554; reference:nessus,10709; classtype:attempted-admin; sid:1252; rev:25; )
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"PROTOCOL-TELNET bsd exploit client finishing"; flow:to_server,established; isdataat:200; raw_data; content:"|FF F6 FF F6 FF FB 08 FF F6|",depth 50,offset 200; metadata:ruleset community; service:telnet; reference:bugtraq,3064; reference:cve,2001-0554; reference:nessus,10709; classtype:successful-admin; sid:1253; rev:24; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP PHPLIB remote command attempt"; flow:to_server,established; content:"_PHPLIB[libdir]",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3079; reference:cve,2001-1370; reference:nessus,14910; classtype:attempted-user; sid:1254; rev:16; )
alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP PHPLIB remote command attempt"; flow:to_server,established; http_uri; content:"/db_mysql.inc"; metadata:ruleset community; service:http; reference:bugtraq,3079; reference:cve,2001-1370; classtype:attempted-user; sid:1255; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS CodeRed v2 root.exe access"; flow:to_server,established; http_uri; content:"/root.exe",nocase; metadata:ruleset community; service:http; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:20; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 135:139 ( msg:"SERVER-OTHER Winnuke attack"; flow:stateless; flags:U+; metadata:ruleset community; reference:bugtraq,2010; reference:cve,1999-0153; classtype:attempted-dos; sid:1257; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP SWEditServlet access"; flow:to_server,established; http_uri; content:"/SWEditServlet"; metadata:ruleset community; service:http; reference:bugtraq,2868; classtype:attempted-recon; sid:1259; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 4242 ( msg:"SERVER-OTHER AIX pdnsd overflow"; flow:to_server,established; isdataat:1000; content:"|7F FF FB|x|7F FF FB|x|7F FF FB|x|7F FF FB|x"; content:"@|8A FF C8|@|82 FF D8 3B|6|FE 03 3B|v|FE 02|"; metadata:ruleset community; reference:bugtraq,3237; reference:bugtraq,590; reference:cve,1999-0745; classtype:attempted-user; sid:1261; rev:15; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap admind request TCP"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|",within 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:1262; rev:16; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap amountd request TCP"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|",within 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; service:sunrpc; reference:bugtraq,205; reference:bugtraq,235; reference:bugtraq,450; reference:bugtraq,614; reference:cve,1999-0088; reference:cve,1999-0210; reference:cve,1999-0493; reference:cve,1999-0704; classtype:rpc-portmap-decode; sid:1263; rev:18; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap bootparam request TCP"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|",within 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:1264; rev:21; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap cmsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|",within 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:1265; rev:16; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap nisd request TCP"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 CC|",within 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:1267; rev:18; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap pcnfsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02|I|F1|",within 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; service:sunrpc; reference:bugtraq,205; reference:bugtraq,4816; reference:cve,1999-0078; reference:cve,1999-0353; reference:cve,2002-0910; classtype:rpc-portmap-decode; sid:1268; rev:19; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap rexd request TCP"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|",within 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:1269; rev:17; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap rstatd request TCP"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|",within 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:1270; rev:18; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap rusers request TCP"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|",within 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; service:sunrpc; reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:1271; rev:21; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap sadmind request TCP"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|",within 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:1272; rev:17; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap selection_svc request TCP"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|",within 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; service:sunrpc; reference:bugtraq,205; reference:cve,1999-0209; classtype:rpc-portmap-decode; sid:1273; rev:17; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap ttdbserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|",within 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; service:sunrpc; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1274; rev:26; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap yppasswd request TCP"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|",within 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:1275; rev:17; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap ypserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|",within 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; service:sunrpc; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:1276; rev:21; )
alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap ypupdated request UDP"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:sunrpc; reference:bugtraq,1749; reference:bugtraq,28383; reference:cve,1999-0208; classtype:rpc-portmap-decode; sid:1277; rev:23; )
alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap snmpXdmi request UDP"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; reference:bugtraq,2417; reference:cve,2001-0236; reference:nessus,10659; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1279; rev:28; )
alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap listing UDP 111"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 04|",within 4,distance 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:1280; rev:18; )
alert udp $EXTERNAL_NET any -> $HOME_NET 32771 ( msg:"PROTOCOL-RPC portmap listing UDP 32771"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 04|",within 4,distance 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; classtype:rpc-portmap-decode; sid:1281; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS Microsoft Office Outlook web dos"; flow:to_server,established; http_uri; content:"/exchange/LogonFrm.asp?",fast_pattern,nocase; pkt_data; content:"mailbox=",nocase; content:"%%%"; metadata:ruleset community; service:http; reference:bugtraq,3223; classtype:web-application-attack; sid:1283; rev:21; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"SERVER-OTHER readme.eml download attempt"; flow:to_server,established; http_uri; content:"/readme.eml",nocase; metadata:ruleset community; service:http; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:attempted-user; sid:1284; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS msdac access"; flow:to_server,established; http_uri; content:"/msdac/",nocase; metadata:ruleset community; service:http; reference:nessus,11032; classtype:web-application-activity; sid:1285; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS _mem_bin access"; flow:to_server,established; http_uri; content:"/_mem_bin/",nocase; metadata:ruleset community; service:http; reference:nessus,11032; classtype:web-application-activity; sid:1286; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage /_vti_bin/ access"; flow:to_server,established; http_uri; content:"/_vti_bin/",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:nessus,11032; classtype:web-application-activity; sid:1288; rev:18; )
alert udp any any -> any 69 ( msg:"PROTOCOL-TFTP GET Admin.dll"; flow:to_server; content:"|00 01|",depth 2; content:"admin.dll",offset 2,nocase; metadata:policy max-detect-ips drop,ruleset community; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:successful-admin; sid:1289; rev:11; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER readme.eml autoload attempt"; flow:to_client,established; file_data; content:"window.open|28 22|readme.eml|22|",nocase; metadata:ruleset community; service:http; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:attempted-user; sid:1290; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP sml3com access"; flow:to_server,established; http_uri; content:"/graphics/sml3com"; metadata:ruleset community; service:http; reference:bugtraq,2721; reference:cve,2001-0740; classtype:web-application-activity; sid:1291; rev:15; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE directory listing"; flow:established; content:"Volume Serial Number"; metadata:ruleset community; classtype:bad-unknown; sid:1292; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"INDICATOR-COMPROMISE nimda RICHED20.DLL"; flow:to_server,established; content:"R|00|I|00|C|00|H|00|E|00|D|00|2|00|0|00|.|00|D|00|L|00|L",nocase; metadata:ruleset community; reference:url,www.f-secure.com/v-descs/nimda.shtml; classtype:bad-unknown; sid:1295; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP admin.php file upload attempt"; flow:to_server,established; http_uri; content:"/admin.php",fast_pattern,nocase; content:"file_name="; metadata:ruleset community; service:http; reference:bugtraq,3361; reference:cve,2001-1032; classtype:attempted-admin; sid:1300; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP admin.php access"; flow:to_server,established; http_uri; content:"/admin.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3361; reference:bugtraq,7532; reference:bugtraq,9270; reference:cve,2001-1032; classtype:attempted-recon; sid:1301; rev:23; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP console.exe access"; flow:to_server,established; http_uri; content:"/cgi-bin/console.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3375; reference:cve,2001-1252; classtype:attempted-recon; sid:1302; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP cs.exe access"; flow:to_server,established; http_uri; content:"/cgi-bin/cs.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3375; reference:cve,2001-1252; classtype:attempted-recon; sid:1303; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP txt2html.cgi access"; flow:to_server,established; http_uri; content:"/txt2html.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1304; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP txt2html.cgi directory traversal attempt"; flow:to_server,established; http_uri; content:"/txt2html.cgi",fast_pattern,nocase; http_raw_uri; content:"/../../../../"; metadata:ruleset community; service:http; classtype:web-application-attack; sid:1305; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP store.cgi access"; flow:to_server,established; http_uri; content:"/store.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2385; reference:cve,2001-0305; reference:nessus,10639; classtype:web-application-activity; sid:1307; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP sendmessage.cgi access"; flow:to_server,established; http_uri; content:"/sendmessage.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3673; reference:cve,2001-1100; classtype:attempted-recon; sid:1308; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP zsh access"; flow:to_server,established; http_uri; content:"/zsh",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:1309; rev:21; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 4321 ( msg:"SERVER-OTHER rwhoisd format string attempt"; flow:to_server,established; content:"-soa %p"; metadata:ruleset community; reference:bugtraq,3474; reference:cve,2001-0838; reference:nessus,10790; classtype:misc-attack; sid:1323; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS ( msg:"INDICATOR-SHELLCODE ssh CRC32 overflow /bin/sh"; flow:to_server,established; content:"/bin/sh"; metadata:ruleset community; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1324; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS ( msg:"INDICATOR-SHELLCODE ssh CRC32 overflow filler"; flow:to_server,established; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1325; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS ( msg:"INDICATOR-SHELLCODE ssh CRC32 overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|",fast_pattern,nocase; metadata:ruleset community; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1326; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS ( msg:"INDICATOR-SHELLCODE ssh CRC32 overflow"; flow:to_server,established; content:"|00 01|W|00 00 00 18|",depth 7; content:"|FF FF FF FF 00 00|",depth 14,offset 8; metadata:ruleset community; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; reference:nessus,10607; classtype:shellcode-detect; sid:1327; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP .htgroup access"; flow:to_server,established; http_uri; content:".htgroup",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:web-application-activity; sid:1374; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP sadmind worm access"; flow:to_server,established; content:"GET x HTTP/1.0",depth 15; metadata:ruleset community; service:http; reference:url,www.cert.org/advisories/CA-2001-11.html; classtype:attempted-recon; sid:1375; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP jrun directory browse attempt"; flow:to_server,established; http_uri; content:"/?.jsp"; metadata:ruleset community; service:http; reference:bugtraq,3592; reference:cve,2001-1510; classtype:web-application-attack; sid:1376; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP wu-ftp bad file completion attempt"; flow:to_server,established; content:"~"; content:"[",distance 0; metadata:policy max-detect-ips drop,ruleset community; service:ftp; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; reference:nessus,10821; classtype:misc-attack; sid:1377; rev:24; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP wu-ftp bad file completion attempt"; flow:to_server,established; content:"~"; content:"{",distance 0; metadata:policy max-detect-ips drop,ruleset community; service:ftp; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; reference:nessus,10821; classtype:misc-attack; sid:1378; rev:24; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP STAT overflow attempt"; flow:to_server,established; content:"STAT",nocase; isdataat:190,relative; pcre:"/^STAT(?!\n)\s[^\n]{190}/im"; metadata:ruleset community; service:ftp; reference:bugtraq,3507; reference:bugtraq,8542; reference:cve,2001-0325; reference:cve,2001-1021; reference:cve,2003-0772; reference:cve,2011-0762; reference:url,labs.defcom.com/adv/2001/def-2001-31.txt; classtype:attempted-admin; sid:1379; rev:23; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS Form_VBScript.asp access"; flow:to_server,established; http_uri; content:"/Form_VBScript.asp",nocase; metadata:ruleset community; service:http; reference:bugtraq,1594; reference:bugtraq,1595; reference:cve,2000-0746; reference:cve,2000-1104; reference:nessus,10572; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-060; classtype:web-application-attack; sid:1380; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Trend Micro OfficeScan attempt"; flow:to_server,established; http_uri; content:"/officescan/cgi/jdkRqNotify.exe?",nocase; content:"domain=",nocase; content:"event=",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1057; classtype:attempted-recon; sid:1381; rev:13; )
alert tcp any any -> any 6666:7000 ( msg:"SERVER-OTHER CHAT IRC Ettercap parse overflow attempt"; flow:to_server,established; content:"PRIVMSG",fast_pattern,nocase; content:"nickserv",nocase; content:"IDENTIFY",nocase; isdataat:100,relative; pcre:"/^PRIVMSG\s+nickserv\s+IDENTIFY\s[^\n]{100}/ims"; metadata:ruleset community; reference:url,www.bugtraq.org/dev/GOBBLES-12.txt; classtype:misc-attack; sid:1382; rev:13; )
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 ( msg:"OS-WINDOWS Microsoft Windows UPnP malformed advertisement"; flow:to_server,no_stream; content:"NOTIFY * ",fast_pattern,nocase; content:"LOCATION|3A|",nocase; detection_filter:track by_dst,count 10,seconds 1; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,3723; reference:cve,2001-0876; reference:cve,2001-0877; reference:nessus,10829; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-059; classtype:misc-attack; sid:1384; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP mod-plsql administration access"; flow:to_server,established; http_uri; content:"/admin_/"; metadata:ruleset community; service:http; reference:bugtraq,3726; reference:bugtraq,3727; reference:cve,2001-1216; reference:cve,2001-1217; reference:nessus,10849; classtype:web-application-activity; sid:1385; rev:18; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 ( msg:"SERVER-MSSQL raiserror possible buffer overflow"; flow:to_server,established; content:"r|00|a|00|i|00|s|00|e|00|r|00|r|00|o|00|r|00|",offset 32,nocase; metadata:ruleset community; reference:bugtraq,3733; reference:cve,2001-0542; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-060; classtype:attempted-user; sid:1386; rev:15; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 ( msg:"SQL raiserror possible buffer overflow"; flow:to_server,established; content:"r|00|a|00|i|00|s|00|e|00|r|00|r|00|o|00|r|00|",fast_pattern,nocase; metadata:ruleset community; reference:bugtraq,3733; reference:cve,2001-0542; reference:nessus,11217; classtype:attempted-user; sid:1387; rev:13; )
alert udp $EXTERNAL_NET any -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows UPnP Location overflow attempt"; content:"Location",fast_pattern,nocase; pcre:"/^Location\s*\x3a\s*\w+\x3a\/\/([^\n]*\x3a)?[^\n]{128}/ims"; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,3723; reference:cve,2001-0876; reference:cve,2007-2386; reference:nessus,10829; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-059; classtype:misc-attack; sid:1388; rev:23; )
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; metadata:policy max-detect-ips drop,ruleset community; classtype:shellcode-detect; sid:1390; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP lastlines.cgi access"; flow:to_server,established; http_uri; content:"/lastlines.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3754; reference:bugtraq,3755; reference:cve,2001-1205; reference:cve,2001-1206; classtype:attempted-recon; sid:1392; rev:22; )
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 inc ecx NOOP"; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; metadata:ruleset community; classtype:shellcode-detect; sid:1394; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP zml.cgi attempt"; flow:to_server,established; http_uri; content:"/zml.cgi"; pkt_data; content:"file=../"; metadata:ruleset community; service:http; reference:bugtraq,3759; reference:cve,2001-1209; reference:nessus,10830; classtype:web-application-activity; sid:1395; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP zml.cgi access"; flow:to_server,established; http_uri; content:"/zml.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3759; reference:cve,2001-1209; reference:nessus,10830; classtype:web-application-activity; sid:1396; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP wayboard attempt"; flow:to_server,established; http_uri; content:"/way-board/way-board.cgi"; content:"db="; http_raw_uri; content:"../.."; metadata:ruleset community; service:http; reference:bugtraq,2370; reference:cve,2001-0214; reference:nessus,10610; classtype:web-application-attack; sid:1397; rev:16; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 6112 ( msg:"SERVER-OTHER CDE dtspcd exploit attempt"; flow:to_server,established; content:"1",depth 1,offset 10; content:!"000",depth 3,offset 11; metadata:ruleset community; reference:bugtraq,3517; reference:cve,2001-0803; reference:nessus,10833; reference:url,www.cert.org/advisories/CA-2002-01.html; classtype:misc-attack; sid:1398; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP PHP-Nuke remote file include attempt"; flow:to_server,established; http_uri; content:"/index.php",fast_pattern,nocase; content:"file="; pcre:"/file=(https?|ftps?|php)/i"; metadata:ruleset community; service:http; reference:bugtraq,3889; reference:cve,2002-0206; classtype:web-application-attack; sid:1399; rev:23; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS /scripts/samples/ access"; flow:to_server,established; http_uri; content:"/scripts/samples/",nocase; metadata:ruleset community; service:http; reference:nessus,10370; classtype:web-application-attack; sid:1400; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS /msadc/samples/ access"; flow:to_server,established; http_uri; content:"/msadc/samples/",nocase; metadata:ruleset community; service:http; reference:bugtraq,167; reference:cve,1999-0736; reference:nessus,1007; classtype:web-application-attack; sid:1401; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS iissamples access"; flow:to_server,established; http_uri; content:"/iissamples/",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:nessus,11032; classtype:web-application-attack; sid:1402; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP AHG search.cgi access"; flow:to_server,established; http_uri; content:"/publisher/search.cgi",fast_pattern,nocase; content:"template=",nocase; metadata:ruleset community; service:http; reference:bugtraq,3985; reference:cve,2002-2113; classtype:web-application-activity; sid:1405; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP agora.cgi access"; flow:to_server,established; http_uri; content:"/store/agora.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3702; reference:bugtraq,3976; reference:cve,2001-1199; reference:cve,2002-0215; reference:nessus,10836; classtype:web-application-activity; sid:1406; rev:23; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP smssend.php access"; flow:to_server,established; http_uri; content:"/smssend.php"; metadata:ruleset community; service:http; reference:bugtraq,3982; reference:cve,2002-0220; classtype:web-application-activity; sid:1407; rev:15; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 ( msg:"SERVER-OTHER MSDTC attempt"; flow:to_server,established; isdataat:1023; metadata:ruleset community; reference:bugtraq,4006; reference:cve,2002-0224; reference:nessus,10939; classtype:attempted-dos; sid:1408; rev:17; )
alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 ( msg:"PROTOCOL-SNMP community string buffer overflow attempt"; flow:to_server; content:"|02 01 00 04 82 01 00|",offset 4; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:1409; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP dcboard.cgi access"; flow:to_server,established; http_uri; content:"/dcboard.cgi"; metadata:ruleset community; service:http; reference:bugtraq,2728; reference:cve,2001-0527; reference:nessus,10583; classtype:attempted-recon; sid:1410; rev:16; )
alert udp $EXTERNAL_NET any -> $HOME_NET 161 ( msg:"PROTOCOL-SNMP public access udp"; flow:to_server; content:"|06|public"; metadata:policy max-detect-ips drop,ruleset community; service:snmp; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; reference:cve,2022-20918; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmcsfr-snmp-access-6gqgtJ4S; classtype:attempted-recon; gid:1; sid:1411; rev:21; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 161 ( msg:"PROTOCOL-SNMP public access tcp"; flow:to_server,established; content:"|04 06|public"; metadata:policy max-detect-ips drop,ruleset community; service:snmp; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,7212; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; gid:1; sid:1412; rev:23; )
alert udp $EXTERNAL_NET any -> $HOME_NET 161 ( msg:"PROTOCOL-SNMP private access udp"; flow:to_server; content:"private"; metadata:policy max-detect-ips drop,ruleset community; service:snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:bugtraq,7212; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1413; rev:19; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 161 ( msg:"PROTOCOL-SNMP private access tcp"; flow:to_server,established; content:"private"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1414; rev:20; )
alert udp any any -> 255.255.255.255 161 ( msg:"PROTOCOL-SNMP Broadcast request"; flow:to_server; metadata:policy max-detect-ips drop,ruleset community; service:snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1415; rev:18; )
alert udp any any -> 255.255.255.255 162 ( msg:"PROTOCOL-SNMP broadcast trap"; flow:to_server; metadata:policy max-detect-ips drop,ruleset community; service:snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1416; rev:18; )
alert udp $EXTERNAL_NET any -> $HOME_NET 161 ( msg:"PROTOCOL-SNMP request udp"; flow:to_server; metadata:policy max-detect-ips drop,ruleset community; service:snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1417; rev:18; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 161 ( msg:"PROTOCOL-SNMP request tcp"; flow:stateless; metadata:policy max-detect-ips drop,ruleset community; service:snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1418; rev:19; )
alert udp $EXTERNAL_NET any -> $HOME_NET 162 ( msg:"PROTOCOL-SNMP trap udp"; flow:to_server; metadata:policy max-detect-ips drop,ruleset community; service:snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1419; rev:18; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 162 ( msg:"PROTOCOL-SNMP trap tcp"; flow:stateless; metadata:policy max-detect-ips drop,ruleset community; service:snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1420; rev:19; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 705 ( msg:"PROTOCOL-SNMP AgentX/tcp request"; flow:stateless; metadata:policy max-detect-ips drop,ruleset community; service:snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1421; rev:19; )
alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 ( msg:"PROTOCOL-SNMP community string buffer overflow attempt with evasion"; flow:to_server; content:" |04 82 01 00|",depth 5,offset 7; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:1422; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP content-disposition memchr overflow"; flow:to_server,established; http_header; content:"Content-Disposition|3A|",nocase; pkt_data; content:"name=|22 CC CC CC CC CC|",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,4183; reference:cve,2002-0081; reference:nessus,10867; classtype:web-application-attack; sid:1423; rev:24; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP content-disposition file upload attempt"; flow:to_server,established; http_header; content:"Content-Disposition|3A|",nocase; pkt_data; content:"form-data|3B|",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,4183; reference:cve,2002-0081; reference:nessus,10867; classtype:web-application-attack; sid:1425; rev:22; )
alert udp $EXTERNAL_NET any -> $HOME_NET 161 ( msg:"PROTOCOL-SNMP PROTOS test-suite-req-app attempt"; content:"0&|02 01 00 04 06|public|A0 19 02 01 00 02 01 00 02 01 00|0|0E|0|0C 06 08|+|06 01 02 01 01 05 00 05 00|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:snmp; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:1426; rev:14; )
alert udp $EXTERNAL_NET any -> $HOME_NET 162 ( msg:"PROTOCOL-SNMP PROTOS test-suite-trap-app attempt"; content:"08|02 01 00 04 06|public|A4|+|06|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:snmp; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:1427; rev:13; )
alert tcp $HOME_NET any -> 64.245.58.0/23 any ( msg:"POLICY-MULTIMEDIA audio galaxy keepalive"; flow:established; content:"E_|00 03 05|",depth 5; metadata:ruleset community; classtype:misc-activity; sid:1428; rev:8; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"PUA-P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA",depth 8; metadata:ruleset community; classtype:policy-violation; sid:1432; rev:11; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP .history access"; flow:to_server,established; http_uri; content:"/.history"; metadata:ruleset community; service:http; classtype:web-application-attack; sid:1433; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP .bash_history access"; flow:to_server,established; http_uri; content:"/.bash_history"; metadata:ruleset community; service:http; reference:bugtraq,337; reference:cve,1999-0408; reference:url,attack.mitre.org/techniques/T1139; classtype:web-application-attack; sid:1434; rev:15; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"PROTOCOL-DNS named authors attempt"; flow:to_server,established; content:"|07|authors",offset 12,nocase; content:"|04|bind|00|",offset 12,nocase; metadata:policy max-detect-ips drop,ruleset community; service:dns; reference:nessus,10728; classtype:attempted-recon; sid:1435; rev:16; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"POLICY-MULTIMEDIA Apple Quicktime User Agent access"; flow:to_server,established; content:"User-Agent|3A| Quicktime",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:policy-violation; sid:1436; rev:12; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Windows Media download detected"; flow:to_client,established; http_header; content:"Content-Type|3A|",nocase; pcre:"/^Content-Type\x3a\s*(?=[av])(video\/x\-ms\-(w[vm]x|asf)|a(udio\/x\-ms\-w(m[av]|ax)|pplication\/x\-ms\-wm[zd]))/ims"; metadata:ruleset community; service:ftp-data,http,imap,pop3; classtype:misc-activity; sid:1437; rev:27; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"POLICY-MULTIMEDIA Shoutcast playlist redirection"; flow:to_client,established; http_header; content:"Content-type|3A|",nocase; content:"audio/x-scpls",within 50,fast_pattern,nocase; metadata:ruleset community; service:http; classtype:policy-violation; sid:1439; rev:17; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"POLICY-MULTIMEDIA Icecast playlist redirection"; flow:to_client,established; http_header; content:"Content-type|3A|",nocase; content:"audio/x-mpegurl",within 50,fast_pattern,nocase; metadata:ruleset community; service:http; classtype:policy-violation; sid:1440; rev:17; )
alert udp any any -> any 69 ( msg:"PROTOCOL-TFTP GET nc.exe"; flow:to_server; content:"|00 01|",depth 2; content:"nc.exe",offset 2,nocase; metadata:policy max-detect-ips drop,ruleset community; classtype:successful-admin; sid:1441; rev:11; )
alert udp any any -> any 69 ( msg:"PROTOCOL-TFTP GET shadow"; flow:to_server; content:"|00 01|",depth 2; content:"shadow",offset 2,nocase; metadata:policy max-detect-ips drop,ruleset community; classtype:successful-admin; sid:1442; rev:11; )
alert udp any any -> any 69 ( msg:"PROTOCOL-TFTP GET passwd"; flow:to_server; content:"|00 01|",depth 2; content:"passwd",offset 2,nocase; metadata:policy max-detect-ips drop,ruleset community; reference:cve,2021-1437; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-aironet-info-disc-BfWqghj; classtype:successful-admin; sid:1443; rev:12; )
alert udp $EXTERNAL_NET any -> $HOME_NET 69 ( msg:"PROTOCOL-TFTP Get"; flow:to_server; content:"|00 01|",depth 2; metadata:policy max-detect-ips drop,ruleset community; classtype:bad-unknown; sid:1444; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"INDICATOR-COMPROMISE FTP file_id.diz access possible warez site"; flow:to_server,established; content:"RETR",nocase; content:"file_id.diz",distance 1,nocase; metadata:ruleset community; service:ftp; classtype:suspicious-filename-detect; sid:1445; rev:9; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL vrfy root"; flow:to_server,established; content:"vrfy",nocase; content:"root",distance 1,nocase; pcre:"/^vrfy\s+root/ims"; metadata:policy max-detect-ips drop,ruleset community; service:smtp; classtype:attempted-recon; sid:1446; rev:15; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 ( msg:"POLICY-OTHER Microsoft Windows Terminal server RDP attempt"; flow:to_server,established; content:"|03 00 00 0B 06 E0 00 00 00 00 00|",depth 11; metadata:ruleset community; service:rdp; reference:bugtraq,3099; reference:cve,2001-0540; reference:cve,2001-0663; reference:nessus,10940; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-040; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-052; classtype:protocol-command-decode; sid:1447; rev:20; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 ( msg:"POLICY-OTHER Microsoft Windows Terminal server request attempt"; flow:to_server,established; content:"|03 00 00|",depth 3; content:"|E0 00 00 00 00 00|",depth 6,offset 5; metadata:ruleset community; service:rdp; reference:bugtraq,3099; reference:cve,2001-0540; reference:cve,2001-0663; reference:nessus,10940; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-040; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-052; classtype:protocol-command-decode; sid:1448; rev:20; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Vintra Mailserver expn *@"; flow:to_server,established; content:"expn",fast_pattern,nocase; content:"*@"; pcre:"/^expn\s+\*@/ims"; metadata:ruleset community; service:smtp; reference:cve,1999-1200; classtype:misc-attack; sid:1450; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP NPH-maillist access"; flow:to_server,established; http_uri; content:"/nph-maillist.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2563; reference:cve,2001-0400; reference:nessus,10164; classtype:attempted-recon; sid:1451; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP args.cmd access"; flow:to_server,established; http_uri; content:"/args.cmd",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-1180; reference:nessus,11465; classtype:attempted-recon; sid:1452; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP AT-generated.cgi access"; flow:to_server,established; http_uri; content:"/AT-generated.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-1072; classtype:attempted-recon; sid:1453; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP wwwwais access"; flow:to_server,established; http_uri; content:"/wwwwais",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,2001-0223; reference:nessus,10597; classtype:attempted-recon; sid:1454; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP calendar.pl access"; flow:to_server,established; http_uri; content:"calendar",nocase; pcre:"/calendar(|[-_]admin)\.pl/i"; metadata:ruleset community; service:http; reference:bugtraq,1215; reference:cve,2000-0432; classtype:attempted-recon; sid:1455; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP calender_admin.pl access"; flow:to_server,established; http_uri; content:"/calender_admin.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,2000-0432; reference:nessus,10506; classtype:attempted-recon; sid:1456; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP user_update_admin.pl access"; flow:to_server,established; http_uri; content:"/user_update_admin.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1486; reference:cve,2000-0627; classtype:attempted-recon; sid:1457; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP user_update_passwd.pl access"; flow:to_server,established; http_uri; content:"/user_update_passwd.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1486; reference:cve,2000-0627; classtype:attempted-recon; sid:1458; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP bb-histlog.sh access"; flow:to_server,established; http_uri; content:"/bb-histlog.sh",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,142; reference:cve,1999-1462; reference:nessus,10025; classtype:attempted-recon; sid:1459; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP bb-histsvc.sh access"; flow:to_server,established; http_uri; content:"/bb-histsvc.sh",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,142; reference:cve,1999-1462; classtype:attempted-recon; sid:1460; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP bb-rep.sh access"; flow:to_server,established; http_uri; content:"/bb-rep.sh",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,142; reference:cve,1999-1462; classtype:attempted-recon; sid:1461; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP bb-replog.sh access"; flow:to_server,established; http_uri; content:"/bb-replog.sh",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,142; reference:cve,1999-1462; classtype:attempted-recon; sid:1462; rev:17; )
alert tcp $HOME_NET any <> $EXTERNAL_NET 6666:7000 ( msg:"POLICY-SOCIAL IRC message"; flow:established; isdataat:!139; content:"PRIVMSG "; metadata:ruleset community; classtype:policy-violation; sid:1463; rev:16; )
alert tcp $HOME_NET 8002 -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE oracle one hour install"; flow:to_client,established; content:"Oracle Applications One-Hour Install"; metadata:ruleset community; reference:nessus,10737; classtype:bad-unknown; sid:1464; rev:10; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP auktion.cgi access"; flow:to_server,established; http_uri; content:"/auktion.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2367; reference:cve,2001-0212; reference:nessus,10638; classtype:web-application-activity; sid:1465; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP cgiforum.pl access"; flow:to_server,established; http_uri; content:"/cgiforum.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1963; reference:cve,2000-1171; reference:nessus,10552; classtype:web-application-activity; sid:1466; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP directorypro.cgi access"; flow:to_server,established; http_uri; content:"/directorypro.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2793; reference:cve,2001-0780; reference:nessus,10679; classtype:web-application-activity; sid:1467; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Web Shopper shopper.cgi attempt"; flow:to_server,established; http_uri; content:"/shopper.cgi",fast_pattern,nocase; pkt_data; content:"newpage=../",nocase; metadata:ruleset community; service:http; reference:bugtraq,1776; reference:cve,2000-0922; reference:nessus,10533; classtype:web-application-attack; sid:1468; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Web Shopper shopper.cgi access"; flow:to_server,established; http_uri; content:"/shopper.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1776; reference:cve,2000-0922; classtype:attempted-recon; sid:1469; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP listrec.pl access"; flow:to_server,established; http_uri; content:"/listrec.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3328; reference:cve,2001-0997; reference:nessus,10769; classtype:attempted-recon; sid:1470; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP mailnews.cgi access"; flow:to_server,established; http_uri; content:"/mailnews.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2391; reference:cve,2001-0271; reference:nessus,10641; classtype:attempted-recon; sid:1471; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP book.cgi access"; flow:to_server,established; http_uri; content:"/book.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3178; reference:cve,2001-1114; reference:nessus,10721; classtype:web-application-activity; sid:1472; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP newsdesk.cgi access"; flow:to_server,established; http_uri; content:"/newsdesk.cgi",fast_pattern,nocase; http_raw_uri; content:"../"; metadata:ruleset community; service:http; reference:bugtraq,2172; reference:cve,2001-0232; reference:nessus,10586; classtype:attempted-recon; sid:1473; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP cal_make.pl access"; flow:to_server,established; http_uri; content:"/cal_make.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2663; reference:cve,2001-0463; reference:nessus,10664; classtype:web-application-activity; sid:1474; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP mailit.pl access"; flow:to_server,established; http_uri; content:"/mailit.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,10417; classtype:attempted-recon; sid:1475; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP sdbsearch.cgi access"; flow:to_server,established; http_uri; content:"/sdbsearch.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1658; reference:cve,2001-1130; reference:nessus,10503; reference:nessus,10720; classtype:attempted-recon; sid:1476; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Simple Web Counter URI Parameter Buffer Overflow attempt"; flow:to_server,established; http_uri; content:"/swc",nocase; content:"ctr=",distance 0,nocase; http_raw_uri; bufferlen:>500; metadata:ruleset community; service:http; reference:bugtraq,6581; reference:nessus,10493; classtype:attempted-user; sid:1478; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ttawebtop.cgi arbitrary file attempt"; flow:to_server,established; content:"/ttawebtop.cgi",nocase; content:"pg=../",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2890; reference:cve,2001-0805; reference:nessus,10696; classtype:web-application-attack; sid:1479; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ttawebtop.cgi access"; flow:to_server,established; http_uri; content:"/ttawebtop.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2890; reference:cve,2001-0805; reference:nessus,10696; classtype:attempted-recon; sid:1480; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP upload.cgi access"; flow:to_server,established; http_uri; content:"/upload.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,10290; classtype:attempted-recon; sid:1481; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP view_source access"; flow:to_server,established; http_uri; content:"/view_source",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2251; reference:cve,1999-0174; reference:nessus,10294; classtype:attempted-recon; sid:1482; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ustorekeeper.pl access"; flow:to_server,established; http_uri; content:"/ustorekeeper.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,2001-0466; reference:nessus,10645; classtype:web-application-activity; sid:1483; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS mkilog.exe access"; flow:to_server,established; http_uri; content:"/mkilog.exe",nocase; metadata:ruleset community; service:http; reference:nessus,10359; classtype:web-application-activity; sid:1485; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS ctss.idc access"; flow:to_server,established; http_uri; content:"/ctss.idc",nocase; metadata:ruleset community; service:http; reference:nessus,10359; classtype:web-application-activity; sid:1486; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS /iisadmpwd/aexp2.htr access"; flow:to_server,established; http_uri; content:"/iisadmpwd/aexp2.htr",nocase; metadata:ruleset community; service:http; reference:bugtraq,2110; reference:bugtraq,4236; reference:cve,1999-0407; reference:cve,2002-0421; reference:nessus,10371; classtype:web-application-activity; sid:1487; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP store.cgi directory traversal attempt"; flow:to_server,established; http_uri; content:"/store.cgi",fast_pattern,nocase; http_raw_uri; content:"../"; metadata:ruleset community; service:http; reference:bugtraq,2385; reference:cve,2001-0305; reference:nessus,10639; classtype:web-application-attack; sid:1488; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP nobody access"; flow:to_server,established; http_uri; content:"/~nobody"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:nessus,10484; classtype:web-application-attack; sid:1489; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Phorum /support/common.php attempt"; flow:to_server,established; http_uri; content:"/support/common.php"; pkt_data; content:"ForumLang=../"; metadata:ruleset community; service:http; reference:bugtraq,1997; classtype:web-application-attack; sid:1490; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Phorum /support/common.php access"; flow:to_server,established; http_uri; content:"/support/common.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1997; reference:bugtraq,9361; reference:cve,2004-0034; classtype:web-application-attack; sid:1491; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP RBS ISP /newuser  directory traversal attempt"; flow:to_server,established; http_uri; content:"/newuser?Image=../.."; metadata:ruleset community; service:http; reference:bugtraq,1704; reference:cve,2000-1036; reference:nessus,10521; classtype:web-application-attack; sid:1492; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP RBS ISP /newuser access"; flow:to_server,established; http_uri; content:"/newuser"; metadata:ruleset community; service:http; reference:bugtraq,1704; reference:cve,2000-1036; reference:nessus,10521; classtype:web-application-activity; sid:1493; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP SIX webboard generate.cgi attempt"; flow:to_server,established; http_uri; content:"/generate.cgi"; pkt_data; content:"content=../"; metadata:ruleset community; service:http; reference:bugtraq,3175; reference:cve,2001-1115; reference:nessus,10725; classtype:web-application-attack; sid:1494; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP SIX webboard generate.cgi access"; flow:to_server,established; http_uri; content:"/generate.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3175; reference:cve,2001-1115; reference:nessus,10725; classtype:web-application-activity; sid:1495; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP spin_client.cgi access"; flow:to_server,established; http_uri; content:"/spin_client.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,10393; classtype:web-application-activity; sid:1496; rev:15; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 ( msg:"SERVER-WEBAPP SiteScope Service access"; flow:to_server,established; content:"/SiteScope/cgi/go.exe/SiteScope"; metadata:ruleset community; service:http; reference:nessus,10778; classtype:web-application-activity; sid:1499; rev:11; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ExAir access"; flow:to_server,established; http_uri; content:"/exair/search/",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,193; reference:cve,1999-0449; reference:nessus,10002; reference:nessus,10003; reference:nessus,10004; classtype:web-application-activity; sid:1500; rev:23; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP a1stats a1disp3.cgi directory traversal attempt"; flow:to_server,established; http_uri; content:"/a1disp3.cgi?",fast_pattern,nocase; http_raw_uri; content:"/../../"; metadata:ruleset community; service:http; reference:bugtraq,2705; reference:cve,2001-0561; reference:nessus,10669; classtype:web-application-attack; sid:1501; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP a1stats a1disp3.cgi access"; flow:to_server,established; http_uri; content:"/a1disp3.cgi"; metadata:ruleset community; service:http; reference:bugtraq,2705; reference:cve,2001-0561; reference:nessus,10669; classtype:web-application-activity; sid:1502; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP admentor admin.asp access"; flow:to_server,established; http_uri; content:"/admentor/admin/admin.asp"; metadata:ruleset community; service:http; reference:bugtraq,4152; reference:cve,2002-0308; reference:nessus,10880; reference:url,www.securiteam.com/windowsntfocus/5DP0N1F6AW.html; classtype:web-application-activity; sid:1503; rev:15; )
alert udp $EXTERNAL_NET any -> $HOME_NET 7001 ( msg:"POLICY-OTHER AFS access"; flow:to_server; content:"|00 00 03 E7 00 00 00 00 00 00 00|e|00 00 00 00 00 00 00 00 0D 05 00 00 00 00 00 00 00|",fast_pattern,nocase; metadata:ruleset community; reference:nessus,10441; classtype:misc-activity; sid:1504; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP alchemy http server PRN arbitrary command execution attempt"; flow:to_server,established; http_uri; content:"/PRN/",fast_pattern; http_raw_uri; content:"../../"; metadata:ruleset community; service:http; reference:bugtraq,3599; reference:cve,2001-0871; reference:nessus,10818; classtype:web-application-activity; sid:1505; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP alchemy http server NUL arbitrary command execution attempt"; flow:to_server,established; http_uri; content:"/NUL/",fast_pattern; http_raw_uri; content:"../../"; metadata:ruleset community; service:http; reference:bugtraq,3599; reference:cve,2001-0871; reference:nessus,10818; classtype:web-application-activity; sid:1506; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP alibaba.pl arbitrary command execution attempt"; flow:to_server,established; http_uri; content:"/alibaba.pl|7C|",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,770; reference:cve,1999-0885; reference:nessus,10013; classtype:web-application-attack; sid:1507; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP alibaba.pl access"; flow:to_server,established; http_uri; content:"/alibaba.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,770; reference:cve,1999-0885; reference:nessus,10013; classtype:web-application-activity; sid:1508; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP AltaVista Intranet Search directory traversal attempt"; flow:to_server,established; http_uri; content:"/query?mss=..",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,896; reference:cve,2000-0039; reference:nessus,10015; classtype:web-application-attack; sid:1509; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP test.bat arbitrary command execution attempt"; flow:to_server,established; http_uri; content:"/test.bat|7C|"; metadata:ruleset community; service:http; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-attack; sid:1510; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP test.bat access"; flow:to_server,established; http_uri; content:"/test.bat",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-activity; sid:1511; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP input.bat arbitrary command execution attempt"; flow:to_server,established; http_uri; content:"/input.bat|7C|",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-attack; sid:1512; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP input.bat access"; flow:to_server,established; http_uri; content:"/input.bat",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-activity; sid:1513; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP input2.bat arbitrary command execution attempt"; flow:to_server,established; http_uri; content:"/input2.bat|7C|",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-attack; sid:1514; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP input2.bat access"; flow:to_server,established; http_uri; content:"/input2.bat",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-activity; sid:1515; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP envout.bat arbitrary command execution attempt"; flow:to_server,established; http_uri; content:"/envout.bat|7C|",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-attack; sid:1516; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP envout.bat access"; flow:to_server,established; http_uri; content:"/envout.bat",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-activity; sid:1517; rev:17; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 ( msg:"SERVER-WEBAPP nstelemetry.adp access"; flow:to_server,established; content:"/nstelemetry.adp"; metadata:ruleset community; service:http; reference:nessus,10753; classtype:web-application-activity; sid:1518; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP apache ?M=D directory list attempt"; flow:to_server,established; http_uri; content:"/?M=D"; metadata:ruleset community; service:http; reference:bugtraq,3009; reference:cve,2001-0731; reference:nessus,10704; classtype:web-application-activity; sid:1519; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP server-info access"; flow:to_server,established; http_uri; content:"/server-info",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,httpd.apache.org/docs/mod/mod_info.html; classtype:web-application-activity; sid:1520; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP server-status access"; flow:to_server,established; http_uri; content:"/server-status"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,httpd.apache.org/docs/mod/mod_info.html; classtype:web-application-activity; sid:1521; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ans.pl attempt"; flow:to_server,established; http_uri; content:"/ans.pl?",nocase; content:"p=../../",distance 0,nocase; metadata:ruleset community; service:http; reference:bugtraq,4147; reference:bugtraq,4149; reference:cve,2002-0306; reference:cve,2002-0307; reference:nessus,10875; classtype:web-application-attack; sid:1522; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ans.pl access"; flow:to_server,established; http_uri; content:"/ans.pl"; metadata:ruleset community; service:http; reference:bugtraq,4147; reference:bugtraq,4149; reference:cve,2002-0306; reference:cve,2002-0307; reference:nessus,10875; classtype:web-application-activity; sid:1523; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Axis Storpoint CD attempt"; flow:to_server,established; content:"/cd/../config/html/cnf_gi.htm"; metadata:ruleset community; service:http; reference:bugtraq,1025; reference:cve,2000-0191; reference:nessus,10023; classtype:web-application-attack; sid:1524; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Axis Storpoint CD access"; flow:to_server,established; http_uri; content:"/config/html/cnf_gi.htm"; metadata:ruleset community; service:http; reference:bugtraq,1025; reference:cve,2000-0191; reference:nessus,10023; classtype:web-application-activity; sid:1525; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP basilix sendmail.inc access"; flow:to_server,established; http_uri; content:"/inc/sendmail.inc"; metadata:ruleset community; service:http; reference:bugtraq,2198; reference:cve,2001-1044; reference:nessus,10601; classtype:web-application-activity; sid:1526; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP basilix mysql.class access"; flow:to_server,established; http_uri; content:"/class/mysql.class"; metadata:ruleset community; service:http; reference:bugtraq,2198; reference:cve,2001-1044; reference:nessus,10601; classtype:web-application-activity; sid:1527; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP BBoard access"; flow:to_server,established; http_uri; content:"/servlet/sunexamples.BBoardServlet"; metadata:ruleset community; service:http; reference:bugtraq,1459; reference:cve,2000-0629; reference:nessus,10507; classtype:web-application-activity; sid:1528; rev:15; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP SITE overflow attempt"; flow:to_server,established; content:"SITE",nocase; isdataat:100,relative; pcre:"/^SITE(?!\n)\s[^\n]{100}/ims"; metadata:ruleset community; service:ftp; reference:cve,1999-0838; reference:cve,2001-0755; reference:cve,2001-0770; classtype:attempted-admin; sid:1529; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP bb-hist.sh attempt"; flow:to_server,established; http_uri; content:"/bb-hist.sh?",nocase; content:"HISTFILE=../..",distance 0,nocase; metadata:ruleset community; service:http; reference:bugtraq,142; reference:cve,1999-1462; reference:nessus,10025; classtype:web-application-attack; sid:1531; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP bb-hostscv.sh attempt"; flow:to_server,established; http_uri; content:"/bb-hostsvc.sh?",fast_pattern,nocase; content:"HOSTSVC",nocase; http_raw_uri; content:"../..",distance 0; metadata:ruleset community; service:http; reference:bugtraq,1455; reference:cve,2000-0638; reference:nessus,10460; classtype:web-application-attack; sid:1532; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP bb-hostscv.sh access"; flow:to_server,established; http_uri; content:"/bb-hostsvc.sh",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1455; reference:cve,2000-0638; reference:nessus,10460; classtype:web-application-activity; sid:1533; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP agora.cgi attempt"; flow:to_server,established; http_uri; content:"/store/agora.cgi?",nocase; content:"cart_id=<SCRIPT>",distance 0,nocase; metadata:ruleset community; service:http; reference:bugtraq,3702; reference:bugtraq,3976; reference:cve,2001-1199; reference:cve,2002-0215; reference:nessus,10836; classtype:web-application-attack; sid:1534; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP bizdbsearch access"; flow:to_server,established; http_uri; content:"/bizdb1-search.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1104; reference:cve,2000-0287; reference:nessus,10383; classtype:web-application-activity; sid:1535; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP calendar_admin.pl arbitrary command execution attempt"; flow:to_server,established; http_uri; content:"/calendar_admin.pl?",nocase; content:"config=|7C|",distance 0,nocase; metadata:ruleset community; service:http; reference:bugtraq,1215; reference:cve,2000-0432; reference:nessus,10506; classtype:web-application-attack; sid:1536; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP calendar_admin.pl access"; flow:to_server,established; http_uri; content:"/calendar_admin.pl"; metadata:ruleset community; service:http; reference:bugtraq,1215; reference:cve,2000-0432; reference:nessus,10506; classtype:web-application-activity; sid:1537; rev:15; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 119 ( msg:"PROTOCOL-NNTP AUTHINFO USER overflow attempt"; flow:to_server,established; content:"AUTHINFO",nocase; content:"USER",distance 0,nocase; isdataat:200,relative; pcre:"/^AUTHINFO\s+USER\s[^\n]{200}/ims"; metadata:ruleset community; reference:bugtraq,1156; reference:cve,2000-0341; reference:nessus,10388; classtype:attempted-admin; sid:1538; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP /cgi-bin/ls access"; flow:to_server,established; http_uri; content:"/cgi-bin/ls",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,936; reference:cve,2000-0079; reference:nessus,10037; classtype:web-application-activity; sid:1539; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion ?Mode=debug attempt"; flow:to_server,established; http_uri; content:"Mode=debug",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,1999-0760; reference:nessus,10797; classtype:web-application-activity; sid:1540; rev:20; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 ( msg:"PROTOCOL-FINGER version query"; flow:to_server,established; content:"version"; metadata:ruleset community; classtype:attempted-recon; sid:1541; rev:9; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP cgimail access"; flow:to_server,established; http_uri; content:"/cgimail",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1623; reference:cve,2000-0726; reference:nessus,11721; classtype:web-application-activity; sid:1542; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP cgiwrap access"; flow:to_server,established; http_uri; content:"/cgiwrap",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1238; reference:bugtraq,3084; reference:bugtraq,777; reference:cve,1999-1530; reference:cve,2000-0431; reference:cve,2001-0987; reference:nessus,10041; classtype:web-application-activity; sid:1543; rev:24; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Cisco Catalyst command execution attempt"; flow:to_server,established; http_uri; content:"/exec/show/config/cr",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1846; reference:cve,2000-0945; reference:nessus,10545; classtype:web-application-activity; sid:1544; rev:15; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Cisco denial of service attempt"; flow:to_server,established; isdataat:0; isdataat:!1; content:"|13|"; metadata:ruleset community; service:http; classtype:web-application-attack; sid:1545; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Cisco HTTP double-percent DOS attempt"; flow:to_server,established; http_uri; content:"/%%",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1154; reference:cve,2000-0380; reference:nessus,10387; classtype:web-application-attack; sid:1546; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP csSearch.cgi arbitrary command execution attempt"; flow:to_server,established; http_uri; content:"/csSearch.cgi"; pkt_data; content:"setup="; content:"`"; content:"`",distance 1; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:bugtraq,4368; reference:cve,2002-0495; reference:nessus,10924; classtype:web-application-attack; sid:1547; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP csSearch.cgi access"; flow:to_server,established; http_uri; content:"/csSearch.cgi",fast_pattern,nocase; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:bugtraq,4368; reference:cve,2002-0495; reference:nessus,10924; classtype:web-application-activity; sid:1548; rev:18; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL HELO overflow attempt"; flow:to_server,established; content:"HELO",nocase; isdataat:500,relative; pcre:"/^HELO\s[^\n]{500}/ims"; metadata:ruleset community; service:smtp; reference:bugtraq,7726; reference:bugtraq,895; reference:cve,2000-0042; reference:nessus,10324; reference:nessus,11674; classtype:attempted-admin; sid:1549; rev:27; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL ETRN overflow attempt"; flow:to_server,established; content:"ETRN",nocase; isdataat:500,relative; pcre:"/^ETRN\s[^\n]{500}/ims"; metadata:ruleset community; service:smtp; reference:bugtraq,1297; reference:bugtraq,7515; reference:cve,2000-0490; reference:nessus,10438; classtype:attempted-admin; sid:1550; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP /CVS/Entries access"; flow:to_server,established; http_uri; content:"/CVS/Entries",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:nessus,10922; reference:nessus,11032; classtype:web-application-activity; sid:1551; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP cvsweb version access"; flow:to_server,established; http_uri; content:"/cvsweb/version"; metadata:ruleset community; service:http; reference:cve,2000-0670; reference:nessus,10465; classtype:web-application-activity; sid:1552; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP dbman db.cgi access"; flow:to_server,established; http_uri; content:"/dbman/db.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1178; reference:cve,2000-0381; reference:nessus,10403; classtype:web-application-activity; sid:1554; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP DCShop access"; flow:to_server,established; http_uri; content:"/dcshop",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2889; reference:cve,2001-0821; classtype:web-application-activity; sid:1555; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP DCShop orders.txt access"; flow:to_server,established; http_uri; content:"/orders/orders.txt",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2889; reference:cve,2001-0821; classtype:web-application-activity; sid:1556; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP DCShop auth_user_file.txt access"; flow:to_server,established; http_uri; content:"/auth_data/auth_user_file.txt",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2889; reference:cve,2001-0821; classtype:web-application-activity; sid:1557; rev:19; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( msg:"SERVER-WEBAPP Delegate whois overflow attempt"; flow:to_server,established; content:"whois|3A|//",nocase; metadata:ruleset community; service:http; reference:cve,2000-0165; reference:nessus,10054; classtype:web-application-activity; sid:1558; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP /doc/packages access"; flow:to_server,established; http_uri; content:"/doc/packages",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1707; reference:cve,2000-1016; reference:nessus,10518; reference:nessus,11032; classtype:web-application-activity; sid:1559; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP /doc/ access"; flow:to_server,established; http_uri; content:"/doc/",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,318; reference:cve,1999-0678; classtype:web-application-activity; sid:1560; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP SITE CHOWN overflow attempt"; flow:to_server,established; content:"SITE",nocase; content:"CHOWN",distance 0,nocase; isdataat:100,relative; pcre:"/^SITE\s+CHOWN\s[^\n]{100}/ims"; metadata:ruleset community; service:ftp; reference:bugtraq,2120; reference:cve,2001-0065; reference:nessus,10579; classtype:attempted-admin; sid:1562; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP login.htm attempt"; flow:to_server,established; http_uri; content:"/login.htm?",nocase; content:"password=",distance 0,nocase; metadata:ruleset community; service:http; reference:bugtraq,665; reference:cve,1999-1533; classtype:web-application-activity; sid:1563; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP login.htm access"; flow:to_server,established; http_uri; content:"/login.htm",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,665; reference:cve,1999-1533; classtype:web-application-activity; sid:1564; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP eshop.pl arbitrary command execution attempt"; flow:to_server,established; http_uri; content:"/eshop.pl?",nocase; content:"seite=|3B|",distance 0,nocase; metadata:ruleset community; service:http; reference:bugtraq,3340; reference:cve,2001-1014; classtype:web-application-attack; sid:1565; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP eshop.pl access"; flow:to_server,established; http_uri; content:"/eshop.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3340; reference:cve,2001-1014; classtype:web-application-activity; sid:1566; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS /exchange/root.asp attempt"; flow:to_server,established; http_uri; content:"/exchange/root.asp?",nocase; content:"acs=anon",distance 0,nocase; metadata:ruleset community; service:http; reference:bugtraq,3301; reference:cve,2001-0660; reference:nessus,10755; reference:nessus,10781; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-047; classtype:web-application-attack; sid:1567; rev:26; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS /exchange/root.asp access"; flow:to_server,established; http_uri; content:"/exchange/root.asp",nocase; metadata:ruleset community; service:http; reference:bugtraq,3301; reference:cve,2001-0660; reference:nessus,10755; reference:nessus,10781; classtype:web-application-activity; sid:1568; rev:23; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP loadpage.cgi directory traversal attempt"; flow:to_server,established; http_uri; content:"/loadpage.cgi"; pkt_data; content:"file=../",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2109; reference:cve,2000-1092; reference:nessus,10065; classtype:web-application-attack; sid:1569; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP loadpage.cgi access"; flow:to_server,established; http_uri; content:"/loadpage.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2109; reference:cve,2000-1092; reference:nessus,10065; classtype:web-application-activity; sid:1570; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP dcforum.cgi directory traversal attempt"; flow:to_server,established; http_uri; content:"/dcforum.cgi"; pkt_data; content:"forum=../.."; metadata:ruleset community; service:http; reference:bugtraq,2611; reference:cve,2001-0436; reference:cve,2001-0437; reference:nessus,10583; classtype:web-application-attack; sid:1571; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP commerce.cgi arbitrary file access attempt"; flow:to_server,established; http_uri; content:"/commerce.cgi"; content:"page="; http_raw_uri; content:"/../"; metadata:ruleset community; service:http; reference:bugtraq,2361; reference:cve,2001-0210; reference:nessus,10612; classtype:attempted-recon; sid:1572; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP cgiforum.pl attempt"; flow:to_server,established; http_uri; content:"/cgiforum.pl?",nocase; content:"thesection=../..",distance 0,nocase; metadata:ruleset community; service:http; reference:bugtraq,1963; reference:cve,2000-1171; reference:nessus,10552; classtype:web-application-attack; sid:1573; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP directorypro.cgi attempt"; flow:to_server,established; http_uri; content:"/directorypro.cgi"; pkt_data; content:"show="; content:"../..",distance 1; metadata:ruleset community; service:http; reference:bugtraq,2793; reference:cve,2001-0780; reference:nessus,10679; classtype:web-application-attack; sid:1574; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Domino mab.nsf access"; flow:to_server,established; http_uri; content:"/mab.nsf",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,4022; reference:cve,2001-1567; reference:nessus,10953; classtype:attempted-recon; sid:1575; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Domino cersvr.nsf access"; flow:to_server,established; http_uri; content:"/cersvr.nsf",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,10629; classtype:attempted-recon; sid:1576; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Domino setup.nsf access"; flow:to_server,established; http_uri; content:"/setup.nsf",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,10629; classtype:attempted-recon; sid:1577; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Domino statrep.nsf access"; flow:to_server,established; http_uri; content:"/statrep.nsf",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,10629; classtype:attempted-recon; sid:1578; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Domino webadmin.nsf access"; flow:to_server,established; http_uri; content:"/webadmin.nsf",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,9900; reference:bugtraq,9901; reference:cve,2004-2310; reference:cve,2004-2311; reference:cve,2004-2369; reference:nessus,10629; classtype:attempted-recon; sid:1579; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Domino events4.nsf access"; flow:to_server,established; http_uri; content:"/events4.nsf",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,10629; classtype:attempted-recon; sid:1580; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Domino ntsync4.nsf access"; flow:to_server,established; http_uri; content:"/ntsync4.nsf",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,10629; classtype:attempted-recon; sid:1581; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Domino collect4.nsf access"; flow:to_server,established; http_uri; content:"/collect4.nsf",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,10629; classtype:attempted-recon; sid:1582; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Domino mailw46.nsf access"; flow:to_server,established; http_uri; content:"/mailw46.nsf",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,10629; classtype:attempted-recon; sid:1583; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Domino bookmark.nsf access"; flow:to_server,established; http_uri; content:"/bookmark.nsf",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,10629; classtype:attempted-recon; sid:1584; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Domino agentrunner.nsf access"; flow:to_server,established; http_uri; content:"/agentrunner.nsf",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,10629; classtype:attempted-recon; sid:1585; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Domino mail.box access"; flow:to_server,established; http_uri; content:"/mail.box",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,881; reference:cve,2000-0021; reference:cve,2000-0022; reference:cve,2000-0023; reference:nessus,10629; classtype:attempted-recon; sid:1586; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP cgitest.exe access"; flow:to_server,established; http_uri; content:"/cgitest.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1313; reference:bugtraq,3885; reference:cve,2000-0521; reference:cve,2002-0128; reference:nessus,10040; reference:nessus,10623; reference:nessus,11131; classtype:web-application-activity; sid:1587; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP SalesLogix Eviewer access"; flow:to_server,established; http_uri; content:"/slxweb.dll",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1078; reference:bugtraq,1089; reference:cve,2000-0278; reference:cve,2000-0289; classtype:web-application-activity; sid:1588; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP musicat empower attempt"; flow:to_server,established; http_uri; content:"/empower?DB=",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2374; reference:cve,2001-0224; reference:nessus,10609; classtype:web-application-attack; sid:1589; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP faqmanager.cgi arbitrary file access attempt"; flow:to_server,established; http_uri; content:"/faqmanager.cgi?",nocase; content:"toc=",distance 0,nocase; content:"|00|",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3810; reference:cve,2002-2033; reference:nessus,10837; classtype:web-application-attack; sid:1590; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP faqmanager.cgi access"; flow:to_server,established; http_uri; content:"/faqmanager.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3810; reference:cve,2002-2033; reference:nessus,10837; classtype:web-application-activity; sid:1591; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP /fcgi-bin/echo.exe access"; flow:to_server,established; http_uri; content:"/fcgi-bin/echo.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,10838; classtype:web-application-activity; sid:1592; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP FormHandler.cgi external site redirection attempt"; flow:to_server,established; http_uri; content:"/FormHandler.cgi",fast_pattern,nocase; pkt_data; content:"redirect=http"; metadata:ruleset community; service:http; reference:bugtraq,798; reference:bugtraq,799; reference:cve,1999-1050; reference:nessus,10075; classtype:web-application-attack; sid:1593; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP FormHandler.cgi access"; flow:to_server,established; http_uri; content:"/FormHandler.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,798; reference:bugtraq,799; reference:cve,1999-1050; reference:nessus,10075; classtype:web-application-activity; sid:1594; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS htimage.exe access"; flow:to_server,established; http_uri; content:"/htimage.exe",nocase; metadata:ruleset community; service:http; reference:bugtraq,1117; reference:bugtraq,964; reference:cve,2000-0122; reference:cve,2000-0256; reference:nessus,10376; classtype:web-application-activity; sid:1595; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP guestbook.cgi access"; flow:to_server,established; http_uri; content:"/guestbook.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-0237; reference:nessus,10098; classtype:web-application-activity; sid:1597; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Home Free search.cgi directory traversal attempt"; flow:to_server,established; http_uri; content:"/search.cgi"; pkt_data; content:"letter=../",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,921; reference:cve,2000-0054; reference:nessus,10101; classtype:web-application-attack; sid:1598; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP search.cgi access"; flow:to_server,established; http_uri; content:"/search.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,921; reference:cve,2000-0054; classtype:web-application-activity; sid:1599; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP htsearch arbitrary configuration file attempt"; flow:to_server,established; http_uri; content:"/htsearch?-c",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3410; reference:cve,2001-0834; classtype:web-application-attack; sid:1600; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP htsearch arbitrary file read attempt"; flow:to_server,established; http_uri; content:"/htsearch?exclude=`",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1026; reference:cve,2000-0208; reference:nessus,10105; classtype:web-application-attack; sid:1601; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP htsearch access"; flow:to_server,established; http_uri; content:"/htsearch",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1026; reference:cve,2000-0208; reference:nessus,10105; classtype:web-application-activity; sid:1602; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP DELETE attempt"; flow:to_server,established; content:"DELETE ",depth 7,nocase; metadata:ruleset community; service:http; reference:nessus,10498; classtype:web-application-activity; sid:1603; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 4080 ( msg:"SERVER-WEBAPP iChat directory traversal attempt"; flow:to_server,established; content:"/../../"; metadata:ruleset community; service:http; reference:cve,1999-0897; classtype:web-application-activity; sid:1604; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 6004 ( msg:"SERVER-OTHER iParty DOS attempt"; flow:to_server,established; content:"|FF FF FF FF FF FF|"; metadata:ruleset community; reference:bugtraq,6844; reference:cve,1999-1566; reference:nessus,10111; classtype:misc-attack; sid:1605; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP icat access"; flow:to_server,established; http_uri; content:"/icat",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-1069; classtype:web-application-activity; sid:1606; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP HyperSeek hsx.cgi access"; flow:to_server,established; http_uri; content:"/hsx.cgi"; metadata:ruleset community; service:http; reference:bugtraq,2314; reference:cve,2001-0253; reference:nessus,10602; classtype:web-application-activity; sid:1607; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP htmlscript attempt"; flow:to_server,established; http_uri; content:"/htmlscript?../..",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2001; reference:cve,1999-0264; reference:nessus,10106; classtype:web-application-attack; sid:1608; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP formmail arbitrary command execution attempt"; flow:to_server,established; http_uri; content:"/formmail",fast_pattern,nocase; pkt_data; content:"%0a",nocase; metadata:ruleset community; service:http; reference:bugtraq,1187; reference:bugtraq,2079; reference:cve,1999-0172; reference:cve,2000-0411; reference:nessus,10076; reference:nessus,10782; classtype:web-application-attack; sid:1610; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP eXtropia webstore access"; flow:to_server,established; http_uri; content:"/web_store.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1774; reference:cve,2000-1005; reference:nessus,10532; classtype:web-application-activity; sid:1611; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ftp.pl attempt"; flow:to_server,established; http_uri; content:"/ftp.pl?",nocase; content:"dir=../..",distance 0,nocase; metadata:ruleset community; service:http; reference:bugtraq,1471; reference:cve,2000-0674; reference:nessus,10467; classtype:web-application-attack; sid:1612; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP handler attempt"; flow:to_server,established; http_uri; content:"/handler"; content:"|7C|",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,380; reference:cve,1999-0148; reference:nessus,10100; classtype:web-application-attack; sid:1613; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Novell Groupwise gwweb.exe attempt"; flow:to_server,established; http_uri; content:"/GWWEB.EXE?",nocase; content:"HELP=",distance 0,nocase; metadata:ruleset community; service:http; reference:bugtraq,879; reference:cve,1999-1005; reference:cve,1999-1006; reference:nessus,10877; classtype:attempted-recon; sid:1614; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP htgrep attempt"; flow:to_server,established; http_uri; content:"/htgrep"; pkt_data; content:"hdr=/"; metadata:ruleset community; service:http; reference:cve,2000-0832; reference:nessus,10495; classtype:web-application-attack; sid:1615; rev:13; )
alert udp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"PROTOCOL-DNS named version attempt"; flow:to_server; content:"|07|version",offset 12,nocase; content:"|04|bind|00|",offset 12,nocase; metadata:policy max-detect-ips drop,ruleset community; service:dns; reference:nessus,10028; classtype:attempted-recon; sid:1616; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Bugzilla doeditvotes.cgi access"; flow:to_server,established; http_uri; content:"/doeditvotes.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3800; reference:cve,2002-0011; classtype:web-application-activity; sid:1617; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS .asp chunked Transfer-Encoding"; flow:to_server,established; http_uri; content:".asp",nocase; http_header; content:"Transfer-Encoding|3A|",nocase; content:"chunked",nocase; metadata:ruleset community; service:http; reference:bugtraq,4474; reference:bugtraq,4485; reference:cve,2002-0071; reference:cve,2002-0079; reference:nessus,10932; classtype:web-application-attack; sid:1618; rev:26; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP CMD overflow attempt"; flow:to_server,established; content:"CMD",nocase; isdataat:200,relative; pcre:"/^CMD(?!\n)\s[^\n]{200}/ims"; metadata:ruleset community; service:ftp; classtype:attempted-admin; sid:1621; rev:20; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP RNFR ././ attempt"; flow:to_server,established; content:"RNFR ",fast_pattern,nocase; content:" ././"; metadata:ruleset community; service:ftp; reference:cve,1999-0081; classtype:misc-attack; sid:1622; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP invalid MODE"; flow:to_server,established; content:"MODE",fast_pattern,nocase; pcre:"/^MODE\s+[^ABSC]{1}/ims"; metadata:ruleset community; service:ftp; reference:url,www.faqs.org/rfcs/rfc959.html; classtype:protocol-command-decode; sid:1623; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP PWD overflow attempt"; flow:to_server,established; content:"PWD",nocase; isdataat:190,relative; pcre:"/^PWD\s.{190}/ims"; metadata:ruleset community; service:ftp; classtype:protocol-command-decode; sid:1624; rev:18; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP SYST overflow attempt"; flow:to_server,established; content:"SYST",nocase; isdataat:100,relative; pcre:"/^SYST(?!\n)\s[^\n]{100}/ims"; metadata:ruleset community; service:ftp; reference:url,www.faqs.org/rfcs/rfc959.html; classtype:protocol-command-decode; sid:1625; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS /StoreCSVS/InstantOrder.asmx request"; flow:to_server,established; http_uri; content:"/StoreCSVS/InstantOrder.asmx",nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1626; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP FormHandler.cgi directory traversal attempt"; flow:to_server,established; http_uri; content:"/FormHandler.cgi",nocase; pkt_data; content:"reply_message_attach=",fast_pattern,nocase; content:"/../"; metadata:ruleset community; service:http; reference:bugtraq,798; reference:bugtraq,799; reference:cve,1999-1050; reference:nessus,10075; classtype:web-application-attack; sid:1628; rev:19; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( msg:"PROTOCOL-POP PASS overflow attempt"; flow:to_server,established; content:"PASS",nocase; isdataat:50,relative; pcre:"/^PASS\s[^\n]{50}/ims"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:pop3; reference:bugtraq,21645; reference:bugtraq,791; reference:cve,1999-1511; reference:cve,2006-6605; reference:nessus,10325; classtype:attempted-admin; sid:1634; rev:25; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( msg:"PROTOCOL-POP APOP overflow attempt"; flow:to_server,established; content:"APOP",nocase; isdataat:256,relative; pcre:"/^APOP\s[^\n]{256}/ims"; metadata:ruleset community; service:pop3; reference:bugtraq,1652; reference:cve,2000-0840; reference:cve,2000-0841; reference:nessus,10559; classtype:attempted-admin; sid:1635; rev:19; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 32000 ( msg:"SERVER-OTHER Xtramail Username overflow attempt"; flow:to_server,established; content:"Username|3A|",nocase; isdataat:100,relative; pcre:"/^Username\:[^\n]{100}/ims"; metadata:ruleset community; reference:bugtraq,791; reference:cve,1999-1511; reference:nessus,10323; classtype:attempted-admin; sid:1636; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP yabb access"; flow:to_server,established; http_uri; content:"/YaBB",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1668; reference:cve,2000-0853; reference:nessus,10512; classtype:attempted-recon; sid:1637; rev:21; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 ( msg:"INDICATOR-SCAN SSH Version map attempt"; flow:to_server,established; content:"Version_Mapper",fast_pattern,nocase; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:network-scan; sid:1638; rev:10; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 ( msg:"POLICY-SOCIAL IRC DCC file transfer request"; flow:to_server,established; content:"PRIVMSG ",nocase; content:" |3A|.DCC SEND",distance 0,fast_pattern,nocase; metadata:ruleset community; classtype:policy-violation; sid:1639; rev:13; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 ( msg:"POLICY-SOCIAL IRC DCC chat request"; flow:to_server,established; content:"PRIVMSG ",nocase; content:" |3A|.DCC CHAT chat",distance 0,fast_pattern,nocase; metadata:ruleset community; classtype:policy-violation; sid:1640; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 6789:6790 ( msg:"SERVER-OTHER DB2 dos attempt"; flow:to_server,established; isdataat:0; isdataat:!1; metadata:ruleset community; reference:bugtraq,3010; reference:cve,2001-1143; reference:nessus,10871; classtype:denial-of-service; sid:1641; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP document.d2w access"; flow:to_server,established; http_uri; content:"/document.d2w",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2017; reference:cve,2000-1110; classtype:web-application-activity; sid:1642; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP db2www access"; flow:to_server,established; http_uri; content:"/db2www",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,2000-0677; classtype:web-application-activity; sid:1643; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP test-cgi attempt"; flow:to_server,established; http_uri; content:"/test-cgi/*?*",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,2003; reference:cve,1999-0070; reference:nessus,10282; classtype:web-application-attack; sid:1644; rev:25; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP testcgi access"; flow:to_server,established; http_uri; content:"/testcgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,7214; reference:cve,2003-1531; reference:nessus,11610; classtype:web-application-activity; sid:1645; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP test.cgi access"; flow:to_server,established; http_uri; content:"/test.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1646; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP perl.exe command attempt"; flow:to_server,established; http_uri; content:"/perl.exe?",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,1999-0509; reference:nessus,10173; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:1648; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP perl command attempt"; flow:to_server,established; http_uri; content:"/perl?",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,1999-0509; reference:nessus,10173; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:1649; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP tst.bat access"; flow:to_server,established; http_uri; content:"/tst.bat",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,770; reference:cve,1999-0885; reference:nessus,10014; classtype:web-application-activity; sid:1650; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP environ.pl access"; flow:to_server,established; http_uri; content:"/environ.pl",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1651; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP campas attempt"; flow:to_server,established; http_uri; content:"/campas?|0A|",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1975; reference:cve,1999-0146; reference:nessus,10035; classtype:web-application-attack; sid:1652; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP cart32.exe access"; flow:to_server,established; http_uri; content:"/cart32.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1153; reference:nessus,10389; classtype:web-application-activity; sid:1654; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP pfdispaly.cgi arbitrary command execution attempt"; flow:to_server,established; http_uri; content:"/pfdispaly.cgi?",nocase; content:"'",distance 0,nocase; metadata:ruleset community; service:http; reference:cve,1999-0270; reference:nessus,10174; classtype:web-application-attack; sid:1655; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP pfdispaly.cgi access"; flow:to_server,established; http_uri; content:"/pfdispaly.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,64; reference:cve,1999-0270; reference:nessus,10174; classtype:web-application-activity; sid:1656; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP pagelog.cgi directory traversal attempt"; flow:to_server,established; http_uri; content:"/pagelog.cgi",nocase; pkt_data; content:"name=../",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1864; reference:cve,2000-0940; reference:nessus,10591; classtype:web-application-activity; sid:1657; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP pagelog.cgi access"; flow:to_server,established; http_uri; content:"/pagelog.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1864; reference:cve,2000-0940; reference:nessus,10591; classtype:web-application-activity; sid:1658; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion sendmail.cfm access"; flow:to_server,established; http_uri; content:"/sendmail.cfm",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,1999-0760; reference:cve,2001-0535; classtype:attempted-recon; sid:1659; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS trace.axd access"; flow:to_server,established; http_uri; content:"/trace.axd",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:nessus,10993; classtype:web-application-activity; sid:1660; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS cmd32.exe access"; flow:to_server,established; http_uri; content:"cmd32.exe",nocase; metadata:ruleset community; service:http; classtype:web-application-attack; sid:1661; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP /~ftp access"; flow:to_server,established; http_uri; content:"/~ftp",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:1662; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP *%20.pl access"; flow:to_server,established; http_uri; content:" .pl",fast_pattern,nocase; pcre:"/\/[^\r\n]*\x20.pl/i"; metadata:ruleset community; service:http; reference:nessus,11007; reference:url,rtfm.vn.ua/inet/sec/cgi-bugs.htm; reference:url,www.securityfocus.com/archive/1/149482; classtype:web-application-attack; sid:1663; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP mkplog.exe access"; flow:to_server,established; http_uri; content:"/mkplog.exe",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1664; rev:13; )
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE index of /cgi-bin/ response"; flow:to_client,established; file_data; content:"Index of /cgi-bin/",nocase; metadata:ruleset community; service:http; reference:nessus,10039; classtype:bad-unknown; sid:1666; rev:11; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP cross site scripting HTML Image tag set to javascript attempt"; flow:to_server,established; http_uri; content:"img src=javascript",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,4858; reference:cve,2002-0902; classtype:web-application-attack; sid:1667; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP /cgi-bin/ access"; flow:to_server,established; http_uri; content:"/cgi-bin/"; pkt_data; content:"/cgi-bin/ HTTP",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-attack; sid:1668; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP /cgi-dos/ access"; flow:to_server,established; http_uri; content:"/cgi-dos/"; pkt_data; content:"/cgi-dos/ HTTP",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-attack; sid:1669; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP /home/ftp access"; flow:to_server,established; http_uri; content:"/home/ftp",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,11032; classtype:web-application-activity; sid:1670; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP /home/www access"; flow:to_server,established; http_uri; content:"/home/www",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,11032; classtype:web-application-activity; sid:1671; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP CWD ~ attempt"; flow:to_server,established; content:"CWD",fast_pattern,nocase; pcre:"/^CWD\s+~/ims"; metadata:policy max-detect-ips drop,ruleset community; service:ftp; reference:bugtraq,2601; reference:bugtraq,9215; reference:cve,2001-0421; classtype:denial-of-service; sid:1672; rev:22; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE EXECUTE_SYSTEM attempt"; flow:to_server,established; content:"EXECUTE_SYSTEM",nocase; metadata:ruleset community; classtype:system-call-detect; sid:1673; rev:6; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE connect_data remote version detection attempt"; flow:to_server,established; content:"connect_data|28|command=version|29|",nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1674; rev:8; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE misparsed login response"; flow:to_client,established; content:"description=|28|",nocase; content:!"connect_data=|28|sid=",nocase; content:!"address=|28|protocol=tcp",nocase; metadata:ruleset community; classtype:suspicious-login; sid:1675; rev:8; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE select union attempt"; flow:to_server,established; content:"select ",nocase; content:" union ",nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1676; rev:7; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE select like '%' attempt"; flow:to_server,established; content:" where ",nocase; content:" like '%'",nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1677; rev:7; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE select like '%' attempt backslash escaped"; flow:to_server,established; content:" where ",nocase; content:" like |22|%|22|",nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1678; rev:9; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE describe attempt"; flow:to_server,established; content:"describe ",nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1679; rev:8; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE all_constraints access"; flow:to_server,established; content:"all_constraints",nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1680; rev:7; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE all_views access"; flow:to_server,established; content:"all_views",nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1681; rev:7; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE all_source access"; flow:to_server,established; content:"all_source",nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1682; rev:7; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE all_tables access"; flow:to_server,established; content:"all_tables",nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1683; rev:7; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE all_tab_columns access"; flow:to_server,established; content:"all_tab_columns",nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1684; rev:7; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE all_tab_privs access"; flow:to_server,established; content:"all_tab_privs",nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1685; rev:8; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dba_tablespace access"; flow:to_server,established; content:"dba_tablespace",nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1686; rev:7; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dba_tables access"; flow:to_server,established; content:"dba_tables",nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1687; rev:7; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE user_tablespace access"; flow:to_server,established; content:"user_tablespace",nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1688; rev:7; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.all_users access"; flow:to_server,established; content:"sys.all_users",nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1689; rev:7; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE grant attempt"; flow:to_server,established; content:"grant ",nocase; content:" to ",nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1690; rev:7; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE ALTER USER attempt"; flow:to_server,established; content:"alter user",nocase; content:" identified by ",nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1691; rev:7; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE drop table attempt"; flow:to_server,established; content:"drop table",nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1692; rev:7; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE create table attempt"; flow:to_server,established; content:"create table",nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1693; rev:8; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE alter table attempt"; flow:to_server,established; content:"alter table",nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1694; rev:7; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE truncate table attempt"; flow:to_server,established; content:"truncate table",nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1695; rev:7; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE create database attempt"; flow:to_server,established; content:"create database",nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1696; rev:7; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE alter database attempt"; flow:to_server,established; content:"alter database",nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1697; rev:7; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP imagemap.exe access"; flow:to_server,established; http_uri; content:"/imagemap.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,739; reference:cve,1999-0951; reference:nessus,10122; classtype:web-application-activity; sid:1700; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP calendar-admin.pl access"; flow:to_server,established; http_uri; content:"/calendar-admin.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1215; reference:cve,2000-0432; reference:nessus,10506; classtype:web-application-activity; sid:1701; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Amaya templates sendtemp.pl access"; flow:to_server,established; http_uri; content:"/sendtemp.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2504; reference:cve,2001-0272; classtype:web-application-activity; sid:1702; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP auktion.cgi directory traversal attempt"; flow:to_server,established; http_uri; content:"/auktion.cgi",fast_pattern,nocase; pkt_data; content:"menue=../../",nocase; metadata:ruleset community; service:http; reference:bugtraq,2367; reference:cve,2001-0212; reference:nessus,10638; classtype:web-application-attack; sid:1703; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP cal_make.pl directory traversal attempt"; flow:to_server,established; http_uri; content:"/cal_make.pl",nocase; pkt_data; content:"p0=../../",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2663; reference:cve,2001-0463; reference:nessus,10664; classtype:web-application-attack; sid:1704; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP echo.bat arbitrary command execution attempt"; flow:to_server,established; http_uri; content:"/echo.bat"; pkt_data; content:"&"; metadata:ruleset community; service:http; reference:bugtraq,1002; reference:cve,2000-0213; reference:nessus,10246; classtype:web-application-attack; sid:1705; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP echo.bat access"; flow:to_server,established; http_uri; content:"/echo.bat",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1002; reference:cve,2000-0213; reference:nessus,10246; classtype:web-application-activity; sid:1706; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP hello.bat arbitrary command execution attempt"; flow:to_server,established; http_uri; content:"/hello.bat"; pkt_data; content:"&"; metadata:ruleset community; service:http; reference:bugtraq,1002; reference:cve,2000-0213; reference:nessus,10246; classtype:web-application-attack; sid:1707; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP hello.bat access"; flow:to_server,established; http_uri; content:"/hello.bat",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1002; reference:cve,2000-0213; reference:nessus,10246; classtype:web-application-activity; sid:1708; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ad.cgi access"; flow:to_server,established; http_uri; content:"/ad.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2103; reference:cve,2001-0025; reference:nessus,11464; classtype:web-application-activity; sid:1709; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP bbs_forum.cgi access"; flow:to_server,established; http_uri; content:"/bbs_forum.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2177; reference:cve,2001-0123; reference:url,www.cgisecurity.com/advisory/3.1.txt; classtype:web-application-activity; sid:1710; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP bsguest.cgi access"; flow:to_server,established; http_uri; content:"/bsguest.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2159; reference:cve,2001-0099; classtype:web-application-activity; sid:1711; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP bslist.cgi access"; flow:to_server,established; http_uri; content:"/bslist.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2160; reference:cve,2001-0100; classtype:web-application-activity; sid:1712; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP cgforum.cgi access"; flow:to_server,established; http_uri; content:"/cgforum.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1951; reference:cve,2000-1132; classtype:web-application-activity; sid:1713; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP newdesk access"; flow:to_server,established; http_uri; content:"/newdesk",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1714; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP register.cgi access"; flow:to_server,established; http_uri; content:"/register.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2157; reference:cve,2001-0076; classtype:web-application-activity; sid:1715; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP gbook.cgi access"; flow:to_server,established; http_uri; content:"/gbook.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1940; reference:cve,2000-1131; classtype:web-application-activity; sid:1716; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP simplestguest.cgi access"; flow:to_server,established; http_uri; content:"/simplestguest.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2106; reference:cve,2001-0022; classtype:web-application-activity; sid:1717; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP statsconfig.pl access"; flow:to_server,established; http_uri; content:"/statsconfig.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2211; reference:cve,2001-0113; classtype:web-application-activity; sid:1718; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP talkback.cgi directory traversal attempt"; flow:to_server,established; http_uri; content:"/talkbalk.cgi",nocase; pkt_data; content:"article=../../",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2547; reference:cve,2001-0420; classtype:web-application-attack; sid:1719; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP talkback.cgi access"; flow:to_server,established; http_uri; content:"/talkbalk.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2547; reference:cve,2001-0420; classtype:web-application-activity; sid:1720; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP adcycle access"; flow:to_server,established; http_uri; content:"/adcycle",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3741; reference:cve,2001-1226; classtype:web-application-activity; sid:1721; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP MachineInfo access"; flow:to_server,established; http_uri; content:"/MachineInfo",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-1067; classtype:web-application-activity; sid:1722; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP emumail.cgi NULL attempt"; flow:to_server,established; http_uri; content:"/emumail.cgi"; pkt_data; content:"type=",nocase; content:"%00"; metadata:ruleset community; service:http; reference:bugtraq,5824; reference:cve,2002-1526; classtype:web-application-activity; sid:1723; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP emumail.cgi access"; flow:to_server,established; http_uri; content:"/emumail.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,5824; reference:cve,2002-1526; classtype:web-application-activity; sid:1724; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS +.htr code fragment attempt"; flow:to_server,established; http_uri; content:" .htr",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1488; reference:cve,2000-0630; reference:cve,2001-0004; reference:nessus,10680; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-044; reference:url,technet.microsoft.com/en-us/security/bulletin/ms01-004; classtype:web-application-attack; sid:1725; rev:25; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS doctodep.btr access"; flow:to_server,established; http_uri; content:"doctodep.btr"; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1726; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP SGI InfoSearch fname access"; flow:to_server,established; http_uri; content:"/infosrch.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1031; reference:cve,2000-0207; classtype:web-application-activity; sid:1727; rev:20; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 ( msg:"POLICY-SOCIAL IRC channel join"; flow:to_server,established; isdataat:!139; content:"JOIN "; pcre:"/(&|#|\+|!)/R"; metadata:ruleset community; classtype:policy-violation; sid:1729; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ustorekeeper.pl directory traversal attempt"; flow:to_server,established; http_uri; content:"/ustorekeeper.pl",nocase; pkt_data; content:"file=../../",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2536; reference:cve,2001-0466; reference:nessus,10645; classtype:web-application-attack; sid:1730; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP a1stats access"; flow:to_server,established; http_uri; content:"/a1stats/"; metadata:ruleset community; service:http; reference:bugtraq,2705; reference:cve,2001-0561; reference:nessus,10669; classtype:web-application-activity; sid:1731; rev:14; )
alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap rwalld request UDP"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A8|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; reference:bugtraq,205; reference:cve,1999-0181; classtype:rpc-portmap-decode; sid:1732; rev:18; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap rwalld request TCP"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A8|",within 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; service:sunrpc; reference:bugtraq,205; reference:cve,1999-0181; classtype:rpc-portmap-decode; sid:1733; rev:16; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP USER overflow attempt"; flow:to_server,established; content:"USER",nocase; isdataat:100,relative; pcre:"/^USER(?!\n)\s[^\n]{100}/ims"; metadata:policy max-detect-ips drop,ruleset community; service:ftp; reference:bugtraq,10078; reference:bugtraq,10720; reference:bugtraq,1227; reference:bugtraq,1504; reference:bugtraq,15352; reference:bugtraq,1690; reference:bugtraq,22044; reference:bugtraq,22045; reference:bugtraq,4638; reference:bugtraq,49750; reference:bugtraq,7307; reference:bugtraq,8376; reference:cve,1999-1510; reference:cve,1999-1514; reference:cve,1999-1519; reference:cve,1999-1539; reference:cve,2000-0479; reference:cve,2000-0656; reference:cve,2000-0761; reference:cve,2000-0943; reference:cve,2000-1194; reference:cve,2001-0256; reference:cve,2001-0794; reference:cve,2001-0826; reference:cve,2002-0126; reference:cve,2002-1522; reference:cve,2003-0271; reference:cve,2004-0286; reference:cve,2004-0695; reference:cve,2005-3683; classtype:attempted-admin; sid:1734; rev:50; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-OTHER Mozilla Netscape XMLHttpRequest local file read attempt"; flow:to_client,established; file_data; content:"new XMLHttpRequest|28|"; content:"file|3A|//",nocase; metadata:ruleset community; service:http; reference:bugtraq,4628; reference:cve,2002-0354; classtype:web-application-attack; sid:1735; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP squirrel mail spell-check arbitrary command attempt"; flow:to_server,established; http_uri; content:"/squirrelspell/modules/check_me.mod.php",fast_pattern,nocase; pkt_data; content:"SQSPELL_APP[",nocase; metadata:ruleset community; service:http; reference:bugtraq,3952; classtype:web-application-attack; sid:1736; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP squirrel mail theme arbitrary command attempt"; flow:to_server,established; http_uri; content:"/left_main.php",nocase; content:"cmdd=",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,4385; reference:cve,2002-0516; classtype:web-application-attack; sid:1737; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP global.inc access"; flow:to_server,established; http_uri; content:"/global.inc",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,4612; reference:cve,2002-0614; classtype:web-application-attack; sid:1738; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP DNSTools administrator authentication bypass attempt"; flow:to_server,established; http_uri; content:"/dnstools.php",nocase; content:"user_logged_in=true",nocase; content:"user_dnstools_administrator=true",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,4617; reference:cve,2002-0613; classtype:web-application-attack; sid:1739; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP DNSTools authentication bypass attempt"; flow:to_server,established; http_uri; content:"/dnstools.php",fast_pattern,nocase; content:"user_logged_in=true"; metadata:ruleset community; service:http; reference:bugtraq,4617; reference:cve,2002-0613; classtype:web-application-attack; sid:1740; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP DNSTools access"; flow:to_server,established; http_uri; content:"/dnstools.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,4617; reference:cve,2002-0613; classtype:web-application-activity; sid:1741; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Blahz-DNS dostuff.php modify user attempt"; flow:to_server,established; http_uri; content:"/dostuff.php?",nocase; content:"action=modify_user",distance 0,nocase; metadata:ruleset community; service:http; reference:bugtraq,4618; reference:cve,2002-0599; classtype:web-application-attack; sid:1742; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Blahz-DNS dostuff.php access"; flow:to_server,established; http_uri; content:"/dostuff.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,4618; reference:cve,2002-0599; classtype:web-application-activity; sid:1743; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP SecureSite authentication bypass attempt"; flow:to_server,established; content:"secure_site, ok",nocase; metadata:ruleset community; service:http; reference:bugtraq,4621; classtype:web-application-attack; sid:1744; rev:9; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Messagerie supp_membre.php access"; flow:to_server,established; http_uri; content:"/supp_membre.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,4635; classtype:web-application-activity; sid:1745; rev:15; )
alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap cachefsd request UDP"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; reference:bugtraq,4674; reference:cve,2002-0033; reference:cve,2002-0084; reference:nessus,10951; classtype:rpc-portmap-decode; sid:1746; rev:20; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap cachefsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|",within 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; service:sunrpc; reference:bugtraq,4674; reference:cve,2002-0033; reference:cve,2002-0084; reference:nessus,10951; classtype:rpc-portmap-decode; sid:1747; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS users.xml access"; flow:to_server,established; http_uri; content:"/users.xml",nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1750; rev:15; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 32772:34000 ( msg:"SERVER-OTHER cachefsd buffer overflow attempt"; flow:to_server,established; isdataat:720; content:"|00 01 87 86 00 00 00 01 00 00 00 05|",fast_pattern,nocase; metadata:ruleset community; reference:bugtraq,4631; reference:cve,2002-0084; reference:nessus,10951; classtype:misc-attack; sid:1751; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS as_web.exe access"; flow:to_server,established; http_uri; content:"/as_web.exe",nocase; metadata:ruleset community; service:http; reference:bugtraq,4670; reference:cve,2002-1727; reference:cve,2002-1728; classtype:web-application-activity; sid:1753; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS as_web4.exe access"; flow:to_server,established; http_uri; content:"/as_web4.exe",nocase; metadata:ruleset community; service:http; reference:bugtraq,4670; reference:cve,2002-1727; reference:cve,2002-1728; classtype:web-application-activity; sid:1754; rev:15; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP partial body buffer overflow attempt"; flow:to_server,established; content:"PARTIAL",nocase; content:"BODY[",distance 0,nocase; isdataat:1024,relative; pcre:"/\sPARTIAL.*?BODY\[[^\]]{1024}/ims"; metadata:ruleset community; service:imap; reference:bugtraq,4713; reference:cve,2002-0379; reference:nessus,10966; classtype:misc-attack; sid:1755; rev:24; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS NewsPro administration authentication attempt"; flow:to_server,established; content:"logged,true"; metadata:ruleset community; service:http; reference:bugtraq,4672; reference:cve,2002-1734; classtype:web-application-activity; sid:1756; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP b2 arbitrary command execution attempt"; flow:to_server,established; http_uri; content:"/b2/b2-include/"; pkt_data; content:"b2inc"; content:"http|3A|//"; metadata:ruleset community; service:http; reference:bugtraq,4673; reference:cve,2002-0734; reference:cve,2002-1466; reference:nessus,11667; classtype:web-application-attack; sid:1757; rev:14; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 445 ( msg:"SQL xp_cmdshell program execution 445"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|",fast_pattern,nocase; metadata:ruleset community; reference:bugtraq,5309; classtype:attempted-user; sid:1759; rev:10; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP phf arbitrary command execution attempt"; flow:to_server,established; http_uri; content:"/phf?Q",fast_pattern,nocase; http_raw_uri; content:"%0a",nocase; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:bugtraq,629; reference:cve,1999-0067; classtype:web-application-attack; sid:1762; rev:27; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Nortel Contivity cgiproc DOS attempt"; flow:to_server,established; http_uri; content:"/cgiproc?Nocfile=",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,938; reference:cve,2000-0063; reference:cve,2000-0064; reference:nessus,10160; classtype:web-application-attack; sid:1763; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Nortel Contivity cgiproc DOS attempt"; flow:to_server,established; http_uri; content:"/cgiproc?|24|",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,938; reference:cve,2000-0063; reference:cve,2000-0064; reference:nessus,10160; classtype:web-application-attack; sid:1764; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Nortel Contivity cgiproc access"; flow:to_server,established; http_uri; content:"/cgiproc",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,938; reference:cve,2000-0063; reference:cve,2000-0064; reference:nessus,10160; classtype:web-application-activity; sid:1765; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP search.dll directory listing attempt"; flow:to_server,established; http_uri; content:"/search.dll"; pkt_data; content:"query=%00"; metadata:ruleset community; service:http; reference:bugtraq,1684; reference:cve,2000-0835; reference:nessus,10514; classtype:web-application-attack; sid:1766; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP search.dll access"; flow:to_server,established; http_uri; content:"/search.dll"; metadata:ruleset community; service:http; reference:bugtraq,1684; reference:cve,2000-0835; reference:nessus,10514; classtype:web-application-activity; sid:1767; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP .DS_Store access"; flow:to_server,established; http_uri; content:"/.DS_Store"; metadata:ruleset community; service:http; reference:url,www.macintouch.com/mosxreaderreports46.html; classtype:web-application-activity; sid:1769; rev:10; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP .FBCIndex access"; flow:to_server,established; http_uri; content:"/.FBCIndex"; metadata:ruleset community; service:http; reference:url,www.securiteam.com/securitynews/5LP0O005FS.html; classtype:web-application-activity; sid:1770; rev:10; )
alert udp $EXTERNAL_NET any -> $HOME_NET 500 ( msg:"POLICY-OTHER IPSec PGPNet connection attempt"; flow:to_server; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 10 02 00 00 00 00 00 00 00 00 88 0D 00 00 5C 00 00 00 01 00 00 00 01 00 00 00|P|01 01 00 02 03 00 00 24 01 01 00 00 80 01 00 06 80 02 00 02 80 03 00 03 80 04 00 05 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 24 02 01 00 00 80 01 00 05 80 02 00 01 80 03 00 03 80 04 00 02 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 10|",fast_pattern,nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1771; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS pbserver access"; flow:to_server,established; http_uri; content:"/pbserver/pbserver.dll",nocase; metadata:ruleset community; service:http; reference:cve,2000-1089; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-094; classtype:web-application-activity; sid:1772; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP php.exe access"; flow:to_server,established; http_uri; content:"/php.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,www.securitytracker.com/alerts/2002/Jan/1003104.html; classtype:web-application-activity; sid:1773; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP bb_smilies.php access"; flow:to_server,established; http_uri; content:"/bb_smilies.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,www.securiteam.com/securitynews/Serious_security_hole_in_PHP-Nuke__bb_smilies_.html; classtype:web-application-activity; sid:1774; rev:15; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL root login attempt"; flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|00|",fast_pattern,nocase; metadata:ruleset community; service:mysql; classtype:protocol-command-decode; sid:1775; rev:9; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL show databases attempt"; flow:to_server,established; content:"|0F 00 00 00 03|show databases",fast_pattern,nocase; metadata:ruleset community; service:mysql; classtype:protocol-command-decode; sid:1776; rev:9; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP EXPLOIT STAT asterisk dos attempt"; flow:to_server,established; content:"STAT",fast_pattern,nocase; pcre:"/^STAT\s+[^\n]*\x2a/ims"; metadata:ruleset community; service:ftp; reference:bugtraq,4482; reference:cve,2002-0073; reference:nessus,10934; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-018; classtype:attempted-dos; sid:1777; rev:19; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP EXPLOIT STAT ? dos attempt"; flow:to_server,established; content:"STAT",fast_pattern,nocase; pcre:"/^STAT\s+[^\n]*\x3f/ims"; metadata:ruleset community; service:ftp; reference:bugtraq,4482; reference:cve,2002-0073; reference:nessus,10934; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-018; classtype:attempted-dos; sid:1778; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP csPassword.cgi access"; flow:to_server,established; http_uri; content:"/csPassword.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,4885; reference:bugtraq,4886; reference:bugtraq,4887; reference:bugtraq,4889; reference:cve,2002-0917; reference:cve,2002-0918; classtype:web-application-activity; sid:1787; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP csPassword password.cgi.tmp access"; flow:to_server,established; http_uri; content:"/password.cgi.tmp",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,4889; reference:cve,2002-0920; classtype:web-application-activity; sid:1788; rev:11; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 ( msg:"POLICY-SOCIAL IRC dns request"; flow:to_server,established; content:"USERHOST "; metadata:ruleset community; classtype:policy-violation; sid:1789; rev:12; )
alert tcp $EXTERNAL_NET 6666:7000 -> $HOME_NET any ( msg:"POLICY-SOCIAL IRC dns response"; flow:to_client,established; content:"|3A|"; content:" 302 "; content:"=+",fast_pattern,nocase; metadata:ruleset community; classtype:policy-violation; sid:1790; rev:11; )
alert tcp $EXTERNAL_NET 119 -> $HOME_NET any ( msg:"PROTOCOL-NNTP return code buffer overflow attempt"; flow:to_client,established; content:"200"; isdataat:256,relative; pcre:"/^200\s[^\n]{256}/ims"; metadata:ruleset community; reference:bugtraq,4900; reference:cve,2002-0909; classtype:protocol-command-decode; sid:1792; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS .asa HTTP header buffer overflow attempt"; flow:to_server,established; content:"HTTP/",nocase; http_uri; content:".asa",fast_pattern,nocase; pkt_data; content:"|3A|"; content:"|0A|"; content:"|00|"; metadata:ruleset community; service:http; reference:bugtraq,4476; reference:cve,2002-0150; reference:nessus,10936; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-018; classtype:web-application-attack; sid:1802; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS .cer HTTP header buffer overflow attempt"; flow:to_server,established; content:"HTTP/",nocase; http_uri; content:".cer",fast_pattern,nocase; pkt_data; content:"|3A|"; content:"|0A|"; content:"|00|"; metadata:ruleset community; service:http; reference:bugtraq,4476; reference:cve,2002-0150; reference:nessus,10936; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-018; classtype:web-application-attack; sid:1803; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS .cdx HTTP header buffer overflow attempt"; flow:to_server,established; content:"HTTP/",nocase; http_uri; content:".cdx",fast_pattern,nocase; pkt_data; content:"|3A|"; content:"|0A|"; content:"|00|"; metadata:ruleset community; service:http; reference:bugtraq,4476; reference:cve,2002-0150; reference:nessus,10936; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-018; classtype:web-application-attack; sid:1804; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle Reports CGI access"; flow:to_server,established; http_uri; content:"/rwcgi60",fast_pattern,nocase; pkt_data; content:"setauth="; metadata:ruleset community; service:http; reference:bugtraq,4848; reference:cve,2002-0947; classtype:web-application-activity; sid:1805; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS .htr chunked Transfer-Encoding"; flow:to_server,established; http_uri; content:".htr",nocase; http_header; content:"Transfer-Encoding|3A|",nocase; content:"chunked",nocase; metadata:ruleset community; service:http; reference:bugtraq,4855; reference:bugtraq,5003; reference:cve,2002-0364; reference:nessus,11028; classtype:web-application-attack; sid:1806; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"POLICY-OTHER Chunked-Encoding transfer with no data attempt"; flow:to_server,established; content:"Transfer-Encoding: chunked|0D 0A 0D 0A 0D 0A|",nocase; isdataat:!0,relative; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,4474; reference:bugtraq,4485; reference:bugtraq,5033; reference:cve,2002-0071; reference:cve,2002-0079; reference:cve,2002-0386; reference:cve,2002-0392; reference:nessus,10932; classtype:policy-violation; sid:1807; rev:26; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Apache chunked-encoding memory corruption exploit attempt"; flow:to_server,established; http_header; content:"|C0|PR|89 E1|PQRP|B8 3B 00 00 00 CD 80|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,5033; reference:cve,2002-0392; classtype:web-application-activity; sid:1808; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-APACHE Apache chunked-encoding worm attempt"; flow:to_server,established; http_header; content:"X-CCCCCCC|3A 20|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,4474; reference:bugtraq,4485; reference:bugtraq,5033; reference:cve,2002-0071; reference:cve,2002-0079; reference:cve,2002-0392; reference:nessus,10932; classtype:web-application-attack; sid:1809; rev:20; )
alert tcp $HOME_NET 22 -> $EXTERNAL_NET any ( msg:"SERVER-OTHER successful gobbles ssh exploit GOBBLE"; flow:to_client,established; content:"*GOBBLE*"; metadata:ruleset community; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0640; classtype:successful-admin; sid:1810; rev:19; )
alert tcp $HOME_NET 22 -> $EXTERNAL_NET any ( msg:"SERVER-OTHER successful gobbles ssh exploit uname"; flow:to_client,established; content:"uname"; metadata:ruleset community; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0640; reference:nessus,11031; classtype:misc-attack; sid:1811; rev:17; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 ( msg:"SERVER-OTHER gobbles SSH exploit attempt"; flow:to_server,established; content:"GOBBLES"; metadata:ruleset community; reference:bugtraq,5093; reference:cve,2002-0639; reference:nessus,11031; classtype:misc-attack; sid:1812; rev:13; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP digital island bandwidth query"; content:"mailto|3A|ops@digisle.com",depth 22; metadata:ruleset community; classtype:misc-activity; sid:1813; rev:9; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP CISCO VoIP DOS ATTEMPT"; flow:to_server,established; http_uri; content:"/StreamingStatistics"; metadata:ruleset community; service:http; reference:bugtraq,4794; reference:cve,2002-0882; reference:nessus,11013; classtype:misc-attack; sid:1814; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP directory.php arbitrary command attempt"; flow:to_server,established; http_uri; content:"/directory.php"; pkt_data; content:"dir="; content:"|3B|"; metadata:ruleset community; service:http; reference:bugtraq,4278; reference:cve,2002-0434; reference:nessus,11017; classtype:misc-attack; sid:1815; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP directory.php access"; flow:to_server,established; http_uri; content:"/directory.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,4278; reference:cve,2002-0434; classtype:misc-attack; sid:1816; rev:11; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS MS Site Server default login attempt"; flow:to_server,established; http_uri; content:"/SiteServer/Admin/knowledge/persmbr/",nocase; pkt_data; pcre:"/^Authorization\x3A\s*Basic\s+TERBUF9Bbm9ueW1vdXM6TGRhcFBhc3N3b3JkXzE=/ims"; metadata:ruleset community; service:http; reference:nessus,11018; reference:url,attack.mitre.org/techniques/T1078; classtype:web-application-attack; sid:1817; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS MS Site Server admin attempt"; flow:to_server,established; http_uri; content:"/Site Server/Admin/knowledge/persmbr/",nocase; metadata:ruleset community; service:http; reference:nessus,11018; classtype:web-application-attack; sid:1818; rev:15; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 2533 ( msg:"SERVER-OTHER Alcatel PABX 4400 connection attempt"; flow:to_server,established; content:"|00 01|C",depth 3; metadata:ruleset community; reference:nessus,11019; classtype:misc-activity; sid:1819; rev:9; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP IBM Net.Commerce orderdspc.d2w access"; flow:to_server,established; http_uri; content:"/ncommerce3/ExecMacro/orderdspc.d2w"; metadata:ruleset community; service:http; reference:bugtraq,2350; reference:cve,2001-0319; reference:nessus,11020; classtype:web-application-activity; sid:1820; rev:15; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 515 ( msg:"SERVER-OTHER LPD dvips remote command execution attempt"; flow:to_server,established; content:"psfile=|22|`"; metadata:ruleset community; reference:bugtraq,3241; reference:cve,2001-1002; reference:nessus,11023; classtype:system-call-detect; sid:1821; rev:10; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP AlienForm alienform.cgi directory traversal attempt"; flow:to_server,established; http_uri; content:"/alienform.cgi"; pkt_data; content:".|7C|./.|7C|."; metadata:ruleset community; service:http; reference:bugtraq,4983; reference:cve,2002-0934; reference:nessus,11027; classtype:web-application-attack; sid:1822; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP AlienForm af.cgi directory traversal attempt"; flow:to_server,established; http_uri; content:"/af.cgi"; pkt_data; content:".|7C|./.|7C|."; metadata:ruleset community; service:http; reference:bugtraq,4983; reference:cve,2002-0934; reference:nessus,11027; classtype:web-application-attack; sid:1823; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP AlienForm alienform.cgi access"; flow:to_server,established; http_uri; content:"/alienform.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,4983; reference:cve,2002-0934; reference:nessus,11027; classtype:web-application-activity; sid:1824; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP AlienForm af.cgi access"; flow:to_server,established; http_uri; content:"/af.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,4983; reference:cve,2002-0934; reference:nessus,11027; classtype:web-application-activity; sid:1825; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP WEB-INF access"; flow:to_server,established; http_uri; content:"/WEB-INF",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1830; reference:bugtraq,5119; reference:cve,2000-1050; reference:cve,2001-0179; reference:nessus,11037; classtype:web-application-activity; sid:1826; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-APACHE Apache Tomcat servlet mapping cross site scripting attempt"; flow:to_server,established; http_uri; content:"/servlet/"; content:"/org.apache."; metadata:ruleset community; service:http; reference:bugtraq,5193; reference:cve,2002-0682; reference:nessus,11041; classtype:web-application-attack; sid:1827; rev:16; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP iPlanet Search directory traversal attempt"; flow:to_server,established; http_uri; content:"/search",nocase; content:"NS-query-pat=",fast_pattern,nocase; content:"../"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,5191; reference:cve,2002-1042; reference:nessus,11043; classtype:web-application-attack; sid:1828; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-APACHE Apache Tomcat TroubleShooter servlet access"; flow:to_server,established; http_uri; content:"/examples/servlet/TroubleShooter"; metadata:ruleset community; service:http; reference:bugtraq,4575; reference:cve,2002-2006; reference:nessus,11046; classtype:web-application-activity; sid:1829; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-APACHE Apache Tomcat SnoopServlet servlet access"; flow:to_server,established; http_uri; content:"/examples/servlet/SnoopServlet"; metadata:ruleset community; service:http; reference:bugtraq,4575; reference:cve,2002-2006; reference:nessus,11046; classtype:web-application-activity; sid:1830; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP jigsaw dos attempt"; flow:to_server,established; http_uri; content:"/servlet/con"; pcre:"/\x2Fcon\b/i"; metadata:ruleset community; service:http; reference:bugtraq,5258; reference:cve,2002-1052; reference:nessus,11047; classtype:web-application-attack; sid:1831; rev:12; )
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any ( msg:"POLICY-SOCIAL ICQ forced user addition"; flow:to_client,established; content:"Content-Type|3A| application/x-icq",fast_pattern,nocase; content:"[ICQ User]"; metadata:ruleset community; reference:bugtraq,3226; reference:cve,2001-1305; classtype:policy-violation; sid:1832; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP PHP-Wiki cross site scripting attempt"; flow:to_server,established; http_uri; content:"/modules.php?"; content:"name=Wiki",fast_pattern,nocase; content:"<script",nocase; metadata:ruleset community; service:http; reference:bugtraq,5254; reference:cve,2002-1070; classtype:web-application-attack; sid:1834; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Macromedia SiteSpring cross site scripting attempt"; flow:to_server,established; http_uri; content:"/error/500error.jsp",nocase; content:"et="; content:"<script",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,5249; reference:cve,2002-1027; classtype:web-application-attack; sid:1835; rev:14; )
alert tcp $EXTERNAL_NET 22 -> $HOME_NET any ( msg:"SERVER-OTHER SSH server banner overflow"; flow:to_client,established; content:"SSH-",nocase; isdataat:200,relative; pcre:"/^SSH-\s?[^\n]{200}/ims"; metadata:ruleset community; reference:bugtraq,5287; reference:cve,2002-1059; reference:nessus,15822; classtype:misc-attack; sid:1838; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP mailman cross site scripting attempt"; flow:to_server,established; http_uri; content:"/mailman/",nocase; content:"?"; content:"info="; content:"<script",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,5298; reference:cve,2002-0855; reference:nessus,14984; classtype:web-application-attack; sid:1839; rev:14; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-JAVA Oracle Javascript document.domain attempt"; flow:to_client,established; file_data; content:"document.domain|28|",nocase; metadata:ruleset community; service:http; reference:bugtraq,5346; reference:cve,2002-0815; classtype:attempted-user; sid:1840; rev:15; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla 1.0 Javascript arbitrary cookie access attempt"; flow:to_client,established; file_data; content:"javascript|3A|//",fast_pattern,nocase; content:"document.cookie",nocase; metadata:ruleset community; service:http; reference:bugtraq,5293; reference:cve,2002-2314; classtype:attempted-user; sid:1841; rev:18; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP login buffer overflow attempt"; flow:to_server,established; content:"LOGIN",nocase; isdataat:100,relative; pcre:"/\sLOGIN\s[^\n]{100}/i"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:imap; reference:bugtraq,13727; reference:bugtraq,21110; reference:bugtraq,502; reference:cve,1999-0005; reference:cve,1999-1557; reference:cve,2004-1011; reference:cve,2005-1255; reference:cve,2006-5961; reference:cve,2007-1373; reference:cve,2007-2795; reference:cve,2007-3925; reference:nessus,10123; reference:nessus,10125; classtype:attempted-user; sid:1842; rev:35; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 33270 ( msg:"MALWARE-BACKDOOR trinity connection attempt"; flow:to_server,established; content:"!@|23|",depth 3; metadata:ruleset community; reference:cve,2000-0138; reference:nessus,10501; classtype:attempted-admin; sid:1843; rev:11; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP authenticate overflow attempt"; flow:to_server,established; content:"AUTHENTICATE",nocase; isdataat:100,relative; pcre:"/\sAUTHENTICATE\s[^\n]{100}/ims"; metadata:ruleset community; service:imap; reference:bugtraq,12995; reference:bugtraq,130; reference:cve,1999-0005; reference:cve,1999-0042; reference:nessus,10292; classtype:misc-attack; sid:1844; rev:18; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP list literal overflow attempt"; flow:to_server,established; content:"LIST",fast_pattern,nocase; pcre:"/\sLIST\s[^\n]*?\s\{/ims"; byte_test:5,>,256,0,relative,string,dec; metadata:ruleset community; service:imap; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1845; rev:24; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 5800:5802 ( msg:"POLICY-MULTIMEDIA vncviewer Java applet download attempt"; flow:to_server,established; content:"/vncviewer.jar"; metadata:ruleset community; reference:nessus,10758; classtype:misc-activity; sid:1846; rev:7; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP webalizer access"; flow:to_server,established; http_uri; content:"/webalizer/",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3473; reference:cve,2001-0835; reference:nessus,10816; classtype:web-application-activity; sid:1847; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP webcart-lite access"; flow:to_server,established; http_uri; content:"/webcart-lite/",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-0610; reference:nessus,10298; classtype:web-application-activity; sid:1848; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP webfind.exe access"; flow:to_server,established; http_uri; content:"/webfind.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1487; reference:cve,2000-0622; reference:nessus,10475; classtype:web-application-activity; sid:1849; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP way-board.cgi access"; flow:to_server,established; http_uri; content:"/way-board.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,10610; classtype:web-application-activity; sid:1850; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP active.log access"; flow:to_server,established; http_uri; content:"/active.log",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1497; reference:cve,2000-0642; reference:nessus,10470; classtype:web-application-activity; sid:1851; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP robots.txt access"; flow:to_server,established; http_uri; content:"/robots.txt",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,10302; classtype:web-application-activity; sid:1852; rev:11; )
alert udp $EXTERNAL_NET any -> $HOME_NET 35555 ( msg:"MALWARE-BACKDOOR win-trin00 connection attempt"; flow:to_server; content:"png []..Ks l44",depth 14; metadata:ruleset community; reference:cve,2000-0138; reference:nessus,10307; classtype:attempted-admin; sid:1853; rev:12; )
alert icmp $EXTERNAL_NET any <> $HOME_NET any ( msg:"PROTOCOL-ICMP Stacheldraht handler->agent niggahbitch"; icmp_id:9015; itype:0; content:"niggahbitch"; metadata:ruleset community; reference:cve,2000-0138; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1854; rev:13; )
alert icmp $EXTERNAL_NET any <> $HOME_NET any ( msg:"PROTOCOL-ICMP Stacheldraht agent->handler skillz"; icmp_id:6666; itype:0; content:"skillz"; metadata:ruleset community; reference:cve,2000-0138; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1855; rev:13; )
alert icmp $EXTERNAL_NET any <> $HOME_NET any ( msg:"PROTOCOL-ICMP Stacheldraht handler->agent ficken"; icmp_id:6667; itype:0; content:"ficken"; metadata:ruleset community; reference:cve,2000-0138; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1856; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP robot.txt access"; flow:to_server,established; http_uri; content:"/robot.txt",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,10302; classtype:web-application-activity; sid:1857; rev:11; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP CISCO PIX Firewall Manager directory traversal attempt"; flow:to_server,established; http_uri; content:"/pixfir~1/how_to_login.html"; metadata:ruleset community; service:http; reference:bugtraq,691; reference:cve,1999-0158; reference:nessus,10819; classtype:misc-attack; sid:1858; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 ( msg:"SERVER-WEBAPP Oracle JavaServer default password login attempt"; flow:to_server,established; content:"/servlet/admin"; content:"ae9f86d6beaa3f9ecb9a5b7e072a4138"; metadata:ruleset community; service:http; reference:nessus,10995; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:1859; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( msg:"SERVER-WEBAPP Linksys router default password login attempt"; flow:to_server,established; http_header; content:"Authorization|3A|",nocase; pcre:"/^Authorization\x3a(\s*|\s*\r?\n\s+)Basic\s+OmFkbWlu/ims"; metadata:ruleset community; service:http; reference:nessus,10999; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:1860; rev:15; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( msg:"SERVER-WEBAPP Linksys router default username and password login attempt"; flow:to_server,established; content:"YWRtaW46YWRtaW4"; pcre:"/^Authorization\x3a\s*Basic\s+(?-i)YWRtaW46YWRtaW4[=\s]/ims"; metadata:ruleset community; service:http; reference:nessus,10999; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:1861; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP mrtg.cgi directory traversal attempt"; flow:to_server,established; http_uri; content:"/mrtg.cgi"; pkt_data; content:"cfg=/../"; metadata:ruleset community; service:http; reference:bugtraq,4017; reference:cve,2002-0232; reference:nessus,11001; classtype:web-application-attack; sid:1862; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP SITE NEWER attempt"; flow:to_server,established; content:"SITE",nocase; content:"NEWER",distance 1,nocase; pcre:"/^SITE\s+NEWER/ims"; metadata:ruleset community; service:ftp; reference:cve,1999-0880; reference:nessus,10319; classtype:attempted-dos; sid:1864; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP webdist.cgi arbitrary command attempt"; flow:to_server,established; http_uri; content:"/webdist.cgi",nocase; pkt_data; content:"distloc=|3B|",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,374; reference:cve,1999-0039; reference:nessus,10299; classtype:web-application-attack; sid:1865; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( msg:"PROTOCOL-POP USER overflow attempt"; flow:to_server,established; content:"USER"; isdataat:50,relative; pcre:"/^USER\s[^\n]{50}/ims"; metadata:policy max-detect-ips drop,ruleset community; service:pop3; reference:bugtraq,11256; reference:bugtraq,19651; reference:bugtraq,789; reference:cve,1999-0494; reference:cve,2002-1781; reference:cve,2006-2502; reference:cve,2006-4364; reference:cve,2007-4646; reference:nessus,10311; reference:url,www.delegate.org/mail-lists/delegate-en/1475; classtype:attempted-admin; gid:1; sid:1866; rev:26; )
alert udp $EXTERNAL_NET any -> $HOME_NET 177 ( msg:"X11 xdmcp info query"; flow:to_server; content:"|00 01 00 02 00 01 00|",fast_pattern,nocase; metadata:ruleset community; reference:nessus,10891; classtype:attempted-recon; sid:1867; rev:6; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( msg:"SERVER-WEBAPP Interactive Story story.pl arbitrary file read attempt"; flow:to_server,established; http_uri; content:"/story.pl"; pkt_data; content:"next=../"; metadata:ruleset community; service:http; reference:bugtraq,3028; reference:cve,2001-0804; reference:nessus,10817; classtype:default-login-attempt; sid:1868; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( msg:"SERVER-WEBAPP Interactive Story story.pl access"; flow:to_server,established; http_uri; content:"/story.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3028; reference:cve,2001-0804; reference:nessus,10817; classtype:default-login-attempt; sid:1869; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP siteUserMod.cgi access"; flow:to_server,established; http_uri; content:"/.cobalt/siteUserMod/siteUserMod.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,951; reference:cve,2000-0117; reference:nessus,10253; classtype:web-application-activity; sid:1870; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle XSQLConfig.xml access"; flow:to_server,established; http_uri; content:"/XSQLConfig.xml"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,4290; reference:cve,2002-0568; reference:nessus,10855; classtype:web-application-activity; sid:1871; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle Dynamic Monitoring Services dms access"; flow:to_server,established; http_uri; content:"/dms0"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:nessus,10848; classtype:web-application-activity; sid:1872; rev:11; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP globals.jsa access"; flow:to_server,established; http_uri; content:"/globals.jsa"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,4034; reference:cve,2002-0562; reference:nessus,10850; classtype:web-application-activity; sid:1873; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle Java Process Manager access"; flow:to_server,established; http_uri; content:"/oprocmgr-status"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:nessus,10851; classtype:web-application-activity; sid:1874; rev:9; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP cgicso access"; flow:to_server,established; http_uri; content:"/cgicso",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,6141; reference:cve,2002-1652; reference:nessus,10779; reference:nessus,10780; classtype:web-application-activity; sid:1875; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP nph-publish.cgi access"; flow:to_server,established; http_uri; content:"/nph-publish.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-1177; reference:nessus,10164; classtype:web-application-activity; sid:1876; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP printenv access"; flow:to_server,established; http_uri; content:"/printenv",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1658; reference:cve,2000-0868; reference:nessus,10188; reference:nessus,10503; classtype:web-application-activity; sid:1877; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP sdbsearch.cgi access"; flow:to_server,established; http_uri; content:"/sdbsearch.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1658; reference:cve,2000-0868; reference:nessus,10503; classtype:web-application-activity; sid:1878; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP book.cgi arbitrary command execution attempt"; flow:to_server,established; http_uri; content:"/book.cgi",fast_pattern,nocase; pkt_data; content:"current=|7C|",nocase; metadata:ruleset community; service:http; reference:bugtraq,3178; reference:cve,2001-1114; reference:nessus,10721; classtype:web-application-attack; sid:1879; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP oracle web application server access"; flow:to_server,established; http_uri; content:"/ows-bin/",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,1053; reference:cve,2000-0169; reference:nessus,10348; classtype:web-application-activity; sid:1880; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP bad HTTP 1.1 request - potential worm attack"; flow:to_server,established; content:"GET / HTTP/1.1|0D 0A 0D 0A|",depth 18; metadata:ruleset community; service:http; reference:url,securityresponse.symantec.com/avcenter/security/Content/2002.09.13.html; classtype:web-application-activity; sid:1881; rev:13; )
alert ip $HOME_NET any -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE id check returned userid"; content:"uid=",nocase; content:" gid=",distance 0; pcre:"/uid=\d{1,5}\S+\s+gid=\d{1,5}/ims"; metadata:policy max-detect-ips drop,ruleset community; classtype:bad-unknown; sid:1882; rev:20; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 ( msg:"SERVER-OTHER OpenSSL Worm traffic"; flow:to_server,established; content:"TERM=xterm",fast_pattern,nocase; metadata:ruleset community; service:ssl; reference:url,www.cert.org/advisories/CA-2002-27.html; classtype:web-application-attack; sid:1887; rev:9; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP SITE CPWD overflow attempt"; flow:to_server,established; content:"SITE",nocase; content:"CPWD",distance 0,nocase; isdataat:100,relative; pcre:"/^SITE\s+CPWD\s[^\n]{100}/ims"; metadata:ruleset community; service:ftp; reference:bugtraq,5427; reference:cve,2002-0826; classtype:misc-attack; sid:1888; rev:14; )
alert udp $EXTERNAL_NET 2002 -> $HOME_NET 2002 ( msg:"MALWARE-CNC slapper worm admin traffic"; content:"|00 00|E|00 00|E|00 00|@|00|",depth 10; metadata:ruleset community; reference:url,isc.incidents.org/analysis.html?id=167; reference:url,www.cert.org/advisories/CA-2002-27.html; classtype:trojan-activity; sid:1889; rev:10; )
alert udp $EXTERNAL_NET any -> $HOME_NET 1024: ( msg:"PROTOCOL-RPC status GHBN format string attack"; flow:to_server; content:"|00 01 86 B8|",depth 4,offset 12; content:"|00 00 00 02|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x",within 256; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,1480; reference:cve,2000-0666; reference:nessus,10544; classtype:misc-attack; sid:1890; rev:18; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: ( msg:"PROTOCOL-RPC status GHBN format string attack"; flow:to_server,established; content:"|00 01 86 B8|",depth 4,offset 16; content:"|00 00 00 02|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x",within 256; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; reference:bugtraq,1480; reference:cve,2000-0666; reference:nessus,10544; classtype:misc-attack; sid:1891; rev:17; )
alert udp $EXTERNAL_NET any -> $HOME_NET 161 ( msg:"PROTOCOL-SNMP null community string attempt"; content:"|04 01 00|",depth 15,offset 5; metadata:policy max-detect-ips drop,ruleset community; service:snmp; reference:bugtraq,2112; reference:bugtraq,8974; reference:cve,1999-0517; classtype:misc-attack; sid:1892; rev:14; )
alert udp $EXTERNAL_NET any -> $HOME_NET 161 ( msg:"PROTOCOL-SNMP missing community string attempt"; content:"0",depth 1; content:"|02|",within 6; content:"|04 00|",within 8; pcre:"/^\x30(\x84....|\x82..|[^\x80-\xFF])\x02(\x84\x00\x00\x00\x01.|\x82\x00\x01.|\x01.)\x04\x00/"; metadata:policy max-detect-ips drop,ruleset community; service:snmp; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:1893; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 749 ( msg:"INDICATOR-SHELLCODE kadmind buffer overflow attempt"; flow:to_server,established; content:"|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|",fast_pattern,nocase; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:nessus,15015; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1894; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 751 ( msg:"INDICATOR-SHELLCODE kadmind buffer overflow attempt"; flow:to_server,established; content:"|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|",fast_pattern,nocase; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1895; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 749 ( msg:"INDICATOR-SHELLCODE kadmind buffer overflow attempt"; flow:to_server,established; content:"|FF FF|KADM0.0A|00 00 FB 03|"; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1896; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 751 ( msg:"INDICATOR-SHELLCODE kadmind buffer overflow attempt"; flow:to_server,established; content:"|FF FF|KADM0.0A|00 00 FB 03|"; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1897; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 749 ( msg:"INDICATOR-SHELLCODE kadmind buffer overflow attempt"; flow:to_server,established; content:"/shh//bi"; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1898; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 751 ( msg:"INDICATOR-SHELLCODE kadmind buffer overflow attempt"; flow:to_server,established; content:"/shh//bi"; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1899; rev:12; )
alert tcp $HOME_NET 749 -> $EXTERNAL_NET any ( msg:"SERVER-OTHER successful kadmind buffer overflow attempt"; flow:to_client,established; content:"*GOBBLE*",depth 8; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:successful-admin; sid:1900; rev:15; )
alert tcp $HOME_NET 751 -> $EXTERNAL_NET any ( msg:"SERVER-OTHER successful kadmind buffer overflow attempt"; flow:to_client,established; content:"*GOBBLE*",depth 8; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:successful-admin; sid:1901; rev:16; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP lsub literal overflow attempt"; flow:to_server,established; content:"LSUB",fast_pattern,nocase; pcre:"/\sLSUB\s[^\n]*?\s\{/ims"; byte_test:5,>,256,0,relative,string,dec; metadata:ruleset community; service:imap; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1902; rev:18; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP rename overflow attempt"; flow:to_server,established; content:"RENAME",nocase; isdataat:100,relative; pcre:"/\sRENAME\s[^\n]{100}/ims"; metadata:ruleset community; service:imap; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1903; rev:16; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP find overflow attempt"; flow:to_server,established; content:"FIND",nocase; isdataat:100,relative; pcre:"/^\sFIND\s[^\n]{100}/ims"; metadata:ruleset community; service:imap; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1904; rev:16; )
alert udp $EXTERNAL_NET any -> $HOME_NET 500: ( msg:"PROTOCOL-RPC AMD UDP amqproc_mount plog overflow attempt"; flow:to_server; content:"|00 04 93 F3|",depth 4,offset 12; content:"|00 00 00 07|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,512,0,relative; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,614; reference:cve,1999-0704; classtype:misc-attack; sid:1905; rev:15; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 500: ( msg:"PROTOCOL-RPC AMD TCP amqproc_mount plog overflow attempt"; flow:to_server,established; content:"|00 04 93 F3|",depth 4,offset 16; content:"|00 00 00 07|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,512,0,relative; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; reference:bugtraq,614; reference:cve,1999-0704; classtype:misc-attack; sid:1906; rev:13; )
alert udp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC CMSD UDP CMSD_CREATE buffer overflow attempt"; flow:to_server; content:"|00 01 86 E4|",depth 4,offset 12; content:"|00 00 00 15|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; reference:bugtraq,36615; reference:bugtraq,524; reference:cve,1999-0696; reference:cve,2009-3699; classtype:attempted-admin; sid:1907; rev:18; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC CMSD TCP CMSD_CREATE buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|",depth 4,offset 16; content:"|00 00 00 15|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; reference:bugtraq,524; reference:cve,1999-0696; classtype:attempted-admin; sid:1908; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC CMSD TCP CMSD_INSERT buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|",depth 4,offset 16; content:"|00 00 00 06|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,1000,28,relative; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; reference:bugtraq,524; reference:cve,1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack; sid:1909; rev:17; )
alert udp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC CMSD udp CMSD_INSERT buffer overflow attempt"; flow:to_server; content:"|00 01 86 E4|",depth 4,offset 12; content:"|00 00 00 06|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,1000,28,relative; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; reference:cve,1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack; sid:1910; rev:17; )
alert udp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; flow:to_server; content:"|00 01 87 88|",depth 4,offset 12; content:"|00 00 00 01|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,124,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,512,4,relative; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,866; reference:cve,1999-0977; classtype:attempted-admin; sid:1911; rev:20; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; flow:to_server,established; content:"|00 01 87 88|",depth 4,offset 16; content:"|00 00 00 01|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,124,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,512,4,relative; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; reference:bugtraq,0866; reference:bugtraq,866; reference:cve,1999-0977; classtype:attempted-admin; sid:1912; rev:16; )
alert udp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC STATD UDP stat mon_name format string exploit attempt"; flow:to_server; content:"|00 01 86 B8|",depth 4,offset 12; content:"|00 00 00 01|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,1480; reference:cve,2000-0666; reference:nessus,10544; classtype:attempted-admin; sid:1913; rev:20; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC STATD TCP stat mon_name format string exploit attempt"; flow:to_server,established; content:"|00 01 86 B8|",depth 4,offset 16; content:"|00 00 00 01|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; reference:bugtraq,1480; reference:cve,2000-0666; reference:nessus,10544; classtype:attempted-admin; sid:1914; rev:18; )
alert udp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC STATD UDP monitor mon_name format string exploit attempt"; flow:to_server; content:"|00 01 86 B8|",depth 4,offset 12; content:"|00 00 00 02|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,1480; reference:cve,2000-0666; reference:nessus,10544; classtype:attempted-admin; sid:1915; rev:19; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC STATD TCP monitor mon_name format string exploit attempt"; flow:to_server,established; content:"|00 01 86 B8|",depth 4,offset 16; content:"|00 00 00 02|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; reference:bugtraq,1480; reference:cve,2000-0666; reference:nessus,10544; classtype:attempted-admin; sid:1916; rev:17; )
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 ( msg:"INDICATOR-SCAN UPnP service discover attempt"; flow:to_server; content:"M-SEARCH ",depth 9; content:"ssdp|3A|discover",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:network-scan; sid:1917; rev:16; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP SolarWinds IP scan attempt"; icode:0; itype:8; content:"SolarWinds.Net",fast_pattern,nocase; metadata:ruleset community; classtype:network-scan; sid:1918; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP CWD overflow attempt"; flow:to_server,established; content:"CWD",nocase; isdataat:180,relative; pcre:"/^CWD(?!\n)\s[^\n]{180}/ims"; metadata:ruleset community; service:ftp; reference:bugtraq,11069; reference:bugtraq,1227; reference:bugtraq,1690; reference:bugtraq,6869; reference:bugtraq,7251; reference:bugtraq,7950; reference:cve,1999-0219; reference:cve,1999-1058; reference:cve,1999-1510; reference:cve,2000-1035; reference:cve,2000-1194; reference:cve,2001-0781; reference:cve,2002-0126; reference:cve,2002-0405; classtype:attempted-admin; sid:1919; rev:31; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP SITE NEWER overflow attempt"; flow:to_server,established; content:"SITE",nocase; content:"NEWER",distance 0,nocase; isdataat:100,relative; pcre:"/^SITE\s+NEWER\s[^\n]{100}/ims"; metadata:ruleset community; service:ftp; reference:bugtraq,229; reference:cve,1999-0800; classtype:attempted-admin; sid:1920; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP SITE ZIPCHK overflow attempt"; flow:to_server,established; content:"SITE",nocase; content:"ZIPCHK",distance 1,nocase; isdataat:100,relative; pcre:"/^SITE\s+ZIPCHK\s[^\n]{100}/ims"; metadata:ruleset community; service:ftp; reference:cve,2000-0040; classtype:attempted-admin; sid:1921; rev:11; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap proxy attempt TCP"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 05|",within 4,distance 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:1922; rev:12; )
alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap proxy attempt UDP"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 05|",within 4,distance 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:1923; rev:14; )
alert udp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC mountd UDP export request"; flow:to_server; content:"|00 01 86 A5|",depth 4,offset 12; content:"|00 00 00 05|",within 4,distance 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; classtype:attempted-recon; sid:1924; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC mountd TCP exportall request"; flow:to_server,established; content:"|00 01 86 A5|",depth 4,offset 16; content:"|00 00 00 06|",within 4,distance 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; classtype:attempted-recon; sid:1925; rev:12; )
alert udp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC mountd UDP exportall request"; flow:to_server; content:"|00 01 86 A5|",depth 4,offset 12; content:"|00 00 00 06|",within 4,distance 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; classtype:attempted-recon; sid:1926; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP authorized_keys"; flow:to_server,established; content:"authorized_keys",fast_pattern,nocase; metadata:ruleset community; service:ftp; classtype:suspicious-filename-detect; sid:1927; rev:8; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP shadow retrieval attempt"; flow:to_server,established; content:"RETR",nocase; content:"shadow"; pcre:"/^RETR[^\n]*shadow$/ims"; metadata:ruleset community; service:ftp; classtype:suspicious-filename-detect; sid:1928; rev:11; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP auth literal overflow attempt"; flow:to_server,established; content:"AUTH",fast_pattern,nocase; pcre:"/({(?=\d+}[^\n]*?\sAUTH)|AUTH\s[^\n]*?{(?=\d+}))/ims"; byte_test:5,>,256,0,relative,string,dec; metadata:policy max-detect-ips drop,ruleset community; service:imap; reference:bugtraq,21724; reference:cve,1999-0005; reference:cve,2006-6424; classtype:misc-attack; sid:1930; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP rpc-nlog.pl access"; flow:to_server,established; http_uri; content:"/rpc-nlog.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-1278; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=91470326629357&w=2; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=91471400632145&w=2; classtype:web-application-activity; sid:1931; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP rpc-smb.pl access"; flow:to_server,established; http_uri; content:"/rpc-smb.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-1278; classtype:web-application-activity; sid:1932; rev:11; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP cart.cgi access"; flow:to_server,established; http_uri; content:"/cart.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1115; reference:cve,2000-0252; reference:nessus,10368; classtype:web-application-activity; sid:1933; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( msg:"PROTOCOL-POP AUTH overflow attempt"; flow:to_server,established; content:"AUTH",nocase; isdataat:50,relative; pcre:"/^AUTH\s[^\n]{50}/ims"; metadata:ruleset community; service:pop3; reference:bugtraq,830; reference:cve,1999-0822; reference:nessus,10184; classtype:attempted-admin; sid:1936; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( msg:"PROTOCOL-POP LIST overflow attempt"; flow:to_server,established; content:"LIST",nocase; isdataat:10,relative; pcre:"/^LIST\s[^\n]{10}/ims"; metadata:ruleset community; service:pop3; reference:bugtraq,948; reference:cve,2000-0096; reference:nessus,10197; classtype:attempted-admin; sid:1937; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( msg:"PROTOCOL-POP XTND overflow attempt"; flow:to_server,established; content:"XTND",nocase; isdataat:50,relative; pcre:"/^XTND\s[^\n]{50}/ims"; metadata:ruleset community; service:pop3; classtype:attempted-admin; sid:1938; rev:10; )
alert udp $EXTERNAL_NET any -> $HOME_NET 67 ( msg:"SERVER-OTHER bootp hardware address length overflow"; flow:to_server; content:"|01|",depth 1; byte_test:1,>,6,2; metadata:policy max-detect-ips drop,ruleset community; reference:cve,1999-0798; classtype:misc-activity; sid:1939; rev:10; )
alert udp $EXTERNAL_NET any -> $HOME_NET 67 ( msg:"SERVER-OTHER bootp invalid hardware type"; flow:to_server; content:"|01|",depth 1; byte_test:1,>,7,1; metadata:policy max-detect-ips drop,ruleset community; reference:cve,1999-0798; classtype:misc-activity; sid:1940; rev:9; )
alert udp any any -> any 69 ( msg:"PROTOCOL-TFTP GET filename overflow attempt"; flow:to_server; content:"|00 01|",depth 2; isdataat:100,relative; content:!"|00|",within 100; metadata:policy max-detect-ips drop,ruleset community; service:tftp; reference:bugtraq,20131; reference:bugtraq,22923; reference:bugtraq,36121; reference:bugtraq,5328; reference:cve,2002-0813; reference:cve,2006-4948; reference:cve,2007-1435; reference:cve,2009-2957; reference:cve,2009-2958; reference:nessus,18264; classtype:attempted-admin; sid:1941; rev:24; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP RMDIR overflow attempt"; flow:to_server,established; content:"RMDIR",nocase; isdataat:100,relative; pcre:"/^RMDIR(?!\n)\s[^\n]{100}/ims"; metadata:ruleset community; service:ftp; reference:bugtraq,819; classtype:attempted-admin; sid:1942; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP /Carello/add.exe access"; flow:to_server,established; http_uri; content:"/Carello/add.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1245; reference:cve,2000-0396; reference:nessus,11776; classtype:web-application-activity; sid:1943; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP /ecscripts/ecware.exe access"; flow:to_server,established; http_uri; content:"/ecscripts/ecware.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,6066; classtype:web-application-activity; sid:1944; rev:11; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 ( msg:"SERVER-WEBAPP answerbook2 admin attempt"; flow:to_server,established; content:"/cgi-bin/admin/admin"; metadata:ruleset community; service:http; reference:bugtraq,5383; reference:cve,2000-0696; classtype:web-application-activity; sid:1946; rev:11; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 ( msg:"SERVER-WEBAPP answerbook2 arbitrary command execution attempt"; flow:to_server,established; content:"/ab2/"; content:"|3B|",distance 1; metadata:ruleset community; service:http; reference:bugtraq,1556; reference:cve,2000-0697; classtype:web-application-attack; sid:1947; rev:15; )
alert udp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"PROTOCOL-DNS dns zone transfer via UDP detected"; flow:to_server; content:"|00 01 00 00 00 00 00|",depth 8,offset 4; byte_test:1,!&,0xF8,2; content:"|00 00 FC 00 01|",fast_pattern; isdataat:!1,relative; metadata:policy max-detect-ips drop,ruleset community; service:dns; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:1948; rev:20; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap SET attempt TCP 111"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 01|",within 4,distance 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:1949; rev:11; )
alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap SET attempt UDP 111"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 01|",within 4,distance 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:1950; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC mountd TCP mount request"; flow:to_server,established; content:"|00 01 86 A5|",depth 4,offset 16; content:"|00 00 00 01|",within 4,distance 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; reference:cve,1999-0210; classtype:attempted-recon; sid:1951; rev:11; )
alert udp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC mountd UDP mount request"; flow:to_server; content:"|00 01 86 A5|",depth 4,offset 12; content:"|00 00 00 01|",within 4,distance 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; classtype:attempted-recon; sid:1952; rev:15; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 500: ( msg:"PROTOCOL-RPC AMD TCP pid request"; flow:to_server,established; content:"|00 04 93 F3|",depth 4,offset 16; content:"|00 00 00 09|",within 4,distance 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; classtype:rpc-portmap-decode; sid:1953; rev:10; )
alert udp $EXTERNAL_NET any -> $HOME_NET 500: ( msg:"PROTOCOL-RPC AMD UDP pid request"; flow:to_server; content:"|00 04 93 F3|",depth 4,offset 12; content:"|00 00 00 09|",within 4,distance 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; classtype:rpc-portmap-decode; sid:1954; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 500: ( msg:"PROTOCOL-RPC AMD TCP version request"; flow:to_server,established; content:"|00 04 93 F3|",depth 4,offset 16; content:"|00 00 00 08|",within 4,distance 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; classtype:rpc-portmap-decode; sid:1955; rev:11; )
alert udp $EXTERNAL_NET any -> $HOME_NET 500: ( msg:"PROTOCOL-RPC AMD UDP version request"; flow:to_server; content:"|00 04 93 F3|",depth 4,offset 12; content:"|00 00 00 08|",within 4,distance 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,1554; reference:cve,2000-0696; classtype:rpc-portmap-decode; sid:1956; rev:15; )
alert udp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC sadmind UDP PING"; content:"|00 01 87 88|",depth 4,offset 12; content:"|00 00 00 00|",within 4,distance 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,866; reference:cve,1999-0977; reference:nessus,10229; classtype:protocol-command-decode; sid:1957; rev:16; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC sadmind TCP PING"; flow:to_server,established; content:"|00 01 87 88|",depth 4,offset 16; content:"|00 00 00 00|",within 4,distance 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; reference:bugtraq,866; reference:cve,1999-0977; reference:nessus,10229; classtype:protocol-command-decode; sid:1958; rev:15; )
alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap NFS request UDP"; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A3|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:1959; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap NFS request TCP"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A3|",within 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:1960; rev:13; )
alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap RQUOTA request UDP"; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AB|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:1961; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap RQUOTA request TCP"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AB|",within 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:1962; rev:13; )
alert udp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC RQUOTA getquota overflow attempt UDP"; content:"|00 01 86 AB|",depth 4,offset 12; content:"|00 00 00 01|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,864; reference:cve,1999-0974; classtype:misc-attack; sid:1963; rev:15; )
alert udp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC tooltalk UDP overflow attempt"; flow:to_server; content:"|00 01 86 F3|",depth 4,offset 12; content:"|00 00 00 07|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,122; reference:cve,1999-0003; classtype:attempted-admin; sid:1964; rev:18; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC tooltalk TCP overflow attempt"; flow:to_server,established; content:"|00 01 86 F3|",depth 4,offset 16; content:"|00 00 00 07|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; reference:bugtraq,122; reference:cve,1999-0003; reference:cve,2001-0717; classtype:attempted-admin; sid:1965; rev:17; )
alert udp $EXTERNAL_NET any -> 255.255.255.255 27155 ( msg:"SERVER-OTHER GlobalSunTech Access Point Information Disclosure attempt"; flow:to_server; content:"gstsearch",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,6100; reference:cve,2002-2137; classtype:misc-activity; sid:1966; rev:11; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP phpbb quick-reply.php arbitrary command attempt"; flow:to_server,established; http_uri; content:"/quick-reply.php"; pkt_data; content:"phpbb_root_path="; metadata:ruleset community; service:http; reference:bugtraq,6173; reference:cve,2002-2287; classtype:web-application-attack; sid:1967; rev:11; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP phpbb quick-reply.php access"; flow:to_server,established; http_uri; content:"/quick-reply.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,6173; reference:cve,2002-2287; classtype:web-application-activity; sid:1968; rev:11; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ion-p access"; flow:to_server,established; http_uri; content:"/ion-p",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,6091; reference:cve,2002-1559; reference:nessus,11729; classtype:web-application-activity; sid:1969; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS MDAC Content-Type overflow attempt"; flow:to_server,established; http_uri; content:"/msadcs.dll",nocase; pkt_data; content:"Content-Type|3A|",nocase; isdataat:50,relative; content:!"|0A|",within 50; pcre:"/^POST\s/ims"; metadata:ruleset community; service:http; reference:bugtraq,6214; reference:cve,2002-1142; reference:nessus,11161; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS98-004; reference:url,www.foundstone.com/knowledge/randd-advisories-display.html?id=337; classtype:web-application-attack; sid:1970; rev:22; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP SITE EXEC format string attempt"; flow:to_server,established; content:"SITE",nocase; content:"EXEC",distance 0,nocase; pcre:"/^SITE\s+EXEC\s[^\n]*?%[^\n]*?%/ims"; metadata:ruleset community; service:ftp; reference:bugtraq,1387; reference:bugtraq,1505; reference:cve,2000-0573; classtype:bad-unknown; sid:1971; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP PASS overflow attempt"; flow:to_server,established; content:"PASS",nocase; isdataat:100,relative; pcre:"/^PASS(?!\n)\s[^\n]{100}/ims"; metadata:policy max-detect-ips drop,ruleset community; service:ftp; reference:bugtraq,10078; reference:bugtraq,10720; reference:bugtraq,15457; reference:bugtraq,1690; reference:bugtraq,22045; reference:bugtraq,3884; reference:bugtraq,45957; reference:bugtraq,8601; reference:bugtraq,9285; reference:cve,1999-1519; reference:cve,1999-1539; reference:cve,2000-1035; reference:cve,2002-0126; reference:cve,2002-0895; reference:cve,2005-3683; reference:cve,2006-6576; classtype:attempted-admin; sid:1972; rev:32; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP MKD overflow attempt"; flow:to_server,established; content:"MKD",nocase; isdataat:150,relative; pcre:"/^MKD(?!\n)\s[^\n]{150}/ims"; metadata:policy max-detect-ips drop,ruleset community; service:ftp; reference:bugtraq,11772; reference:bugtraq,15457; reference:bugtraq,39041; reference:bugtraq,612; reference:bugtraq,7278; reference:bugtraq,9872; reference:cve,1999-0911; reference:cve,2004-1135; reference:cve,2005-3683; reference:cve,2009-3023; reference:cve,2010-0625; reference:nessus,12108; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-053; reference:url,www.kb.cert.org/vuls/id/276653; classtype:attempted-admin; sid:1973; rev:31; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP REST overflow attempt"; flow:to_server,established; content:"REST",nocase; isdataat:100,relative; pcre:"/^REST(?!\n)\s[^\n]{100}/ims"; metadata:ruleset community; service:ftp; reference:bugtraq,2972; reference:cve,2001-0826; reference:nessus,11755; classtype:attempted-admin; sid:1974; rev:15; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP DELE overflow attempt"; flow:to_server,established; content:"DELE",nocase; isdataat:100,relative; pcre:"/^DELE(?!\n)\s[^\n]{100}/im"; metadata:policy max-detect-ips drop,ruleset community; service:ftp; reference:bugtraq,15457; reference:bugtraq,2972; reference:bugtraq,46922; reference:cve,2001-0826; reference:cve,2001-1021; reference:cve,2005-3683; reference:cve,2010-4228; reference:nessus,11755; classtype:attempted-admin; sid:1975; rev:27; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP RMD overflow attempt"; flow:to_server,established; content:"RMD",nocase; isdataat:100,relative; pcre:"/^RMD(?!\n)\s[^\n]{100}/ims"; metadata:policy max-detect-ips drop,ruleset community; service:ftp; reference:bugtraq,15457; reference:bugtraq,2972; reference:bugtraq,39041; reference:cve,2000-0133; reference:cve,2001-0826; reference:cve,2001-1021; reference:cve,2005-3683; reference:cve,2010-0625; classtype:attempted-admin; sid:1976; rev:23; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP xp_regwrite attempt"; flow:to_server,established; content:"xp_regwrite",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1977; rev:8; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP xp_regdeletekey attempt"; flow:to_server,established; content:"xp_regdeletekey",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1978; rev:8; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP perl post attempt"; flow:to_server,established; content:"POST",depth 4; http_uri; content:"/perl/"; metadata:ruleset community; service:http; reference:bugtraq,5520; reference:cve,2002-1436; reference:nessus,11158; classtype:web-application-attack; sid:1979; rev:11; )
alert udp $EXTERNAL_NET any -> $HOME_NET 2140 ( msg:"MALWARE-BACKDOOR DeepThroat 3.1 Connection"; flow:to_server; content:"00",depth 2; metadata:policy max-detect-ips drop,ruleset community; reference:nessus,10053; classtype:trojan-activity; sid:1980; rev:13; )
alert udp $EXTERNAL_NET any -> $HOME_NET 3150 ( msg:"MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 3150"; flow:to_server; content:"00",depth 2; metadata:ruleset community; reference:nessus,10053; classtype:trojan-activity; sid:1981; rev:12; )
alert udp $HOME_NET 3150 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 3150"; flow:to_client; content:"Ahhhh My Mouth Is Open"; metadata:ruleset community; reference:nessus,10053; classtype:trojan-activity; sid:1982; rev:12; )
alert udp $EXTERNAL_NET any -> $HOME_NET 4120 ( msg:"MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 4120"; flow:to_server; content:"00",depth 2; metadata:ruleset community; reference:nessus,10053; classtype:trojan-activity; sid:1983; rev:11; )
alert udp $HOME_NET 4120 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 4120"; flow:to_client; content:"Ahhhh My Mouth Is Open"; metadata:ruleset community; reference:nessus,10053; classtype:trojan-activity; sid:1984; rev:12; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR Doly variant outbound connection attempt"; flow:to_client,established; content:"* Doly trojan v1.5 - Connected.",fast_pattern,nocase; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; service:http; reference:url,virustotal.com/en/file/499446edf3dfd200ebf3df2526cd4d101979e626afcd1860193f71829be23922/; classtype:trojan-activity; sid:1985; rev:9; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 ( msg:"POLICY-SOCIAL Microsoft MSN outbound file transfer request"; flow:established; content:"MSG ",depth 4; content:"Content-Type|3A| application/x-msnmsgrp2p",nocase; content:"INVITE",distance 0,nocase; metadata:ruleset community; classtype:policy-violation; sid:1986; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 7100 ( msg:"SERVER-OTHER xfs overflow attempt"; flow:to_server,established; isdataat:512; content:"B|00 02|",depth 3; metadata:ruleset community; reference:bugtraq,6241; reference:cve,2002-1317; reference:nessus,11188; classtype:misc-activity; sid:1987; rev:11; )
alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any ( msg:"POLICY-SOCIAL Microsoft MSN outbound file transfer accept"; flow:established; content:"MSG ",depth 4; content:"Content-Type|3A| application/x-msnmsgrp2p",distance 0,nocase; content:"MSNSLP/1.0 200 OK",distance 0,nocase; metadata:ruleset community; classtype:policy-violation; sid:1988; rev:11; )
alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any ( msg:"POLICY-SOCIAL Microsoft MSN outbound file transfer rejected"; flow:established; content:"MSG ",depth 4; content:"Content-Type|3A| application/x-msnmsgrp2p",distance 0,nocase; content:"MSNSLP/1.0 603 Decline",distance 0,nocase; metadata:ruleset community; classtype:policy-violation; sid:1989; rev:12; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 ( msg:"POLICY-SOCIAL Microsoft MSN user search"; flow:to_server,established; content:"CAL ",depth 4,nocase; metadata:ruleset community; classtype:policy-violation; sid:1990; rev:7; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 ( msg:"POLICY-SOCIAL Microsoft MSN login attempt"; flow:to_server,established; content:"USR ",depth 4,nocase; content:" TWN ",distance 1,nocase; metadata:ruleset community; classtype:policy-violation; sid:1991; rev:9; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP LIST directory traversal attempt"; flow:to_server,established; content:"LIST",nocase; content:"..",distance 1; content:"..",distance 1; metadata:ruleset community; service:ftp; reference:bugtraq,2618; reference:cve,2001-0680; reference:cve,2002-1054; reference:nessus,11112; classtype:protocol-command-decode; sid:1992; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP login literal buffer overflow attempt"; flow:to_server,established; pcre:"/\sLOGIN\s[^\n]*?\{\s*(-|[3-9][0-9]{2}|2[6-9][0-9]|25[7-9]|[0-9]{4})/ims"; content:"LOGIN",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:imap; reference:bugtraq,14718; reference:bugtraq,21724; reference:bugtraq,23810; reference:bugtraq,6298; reference:cve,2002-1580; reference:cve,2005-1758; reference:cve,2006-6424; reference:cve,2007-0221; reference:nessus,12532; classtype:misc-attack; sid:1993; rev:24; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP vpasswd.cgi access"; flow:to_server,established; http_uri; content:"/vpasswd.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,6038; reference:nessus,11165; classtype:web-application-activity; sid:1994; rev:11; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP alya.cgi access"; flow:to_server,established; http_uri; content:"/alya.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,11118; classtype:web-application-activity; sid:1995; rev:10; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP viralator.cgi access"; flow:to_server,established; http_uri; content:"/viralator.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3495; reference:cve,2001-0849; reference:nessus,11107; classtype:web-application-activity; sid:1996; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP read_body.php access attempt"; flow:to_server,established; http_uri; content:"/read_body.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,6302; reference:cve,2002-1341; reference:nessus,11415; classtype:web-application-activity; sid:1997; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP calendar.php access"; flow:to_server,established; http_uri; content:"/calendar.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,5820; reference:bugtraq,9353; reference:cve,2002-1660; reference:cve,2004-1785; reference:nessus,11179; classtype:web-application-activity; sid:1998; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP edit_image.php access"; flow:to_server,established; http_uri; content:"/edit_image.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3288; reference:cve,2001-1020; reference:nessus,11104; classtype:web-application-activity; sid:1999; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP readmsg.php access"; flow:to_server,established; http_uri; content:"/readmsg.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,2001-1408; reference:nessus,11073; classtype:web-application-activity; sid:2000; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP smartsearch.cgi access"; flow:to_server,established; http_uri; content:"/smartsearch.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,7133; classtype:web-application-activity; sid:2001; rev:11; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP remote include path attempt"; flow:to_server,established; http_uri; content:".php",nocase; content:"path=",fast_pattern,nocase; pcre:"/path=(https?|ftps?|php)/i"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,en.wikipedia.org/wiki/File_inclusion_vulnerability; reference:url,php.net/manual/en/function.include.php; classtype:web-application-attack; sid:2002; rev:18; )
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 ( msg:"SQL Worm propagation attempt"; flow:to_server; content:"|04|",depth 1; content:"|81 F1 03 01 04 9B 81 F1 01|",fast_pattern,nocase; content:"sock"; content:"send"; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:nessus,11214; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2003; rev:16; )
alert udp $HOME_NET any -> $EXTERNAL_NET 1434 ( msg:"SQL Worm propagation attempt OUTBOUND"; flow:to_server; content:"|04|",depth 1; content:"|81 F1 03 01 04 9B 81 F1|",fast_pattern,nocase; content:"sock"; content:"send"; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:nessus,11214; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2004; rev:15; )
alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap kcms_server request UDP"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87|}",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2005; rev:22; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap kcms_server request TCP"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87|}",within 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; service:sunrpc; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2006; rev:18; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 ( msg:"PROTOCOL-RPC kcms_server directory traversal attempt"; flow:to_server,established; content:"|00 01 87|}",depth 4,offset 16; byte_jump:4,20,relative,align; byte_jump:4,4,relative,align; content:"/../",distance 0; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; service:sunrpc; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:misc-attack; sid:2007; rev:16; )
alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE CVS invalid user authentication response"; flow:to_client,established; content:"E Fatal error, aborting.",fast_pattern,nocase; content:"|3A| no such user"; metadata:ruleset community; classtype:misc-attack; sid:2008; rev:9; )
alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE CVS invalid repository response"; flow:to_client,established; content:"error "; content:"|3A| no such repository"; content:"I HATE YOU",fast_pattern,nocase; metadata:ruleset community; classtype:misc-attack; sid:2009; rev:7; )
alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE CVS double free exploit attempt response"; flow:to_client,established; content:"free|28 29 3A| warning|3A| chunk is already free",fast_pattern,nocase; metadata:ruleset community; reference:bugtraq,6650; reference:cve,2003-0015; reference:nessus,11385; classtype:misc-attack; sid:2010; rev:12; )
alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE CVS invalid directory response"; flow:to_client,established; content:"E protocol error|3A| invalid directory syntax in",fast_pattern,nocase; metadata:ruleset community; reference:bugtraq,6650; reference:cve,2003-0015; reference:nessus,11385; classtype:misc-attack; sid:2011; rev:12; )
alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE CVS missing cvsroot response"; flow:to_client,established; content:"E protocol error|3A| Root request missing",fast_pattern,nocase; metadata:ruleset community; classtype:misc-attack; sid:2012; rev:7; )
alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE CVS invalid module response"; flow:to_client,established; content:"cvs server|3A| cannot find module",fast_pattern,nocase; content:"error"; metadata:ruleset community; classtype:misc-attack; sid:2013; rev:8; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap UNSET attempt TCP 111"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 02|",within 4,distance 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; service:sunrpc; reference:bugtraq,1892; classtype:rpc-portmap-decode; sid:2014; rev:11; )
alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap UNSET attempt UDP 111"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 02|",within 4,distance 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; reference:bugtraq,1892; reference:cve,2011-0321; classtype:rpc-portmap-decode; sid:2015; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap status request TCP"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|",within 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:2016; rev:13; )
alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap espd request UDP"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|u",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; reference:bugtraq,2714; reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:2017; rev:20; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC mountd TCP dump request"; flow:to_server,established; content:"|00 01 86 A5|",depth 4,offset 16; content:"|00 00 00 02|",within 4,distance 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; classtype:attempted-recon; sid:2018; rev:9; )
alert udp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC mountd UDP dump request"; flow:to_server; content:"|00 01 86 A5|",depth 4,offset 12; content:"|00 00 00 02|",within 4,distance 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; classtype:attempted-recon; sid:2019; rev:11; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC mountd TCP unmount request"; flow:to_server,established; content:"|00 01 86 A5|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; classtype:attempted-recon; sid:2020; rev:9; )
alert udp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC mountd UDP unmount request"; flow:to_server; content:"|00 01 86 A5|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; classtype:attempted-recon; sid:2021; rev:11; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC mountd TCP unmountall request"; flow:to_server,established; content:"|00 01 86 A5|",depth 4,offset 16; content:"|00 00 00 04|",within 4,distance 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; classtype:attempted-recon; sid:2022; rev:9; )
alert udp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC mountd UDP unmountall request"; flow:to_server; content:"|00 01 86 A5|",depth 4,offset 12; content:"|00 00 00 04|",within 4,distance 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; classtype:attempted-recon; sid:2023; rev:11; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC RQUOTA getquota overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 AB|",depth 4,offset 16; content:"|00 00 00 01|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; reference:bugtraq,864; reference:cve,1999-0974; classtype:misc-attack; sid:2024; rev:13; )
alert udp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC yppasswd username overflow attempt UDP"; flow:to_server; content:"|00 01 86 A9|",depth 4,offset 12; content:"|00 00 00 01|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; reference:nessus,10684; classtype:rpc-portmap-decode; sid:2025; rev:17; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC yppasswd username overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|",depth 4,offset 16; content:"|00 00 00 01|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; reference:nessus,10684; classtype:rpc-portmap-decode; sid:2026; rev:15; )
alert udp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC yppasswd old password overflow attempt UDP"; flow:to_server; content:"|00 01 86 A9|",depth 4,offset 12; content:"|00 00 00 01|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2027; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC yppasswd old password overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|",depth 4,offset 16; content:"|00 00 00 01|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2028; rev:11; )
alert udp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC yppasswd new password overflow attempt UDP"; flow:to_server; content:"|00 01 86 A9|",depth 4,offset 12; content:"|00 00 00 01|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2029; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC yppasswd new password overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|",depth 4,offset 16; content:"|00 00 00 01|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2030; rev:12; )
alert udp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC yppasswd user update UDP"; flow:to_server; content:"|00 01 86 A9|",depth 4,offset 12; content:"|00 00 00 01|",within 4,distance 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2031; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC yppasswd user update TCP"; flow:to_server,established; content:"|00 01 86 A9|",depth 4,offset 16; content:"|00 00 00 01|",within 4,distance 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2032; rev:11; )
alert udp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC ypserv maplist request UDP"; flow:to_server; content:"|00 01 86 A4|",depth 4,offset 12; content:"|00 00 00 0B|",within 4,distance 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2002-1232; reference:nessus,13976; classtype:rpc-portmap-decode; sid:2033; rev:16; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC ypserv maplist request TCP"; flow:to_server,established; content:"|00 01 86 A4|",depth 4,offset 16; content:"|00 00 00 0B|",within 4,distance 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:2034; rev:13; )
alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap network-status-monitor request UDP"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D|p",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:2035; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap network-status-monitor request TCP"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D|p",within 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:2036; rev:12; )
alert udp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC network-status-monitor mon-callback request UDP"; flow:to_server; content:"|00 03 0D|p",depth 4,offset 12; content:"|00 00 00 01|",within 4,distance 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; classtype:rpc-portmap-decode; sid:2037; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC network-status-monitor mon-callback request TCP"; flow:to_server,established; content:"|00 03 0D|p",depth 4,offset 16; content:"|00 00 00 01|",within 4,distance 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; classtype:rpc-portmap-decode; sid:2038; rev:10; )
alert udp $EXTERNAL_NET any -> $HOME_NET 67 ( msg:"SERVER-OTHER bootp hostname format string attempt"; flow:to_server; content:"|01|",depth 1; content:"|0C|",distance 240; content:"%",distance 0; content:"%",within 8,distance 1; content:"%",within 8,distance 1; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,4701; reference:cve,2002-0702; reference:nessus,11312; classtype:misc-attack; sid:2039; rev:12; )
alert udp $EXTERNAL_NET any -> $HOME_NET 49 ( msg:"POLICY-OTHER xtacacs login attempt"; flow:to_server; content:"|80 01|",depth 2; content:"|00|",distance 4; metadata:ruleset community; classtype:misc-activity; sid:2040; rev:9; )
alert udp $HOME_NET 49 -> $EXTERNAL_NET any ( msg:"INDICATOR-SCAN xtacacs failed login response"; flow:to_client; content:"|80 02|",depth 2; content:"|02|",distance 4; metadata:policy max-detect-ips drop,ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:misc-activity; sid:2041; rev:9; )
alert udp $HOME_NET 49 -> $EXTERNAL_NET any ( msg:"POLICY-OTHER xtacacs accepted login response"; flow:to_client; content:"|80 02|",depth 2; content:"|01|",distance 4; metadata:ruleset community; classtype:misc-activity; sid:2042; rev:9; )
alert udp $HOME_NET 500 -> $EXTERNAL_NET 500 ( msg:"INDICATOR-SCAN isakmp login failed"; content:"|10 05|",depth 2,offset 17; content:"|00 00 00 01 01 00 00 18|",within 8,distance 13; metadata:policy max-detect-ips drop,ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:misc-activity; sid:2043; rev:8; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 ( msg:"POLICY-OTHER PPTP Start Control Request attempt"; flow:to_server,established,no_stream; content:"|00 01|",depth 2,offset 2; content:"|00 01|",depth 2,offset 8; metadata:ruleset community; classtype:attempted-admin; sid:2044; rev:8; )
alert udp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC snmpXdmi overflow attempt UDP"; flow:to_server; content:"|00 01 87 99|",depth 4,offset 12; content:"|00 00 01 01|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,2417; reference:cve,2001-0236; reference:nessus,10659; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:2045; rev:21; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP partial body.peek buffer overflow attempt"; flow:to_server,established; content:"PARTIAL",nocase; content:"BODY.PEEK[",distance 0,nocase; pcre:"/\sPARTIAL.*BODY\.PEEK\[[^\]]{1024}/ims"; metadata:ruleset community; service:imap; reference:bugtraq,4713; reference:cve,2002-0379; reference:nessus,10966; classtype:misc-attack; sid:2046; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 873 ( msg:"SERVER-OTHER rsyncd module list access"; flow:to_server,established; content:"|23|list",depth 5; metadata:ruleset community; classtype:misc-activity; sid:2047; rev:5; )
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 ( msg:"SQL ping attempt"; flow:to_server; content:"|02|",depth 1; metadata:policy max-detect-ips drop,ruleset community; reference:nessus,10674; classtype:misc-activity; sid:2049; rev:9; )
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 ( msg:"SERVER-MSSQL version overflow attempt"; flow:to_server; dsize:>100; content:"|04|",depth 1; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,5310; reference:cve,2002-0649; reference:nessus,10674; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-039; classtype:attempted-admin; sid:2050; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP cached_feed.cgi moreover shopping cart access"; flow:to_server,established; http_uri; content:"/cached_feed.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1762; reference:cve,2000-0906; classtype:web-application-activity; sid:2051; rev:11; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP overflow.cgi access"; flow:to_server,established; http_uri; content:"/overflow.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,6326; reference:cve,2002-1361; reference:nessus,11190; reference:url,www.cert.org/advisories/CA-2002-35.html; classtype:web-application-activity; sid:2052; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Bugtraq process_bug.cgi access"; flow:to_server,established; http_uri; content:"/process_bug.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3272; reference:cve,2002-0008; classtype:web-application-activity; sid:2053; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Bugtraq enter_bug.cgi arbitrary command attempt"; flow:to_server,established; http_uri; content:"/enter_bug.cgi",fast_pattern,nocase; pkt_data; content:"who="; content:"|3B|",distance 0; metadata:ruleset community; service:http; reference:bugtraq,3272; reference:cve,2002-0008; classtype:web-application-attack; sid:2054; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Bugtraq enter_bug.cgi access"; flow:to_server,established; http_uri; content:"/enter_bug.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3272; reference:cve,2002-0008; classtype:web-application-activity; sid:2055; rev:15; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP TRACE attempt"; flow:to_server,established; content:"TRACE",depth 5; metadata:ruleset community; service:http; reference:bugtraq,9561; reference:cve,2003-1567; reference:cve,2004-2320; reference:cve,2010-0360; reference:nessus,11213; classtype:web-application-attack; sid:2056; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP helpout.exe access"; flow:to_server,established; http_uri; content:"/helpout.exe"; metadata:ruleset community; service:http; reference:bugtraq,6002; reference:cve,2002-1169; reference:nessus,11162; classtype:web-application-activity; sid:2057; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP MsmMask.exe attempt"; flow:to_server,established; http_uri; content:"/MsmMask.exe"; pkt_data; content:"mask="; metadata:ruleset community; service:http; reference:nessus,11163; classtype:web-application-attack; sid:2058; rev:8; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP MsmMask.exe access"; flow:to_server,established; http_uri; content:"/MsmMask.exe"; metadata:ruleset community; service:http; reference:nessus,11163; classtype:web-application-activity; sid:2059; rev:8; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP DB4Web access"; flow:to_server,established; http_uri; content:"/DB4Web/"; metadata:ruleset community; service:http; reference:nessus,11180; classtype:web-application-activity; sid:2060; rev:8; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-APACHE Apache Tomcat null byte directory listing attempt"; flow:to_server,established; http_uri; content:"|00|.jsp"; metadata:ruleset community; service:http; reference:bugtraq,2518; reference:bugtraq,6721; reference:cve,2003-0042; reference:nessus,11438; classtype:web-application-attack; sid:2061; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP iPlanet .perf access"; flow:to_server,established; http_uri; content:"/.perf"; metadata:ruleset community; service:http; reference:nessus,11220; classtype:web-application-activity; sid:2062; rev:11; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Demarc SQL injection attempt"; flow:to_server,established; http_uri; content:"/dm/demarc"; pkt_data; content:"s_key="; content:"'",distance 0; content:"'",distance 1; content:"'",distance 0; metadata:ruleset community; service:http; reference:bugtraq,4520; reference:cve,2002-0539; classtype:web-application-activity; sid:2063; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Lotus Notes .csp script source download attempt"; flow:to_server,established; http_uri; content:".csp."; metadata:ruleset community; service:http; classtype:web-application-attack; sid:2065; rev:7; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Lotus Notes .pl script source download attempt"; flow:to_server,established; http_uri; content:".pl"; pkt_data; content:".pl"; content:".",within 1; metadata:ruleset community; service:http; reference:bugtraq,6841; reference:cve,2003-1408; classtype:web-application-attack; sid:2066; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Lotus Notes .exe script source download attempt"; flow:to_server,established; http_uri; content:".exe"; pkt_data; content:".exe"; content:".",within 1; metadata:ruleset community; service:http; reference:bugtraq,6841; reference:cve,2003-1408; classtype:web-application-attack; sid:2067; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP BitKeeper arbitrary command attempt"; flow:to_server,established; http_uri; content:"/diffs/"; pkt_data; content:"'"; content:"|3B|",distance 0; content:"'",distance 1; metadata:ruleset community; service:http; reference:bugtraq,6588; classtype:web-application-attack; sid:2068; rev:9; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP chip.ini access"; flow:to_server,established; http_uri; content:"/chip.ini"; metadata:ruleset community; service:http; reference:bugtraq,2755; reference:bugtraq,2775; reference:cve,2001-0749; reference:cve,2001-0771; classtype:web-application-activity; sid:2069; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP post32.exe arbitrary command attempt"; flow:to_server,established; http_uri; content:"/post32.exe|7C|"; metadata:ruleset community; service:http; reference:bugtraq,1485; classtype:web-application-attack; sid:2070; rev:9; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP post32.exe access"; flow:to_server,established; http_uri; content:"/post32.exe"; metadata:ruleset community; service:http; reference:bugtraq,1485; classtype:web-application-activity; sid:2071; rev:8; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP lyris.pl access"; flow:to_server,established; http_uri; content:"/lyris.pl"; metadata:ruleset community; service:http; reference:bugtraq,1584; reference:cve,2000-0758; classtype:web-application-activity; sid:2072; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP globals.pl access"; flow:to_server,established; http_uri; content:"/globals.pl"; metadata:ruleset community; service:http; reference:bugtraq,2671; reference:cve,2001-0330; classtype:web-application-activity; sid:2073; rev:10; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Mambo uploadimage.php upload php file attempt"; flow:to_server,established; http_uri; content:"/uploadimage.php"; pkt_data; content:"userfile_name="; content:".php",distance 1; metadata:ruleset community; service:http; reference:bugtraq,6572; reference:cve,2003-1204; reference:nessus,16315; classtype:web-application-attack; sid:2074; rev:10; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Mambo upload.php upload php file attempt"; flow:to_server,established; http_uri; content:"/upload.php"; pkt_data; content:"userfile_name="; content:".php",distance 1; metadata:ruleset community; service:http; reference:bugtraq,6572; reference:cve,2003-1204; reference:nessus,16315; classtype:web-application-attack; sid:2075; rev:10; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Mambo uploadimage.php access"; flow:to_server,established; http_uri; content:"/uploadimage.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,6572; reference:cve,2003-1204; reference:nessus,16315; classtype:web-application-activity; sid:2076; rev:11; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Mambo upload.php access"; flow:to_server,established; http_uri; content:"/upload.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,6572; reference:cve,2003-1204; reference:nessus,16315; classtype:web-application-activity; sid:2077; rev:11; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP phpBB privmsg.php access"; flow:to_server,established; http_uri; content:"/privmsg.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,6634; reference:cve,2003-1530; classtype:web-application-activity; sid:2078; rev:11; )
alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap nlockmgr request UDP"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; reference:bugtraq,1372; reference:cve,2000-0508; reference:nessus,10220; classtype:rpc-portmap-decode; sid:2079; rev:15; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap nlockmgr request TCP"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|",within 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; service:sunrpc; reference:bugtraq,1372; reference:cve,2000-0508; reference:nessus,10220; classtype:rpc-portmap-decode; sid:2080; rev:13; )
alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap rpc.xfsmd request UDP"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|h",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2081; rev:17; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap rpc.xfsmd request TCP"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|h",within 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; service:sunrpc; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2082; rev:15; )
alert udp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC rpc.xfsmd xfs_export attempt UDP"; flow:to_server; content:"|00 05 F7|h",depth 4,offset 12; content:"|00 00 00 0D|",within 4,distance 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2083; rev:15; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC rpc.xfsmd xfs_export attempt TCP"; flow:to_server,established; content:"|00 05 F7|h",depth 4,offset 16; content:"|00 00 00 0D|",within 4,distance 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2084; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP parse_xml.cgi access"; flow:to_server,established; http_uri; content:"/parse_xml.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,6954; reference:bugtraq,6955; reference:bugtraq,6956; reference:bugtraq,6958; reference:cve,2003-0050; reference:cve,2003-0051; reference:cve,2003-0052; reference:cve,2003-0053; reference:cve,2003-0423; classtype:web-application-activity; sid:2085; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP streaming server parse_xml.cgi access"; flow:to_server,established; content:"/parse_xml.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,6954; reference:bugtraq,6955; reference:bugtraq,6956; reference:bugtraq,6958; reference:cve,2003-0050; reference:cve,2003-0051; reference:cve,2003-0052; reference:cve,2003-0053; reference:cve,2003-0423; classtype:web-application-activity; sid:2086; rev:14; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL From comment overflow attempt"; flow:to_server,established; content:"From|3A|",nocase; content:"<><><><><><><><><><><><><><><><><><><><><><>",distance 0; content:"|28|",distance 1; content:"|29|",distance 1; metadata:ruleset community; service:smtp; reference:bugtraq,6991; reference:cve,2002-1337; reference:url,www.kb.cert.org/vuls/id/398025; classtype:attempted-admin; sid:2087; rev:14; )
alert udp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC ypupdated arbitrary command attempt UDP"; content:"|00 01 86 BC|",depth 4,offset 12; content:"|00 00 00 01|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|7C|",distance 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:bugtraq,1749; reference:bugtraq,28383; reference:cve,1999-0208; classtype:misc-attack; sid:2088; rev:17; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC ypupdated arbitrary command attempt TCP"; flow:to_server,established; content:"|00 01 86 BC|",depth 4,offset 16; content:"|00 00 00 01|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|7C|",distance 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:bugtraq,1749; reference:cve,1999-0208; classtype:misc-attack; sid:2089; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS WEBDAV exploit attempt"; flow:to_server,established; http_header; content:"HTTP/1.1|0A|Content-type|3A| text/xml|0A|HOST|3A|"; content:"Accept|3A| */*|0A|Translate|3A| f|0A|Content-length|3A|5276|0A 0A|"; metadata:ruleset community; service:http; reference:bugtraq,7116; reference:bugtraq,7716; reference:cve,2003-0109; reference:nessus,11413; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-007; classtype:attempted-admin; sid:2090; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS WEBDAV nessus safe scan attempt"; flow:to_server,established; content:"SEARCH / HTTP/1.1|0D 0A|Host|3A|"; content:"|0D 0A 0D 0A|",within 255; metadata:ruleset community; service:http; reference:bugtraq,7116; reference:cve,2003-0109; reference:nessus,11412; reference:nessus,11413; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-007; classtype:attempted-admin; sid:2091; rev:16; )
alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap proxy integer overflow attempt UDP"; flow:to_server; content:"|00 01 86 A0 00|",depth 5,offset 12; content:"|00 00 00 05|",within 4,distance 3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; reference:bugtraq,36564; reference:bugtraq,7123; reference:cve,2003-0028; reference:nessus,11420; classtype:rpc-portmap-decode; sid:2092; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap proxy integer overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A0 00|",depth 5,offset 16; content:"|00 00 00 05|",within 4,distance 3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; content:"|00 00 00 00|",depth 4,offset 8; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; reference:bugtraq,7123; reference:cve,2003-0028; reference:nessus,11420; classtype:rpc-portmap-decode; sid:2093; rev:13; )
alert udp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC CMSD UDP CMSD_CREATE array buffer overflow attempt"; flow:to_server; content:"|00 01 86 E4|",depth 4,offset 12; content:"|00 00 00 15|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|",depth 4,offset 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; reference:bugtraq,36615; reference:bugtraq,5356; reference:cve,2002-0391; reference:cve,2009-3699; reference:nessus,11418; classtype:attempted-admin; sid:2094; rev:18; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC CMSD TCP CMSD_CREATE array buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|",depth 4,offset 16; content:"|00 00 00 15|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; reference:bugtraq,5356; reference:cve,2002-0391; reference:nessus,11418; classtype:attempted-admin; sid:2095; rev:14; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR SubSeven 2.1 Gold server connection response"; flow:to_client,established; content:"connected. time/date|3A| ",depth 22; content:"version|3A| GOLD 2.1",distance 1; metadata:ruleset community; reference:nessus,10409; classtype:trojan-activity; sid:2100; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"OS-WINDOWS Microsoft Windows SMB Trans Max Param/Count OS-WINDOWS attempt"; flow:to_server,established; content:"|00|",depth 1; content:"|FF|SMB%",within 5,distance 3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/Rs"; content:"|00 00 00 00|",within 4,distance 5; metadata:ruleset community; reference:bugtraq,5556; reference:cve,2002-0724; reference:nessus,11110; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-045; reference:url,www.corest.com/common/showdoc.php?idx=262; classtype:protocol-command-decode; sid:2101; rev:23; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"NETBIOS SMB Trans2 OPEN2 unicode maximum param count overflow attempt"; flow:to_server,established; content:"|00|",depth 1; content:"|FF|SMB2",within 5,distance 3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/Rs"; content:"|00 00|",within 2,distance 29; byte_test:2,>,1024,-12,relative,little; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:cve,2003-0201; classtype:protocol-command-decode; sid:2103; rev:17; )
alert tcp $HOME_NET 512 -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE rexec username too long response"; flow:to_client,established; content:"username too long",depth 17; metadata:ruleset community; reference:bugtraq,7459; reference:cve,2003-1097; classtype:unsuccessful-user; sid:2104; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP authenticate literal overflow attempt"; flow:to_server,established; content:"AUTHENTICATE",fast_pattern,nocase; pcre:"/\sAUTHENTICATE\s[^\n]*?\{/ims"; byte_test:5,>,256,0,relative,string,dec; metadata:policy max-detect-ips drop,ruleset community; service:imap; reference:bugtraq,21724; reference:cve,1999-0042; reference:cve,2006-6424; reference:nessus,10292; classtype:misc-attack; sid:2105; rev:16; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP lsub overflow attempt"; flow:to_server,established; content:"LSUB"; isdataat:100,relative; pcre:"/\sLSUB\s[^\n]{100}/ims"; metadata:policy max-detect-ips drop,ruleset community; service:imap; reference:bugtraq,1110; reference:bugtraq,15006; reference:cve,2000-0284; reference:cve,2005-3155; reference:nessus,10374; classtype:misc-attack; sid:2106; rev:17; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP create buffer overflow attempt"; flow:to_server,established; content:"CREATE"; isdataat:1024,relative; pcre:"/\sCREATE\s[^\n]{1024}/ims"; metadata:ruleset community; service:imap; reference:bugtraq,7446; reference:cve,2003-1470; classtype:misc-attack; sid:2107; rev:11; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( msg:"PROTOCOL-POP CAPA overflow attempt"; flow:to_server,established; content:"CAPA",nocase; isdataat:10,relative; pcre:"/^CAPA\s[^\n]{10}/ims"; metadata:ruleset community; service:pop3; classtype:attempted-admin; sid:2108; rev:9; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( msg:"PROTOCOL-POP TOP overflow attempt"; flow:to_server,established; content:"TOP",nocase; isdataat:50,relative; pcre:"/^TOP\s[^\n]{50}/ims"; metadata:ruleset community; service:pop3; classtype:attempted-admin; sid:2109; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( msg:"PROTOCOL-POP STAT overflow attempt"; flow:to_server,established; content:"STAT",nocase; isdataat:10,relative; pcre:"/^STAT\s[^\n]{10}/ims"; metadata:ruleset community; service:pop3; classtype:attempted-admin; sid:2110; rev:9; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( msg:"PROTOCOL-POP DELE overflow attempt"; flow:to_server,established; content:"DELE",nocase; isdataat:10,relative; pcre:"/^DELE\s[^\n]{10}/ims"; metadata:ruleset community; service:pop3; classtype:attempted-admin; sid:2111; rev:9; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( msg:"PROTOCOL-POP RSET overflow attempt"; flow:to_server,established; content:"RSET",nocase; isdataat:10,relative; pcre:"/^RSET\s[^\n]{10}/ims"; metadata:ruleset community; service:pop3; classtype:attempted-admin; sid:2112; rev:9; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 512 ( msg:"PROTOCOL-SERVICES rexec username overflow attempt"; flow:to_server,established; content:"|00|",offset 9; content:"|00|",distance 0; content:"|00|",distance 0; metadata:ruleset community; classtype:attempted-admin; sid:2113; rev:6; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 512 ( msg:"PROTOCOL-SERVICES rexec password overflow attempt"; flow:to_server,established; content:"|00|"; content:"|00|",distance 33; content:"|00|",distance 0; metadata:ruleset community; classtype:attempted-admin; sid:2114; rev:6; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP album.pl access"; flow:to_server,established; content:"/album.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,7444; reference:cve,2003-1456; reference:nessus,11581; classtype:web-application-activity; sid:2115; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP chipcfg.cgi access"; flow:to_server,established; http_uri; content:"/chipcfg.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2767; reference:cve,2001-1341; reference:url,archives.neohapsis.com/archives/bugtraq/2001-05/0233.html; classtype:web-application-activity; sid:2116; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS Battleaxe Forum login.asp access"; flow:to_server,established; http_uri; content:"myaccount/login.asp",nocase; metadata:ruleset community; service:http; reference:bugtraq,7416; reference:cve,2003-0215; reference:nessus,11548; classtype:web-application-activity; sid:2117; rev:18; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP list overflow attempt"; flow:to_server,established; content:"LIST",nocase; isdataat:100,relative; pcre:"/\sLIST\s[^\n]{100}/ims"; metadata:policy max-detect-ips drop,ruleset community; service:imap; reference:bugtraq,1110; reference:bugtraq,15006; reference:cve,2000-0284; reference:cve,2005-3155; reference:nessus,10374; classtype:misc-attack; sid:2118; rev:19; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP rename literal overflow attempt"; flow:to_server,established; content:"RENAME",fast_pattern,nocase; pcre:"/\sRENAME\s[^\n]*?\s\{/ims"; byte_test:5,>,256,0,relative,string,dec; metadata:ruleset community; service:imap; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2119; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP create literal buffer overflow attempt"; flow:to_server,established; content:"CREATE",fast_pattern,nocase; pcre:"/\sCREATE\s*\{/ims"; byte_test:5,>,256,0,relative,string,dec; metadata:ruleset community; service:imap; reference:bugtraq,7446; reference:cve,2003-1470; classtype:misc-attack; sid:2120; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( msg:"PROTOCOL-POP DELE negative argument attempt"; flow:to_server,established; content:"DELE",fast_pattern,nocase; pcre:"/^DELE\s+-\d/ims"; metadata:ruleset community; service:pop3; reference:bugtraq,6053; reference:bugtraq,7445; reference:cve,2002-1539; reference:nessus,11570; classtype:misc-attack; sid:2121; rev:17; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( msg:"PROTOCOL-POP UIDL negative argument attempt"; flow:to_server,established; content:"UIDL",fast_pattern,nocase; pcre:"/^UIDL\s+-\d/ims"; metadata:ruleset community; service:pop3; reference:bugtraq,6053; reference:cve,2002-1539; reference:nessus,11570; classtype:misc-attack; sid:2122; rev:17; )
alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE Microsoft cmd.exe banner"; flow:established; content:"Microsoft Windows",depth 18; content:"|28|C|29| Copyright 1985-",distance 0; content:"Microsoft Corp.",distance 0; metadata:policy max-detect-ips drop,ruleset community; reference:nessus,11633; classtype:successful-admin; sid:2123; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 34012 ( msg:"MALWARE-BACKDOOR Remote PC Access connection"; flow:to_server,established; content:"|28 00 01 00 04 00 00 00 00 00 00 00|",depth 12; metadata:ruleset community; reference:nessus,11673; classtype:trojan-activity; sid:2124; rev:8; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP CWD Root directory traversal attempt"; flow:to_server,established; content:"CWD",nocase; content:"C|3A 5C|",distance 1; metadata:ruleset community; service:ftp; reference:bugtraq,7674; reference:cve,2003-0392; reference:nessus,11677; classtype:protocol-command-decode; sid:2125; rev:15; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 ( msg:"OS-WINDOWS Microsoft Windows PPTP Start Control Request buffer overflow attempt"; flow:to_server,established,no_stream; isdataat:156; content:"|00 01|",depth 2,offset 2; content:"|00 01|",depth 2,offset 8; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,5807; reference:cve,2002-1214; reference:nessus,11178; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-063; classtype:attempted-admin; sid:2126; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ikonboard.cgi access"; flow:to_server,established; http_uri; content:"/ikonboard.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,7361; reference:nessus,11605; classtype:web-application-activity; sid:2127; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP swsrv.cgi access"; flow:to_server,established; http_uri; content:"/swsrv.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,7510; reference:cve,2003-0217; reference:nessus,11608; classtype:web-application-activity; sid:2128; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS nsiislog.dll access"; flow:to_server,established; http_uri; content:"/nsiislog.dll",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,8035; reference:cve,2003-0227; reference:cve,2003-0349; reference:nessus,11664; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-018; classtype:web-application-activity; sid:2129; rev:26; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS IISProtect siteadmin.asp access"; flow:to_server,established; http_uri; content:"/iisprotect/admin/SiteAdmin.asp",nocase; metadata:ruleset community; service:http; reference:bugtraq,7675; reference:cve,2003-0377; reference:nessus,11662; classtype:web-application-activity; sid:2130; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS IISProtect access"; flow:to_server,established; http_uri; content:"/iisprotect/admin/",nocase; metadata:ruleset community; service:http; reference:nessus,11661; classtype:web-application-activity; sid:2131; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS Synchrologic Email Accelerator userid list access attempt"; flow:to_server,established; http_uri; content:"/en/admin/aggregate.asp",nocase; metadata:ruleset community; service:http; reference:nessus,11657; classtype:web-application-activity; sid:2132; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS MS BizTalk server access"; flow:to_server,established; http_uri; content:"/biztalkhttpreceive.dll",nocase; metadata:ruleset community; service:http; reference:bugtraq,7469; reference:bugtraq,7470; reference:cve,2003-0117; reference:cve,2003-0118; reference:nessus,11638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-016; classtype:web-application-activity; sid:2133; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS register.asp access"; flow:to_server,established; http_uri; content:"/register.asp",nocase; metadata:ruleset community; service:http; reference:nessus,11621; classtype:web-application-activity; sid:2134; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP philboard.mdb access"; flow:to_server,established; http_uri; content:"/philboard.mdb"; metadata:ruleset community; service:http; reference:nessus,11682; classtype:web-application-activity; sid:2135; rev:8; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP philboard_admin.asp authentication bypass attempt"; flow:to_server,established; http_uri; content:"/philboard_admin.asp"; pkt_data; content:"Cookie",nocase; content:"philboard_admin=True",distance 0; metadata:ruleset community; service:http; reference:bugtraq,7739; reference:nessus,11675; classtype:web-application-attack; sid:2136; rev:9; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP philboard_admin.asp access"; flow:to_server,established; http_uri; content:"/philboard_admin.asp"; metadata:ruleset community; service:http; reference:bugtraq,7739; reference:nessus,11675; classtype:web-application-activity; sid:2137; rev:9; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP logicworks.ini access"; flow:to_server,established; http_uri; content:"/logicworks.ini"; metadata:ruleset community; service:http; reference:bugtraq,6996; reference:cve,2003-1383; reference:nessus,11639; classtype:web-application-activity; sid:2138; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP /*.shtml access"; flow:to_server,established; http_uri; content:"/*.shtml"; metadata:ruleset community; service:http; reference:bugtraq,1517; reference:cve,2000-0683; reference:nessus,11604; classtype:web-application-activity; sid:2139; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP p-news.php access"; flow:to_server,established; http_uri; content:"/p-news.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,11669; classtype:web-application-activity; sid:2140; rev:9; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP shoutbox.php directory traversal attempt"; flow:to_server,established; http_uri; content:"/shoutbox.php"; pkt_data; content:"conf="; content:"../",distance 0; metadata:ruleset community; service:http; reference:nessus,11668; classtype:web-application-attack; sid:2141; rev:8; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP shoutbox.php access"; flow:to_server,established; http_uri; content:"/shoutbox.php",fast_pattern,nocase; content:"conf=",nocase; metadata:ruleset community; service:http; reference:nessus,11668; classtype:web-application-activity; sid:2142; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP b2 cafelog gm-2-b2.php remote file include attempt"; flow:to_server,established; http_uri; content:"/gm-2-b2.php",fast_pattern,nocase; pkt_data; content:"b2inc="; pcre:"/b2inc=(https?|ftps?|php)/i"; metadata:ruleset community; service:http; reference:nessus,11667; classtype:web-application-attack; sid:2143; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP b2 cafelog gm-2-b2.php access"; flow:to_server,established; http_uri; content:"/gm-2-b2.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,11667; classtype:web-application-activity; sid:2144; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP TextPortal admin.php default password admin attempt"; flow:to_server,established; http_uri; content:"/admin.php"; pkt_data; content:"op=admin_enter"; content:"password=admin",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,7673; reference:nessus,11660; reference:url,attack.mitre.org/techniques/T1078; classtype:web-application-activity; sid:2145; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP TextPortal admin.php default password 12345 attempt"; flow:to_server,established; http_uri; content:"/admin.php"; pkt_data; content:"op=admin_enter"; content:"password=12345",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,7673; reference:nessus,11660; reference:url,attack.mitre.org/techniques/T1078; classtype:web-application-activity; sid:2146; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP BLNews objects.inc.php4 remote file include attempt"; flow:to_server,established; http_uri; content:"/objects.inc.php4"; pkt_data; content:"Server[path]="; pcre:"/Server\x5bpath\x5d=(https?|ftps?|php)/"; metadata:ruleset community; service:http; reference:bugtraq,7677; reference:cve,2003-0394; reference:nessus,11647; classtype:web-application-attack; sid:2147; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP BLNews objects.inc.php4 access"; flow:to_server,established; http_uri; content:"/objects.inc.php4"; metadata:ruleset community; service:http; reference:bugtraq,7677; reference:cve,2003-0394; reference:nessus,11647; classtype:web-application-activity; sid:2148; rev:11; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Turba status.php access"; flow:to_server,established; http_uri; content:"/turba/status.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,11646; classtype:web-application-activity; sid:2149; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ttCMS header.php remote file include attempt"; flow:to_server,established; http_uri; content:"/admin/templates/header.php",fast_pattern,nocase; content:"admin_root=",nocase; pcre:"/admin_root=(https?|ftps?|php)/i"; metadata:ruleset community; service:http; reference:bugtraq,7542; reference:bugtraq,7543; reference:bugtraq,7625; reference:cve,2003-1458; reference:cve,2003-1459; reference:nessus,11636; classtype:web-application-attack; sid:2150; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ttCMS header.php access"; flow:to_server,established; http_uri; content:"/admin/templates/header.php"; metadata:ruleset community; service:http; reference:bugtraq,7542; reference:bugtraq,7543; reference:bugtraq,7625; reference:cve,2003-1458; reference:cve,2003-1459; reference:nessus,11636; classtype:web-application-activity; sid:2151; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP test.php access"; flow:to_server,established; http_uri; content:"/test.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,11617; classtype:web-application-activity; sid:2152; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP autohtml.php directory traversal attempt"; flow:to_server,established; http_uri; content:"/autohtml.php",fast_pattern,nocase; pkt_data; content:"name="; content:"../../",distance 0; metadata:ruleset community; service:http; reference:nessus,11630; classtype:web-application-attack; sid:2153; rev:11; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP autohtml.php access"; flow:to_server,established; http_uri; content:"/autohtml.php"; metadata:ruleset community; service:http; reference:nessus,11630; classtype:web-application-activity; sid:2154; rev:8; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ttforum remote file include attempt"; flow:to_server,established; http_uri; content:"forum/index.php"; content:"template="; pcre:"/template=(https?|ftps?|php)/i"; metadata:ruleset community; service:http; reference:bugtraq,7542; reference:bugtraq,7543; reference:cve,2003-1458; reference:cve,2003-1459; reference:nessus,11615; classtype:web-application-attack; sid:2155; rev:15; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP mod_gzip_status access"; flow:to_server,established; http_uri; content:"/mod_gzip_status"; metadata:ruleset community; service:http; reference:nessus,11685; classtype:web-application-activity; sid:2156; rev:8; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS IISProtect globaladmin.asp access"; flow:to_server,established; http_uri; content:"/iisprotect/admin/GlobalAdmin.asp",nocase; metadata:ruleset community; service:http; reference:nessus,11661; classtype:web-application-activity; sid:2157; rev:14; )
alert tcp any any <> any 179 ( msg:"SERVER-OTHER BGP invalid length"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; byte_test:2,<,19,0,relative; metadata:ruleset community; reference:bugtraq,6213; reference:cve,2002-1350; reference:nessus,14011; reference:nessus,15043; reference:url,sf.net/tracker/index.php?func=detail&aid=744523&group_id=53066&atid=469575; classtype:bad-unknown; sid:2158; rev:12; )
alert tcp $EXTERNAL_NET any <> $HOME_NET 179 ( msg:"SERVER-OTHER BGP invalid type 0"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|",depth 16; content:"|00|",within 1,distance 2; metadata:ruleset community; reference:bugtraq,6213; reference:cve,2002-1350; reference:nessus,14011; reference:nessus,15043; classtype:bad-unknown; sid:2159; rev:15; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"OS-WINDOWS Microsoft Windows SMB startup folder access"; flow:to_server,established; content:"|00|",depth 1; content:"|FF|SMB2",depth 5,offset 4; content:"Documents and Settings|5C|All Users|5C|Start Menu|5C|Programs|5C|Startup|00|",distance 0,nocase; metadata:ruleset community; service:netbios-ssn; reference:url,attack.mitre.org/techniques/T1060; classtype:attempted-recon; sid:2176; rev:11; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"OS-WINDOWS Microsoft Windows SMB startup folder unicode access"; flow:to_server,established; content:"|00|",depth 1; content:"|FF|SMB2",depth 5,offset 4; content:"|5C 00|S|00|t|00|a|00|r|00|t|00| |00|M|00|e|00|n|00|u|00 5C 00|P|00|r|00|o|00|g|00|r|00|a|00|m|00|s|00 5C 00|S|00|t|00|a|00|r|00|t|00|u|00|p",distance 0,nocase; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1060; classtype:attempted-recon; sid:2177; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP USER format string attempt"; flow:to_server,established; content:"USER",fast_pattern,nocase; pcre:"/^USER\s[^\n]*?%[^\n]*?%/ims"; metadata:ruleset community; service:ftp; reference:bugtraq,7474; reference:bugtraq,7776; reference:bugtraq,9262; reference:bugtraq,9402; reference:bugtraq,9600; reference:bugtraq,9800; reference:cve,2004-0277; reference:nessus,10041; reference:nessus,11687; classtype:misc-attack; sid:2178; rev:23; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP PASS format string attempt"; flow:to_server,established; content:"PASS",fast_pattern,nocase; pcre:"/^PASS\s[^\n]*?%[^\n]*?%/ims"; metadata:ruleset community; service:ftp; reference:bugtraq,7474; reference:bugtraq,9262; reference:bugtraq,9800; reference:cve,2000-0699; reference:cve,2007-1195; reference:nessus,10490; classtype:misc-attack; sid:2179; rev:16; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"PUA-P2P BitTorrent announce request"; flow:to_server,established; content:"/announce"; content:"info_hash="; content:"peer_id="; content:"event="; metadata:ruleset community; service:http; classtype:policy-violation; sid:2180; rev:10; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"PUA-P2P BitTorrent transfer"; flow:to_server,established; content:"|13|BitTorrent protocol",depth 20; metadata:ruleset community; classtype:policy-violation; sid:2181; rev:8; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Sendmail Content-Transfer-Encoding overflow attempt"; flow:to_server,established; content:"Content-Transfer-Encoding",nocase; content:"|3A|",distance 0; isdataat:100,relative; content:!"|0A|",within 100; pcre:"/^\s*Content-Transfer-Encoding\s*\x3A[^\n]{100}/im"; metadata:ruleset community; service:smtp; reference:cve,2003-0161; reference:url,www.cert.org/advisories/CA-2003-12.html; classtype:attempted-admin; sid:2183; rev:16; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC mountd TCP mount path overflow attempt"; flow:to_server,established; content:"|00 01 86 A5 00|",depth 5,offset 16; content:"|00 00 00 01|",within 4,distance 3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1023,0,relative; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; reference:bugtraq,8179; reference:cve,2003-0252; reference:nessus,11800; classtype:misc-attack; sid:2184; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 ( msg:"NETBIOS DCERPC invalid bind attempt"; flow:to_server,established; content:"|05|",depth 1; content:"|0B|",within 1,distance 1; byte_test:1,&,1,0,relative; content:"|00|",within 1,distance 21; metadata:ruleset community; classtype:attempted-dos; sid:2190; rev:6; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"NETBIOS SMB DCERPC invalid bind attempt"; flow:to_server,established; content:"|FF|SMB%",depth 5,offset 4,nocase; content:"&|00|",within 2,distance 56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|",within 12,distance 5,nocase; content:"|05|",within 1,distance 2; content:"|0B|",within 1,distance 1; byte_test:1,&,1,0,relative; content:"|00|",within 1,distance 21; metadata:ruleset community; service:netbios-ssn; classtype:attempted-dos; sid:2191; rev:6; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP CSMailto.cgi access"; flow:to_server,established; http_uri; content:"/CSMailto.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,4579; reference:bugtraq,6265; reference:cve,2002-0749; reference:nessus,11748; classtype:web-application-activity; sid:2194; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP alert.cgi access"; flow:to_server,established; http_uri; content:"/alert.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,4211; reference:bugtraq,4579; reference:cve,2002-0346; reference:nessus,11748; classtype:web-application-activity; sid:2195; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP catgy.cgi access"; flow:to_server,established; http_uri; content:"/catgy.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3714; reference:bugtraq,4579; reference:cve,2001-1212; reference:nessus,11748; classtype:web-application-activity; sid:2196; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP cvsview2.cgi access"; flow:to_server,established; http_uri; content:"/cvsview2.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,4579; reference:bugtraq,5517; reference:cve,2003-0153; reference:nessus,11748; classtype:web-application-activity; sid:2197; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP cvslog.cgi access"; flow:to_server,established; http_uri; content:"/cvslog.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,4579; reference:bugtraq,5517; reference:cve,2003-0153; reference:nessus,11748; classtype:web-application-activity; sid:2198; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP multidiff.cgi access"; flow:to_server,established; http_uri; content:"/multidiff.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,4579; reference:bugtraq,5517; reference:cve,2003-0153; reference:nessus,11748; classtype:web-application-activity; sid:2199; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP dnewsweb.cgi access"; flow:to_server,established; http_uri; content:"/dnewsweb.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1172; reference:bugtraq,4579; reference:cve,2000-0423; reference:nessus,11748; classtype:web-application-activity; sid:2200; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Matt Wright download.cgi access"; flow:to_server,established; http_uri; content:"/download.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,4579; reference:cve,1999-1377; reference:nessus,11748; classtype:web-application-activity; sid:2201; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Webmin Directory edit_action.cgi access"; flow:to_server,established; http_uri; content:"/edit_action.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3698; reference:bugtraq,4579; reference:cve,2001-1196; reference:nessus,11748; classtype:web-application-activity; sid:2202; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Leif M. Wright everythingform.cgi access"; flow:to_server,established; http_uri; content:"/everythingform.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2101; reference:bugtraq,4579; reference:cve,2001-0023; reference:nessus,11748; classtype:web-application-activity; sid:2203; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP EasyBoard 2000 ezadmin.cgi access"; flow:to_server,established; http_uri; content:"/ezadmin.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,4068; reference:bugtraq,4579; reference:cve,2002-0263; reference:nessus,11748; classtype:web-application-activity; sid:2204; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP EasyBoard 2000 ezboard.cgi access"; flow:to_server,established; http_uri; content:"/ezboard.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,4068; reference:bugtraq,4579; reference:cve,2002-0263; reference:nessus,11748; classtype:web-application-activity; sid:2205; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP EasyBoard 2000 ezman.cgi access"; flow:to_server,established; http_uri; content:"/ezman.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,4068; reference:bugtraq,4579; reference:cve,2002-0263; reference:nessus,11748; classtype:web-application-activity; sid:2206; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP FileSeek fileseek.cgi access"; flow:to_server,established; http_uri; content:"/fileseek.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,4579; reference:bugtraq,6784; reference:cve,2002-0611; reference:nessus,11748; classtype:web-application-activity; sid:2207; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Faq-O-Matic fom.cgi access"; flow:to_server,established; http_uri; content:"/fom.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,4579; reference:cve,2002-0230; reference:nessus,11748; classtype:web-application-activity; sid:2208; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Infonautics getdoc.cgi access"; flow:to_server,established; http_uri; content:"/getdoc.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,4579; reference:cve,2000-0288; reference:nessus,11748; classtype:web-application-activity; sid:2209; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Multiple Vendors global.cgi access"; flow:to_server,established; http_uri; content:"/global.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,4579; reference:cve,2000-0952; reference:nessus,11748; classtype:web-application-activity; sid:2210; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Lars Ellingsen guestserver.cgi access"; flow:to_server,established; http_uri; content:"/guestserver.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,4579; reference:cve,2001-0180; reference:nessus,11748; classtype:web-application-activity; sid:2211; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP cgiCentral WebStore imageFolio.cgi access"; flow:to_server,established; http_uri; content:"/imageFolio.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,4579; reference:bugtraq,6265; reference:cve,2002-1334; reference:nessus,11748; classtype:web-application-activity; sid:2212; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Oatmeal Studios Mail File mailfile.cgi access"; flow:to_server,established; http_uri; content:"/mailfile.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1807; reference:bugtraq,4579; reference:cve,2000-0977; reference:nessus,11748; classtype:web-application-activity; sid:2213; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP 3R Soft MailStudio 2000 mailview.cgi access"; flow:to_server,established; http_uri; content:"/mailview.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1335; reference:bugtraq,4579; reference:cve,2000-0526; reference:nessus,11748; classtype:web-application-activity; sid:2214; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Alabanza Control Panel nsManager.cgi access"; flow:to_server,established; http_uri; content:"/nsManager.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1710; reference:bugtraq,4579; reference:cve,2000-1023; reference:nessus,11748; classtype:web-application-activity; sid:2215; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Ipswitch IMail readmail.cgi access"; flow:to_server,established; http_uri; content:"/readmail.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3427; reference:bugtraq,4579; reference:cve,2001-1283; reference:nessus,11748; classtype:web-application-activity; sid:2216; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Ipswitch IMail printmail.cgi access"; flow:to_server,established; http_uri; content:"/printmail.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3427; reference:bugtraq,4579; reference:cve,2001-1283; reference:nessus,11748; classtype:web-application-activity; sid:2217; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle Cobalt RaQ service.cgi access"; flow:to_server,established; http_uri; content:"/service.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,4211; reference:bugtraq,4579; reference:cve,2002-0346; reference:nessus,11748; classtype:web-application-activity; sid:2218; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Trend Micro Interscan VirusWall setpasswd.cgi access"; flow:to_server,established; http_uri; content:"/setpasswd.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2212; reference:bugtraq,4579; reference:cve,2001-0133; reference:nessus,11748; classtype:web-application-activity; sid:2219; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Leif M. Wright simplestmail.cgi access"; flow:to_server,established; http_uri; content:"/simplestmail.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2106; reference:bugtraq,4579; reference:cve,2001-0022; reference:nessus,11748; classtype:web-application-activity; sid:2220; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP cgiCentral WebStore ws_mail.cgi access"; flow:to_server,established; http_uri; content:"/ws_mail.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2861; reference:bugtraq,4579; reference:cve,2001-1343; reference:nessus,11748; classtype:web-application-activity; sid:2221; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Infinity CGI exploit scanner nph-exploitscanget.cgi access"; flow:to_server,established; http_uri; content:"/nph-exploitscanget.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,7910; reference:bugtraq,7911; reference:bugtraq,7913; reference:cve,2003-0434; reference:nessus,11740; classtype:web-application-activity; sid:2222; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP CGIScript.net csNews.cgi access"; flow:to_server,established; http_uri; content:"/csNews.cgi",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,4994; reference:cve,2002-0923; reference:cve,2002-1751; reference:nessus,11726; classtype:web-application-activity; sid:2223; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Psunami Bulletin Board psunami.cgi access"; flow:to_server,established; http_uri; content:"/psunami.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,6607; reference:nessus,11750; classtype:web-application-activity; sid:2224; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Linksys BEFSR41 gozila.cgi access"; flow:to_server,established; http_uri; content:"/gozila.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,6086; reference:cve,2002-1236; reference:nessus,11773; classtype:web-application-activity; sid:2225; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP pmachine remote file include attempt"; flow:to_server,established; http_uri; content:"lib.inc.php",fast_pattern,nocase; content:"pm_path="; pcre:"/pm_path=(https?|ftps?|php)/i"; metadata:ruleset community; service:http; reference:bugtraq,7919; reference:nessus,11739; classtype:web-application-attack; sid:2226; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP forum_details.php access"; flow:to_server,established; http_uri; content:"forum_details.php"; metadata:ruleset community; service:http; reference:bugtraq,7933; reference:nessus,11760; classtype:web-application-attack; sid:2227; rev:9; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP phpMyAdmin db_details_importdocsql.php access"; flow:to_server,established; http_uri; content:"db_details_importdocsql.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,7962; reference:bugtraq,7965; reference:nessus,11761; classtype:web-application-attack; sid:2228; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP viewtopic.php access"; flow:to_server,established; http_uri; content:"/viewtopic.php",fast_pattern,nocase; content:"days=",nocase; metadata:ruleset community; service:http; reference:bugtraq,7979; reference:cve,2003-0486; reference:nessus,11767; classtype:web-application-attack; sid:2229; rev:15; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP NetGear router default password login attempt admin/password"; flow:to_server,established; http_header; content:"Authorization|3A|",nocase; content:"YWRtaW46cGFzc3dvcmQ",nocase; pcre:"/^Authorization\x3a(\s*|\s*\r?\n\s+)Basic\s+YWRtaW46cGFzc3dvcmQ/ims"; metadata:ruleset community; service:http; reference:nessus,11737; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:2230; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP register.dll access"; flow:to_server,established; http_uri; content:"/register.dll",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2231; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ContentFilter.dll access"; flow:to_server,established; http_uri; content:"/ContentFilter.dll",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2232; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP SFNofitication.dll access"; flow:to_server,established; http_uri; content:"/SFNofitication.dll",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2233; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP TOP10.dll access"; flow:to_server,established; http_uri; content:"/TOP10.dll",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2234; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP SpamExcp.dll access"; flow:to_server,established; http_uri; content:"/SpamExcp.dll",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2235; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP spamrule.dll access"; flow:to_server,established; http_uri; content:"/spamrule.dll",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2236; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP cgiWebupdate.exe access"; flow:to_server,established; http_uri; content:"/cgiWebupdate.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3216; reference:cve,2001-1150; reference:nessus,11722; classtype:web-application-activity; sid:2237; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP WebLogic ConsoleHelp view source attempt"; flow:to_server,established; http_uri; content:"/ConsoleHelp/",nocase; content:".jsp",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1518; reference:cve,2000-0682; reference:nessus,11724; classtype:web-application-attack; sid:2238; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP redirect.exe access"; flow:to_server,established; http_uri; content:"/redirect.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1256; reference:cve,2000-0401; reference:nessus,11723; classtype:web-application-activity; sid:2239; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP changepw.exe access"; flow:to_server,established; http_uri; content:"/changepw.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1256; reference:cve,2000-0401; reference:nessus,11723; classtype:web-application-activity; sid:2240; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP cwmail.exe access"; flow:to_server,established; http_uri; content:"/cwmail.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,4093; reference:cve,2002-0273; reference:nessus,11727; classtype:web-application-activity; sid:2241; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ddicgi.exe access"; flow:to_server,established; http_uri; content:"/ddicgi.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1657; reference:cve,2000-0826; reference:nessus,11728; classtype:web-application-activity; sid:2242; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ndcgi.exe access"; flow:to_server,established; http_uri; content:"/ndcgi.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3583; reference:cve,2001-0922; reference:nessus,11730; classtype:web-application-activity; sid:2243; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP VsSetCookie.exe access"; flow:to_server,established; http_uri; content:"/VsSetCookie.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3784; reference:cve,2002-0236; reference:nessus,11731; classtype:web-application-activity; sid:2244; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Webnews.exe access"; flow:to_server,established; http_uri; content:"/Webnews.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,4124; reference:cve,2002-0290; reference:nessus,11732; classtype:web-application-activity; sid:2245; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP webadmin.dll access"; flow:to_server,established; http_uri; content:"/webadmin.dll",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,7438; reference:bugtraq,7439; reference:bugtraq,8024; reference:cve,2003-0471; reference:nessus,11771; classtype:web-application-activity; sid:2246; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS UploadScript11.asp access"; flow:to_server,established; http_uri; content:"/UploadScript11.asp",nocase; metadata:ruleset community; service:http; reference:bugtraq,3608; reference:cve,2001-0938; reference:nessus,11746; classtype:web-application-activity; sid:2247; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS DirectoryListing.asp access"; flow:to_server,established; http_uri; content:"/DirectoryListing.asp",nocase; metadata:ruleset community; service:http; reference:cve,2001-0938; classtype:web-application-activity; sid:2248; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS /pcadmin/login.asp access"; flow:to_server,established; http_uri; content:"/pcadmin/login.asp",nocase; metadata:ruleset community; service:http; reference:bugtraq,8103; reference:nessus,11785; classtype:web-application-activity; sid:2249; rev:15; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( msg:"PROTOCOL-POP USER format string attempt"; flow:to_server,established; content:"USER",fast_pattern,nocase; pcre:"/^USER\s+[^\n]*?%/ims"; metadata:ruleset community; service:pop3; reference:bugtraq,10976; reference:bugtraq,7667; reference:cve,2003-0391; reference:nessus,11742; classtype:attempted-admin; sid:2250; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"OS-WINDOWS Microsoft Windows SMB-DS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|FF|SMB%",depth 5,offset 4,nocase; content:"&|00|",within 2,distance 56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|",within 12,distance 5,nocase; content:"|05|",within 1; content:"|0B|",within 1,distance 1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W",within 16,distance 29; tag:session,packets 5; metadata:ruleset community; service:netbios-ssn; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:2252; rev:22; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL XEXCH50 overflow attempt"; flow:to_server,established; content:"XEXCH50",fast_pattern,nocase; pcre:"/^XEXCH50\s+-\d/ims"; metadata:policy max-detect-ips drop,ruleset community; service:smtp; reference:bugtraq,8838; reference:cve,2003-0714; reference:nessus,11889; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-046; classtype:attempted-admin; sid:2253; rev:20; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: ( msg:"PROTOCOL-RPC sadmind query with root credentials attempt TCP"; flow:to_server,established; content:"|00 01 87 88|",depth 4,offset 16; content:"|00 00 00 01 00 00 00 01|",within 8,distance 4; byte_jump:4,8,relative,align; content:"|00 00 00 00|",within 4; metadata:ruleset community; classtype:misc-attack; sid:2255; rev:13; )
alert udp $EXTERNAL_NET any -> $HOME_NET 1024: ( msg:"PROTOCOL-RPC sadmind query with root credentials attempt UDP"; flow:to_server; content:"|00 01 87 88|",depth 4,offset 12; content:"|00 00 00 01 00 00 00 01|",within 8,distance 4; byte_jump:4,8,relative,align; content:"|00 00 00 00|",within 4; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; classtype:misc-attack; sid:2256; rev:12; )
alert udp $EXTERNAL_NET any -> $HOME_NET 135 ( msg:"OS-WINDOWS DCERPC Messenger Service buffer overflow attempt"; content:"|04 00|",depth 2; byte_test:1,>,15,2,relative; byte_jump:4,86,relative,little,align; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,relative,little; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-043; classtype:attempted-admin; sid:2257; rev:16; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"OS-WINDOWS Microsoft Windows SMB-DS DCERPC Messenger Service buffer overflow attempt"; flow:to_server,established; content:"|FF|SMB%",depth 5,offset 4,nocase; content:"&|00|",within 2,distance 56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|",within 12,distance 5,nocase; content:"|04 00|",within 2; byte_test:1,>,15,2,relative; byte_jump:4,86,relative,little,align; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,relative,little; metadata:ruleset community; service:netbios-ssn; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-043; classtype:attempted-admin; sid:2258; rev:17; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL EXPN overflow attempt"; flow:to_server,established; content:"EXPN",nocase; isdataat:255,relative; pcre:"/^EXPN[^\n]{255}/ims"; metadata:ruleset community; service:smtp; reference:bugtraq,6991; reference:bugtraq,7230; reference:cve,2002-1337; reference:cve,2003-0161; classtype:attempted-admin; sid:2259; rev:17; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL VRFY overflow attempt"; flow:to_server,established; content:"VRFY",nocase; isdataat:255,relative; pcre:"/^VRFY[^\n]{255}/ims"; metadata:ruleset community; service:smtp; reference:bugtraq,6991; reference:bugtraq,7230; reference:cve,2002-1337; reference:cve,2003-0161; classtype:attempted-admin; sid:2260; rev:17; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Sendmail SEND FROM prescan too many addresses overflow"; flow:to_server,established; content:"SEND FROM|3A|",fast_pattern,nocase; pcre:"/^SEND FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</ims"; metadata:ruleset community; service:smtp; reference:bugtraq,6991; reference:cve,2002-1337; reference:nessus,11316; classtype:attempted-admin; sid:2261; rev:16; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Sendmail SEND FROM prescan too long addresses overflow"; flow:to_server,established; content:"SEND FROM|3A|",fast_pattern,nocase; pcre:"/^SEND FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200}/ims"; metadata:ruleset community; service:smtp; reference:bugtraq,7230; reference:cve,2003-0161; reference:nessus,11499; classtype:misc-attack; sid:2262; rev:16; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Sendmail SAML FROM prescan too many addresses overflow"; flow:to_server,established; content:"SAML FROM|3A|",fast_pattern,nocase; pcre:"/^SAML FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</ims"; metadata:ruleset community; service:smtp; reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2263; rev:16; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Sendmail SAML FROM prescan too long addresses overflow"; flow:to_server,established; content:"SAML FROM|3A|",fast_pattern,nocase; pcre:"/^SAML FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200}/ims"; metadata:ruleset community; service:smtp; reference:bugtraq,7230; reference:cve,2003-0161; reference:nessus,11499; classtype:misc-attack; sid:2264; rev:16; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Sendmail SOML FROM prescan too many addresses overflow"; flow:to_server,established; content:"SOML FROM|3A|",fast_pattern,nocase; pcre:"/^SOML FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</ims"; metadata:ruleset community; service:smtp; reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2265; rev:14; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Sendmail SOML FROM prescan too long addresses overflow"; flow:to_server,established; content:"SOML FROM|3A|",fast_pattern,nocase; pcre:"/^SOML FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200}/ims"; metadata:ruleset community; service:smtp; reference:bugtraq,7230; reference:cve,2003-0161; reference:nessus,11499; classtype:misc-attack; sid:2266; rev:16; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Sendmail MAIL FROM prescan too many addresses overflow"; flow:to_server,established; content:"MAIL FROM|3A|",fast_pattern,nocase; pcre:"/^MAIL FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</ims"; metadata:ruleset community; service:smtp; reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2267; rev:15; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Sendmail MAIL FROM prescan too long addresses overflow"; flow:to_server,established; content:"MAIL FROM|3A|",fast_pattern,nocase; pcre:"/^MAIL FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200}/ims"; metadata:ruleset community; service:smtp; reference:bugtraq,7230; reference:cve,2003-0161; reference:nessus,11499; classtype:attempted-admin; sid:2268; rev:16; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Sendmail RCPT TO prescan too many addresses overflow"; flow:to_server,established; content:"RCPT TO|3A|",fast_pattern,nocase; pcre:"/^RCPT TO\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</ims"; metadata:ruleset community; service:smtp; reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2269; rev:15; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Sendmail RCPT TO prescan too long addresses overflow"; flow:to_server,established; content:"RCPT TO|3A|",fast_pattern,nocase; pcre:"/^RCPT TO\x3a\s*[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200}/ims"; metadata:ruleset community; service:smtp; reference:bugtraq,7230; reference:cve,2003-0161; reference:cve,2003-0694; reference:nessus,11499; classtype:attempted-admin; sid:2270; rev:18; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR FsSniffer connection attempt"; flow:to_server,established; content:"RemoteNC Control Password|3A|"; metadata:ruleset community; reference:nessus,11854; classtype:trojan-activity; sid:2271; rev:7; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP LIST integer overflow attempt"; flow:to_server,established; content:"LIST",fast_pattern,nocase; pcre:"/^LIST\s+\x22-W\s+\d+/ims"; metadata:ruleset community; service:ftp; reference:bugtraq,8875; reference:cve,2003-0853; reference:cve,2003-0854; reference:nessus,11912; classtype:misc-attack; sid:2272; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP login brute force attempt"; flow:to_server,established,no_stream; content:"LOGIN",fast_pattern,nocase; detection_filter:track by_dst,count 30,seconds 30; metadata:ruleset community; service:imap; reference:url,attack.mitre.org/techniques/T1110; classtype:suspicious-login; sid:2273; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( msg:"PROTOCOL-POP login brute force attempt"; flow:to_server,established,no_stream; content:"USER",fast_pattern,nocase; detection_filter:track by_dst,count 30,seconds 30; metadata:ruleset community; service:pop3; reference:url,attack.mitre.org/techniques/T1110; classtype:suspicious-login; sid:2274; rev:11; )
alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any ( msg:"SERVER-MAIL AUTH LOGON brute force attempt"; flow:to_client,established,no_stream; content:"Authentication unsuccessful",offset 54,nocase; detection_filter:track by_dst,count 5,seconds 60; metadata:ruleset community; service:smtp; reference:url,attack.mitre.org/techniques/T1110; classtype:suspicious-login; sid:2275; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP oracle portal demo access"; flow:to_server,established; http_uri; content:"/pls/portal/PORTAL_DEMO",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,11918; classtype:web-application-activity; sid:2276; rev:9; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP PeopleSoft PeopleBooks psdoccgi access"; flow:to_server,established; http_uri; content:"/psdoccgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,9037; reference:bugtraq,9038; reference:cve,2003-0626; reference:cve,2003-0627; classtype:web-application-activity; sid:2277; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP HTTP request with negative Content-Length attempt"; flow:to_server,established; http_header; content:"Content-Length|3A|",nocase; content:!"|0D|",within 10; content:!"|0A|",within 10; pcre:"/Content-Length\x3A\s*[2-9][0-9]{9}/i"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:bugtraq,16354; reference:bugtraq,17879; reference:bugtraq,54055; reference:bugtraq,9098; reference:bugtraq,9476; reference:bugtraq,9576; reference:cve,2004-0095; reference:cve,2005-3653; reference:cve,2006-2162; reference:cve,2006-3655; reference:cve,2014-9192; reference:cve,2015-5343; reference:cve,2017-1000470; classtype:misc-attack; sid:2278; rev:36; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP UpdateClasses.php access"; flow:to_server,established; http_uri; content:"/UpdateClasses.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,9057; classtype:web-application-activity; sid:2279; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Title.php access"; flow:to_server,established; http_uri; content:"/Title.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,9057; classtype:web-application-activity; sid:2280; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Setup.php access"; flow:to_server,established; http_uri; content:"/Setup.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,9057; reference:cve,2009-1151; classtype:web-application-activity; sid:2281; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP GlobalFunctions.php access"; flow:to_server,established; http_uri; content:"/GlobalFunctions.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,9057; classtype:web-application-activity; sid:2282; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP DatabaseFunctions.php access"; flow:to_server,established; http_uri; content:"/DatabaseFunctions.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,9057; classtype:web-application-activity; sid:2283; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP rolis guestbook remote file include attempt"; flow:to_server,established; http_uri; content:"/insert.inc.php",fast_pattern,nocase; pkt_data; content:"path="; metadata:ruleset community; service:http; reference:bugtraq,9057; classtype:web-application-attack; sid:2284; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP rolis guestbook access"; flow:to_server,established; http_uri; content:"/insert.inc.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,9057; classtype:web-application-activity; sid:2285; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP friends.php access"; flow:to_server,established; http_uri; content:"/friends.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,9088; classtype:web-application-activity; sid:2286; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Advanced Poll admin_comment.php access"; flow:to_server,established; http_uri; content:"/admin_comment.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2287; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Advanced Poll admin_edit.php access"; flow:to_server,established; http_uri; content:"/admin_edit.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2288; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Advanced Poll admin_embed.php access"; flow:to_server,established; http_uri; content:"/admin_embed.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2289; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Advanced Poll admin_help.php access"; flow:to_server,established; http_uri; content:"/admin_help.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2290; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Advanced Poll admin_license.php access"; flow:to_server,established; http_uri; content:"/admin_license.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2291; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Advanced Poll admin_logout.php access"; flow:to_server,established; http_uri; content:"/admin_logout.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2292; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Advanced Poll admin_password.php access"; flow:to_server,established; http_uri; content:"/admin_password.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2293; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Advanced Poll admin_preview.php access"; flow:to_server,established; http_uri; content:"/admin_preview.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2294; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Advanced Poll admin_settings.php access"; flow:to_server,established; http_uri; content:"/admin_settings.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2295; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Advanced Poll admin_stats.php access"; flow:to_server,established; http_uri; content:"/admin_stats.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2296; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Advanced Poll admin_templates_misc.php access"; flow:to_server,established; http_uri; content:"/admin_templates_misc.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2297; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Advanced Poll admin_templates.php access"; flow:to_server,established; http_uri; content:"/admin_templates.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2298; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Advanced Poll admin_tpl_misc_new.php access"; flow:to_server,established; http_uri; content:"/admin_tpl_misc_new.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2299; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Advanced Poll admin_tpl_new.php access"; flow:to_server,established; http_uri; content:"/admin_tpl_new.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2300; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Advanced Poll booth.php access"; flow:to_server,established; http_uri; content:"/booth.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2301; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Advanced Poll poll_ssi.php access"; flow:to_server,established; http_uri; content:"/poll_ssi.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2302; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Advanced Poll popup.php access"; flow:to_server,established; http_uri; content:"/popup.php",fast_pattern,nocase; content:"include_path=",nocase; metadata:ruleset community; service:http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2303; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP files.inc.php access"; flow:to_server,established; http_uri; content:"/files.inc.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,8910; reference:cve,2003-1153; classtype:web-application-activity; sid:2304; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP chatbox.php access"; flow:to_server,established; http_uri; content:"/chatbox.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,8930; reference:cve,2003-1191; classtype:web-application-activity; sid:2305; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP gallery remote file include attempt"; flow:to_server,established; http_uri; content:"/setup/"; content:"GALLERY_BASEDIR="; pcre:"/GALLERY_BASEDIR=(https?|ftps?|php)/i"; metadata:ruleset community; service:http; reference:bugtraq,8814; reference:cve,2003-1227; reference:nessus,11876; classtype:web-application-attack; sid:2306; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP PayPal Storefront remote file include attempt"; flow:to_server,established; http_uri; content:"do=ext"; content:"page="; pcre:"/page=(https?|ftps?|php)/i"; metadata:ruleset community; service:http; reference:bugtraq,8791; reference:nessus,11873; classtype:web-application-attack; sid:2307; rev:15; )
alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE CVS non-relative path error response"; flow:to_client,established; content:"E cvs server|3A| warning|3A| cannot make directory CVS in /",fast_pattern,nocase; metadata:ruleset community; reference:bugtraq,9178; reference:cve,2003-0977; reference:nessus,11947; classtype:misc-attack; sid:2317; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 ( msg:"SERVER-OTHER CVS non-relative path access attempt"; flow:to_server,established; content:"Argument"; pcre:"/^Argument\s+\//ims"; pcre:"/^Directory/Rims"; metadata:ruleset community; reference:bugtraq,9178; reference:cve,2003-0977; reference:nessus,11947; classtype:misc-attack; sid:2318; rev:8; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 1655 ( msg:"SERVER-OTHER ebola PASS overflow attempt"; flow:to_server,established; content:"PASS",fast_pattern,nocase; pcre:"/^PASS\s[^\n]{49}/ims"; metadata:ruleset community; reference:bugtraq,9156; classtype:attempted-admin; sid:2319; rev:7; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 1655 ( msg:"SERVER-OTHER ebola USER overflow attempt"; flow:to_server,established; content:"USER",fast_pattern,nocase; pcre:"/^USER\s[^\n]{49}/ims"; metadata:ruleset community; reference:bugtraq,9156; classtype:attempted-admin; sid:2320; rev:7; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS foxweb.exe access"; flow:to_server,established; http_uri; content:"/foxweb.exe",nocase; metadata:ruleset community; service:http; reference:nessus,11939; classtype:web-application-activity; sid:2321; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS foxweb.dll access"; flow:to_server,established; http_uri; content:"/foxweb.dll",nocase; metadata:ruleset community; service:http; reference:nessus,11939; classtype:web-application-activity; sid:2322; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP iSoft-Solutions QuickStore shopping cart quickstore.cgi access"; flow:to_server,established; http_uri; content:"/quickstore.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,9282; reference:nessus,11975; classtype:web-application-activity; sid:2323; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS VP-ASP shopsearch.asp access"; flow:to_server,established; http_uri; content:"/shopsearch.asp",nocase; metadata:ruleset community; service:http; reference:bugtraq,9133; reference:bugtraq,9134; reference:nessus,11942; classtype:web-application-activity; sid:2324; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS VP-ASP ShopDisplayProducts.asp access"; flow:to_server,established; http_uri; content:"/ShopDisplayProducts.asp",nocase; metadata:ruleset community; service:http; reference:bugtraq,9133; reference:bugtraq,9134; reference:nessus,11942; classtype:web-application-activity; sid:2325; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS sgdynamo.exe access"; flow:to_server,established; http_uri; content:"/sgdynamo.exe",nocase; metadata:ruleset community; service:http; reference:bugtraq,4720; reference:cve,2002-0375; reference:nessus,11955; classtype:web-application-activity; sid:2326; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP bsml.pl access"; flow:to_server,established; http_uri; content:"/bsml.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,9311; reference:nessus,11973; classtype:web-application-activity; sid:2327; rev:10; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP authentication_index.php access"; flow:to_server,established; http_uri; content:"/authentication_index.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,2004-0032; reference:nessus,11982; classtype:web-application-activity; sid:2328; rev:15; )
alert udp $EXTERNAL_NET any -> $SQL_SERVERS any ( msg:"SERVER-MSSQL probe response overflow attempt"; flow:to_server; content:"|05|",depth 1; byte_test:2,>,512,1; content:"|3B|",distance 0; isdataat:512,relative; content:!"|3B|",within 512; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,9407; reference:cve,2003-0903; reference:nessus,11990; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-003; classtype:attempted-user; sid:2329; rev:15; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP auth overflow attempt"; flow:to_server,established; content:"AUTH"; isdataat:368,relative; content:!"|0A|",within 368; metadata:ruleset community; service:imap; reference:bugtraq,8861; reference:cve,2003-1177; reference:nessus,11910; classtype:misc-attack; sid:2330; rev:11; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP MatrikzGB privilege escalation attempt"; flow:to_server,established; http_uri; content:"new_rights=admin",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,8430; classtype:web-application-activity; sid:2331; rev:17; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP MKD format string attempt"; flow:to_server,established; content:"MKD",fast_pattern,nocase; pcre:"/^MKD\s[^\n]*?%[^\n]*?%/ims"; metadata:ruleset community; service:ftp; reference:bugtraq,9262; classtype:misc-attack; sid:2332; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP RENAME format string attempt"; flow:to_server,established; content:"RENAME",fast_pattern,nocase; pcre:"/^RENAME\s[^\n]*?%[^\n]*?%/ims"; metadata:ruleset community; service:ftp; reference:bugtraq,9262; classtype:misc-attack; sid:2333; rev:9; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 3535 ( msg:"PROTOCOL-FTP Yak! FTP server default account login attempt"; flow:to_server,established; content:"USER",nocase; content:"y049575046",fast_pattern,nocase; pcre:"/^USER\s+y049575046/ims"; metadata:ruleset community; reference:bugtraq,9072; reference:url,attack.mitre.org/techniques/T1078; classtype:suspicious-login; sid:2334; rev:11; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 3535 ( msg:"PROTOCOL-FTP RMD / attempt"; flow:to_server,established; content:"RMD",fast_pattern,nocase; pcre:"/^RMD\s+\x2f$/ims"; metadata:ruleset community; reference:bugtraq,9159; classtype:attempted-dos; sid:2335; rev:10; )
alert udp any any -> any 69 ( msg:"PROTOCOL-TFTP PUT filename overflow attempt"; flow:to_server; content:"|00|",depth 1; byte_test:1,<,3,0,relative; isdataat:101,relative; content:!"|00|",within 100,distance 2; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,20131; reference:bugtraq,22923; reference:bugtraq,7819; reference:bugtraq,8505; reference:cve,2003-0380; reference:cve,2003-0729; reference:cve,2006-4948; reference:cve,2006-6184; reference:cve,2008-1611; reference:cve,2009-2957; reference:cve,2009-2958; reference:nessus,18264; classtype:attempted-admin; sid:2337; rev:23; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP LIST buffer overflow attempt"; flow:to_server,established; content:"LIST",nocase; isdataat:128,relative; pcre:"/^LIST(?!\n)\s[^\n]{128}/ims"; metadata:policy max-detect-ips drop,ruleset community; service:ftp; reference:bugtraq,10181; reference:bugtraq,14339; reference:bugtraq,33454; reference:bugtraq,58247; reference:bugtraq,6869; reference:bugtraq,7251; reference:bugtraq,7861; reference:bugtraq,8486; reference:bugtraq,9675; reference:cve,1999-0349; reference:cve,1999-1510; reference:cve,2000-0129; reference:cve,2004-1992; reference:cve,2005-2373; reference:cve,2007-0019; reference:cve,2009-0351; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-003; classtype:misc-attack; sid:2338; rev:35; )
alert udp $EXTERNAL_NET any -> $HOME_NET 69 ( msg:"PROTOCOL-TFTP NULL command attempt"; flow:to_server; content:"|00 00|",depth 2; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,7575; classtype:bad-unknown; sid:2339; rev:9; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP SITE CHMOD overflow attempt"; flow:to_server,established; content:"SITE",nocase; content:"CHMOD",distance 0,nocase; isdataat:200,relative; pcre:"/^SITE\s+CHMOD\s[^\n]{200}/ims"; metadata:ruleset community; service:ftp; reference:bugtraq,10181; reference:bugtraq,9483; reference:bugtraq,9675; reference:cve,1999-0838; reference:nessus,12037; classtype:attempted-admin; sid:2340; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP DCP-Portal remote file include editor script attempt"; flow:to_server,established; http_uri; content:"/library/editor/editor.php",fast_pattern,nocase; content:"root="; metadata:ruleset community; service:http; reference:bugtraq,6525; classtype:web-application-attack; sid:2341; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP DCP-Portal remote file include lib script attempt"; flow:to_server,established; http_uri; content:"/library/lib.php",fast_pattern,nocase; content:"root="; metadata:ruleset community; service:http; reference:bugtraq,6525; classtype:web-application-attack; sid:2342; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP STOR overflow attempt"; flow:to_server,established; content:"STOR",nocase; isdataat:200,relative; content:!"|0D|",within 200; content:!"|0A|",within 200; content:!"|00|",within 200; metadata:ruleset community; service:ftp; reference:bugtraq,8668; reference:cve,2000-0133; reference:url,exploit-db.com/exploits/39662/; classtype:attempted-admin; sid:2343; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP XCWD overflow attempt"; flow:to_server,established; content:"XCWD",nocase; isdataat:100,relative; pcre:"/^XCWD(?!\n)\s[^\n]{100}/ims"; metadata:ruleset community; service:ftp; reference:bugtraq,11542; reference:bugtraq,8704; reference:cve,2004-2728; classtype:attempted-admin; sid:2344; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP PhpGedView search.php access"; flow:to_server,established; http_uri; content:"/search.php",nocase; content:"action=soundex",fast_pattern,nocase; content:"firstname=",nocase; metadata:ruleset community; service:http; reference:bugtraq,9369; reference:cve,2004-0032; classtype:web-application-activity; sid:2345; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP myPHPNuke chatheader.php access"; flow:to_server,established; http_uri; content:"/chatheader.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,6544; classtype:web-application-activity; sid:2346; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP myPHPNuke partner.php access"; flow:to_server,established; http_uri; content:"/partner.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,6544; classtype:web-application-activity; sid:2347; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP IdeaBox cord.php file include"; flow:to_server,established; http_uri; content:"/index.php",nocase; pkt_data; content:"ideaDir=",fast_pattern,nocase; content:"cord.php",nocase; metadata:ruleset community; service:http; reference:bugtraq,7488; classtype:web-application-activity; sid:2353; rev:11; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP IdeaBox notification.php file include"; flow:to_server,established; http_uri; content:"/index.php",nocase; pkt_data; content:"gorumDir=",fast_pattern,nocase; content:"notification.php",nocase; metadata:ruleset community; service:http; reference:bugtraq,7488; classtype:web-application-activity; sid:2354; rev:11; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Invision Board emailer.php file include"; flow:to_server,established; http_uri; content:"/ad_member.php",fast_pattern,nocase; content:"emailer.php",nocase; metadata:ruleset community; service:http; reference:bugtraq,7204; classtype:web-application-activity; sid:2355; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP WebChat db_mysql.php file include"; flow:to_server,established; http_uri; content:"/defines.php",nocase; pkt_data; content:"WEBCHATPATH=",nocase; content:"db_mysql.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,7000; reference:cve,2007-0485; classtype:web-application-attack; sid:2356; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP WebChat english.php file include"; flow:to_server,established; http_uri; content:"/defines.php",nocase; pkt_data; content:"WEBCHATPATH=",nocase; content:"english.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,7000; reference:cve,2007-0485; classtype:web-application-attack; sid:2357; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Typo3 translations.php file include"; flow:to_server,established; http_uri; content:"/translations.php",fast_pattern,nocase; pkt_data; content:"ONLY=",nocase; metadata:ruleset community; service:http; reference:bugtraq,6984; classtype:web-application-attack; sid:2358; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Invision Board ipchat.php file include"; flow:to_server,established; http_uri; content:"/ipchat.php",nocase; pkt_data; content:"root_path="; content:"conf_global.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,6976; reference:cve,2003-1385; classtype:web-application-attack; sid:2359; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP myphpPagetool pt_config.inc file include"; flow:to_server,established; http_uri; content:"/doc/admin",nocase; pkt_data; content:"ptinclude=",nocase; content:"pt_config.inc",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,6744; classtype:web-application-attack; sid:2360; rev:11; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP news.php file include"; flow:to_server,established; http_uri; content:"/news.php",fast_pattern,nocase; pkt_data; content:"template=",nocase; metadata:ruleset community; service:http; reference:bugtraq,6674; classtype:web-application-attack; sid:2361; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP YaBB SE packages.php file include"; flow:to_server,established; http_uri; content:"/packages.php",fast_pattern,nocase; pkt_data; content:"packer.php",nocase; metadata:ruleset community; service:http; reference:bugtraq,6663; classtype:web-application-attack; sid:2362; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Cyboards default_header.php access"; flow:to_server,established; http_uri; content:"/default_header.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,6597; classtype:web-application-activity; sid:2363; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Cyboards options_form.php access"; flow:to_server,established; http_uri; content:"/options_form.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,6597; classtype:web-application-activity; sid:2364; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP newsPHP Language file include attempt"; flow:to_server,established; http_uri; content:"/nphpd.php",fast_pattern,nocase; pkt_data; content:"LangFile",nocase; metadata:ruleset community; service:http; reference:bugtraq,8488; classtype:web-application-activity; sid:2365; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP PhpGedView PGV authentication_index.php base directory manipulation attempt"; flow:to_server,established; http_uri; content:"/authentication_index.php",nocase; pkt_data; content:"PGV_BASE_DIRECTORY",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,9368; reference:cve,2004-0030; classtype:web-application-attack; sid:2366; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP PhpGedView PGV functions.php base directory manipulation attempt"; flow:to_server,established; http_uri; content:"/functions.php",nocase; pkt_data; content:"PGV_BASE_DIRECTORY",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,9368; reference:cve,2004-0030; classtype:web-application-attack; sid:2367; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP PhpGedView PGV config_gedcom.php base directory manipulation attempt"; flow:to_server,established; http_uri; content:"/config_gedcom.php",nocase; pkt_data; content:"PGV_BASE_DIRECTORY",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,9368; reference:cve,2004-0030; classtype:web-application-attack; sid:2368; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ISAPISkeleton.dll access"; flow:to_server,established; http_uri; content:"/ISAPISkeleton.dll",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,9516; reference:cve,2004-2128; classtype:web-application-activity; sid:2369; rev:10; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP BugPort config.conf file access"; flow:to_server,established; http_uri; content:"/config.conf",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,9542; reference:cve,2004-2353; classtype:attempted-recon; sid:2370; rev:11; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Sample_showcode.html access"; flow:to_server,established; http_uri; content:"/Sample_showcode.html",nocase; pkt_data; content:"fname"; metadata:ruleset community; service:http; reference:bugtraq,9555; reference:cve,2004-2170; classtype:web-application-activity; sid:2371; rev:10; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Photopost PHP Pro showphoto.php access"; flow:to_server,established; http_uri; content:"/showphoto.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,9557; reference:cve,2004-0239; reference:cve,2004-0250; classtype:web-application-activity; sid:2372; rev:15; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP XMKD overflow attempt"; flow:to_server,established; content:"XMKD",nocase; isdataat:200,relative; pcre:"/^XMKD(?!\n)\s[^\n]{200}/ims"; metadata:ruleset community; service:ftp; reference:bugtraq,7909; reference:cve,2000-0133; reference:cve,2001-1021; classtype:attempted-admin; sid:2373; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP NLST overflow attempt"; flow:to_server,established; content:"NLST",nocase; isdataat:200,relative; pcre:"/^NLST(?!\n)\s[^\n]{200}/ims"; metadata:ruleset community; service:ftp; reference:bugtraq,7909; reference:cve,1999-1544; reference:cve,2009-3023; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-053; reference:url,www.kb.cert.org/vuls/id/276653; classtype:attempted-admin; sid:2374; rev:19; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 3127:3199 ( msg:"MALWARE-CNC DoomJuice/mydoom.a backdoor upload/execute"; flow:to_server,established; content:"|85 13|<|9E A2|",depth 5; metadata:ruleset community; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.hllw.doomjuice.html; classtype:trojan-activity; sid:2375; rev:9; )
alert udp $EXTERNAL_NET any -> $HOME_NET 500 ( msg:"SERVER-OTHER ISAKMP first payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; content:"|07|",depth 1,offset 16; byte_test:2,>,2043,30; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2376; rev:9; )
alert udp $EXTERNAL_NET any -> $HOME_NET 500 ( msg:"SERVER-OTHER ISAKMP second payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; content:"|07|",depth 1,offset 28; byte_jump:2,30; byte_test:2,>,2043,-2,relative; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2377; rev:9; )
alert udp $EXTERNAL_NET any -> $HOME_NET 500 ( msg:"SERVER-OTHER ISAKMP third payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; content:"|07|",within 1,distance -4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2378; rev:10; )
alert udp $EXTERNAL_NET any -> $HOME_NET 500 ( msg:"SERVER-OTHER ISAKMP forth payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; byte_jump:2,-2,relative; content:"|07|",within 1,distance -4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2379; rev:10; )
alert udp $EXTERNAL_NET any -> $HOME_NET 500 ( msg:"SERVER-OTHER ISAKMP fifth payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; byte_jump:2,-2,relative; byte_jump:2,-2,relative; content:"|07|",within 1,distance -4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2380; rev:10; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS NTLM ASN1 vulnerability scan attempt"; flow:to_server,established; http_header; content:"Authorization|3A|",nocase; content:"Negotiate",within 20,nocase; content:"YIQAAABiBoMAAAYrBgEFBQKgggBTMIFQoA4wDAYKKwYBBAGCNwICCqM",within 100; metadata:ruleset community; service:http; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12055; reference:nessus,12065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:attempted-dos; sid:2386; rev:23; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Apple QuickTime streaming server view_broadcast.cgi access"; flow:to_server,established; http_uri; content:"/view_broadcast.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,8257; reference:cve,2003-0422; classtype:web-application-activity; sid:2388; rev:17; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP RNTO overflow attempt"; flow:to_server,established; content:"RNTO",nocase; isdataat:200,relative; pcre:"/^RNTO(?!\n)\s[^\n]{200}/ims"; metadata:policy max-detect-ips drop,ruleset community; service:ftp; reference:bugtraq,15457; reference:bugtraq,8315; reference:cve,2000-0133; reference:cve,2001-1021; reference:cve,2003-0466; reference:cve,2005-3683; classtype:attempted-admin; sid:2389; rev:21; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP STOU overflow attempt"; flow:to_server,established; content:"STOU",nocase; isdataat:200,relative; pcre:"/^STOU\s[^\n]{200}/ims"; metadata:ruleset community; service:ftp; reference:bugtraq,8315; reference:cve,2003-0466; classtype:attempted-admin; sid:2390; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP APPE overflow attempt"; flow:to_server,established; content:"APPE",nocase; isdataat:200,relative; pcre:"/^APPE(?!\n)\s[^\n]{200}/ims"; metadata:ruleset community; service:ftp; reference:bugtraq,8315; reference:bugtraq,8542; reference:cve,2000-0133; reference:cve,2003-0466; reference:cve,2003-0772; classtype:attempted-admin; sid:2391; rev:17; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP RETR overflow attempt"; flow:to_server,established; content:"RETR",nocase; isdataat:200,relative; pcre:"/^RETR(?!\n)\s[^\n]{200}/ims"; metadata:policy max-detect-ips drop,ruleset community; service:ftp; reference:bugtraq,15457; reference:bugtraq,23168; reference:bugtraq,8315; reference:cve,2003-0466; reference:cve,2004-0287; reference:cve,2004-0298; reference:cve,2005-3683; classtype:attempted-admin; sid:2392; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP /_admin access"; flow:to_server,established; http_uri; content:"/_admin/",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,9537; reference:cve,2007-1156; reference:nessus,12032; classtype:web-application-activity; sid:2393; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 2301 ( msg:"SERVER-WEBAPP Compaq web-based management agent denial of service attempt"; flow:to_server,established; content:"<!",depth 75; content:">",within 50; metadata:ruleset community; reference:bugtraq,8014; classtype:web-application-attack; sid:2394; rev:8; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP InteractiveQuery.jsp access"; flow:to_server,established; http_uri; content:"/InteractiveQuery.jsp",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,8938; reference:cve,2003-0624; classtype:web-application-activity; sid:2395; rev:11; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP CCBill whereami.cgi arbitrary command execution attempt"; flow:to_server,established; http_uri; content:"/whereami.cgi?",nocase; content:"g=",distance 0,nocase; metadata:ruleset community; service:http; reference:bugtraq,8095; reference:url,secunia.com/advisories/9191/; classtype:web-application-attack; sid:2396; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP CCBill whereami.cgi access"; flow:to_server,established; http_uri; content:"/whereami.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,8095; reference:url,secunia.com/advisories/9191/; classtype:web-application-activity; sid:2397; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP WAnewsletter newsletter.php file include attempt"; flow:to_server,established; http_uri; content:"newsletter.php",nocase; pkt_data; content:"waroot",fast_pattern,nocase; content:"start.php",nocase; metadata:ruleset community; service:http; reference:bugtraq,6965; classtype:web-application-attack; sid:2398; rev:9; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP WAnewsletter db_type.php access"; flow:to_server,established; http_uri; content:"/sql/db_type.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,6964; classtype:web-application-activity; sid:2399; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP edittag.pl access"; flow:to_server,established; http_uri; content:"/edittag.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,6675; reference:cve,2003-1351; classtype:web-application-activity; sid:2400; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"NETBIOS SMB Session Setup andx username overflow attempt"; flow:stateless; content:"|00|",depth 1; content:"|FF|SMB",within 4,distance 3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/Rs"; byte_test:1,!&,128,6,relative; content:"s",depth 1,offset 39; byte_jump:2,0,relative,little; byte_test:4,!&,2147483648,21,relative,little; content:!"|00|",within 255,distance 29; metadata:ruleset community; reference:bugtraq,9752; reference:cve,2004-0193; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:2401; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"NETBIOS SMB-DS Session Setup andx username overflow attempt"; flow:stateless; content:"|00|",depth 1; content:"|FF|SMB",within 4,distance 3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/Rs"; byte_test:1,!&,128,6,relative; content:"s",depth 1,offset 39; byte_jump:2,0,relative,little; byte_test:4,!&,2147483648,21,relative,little; content:!"|00|",within 255,distance 29; metadata:ruleset community; service:netbios-ssn; reference:bugtraq,9752; reference:cve,2004-0193; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:2402; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"NETBIOS SMB Session Setup unicode username overflow attempt"; flow:stateless; content:"|00|",depth 1; content:"|FF|SMBs",within 5,distance 3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/Rs"; byte_test:4,!&,2147483648,21,relative,little; content:!"|00 00|",within 510,distance 29; metadata:ruleset community; reference:bugtraq,9752; reference:cve,2004-0193; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:2403; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"NETBIOS SMB-DS Session Setup unicode andx username overflow attempt"; flow:stateless; content:"|00|",depth 1; content:"|FF|SMB",within 4,distance 3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/Rs"; byte_test:1,&,128,6,relative; content:"s",depth 1,offset 39; byte_jump:2,0,relative,little; byte_test:4,!&,2147483648,21,relative,little; content:!"|00 00|",within 510,distance 29; metadata:ruleset community; service:netbios-ssn; reference:bugtraq,9752; reference:cve,2004-0193; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:2404; rev:11; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP phptest.php access"; flow:to_server,established; http_uri; content:"/phptest.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,9737; reference:cve,2004-2374; classtype:web-application-activity; sid:2405; rev:14; )
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"PROTOCOL-TELNET APC SmartSlot default admin account attempt"; flow:to_server,established; content:"TENmanUFactOryPOWER",fast_pattern,nocase; metadata:ruleset community; service:telnet; reference:bugtraq,9681; reference:cve,2004-0311; reference:nessus,12066; reference:url,attack.mitre.org/techniques/T1078; classtype:suspicious-login; sid:2406; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP util.pl access"; flow:to_server,established; http_uri; content:"/util.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,9748; reference:cve,2004-2379; classtype:web-application-activity; sid:2407; rev:10; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Invision Power Board search.pl access"; flow:to_server,established; http_uri; content:"/search.pl"; pkt_data; content:"st=",nocase; metadata:ruleset community; service:http; reference:bugtraq,9766; reference:cve,2004-0338; classtype:web-application-activity; sid:2408; rev:9; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( msg:"PROTOCOL-POP APOP USER overflow attempt"; flow:to_server,established; content:"APOP",nocase; isdataat:256,relative; pcre:"/^APOP\s+USER\s[^\n]{256}/ims"; metadata:ruleset community; service:pop3; reference:bugtraq,9794; reference:cve,2004-2375; classtype:attempted-admin; sid:2409; rev:11; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP IGeneric Free Shopping Cart page.php access"; flow:to_server,established; http_uri; content:"/page.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,9773; classtype:web-application-activity; sid:2410; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 554 ( msg:"SERVER-WEBAPP RealNetworks RealSystem Server DESCRIBE buffer overflow attempt"; flow:to_server,established; content:"DESCRIBE",nocase; content:"../",distance 1; pcre:"/^DESCRIBE\s[^\n]{300}/ims"; metadata:ruleset community; reference:bugtraq,8476; reference:cve,2003-0725; reference:nessus,11642; reference:url,www.service.real.com/help/faq/security/rootexploit091103.html; classtype:web-application-attack; sid:2411; rev:16; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE successful cross site scripting forced download attempt"; flow:to_server,established; content:"|0A|Referer|3A| res|3A|/C|3A|"; metadata:ruleset community; classtype:successful-user; sid:2412; rev:9; )
alert udp $EXTERNAL_NET any -> $HOME_NET 500 ( msg:"SERVER-OTHER ISAKMP delete hash with empty hash attempt"; flow:to_server; content:"|08|",depth 1,offset 16; content:"|0C|",depth 1,offset 28; content:"|00 04|",depth 2,offset 30; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2413; rev:16; )
alert udp $EXTERNAL_NET any -> $HOME_NET 500 ( msg:"SERVER-OTHER ISAKMP initial contact notification without SPI attempt"; flow:to_server; content:"|0B|",depth 1,offset 16; content:"|00 0C 00 00 00 01 01 00 06 02|",depth 10,offset 30; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2414; rev:16; )
alert udp $EXTERNAL_NET any -> $HOME_NET 500 ( msg:"SERVER-OTHER ISAKMP second payload initial contact notification without SPI attempt"; flow:to_server; content:"|0B|",depth 1,offset 28; byte_jump:2,30; content:"|00 0C 00 00 00 01 01 00|`|02|",within 10,distance -2; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2415; rev:16; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP invalid MDTM command attempt"; flow:to_server,established; content:"MDTM",fast_pattern,nocase; pcre:"/^MDTM \d+[-+]\D/ims"; metadata:ruleset community; service:ftp; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; classtype:attempted-admin; sid:2416; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP format string attempt"; flow:to_server,established; content:"%",fast_pattern,nocase; pcre:"/\s+.*?%.*?%/ims"; metadata:ruleset community; service:ftp; reference:bugtraq,15352; reference:bugtraq,30993; reference:bugtraq,9800; reference:cve,2002-2074; reference:cve,2007-1195; reference:cve,2009-4769; classtype:string-detect; sid:2417; rev:17; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 ( msg:"POLICY-OTHER Microsoft Windows Terminal Server no encryption session initiation attempt"; flow:to_server,established; content:"|03 00 01|",depth 3; content:"|00|",depth 1,offset 288; metadata:ruleset community; reference:cve,2001-0663; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-052; classtype:attempted-dos; sid:2418; rev:10; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY RealNetworks Realplayer .ram playlist file download request"; flow:to_server,established; http_uri; content:".ra",fast_pattern,nocase; pcre:"/\x2eram?([\?\x5c\x2f]|$)/ims"; flowbits:set,file.realplayer.playlist; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:http; reference:url,en.wikipedia.org/wiki/.ram; classtype:misc-activity; sid:2419; rev:30; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY RealNetworks Realplayer .rmp playlist file download request"; flow:to_server,established; http_uri; content:".rmp",fast_pattern,nocase; pcre:"/\x2ermp([\?\x5c\x2f]|$)/ims"; flowbits:set,file.rmp; flowbits:set,file.realplayer.playlist; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:http; reference:url,en.wikipedia.org/wiki/.ram; classtype:misc-activity; sid:2420; rev:33; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY RealNetworks Realplayer .rt playlist file download request"; flow:to_server,established; http_uri; content:".rt",fast_pattern,nocase; pcre:"/\x2ert([\?\x5c\x2f]|$)/ims"; flowbits:set,file.realplayer.playlist; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:http; reference:url,en.wikipedia.org/wiki/.ram; classtype:misc-activity; sid:2422; rev:31; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY RealNetworks Realplayer .rp playlist file download request"; flow:to_server,established; http_uri; content:".rp",fast_pattern,nocase; pcre:"/\x2erp([\?\x5c\x2f]|$)/ims"; flowbits:set,file.realplayer.playlist; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:http; reference:url,en.wikipedia.org/wiki/.ram; classtype:misc-activity; sid:2423; rev:30; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 119 ( msg:"PROTOCOL-NNTP sendsys overflow attempt"; flow:to_server,established; content:"sendsys",fast_pattern,nocase; pcre:"/^sendsys\x3a[^\n]{21}/ims"; metadata:ruleset community; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2424; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 119 ( msg:"PROTOCOL-NNTP senduuname overflow attempt"; flow:to_server,established; content:"senduuname",fast_pattern,nocase; pcre:"/^senduuname\x3a[^\n]{21}/ims"; metadata:ruleset community; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2425; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 119 ( msg:"PROTOCOL-NNTP version overflow attempt"; flow:to_server,established; content:"version",fast_pattern,nocase; pcre:"/^version\x3a[^\n]{21}/ims"; metadata:ruleset community; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2426; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 119 ( msg:"PROTOCOL-NNTP checkgroups overflow attempt"; flow:to_server,established; content:"checkgroups",fast_pattern,nocase; pcre:"/^checkgroups\x3a[^\n]{21}/ims"; metadata:ruleset community; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2427; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 119 ( msg:"PROTOCOL-NNTP ihave overflow attempt"; flow:to_server,established; content:"ihave",fast_pattern,nocase; pcre:"/^ihave\x3a[^\n]{21}/ims"; metadata:ruleset community; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2428; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 119 ( msg:"PROTOCOL-NNTP sendme overflow attempt"; flow:to_server,established; content:"sendme",fast_pattern,nocase; pcre:"/^sendme\x3a[^\n]{21}/ims"; metadata:ruleset community; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2429; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 119 ( msg:"PROTOCOL-NNTP newgroup overflow attempt"; flow:to_server,established; content:"newgroup",fast_pattern,nocase; pcre:"/^newgroup\x3a[^\n]{32}/ims"; metadata:ruleset community; service:nntp; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2430; rev:15; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 119 ( msg:"PROTOCOL-NNTP rmgroup overflow attempt"; flow:to_server,established; content:"rmgroup",fast_pattern,nocase; pcre:"/^rmgroup\x3a[^\n]{32}/ims"; metadata:ruleset community; service:nntp; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2431; rev:15; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 119 ( msg:"PROTOCOL-NNTP article post without path attempt"; flow:to_server,established; content:"takethis",fast_pattern,nocase; pcre:!"/^takethis.*?Path\x3a.*?[\r]{0,1}?\n[\r]{0,1}\n/is"; metadata:ruleset community; classtype:attempted-admin; sid:2432; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 3000 ( msg:"SERVER-WEBAPP MDaemon form2raw.cgi overflow attempt"; flow:to_server,established; content:"/form2raw.cgi",fast_pattern,nocase; pcre:"/\Wfrom=[^\x3b&\n]{100}/is"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,9317; reference:cve,2003-1200; reference:url,secunia.com/advisories/10512/; classtype:web-application-attack; sid:2433; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP MDaemon form2raw.cgi access"; flow:to_server,established; content:"/form2raw.cgi",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,9317; reference:cve,2003-1200; reference:url,secunia.com/advisories/10512/; classtype:web-application-activity; sid:2434; rev:12; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft emf file download request"; flow:to_server,established; http_uri; content:".emf",fast_pattern,nocase; pcre:"/\x2eemf([\?\x5c\x2f]|$)/ims"; flowbits:set,file.emf; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:http; reference:bugtraq,10120; reference:bugtraq,28819; reference:bugtraq,9707; reference:cve,2003-0906; reference:cve,2007-5746; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-032; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-053; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-001; classtype:misc-activity; gid:1; sid:2435; rev:34; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Windows Audio wmf file download request"; flow:to_server,established; http_uri; content:".wmf",fast_pattern,nocase; pcre:"/\x2ewmf([\?\x5c\x2f]|$)/ims"; flowbits:set,file.wmf; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:http; reference:url,en.wikipedia.org/wiki/.wmf; classtype:misc-activity; sid:2436; rev:31; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA RealNetworks RealPlayer playlist file URL overflow attempt"; flow:to_client,established; flowbits:isset,file.realplayer.playlist; file_data; content:"file|3A|//",nocase; pcre:"/^file\x3a\x2f\x2f[^\n]{400}/ims"; metadata:policy max-detect-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:bugtraq,13264; reference:bugtraq,9579; reference:cve,2004-0258; reference:cve,2004-0550; reference:cve,2005-0755; classtype:attempted-user; gid:1; sid:2438; rev:24; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA RealNetworks RealPlayer playlist http URL overflow attempt"; flow:to_client,established; flowbits:isset,file.realplayer.playlist; file_data; content:"http|3A|//",nocase; pcre:"/^http\x3a\x2f\x2f[^\n]{400}/ims"; metadata:policy max-detect-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:bugtraq,13264; reference:bugtraq,9579; reference:cve,2004-0258; reference:cve,2004-0550; reference:cve,2005-0755; classtype:attempted-user; gid:1; sid:2439; rev:24; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA RealNetworks RealPlayer playlist rtsp URL overflow attempt"; flow:to_client,established; flowbits:isset,file.realplayer.playlist; file_data; content:"rtsp|3A|//",nocase; pcre:"/^http\x3a\x2f\x2f[^\n]{400}/ims"; metadata:policy max-detect-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:bugtraq,13264; reference:bugtraq,9579; reference:cve,2004-0258; reference:cve,2004-0550; reference:cve,2005-0755; classtype:attempted-user; gid:1; sid:2440; rev:24; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP NetObserve authentication bypass attempt"; flow:to_server,established; content:"login=0",nocase; http_cookie; content:"login=0",nocase; metadata:ruleset community; service:http; reference:bugtraq,9319; classtype:web-application-attack; sid:2441; rev:14; )
alert udp any 4000 -> any any ( msg:"SERVER-OTHER ICQ SRV_MULTI/SRV_META_USER overflow attempt - ISS Witty Worm"; flow:to_server; content:"|05 00|",depth 2; content:"|12 02|",within 2,distance 5; byte_test:1,>,1,12,relative; content:"|05 00|"; content:"n|00|",within 2,distance 5; content:"|05 00|"; content:"|DE 03|",within 2,distance 5; byte_test:2,>,512,-11,relative,little; metadata:policy max-detect-ips drop,ruleset community; reference:cve,2004-0362; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2446; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ServletManager access"; flow:to_server,established; http_uri; content:"/servlet/ServletManager",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3697; reference:cve,2001-1195; reference:nessus,12122; classtype:web-application-activity; sid:2447; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP setinfo.hts access"; flow:to_server,established; http_uri; content:"/setinfo.hts",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,9973; reference:cve,2004-1857; reference:nessus,12120; classtype:web-application-activity; sid:2448; rev:11; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP ALLO overflow attempt"; flow:to_server,established; content:"ALLO",nocase; isdataat:200,relative; pcre:"/^ALLO(?!\n)\s[^\n]{200}/ims"; metadata:ruleset community; service:ftp; reference:bugtraq,9953; reference:cve,2004-1883; reference:nessus,14598; classtype:attempted-admin; sid:2449; rev:12; )
alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any ( msg:"POLICY-SOCIAL Yahoo IM successful logon"; flow:to_client,established; content:"YMSG",depth 4,nocase; content:"|00 01|",depth 2,offset 10; metadata:ruleset community; classtype:policy-violation; sid:2450; rev:9; )
alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any ( msg:"POLICY-SOCIAL Yahoo IM voicechat"; flow:to_client,established; content:"YMSG",depth 4,nocase; content:"|00|J",depth 2,offset 10; metadata:ruleset community; classtype:policy-violation; sid:2451; rev:9; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 ( msg:"POLICY-SOCIAL Yahoo IM ping"; flow:to_server,established; content:"YMSG",depth 4,nocase; content:"|00 12|",depth 2,offset 10; metadata:ruleset community; classtype:policy-violation; sid:2452; rev:9; )
alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any ( msg:"POLICY-SOCIAL Yahoo IM conference invitation"; flow:to_client,established; content:"YMSG",depth 4,nocase; content:"|00 18|",depth 2,offset 10; metadata:ruleset community; classtype:policy-violation; sid:2453; rev:9; )
alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any ( msg:"POLICY-SOCIAL Yahoo IM conference logon success"; flow:to_client,established; content:"YMSG",depth 4,nocase; content:"|00 19|",depth 2,offset 10; metadata:ruleset community; classtype:policy-violation; sid:2454; rev:9; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 ( msg:"POLICY-SOCIAL Yahoo IM conference message"; flow:to_server,established; content:"YMSG",depth 4,nocase; content:"|00 1D|",depth 2,offset 10; metadata:ruleset community; classtype:policy-violation; sid:2455; rev:8; )
alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any ( msg:"POLICY-SOCIAL Yahoo Messenger File Transfer Receive Request"; flow:established; content:"YMSG",depth 4; content:"|00|M",depth 2,offset 10; metadata:ruleset community; classtype:policy-violation; sid:2456; rev:9; )
alert tcp any any <> any 5101 ( msg:"POLICY-SOCIAL Yahoo IM message"; flow:established; content:"YMSG",depth 4,nocase; metadata:ruleset community; classtype:policy-violation; sid:2457; rev:7; )
alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any ( msg:"POLICY-SOCIAL Yahoo IM successful chat join"; flow:to_client,established; content:"YMSG",depth 4,nocase; content:"|00 98|",depth 2,offset 10; metadata:ruleset community; classtype:policy-violation; sid:2458; rev:9; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 ( msg:"POLICY-SOCIAL Yahoo IM conference offer invitation"; flow:to_server,established; content:"YMSG",depth 4,nocase; content:"|00|P",depth 2,offset 10; metadata:ruleset community; classtype:policy-violation; sid:2459; rev:9; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 5100 ( msg:"POLICY-SOCIAL Yahoo IM conference request"; flow:to_server,established; content:"<R",depth 2; pcre:"/^\x3c(REQIMG|RVWCFG)\x3e/ims"; metadata:ruleset community; classtype:policy-violation; sid:2460; rev:9; )
alert tcp $EXTERNAL_NET 5100 -> $HOME_NET any ( msg:"POLICY-SOCIAL Yahoo IM conference watch"; flow:to_client,established; content:"|0D 00 05 00|",depth 4; metadata:ruleset community; classtype:policy-violation; sid:2461; rev:10; )
alert ip any any -> any any ( msg:"SERVER-OTHER Ethereal IGMP IGAP account overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,16,12; metadata:ruleset community; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2462; rev:10; )
alert ip any any -> any any ( msg:"SERVER-OTHER Ethereal IGMP IGAP message overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,64,13; metadata:ruleset community; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2463; rev:10; )
alert ip any any -> any any ( msg:"SERVER-OTHER Ethereal EIGRP prefix length overflow attempt"; ip_proto:88; byte_test:1,>,32,44; metadata:ruleset community; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2464; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"NETBIOS SMB-DS ADMIN$ share access"; flow:to_server,established; content:"|00|",depth 1; content:"|FF|SMBu",within 5,distance 3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,relative,little; content:"ADMIN|24 00|",distance 2,nocase; metadata:ruleset community; service:netbios-ssn; classtype:protocol-command-decode; sid:2474; rev:10; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP source.jsp access"; flow:to_server,established; http_uri; content:"/source.jsp",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,12119; classtype:web-application-activity; sid:2484; rev:9; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-PLUGINS Symantec Norton Internet Security 2004 ActiveX clsid access"; flow:to_client,established; file_data; content:"0534CF61-83C5-4765-B19B-45F7A4E135D0",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:bugtraq,9916; reference:cve,2004-0363; classtype:attempted-user; sid:2485; rev:19; )
alert udp $EXTERNAL_NET any -> $HOME_NET 500 ( msg:"SERVER-OTHER ISAKMP invalid identification payload attempt"; flow:to_server; content:"|05|",depth 1,offset 16; byte_test:1,!&,1,19; byte_test:1,>,8,32; byte_test:2,>,0,30; byte_test:2,<,10,30; byte_test:2,!=,8,30; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,10004; reference:cve,2004-0184; classtype:attempted-dos; sid:2486; rev:14; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL WinZip MIME content-type buffer overflow"; flow:to_server,established; content:"Content-Type|3A|",fast_pattern,nocase; pcre:"/name=[^\r\n]*?\.(mim|uue|uu|b64|bhx|hqx|xxe)/ims"; pcre:"/(name|id|number|total|boundary)=\s*[^\r\n\x3b\s\x2c]{300}/ims"; metadata:ruleset community; service:smtp; reference:bugtraq,9758; reference:cve,2004-0333; reference:nessus,12621; classtype:attempted-user; sid:2487; rev:17; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL WinZip MIME content-disposition buffer overflow"; flow:to_server,established; content:"Content-Type|3A|",fast_pattern,nocase; pcre:"/name=[^\r\n]*?\.(mim|uue|uu|b64|bhx|hqx|xxe)/ims"; content:"Content-Disposition|3A|",nocase; pcre:"/name=\s*[^\r\n\x3b\s\x2c]{300}/ims"; metadata:ruleset community; service:smtp; reference:bugtraq,9758; reference:cve,2004-0333; reference:nessus,12621; classtype:attempted-user; sid:2488; rev:18; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 ( msg:"SERVER-OTHER esignal STREAMQUOTE buffer overflow attempt"; flow:to_server,established; content:"<STREAMQUOTE>",nocase; isdataat:1040,relative; content:!"</STREAMQUOTE>",within 1040,nocase; metadata:ruleset community; reference:bugtraq,9978; reference:cve,2004-1868; classtype:attempted-admin; sid:2489; rev:9; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 ( msg:"SERVER-OTHER esignal SNAPQUOTE buffer overflow attempt"; flow:to_server,established; content:"<SNAPQUOTE>",nocase; isdataat:1024,relative; content:!"</SNAPQUOTE>",within 1052,nocase; metadata:ruleset community; reference:bugtraq,9978; reference:cve,2004-1868; classtype:attempted-admin; sid:2490; rev:7; )
alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] ( msg:"OS-WINDOWS DCERPC NCACN-IP-TCP lsass DsRolerUpgradeDownlevelServer overflow attempt"; flow:to_server,established; dce_iface:uuid 3919286a-b10c-11d0-9ba8-00c04fd92ef5; dce_opnum:"9"; dce_stub_data; byte_test:4,>,256,0,dce; metadata:policy max-detect-ips drop,ruleset community; service:netbios-ssn; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:2508; rev:24; )
alert udp $EXTERNAL_NET any -> $HOME_NET [135,138,1024:] ( msg:"OS-WINDOWS DCERPC NCADG-IP-UDP lsass DsRolerUpgradeDownlevelServer overflow attempt"; dce_iface:uuid 3919286a-b10c-11d0-9ba8-00c04fd92ef5; dce_opnum:"9"; dce_stub_data; byte_test:4,>,256,0,dce; metadata:policy max-detect-ips drop,ruleset community; service:netbios-dgm; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:2511; rev:22; )
alert tcp $EXTERNAL_NET any <> $HOME_NET 179 ( msg:"SERVER-OTHER BGP spoofed connection reset attempt"; flow:established,no_stream; flags:FRS*; detection_filter:track by_dst,count 10,seconds 10; metadata:ruleset community; reference:bugtraq,10183; reference:cve,2004-0230; reference:url,www.uniras.gov.uk/vuls/2004/236929/index.htm; classtype:attempted-dos; sid:2523; rev:15; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 548 ( msg:"SERVER-OTHER AFP FPLoginExt username buffer overflow attempt"; flow:to_server,established; content:"|00 02|",depth 2; content:"?",within 1,distance 14; content:"cleartxt passwrd",nocase; byte_jump:2,1,relative; byte_jump:2,1,relative; isdataat:2,relative; metadata:ruleset community; reference:bugtraq,10271; reference:cve,2004-0430; reference:url,www.atstake.com/research/advisories/2004/a050304-1.txt; classtype:attempted-admin; sid:2545; rev:7; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP MDTM overflow attempt"; flow:to_server,established; content:"MDTM",nocase; isdataat:100,relative; pcre:"/^MDTM(?!\n)\s[^\n]{100}/ims"; metadata:ruleset community; service:ftp; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; reference:nessus,12080; classtype:attempted-admin; sid:2546; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER HP Web JetAdmin remote file upload attempt"; flow:to_server,established; http_uri; content:"/plugins/hpjwja/script/devices_update_printer_fw_upload.hts",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,9971; reference:cve,2004-1856; classtype:web-application-activity; sid:2547; rev:11; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER HP Web JetAdmin setinfo access attempt"; flow:to_server,established; http_uri; content:"/plugins/hpjdwm/script/test/setinfo.hts",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,9972; reference:cve,2004-1856; reference:cve,2004-1857; reference:nessus,12120; classtype:web-application-activity; sid:2548; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER HP Web JetAdmin file write attempt"; flow:to_server,established; http_uri; content:"/plugins/framework/script/tree.xms",fast_pattern,nocase; http_client_body; content:"WriteToFile",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,9973; classtype:web-application-activity; sid:2549; rev:7; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER Nullsoft Winamp XM file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xm; file_data; content:"Extended Module|3A 20|",nocase; byte_test:1,!=,26,20,relative; metadata:policy max-detect-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:cve,2004-1896; reference:url,www.securityfocus.com/bid/10045; classtype:attempted-user; sid:2550; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 ( msg:"SERVER-OTHER Oracle Web Cache GET overflow attempt"; flow:to_server,established; content:"GET"; pcre:"/^GET[^s]{432}/ms"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2551; rev:8; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 ( msg:"SERVER-OTHER Oracle Web Cache HEAD overflow attempt"; flow:to_server,established; content:"HEAD"; pcre:"/^HEAD[^s]{432}/ms"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2552; rev:8; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 ( msg:"SERVER-OTHER Oracle Web Cache PUT overflow attempt"; flow:to_server,established; content:"PUT"; pcre:"/^PUT[^s]{432}/ms"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2553; rev:8; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 ( msg:"SERVER-OTHER Oracle Web Cache POST overflow attempt"; flow:to_server,established; content:"POST"; pcre:"/^POST[^s]{432}/ms"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2554; rev:8; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 ( msg:"SERVER-OTHER Oracle Web Cache TRACE overflow attempt"; flow:to_server,established; content:"TRACE"; pcre:"/^TRACE[^s]{432}/ms"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2555; rev:8; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 ( msg:"SERVER-OTHER Oracle Web Cache DELETE overflow attempt"; flow:to_server,established; content:"DELETE"; pcre:"/^DELETE[^s]{432}/ms"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2556; rev:8; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 ( msg:"SERVER-OTHER Oracle Web Cache LOCK overflow attempt"; flow:to_server,established; content:"LOCK"; pcre:"/^LOCK[^s]{432}/ms"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2557; rev:8; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 ( msg:"SERVER-OTHER Oracle Web Cache MKCOL overflow attempt"; flow:to_server,established; content:"MKCOL"; pcre:"/^MKCOL[^s]{432}/ms"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2558; rev:8; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 ( msg:"SERVER-OTHER Oracle Web Cache COPY overflow attempt"; flow:to_server,established; content:"COPY"; pcre:"/^COPY[^s]{432}/ms"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2559; rev:8; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 ( msg:"SERVER-OTHER Oracle Web Cache MOVE overflow attempt"; flow:to_server,established; content:"MOVE"; pcre:"/^MOVE[^s]{432}/ms"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2560; rev:8; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 873 ( msg:"SERVER-OTHER rsync backup-dir directory traversal attempt"; flow:to_server,established; content:"--backup-dir",fast_pattern,nocase; pcre:"/--backup-dir\s+\x2e\x2e\x2f/"; metadata:ruleset community; reference:bugtraq,10247; reference:cve,2004-0426; reference:nessus,12230; classtype:string-detect; sid:2561; rev:8; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 81 ( msg:"SERVER-WEBAPP McAfee ePO file upload attempt"; flow:to_server,established; content:"/spipe/repl_file",nocase; content:"Command=BEGIN",nocase; metadata:ruleset community; service:http; reference:bugtraq,10200; reference:cve,2004-0038; classtype:attempted-admin; sid:2562; rev:9; )
alert udp $EXTERNAL_NET 137 -> $HOME_NET 137 ( msg:"NETBIOS NS lookup response name overflow attempt"; byte_test:1,&,0x80,2; content:"|00 01|",depth 2,offset 6; byte_test:1,>,32,12; metadata:policy max-detect-ips drop,ruleset community; service:netbios-ns; reference:bugtraq,10333; reference:cve,2004-0444; reference:url,www.eeye.com/html/Research/Advisories/AD20040512A.html; classtype:attempted-admin; sid:2563; rev:8; )
alert udp $EXTERNAL_NET 137 -> $HOME_NET 137 ( msg:"NETBIOS NS lookup short response attempt"; dsize:<56; byte_test:1,&,0x80,2; content:"|00 01|",depth 2,offset 6; metadata:policy max-detect-ips drop,ruleset community; service:netbios-ns; reference:bugtraq,10335; reference:cve,2004-0444; reference:url,www.eeye.com/html/Research/Advisories/AD20040512C.html; classtype:attempted-admin; sid:2564; rev:8; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP modules.php access"; flow:to_server,established; http_uri; content:"/modules.php",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,9879; reference:cve,2004-1817; classtype:web-application-activity; sid:2565; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP PHPBB viewforum.php access"; flow:to_server,established; http_uri; content:"/viewforum.php",nocase; content:"topic_id=",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,9865; reference:bugtraq,9866; reference:cve,2004-1809; reference:nessus,12093; classtype:web-application-activity; sid:2566; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Emumail init.emu access"; flow:to_server,established; http_uri; content:"/init.emu",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,9861; reference:cve,2004-2334; reference:cve,2004-2385; reference:nessus,12095; classtype:web-application-activity; sid:2567; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Emumail emumail.fcgi access"; flow:to_server,established; http_uri; content:"/emumail.fcgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,9861; reference:cve,2004-2334; reference:cve,2004-2385; reference:nessus,12095; classtype:web-application-activity; sid:2568; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP cPanel resetpass access"; flow:to_server,established; http_uri; content:"/resetpass",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,9848; reference:cve,2004-1769; classtype:web-application-activity; sid:2569; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP invalid HTTP version string"; flow:to_server,established; content:" HTTP/",depth 300,nocase; isdataat:5,relative; content:!"0.9",within 3; content:!"1.0",within 3; content:!"1.1",within 3; pcre:!"/^[^\n]* HTTP\x2f(0\.9|1\.[01])\s*\n/i"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,34240; reference:bugtraq,9809; reference:cve,2009-0478; reference:nessus,11593; classtype:non-standard-protocol; sid:2570; rev:25; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS SmarterTools SmarterMail frmGetAttachment.aspx access"; flow:to_server,established; http_uri; content:"/frmGetAttachment.aspx",nocase; metadata:ruleset community; service:http; reference:bugtraq,9805; reference:cve,2004-2585; classtype:web-application-activity; sid:2571; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS SmarterTools SmarterMail login.aspx buffer overflow attempt"; flow:to_server,established; http_uri; content:"/login.aspx",nocase; pkt_data; content:"txtusername="; isdataat:980,relative; content:!"|0A|",within 980,nocase; metadata:ruleset community; service:http; reference:bugtraq,9805; reference:cve,2004-2585; classtype:web-application-attack; sid:2572; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS SmarterTools SmarterMail frmCompose.asp access"; flow:to_server,established; http_uri; content:"/frmCompose.aspx",nocase; metadata:ruleset community; service:http; reference:bugtraq,9805; reference:cve,2004-2585; classtype:web-application-activity; sid:2573; rev:15; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP RETR format string attempt"; flow:to_server,established; content:"RETR",fast_pattern,nocase; pcre:"/^RETR\s[^\n]*?%[^\n]*?%/ims"; metadata:ruleset community; service:ftp; reference:bugtraq,9800; reference:cve,2004-1883; classtype:attempted-admin; sid:2574; rev:9; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Opt-X header.php remote file include attempt"; flow:to_server,established; http_uri; content:"/header.php",nocase; pkt_data; content:"systempath=",fast_pattern,nocase; pcre:"/systempath=(https?|ftps?|php)/i"; metadata:ruleset community; service:http; reference:bugtraq,9732; reference:cve,2004-2368; classtype:web-application-attack; sid:2575; rev:11; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.generate_replication_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_support",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*package_prefix[\r\n\s]*=>[\r\n\s]*\2|package_prefix\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*procedure_prefix[\r\n\s]*=>[\r\n\s]*\2|procedure_prefix\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck93.html; classtype:attempted-user; sid:2576; rev:9; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-OTHER local resource redirection attempt"; flow:to_client,established; http_header; content:"Location|3A|",nocase; pcre:"/^Location\x3a(\s*|\s*\r?\n\s+)*URL\s*\x3a/ims"; metadata:ruleset community; service:http; reference:cve,2004-0549; reference:url,www.kb.cert.org/vuls/id/713878; classtype:attempted-user; sid:2577; rev:10; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"SERVER-WEBAPP server negative Content-Length attempt"; flow:to_client,established; content:"Content-Length",nocase; pcre:"/^Content-Length\s*\x3a\s*-\d+/im"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:bugtraq,10508; reference:cve,2004-0492; reference:url,www.guninski.com/modproxy1.html; classtype:attempted-admin; sid:2580; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP SAP Crystal Reports crystalimagehandler.aspx access"; flow:to_server,established; http_uri; content:"/crystalimagehandler.aspx",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,2004-0204; reference:url,www.microsoft.com/security/bulletins/200406_crystal.mspx; classtype:web-application-activity; sid:2581; rev:11; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"OS-WINDOWS SAP Crystal Reports crystalImageHandler.asp directory traversal attempt"; flow:to_server,established; http_uri; content:"/crystalimagehandler",fast_pattern,nocase; content:"dynamicimage=../",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,10260; reference:cve,2004-0204; reference:nessus,12271; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-017; classtype:web-application-attack; sid:2582; rev:18; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 ( msg:"SERVER-OTHER CVS Max-dotdot integer overflow attempt"; flow:to_server,established; content:"Max-dotdot",fast_pattern,nocase; pcre:"/^Max-dotdot[\s\r\n]*\d{3,}/ims"; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,10499; reference:cve,2004-0417; classtype:misc-attack; sid:2583; rev:9; )
alert tcp $EXTERNAL_NET 6666:6669 -> $HOME_NET any ( msg:"SERVER-OTHER eMule buffer overflow attempt"; flow:to_client,established; content:"PRIVMSG",fast_pattern,nocase; pcre:"/^PRIVMSG\s+[^\s]+\s+\x3a\s*\x01SENDLINK\x7c[^\x7c]{69}/ims"; metadata:ruleset community; reference:bugtraq,10039; reference:cve,2004-1892; reference:nessus,12233; classtype:attempted-user; sid:2584; rev:10; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP nessus 2.x 404 probe"; flow:to_server,established; http_uri; content:"/NessusTest",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,10386; classtype:attempted-recon; sid:2585; rev:9; )
alert tcp $HOME_NET 4711 -> $EXTERNAL_NET any ( msg:"PUA-P2P eDonkey server response"; flow:to_client,established; content:"Server|3A| eMule",fast_pattern,nocase; metadata:ruleset community; reference:url,www.emule-project.net; classtype:policy-violation; sid:2587; rev:9; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP TUTOS path disclosure attempt"; flow:to_server,established; http_uri; content:"/note_overview.php"; pkt_data; content:"id="; metadata:ruleset community; service:http; reference:bugtraq,10129; reference:url,www.securiteam.com/unixfocus/5FP0J15CKE.html; classtype:web-application-activity; sid:2588; rev:10; )
alert http any $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows Content-Disposition CLSID command attempt"; flow:to_client,established; http_header; content:"Content-Disposition|3A|",nocase; content:"{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}"; content:"|2E|",within 50,nocase; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,9510; reference:cve,2004-0420; reference:url,docs.microsoft.com/en-us/security-updates/SecurityBulletins/2004/ms04-024; classtype:attempted-user; gid:1; sid:2589; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Samba SWAT Authorization overflow attempt"; flow:to_server,established; http_header; content:"Authorization|3A|",nocase; content:"Basic",within 50,nocase; pcre:"/^Authorization\x3a(\s*|\s*\r?\n\s+)Basic\s+=/ims"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:bugtraq,10780; reference:cve,2004-0600; classtype:web-application-attack; sid:2597; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Samba SWAT Authorization port 901 overflow attempt"; flow:to_server,established; content:"Authorization|3A| Basic",nocase; pcre:"/^Authorization\x3a(\s*|\s*\r?\n\s+)Basic\s+=/ims"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:bugtraq,10780; reference:cve,2004-0600; classtype:web-application-attack; sid:2598; rev:14; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.add_grouped_column buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_grouped_column",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/is"; metadata:ruleset community; classtype:attempted-user; sid:2599; rev:7; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.drop_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repgroup",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/is"; metadata:ruleset community; classtype:attempted-user; sid:2601; rev:7; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.create_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repgroup",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*fname[\r\n\s]*=>[\r\n\s]*\2|fname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2603; rev:7; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.compare_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.compare_old_values",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*operation[\r\n\s]*=>[\r\n\s]*\2|operation\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck91.html; classtype:attempted-user; sid:2605; rev:7; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.comment_on_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repobject",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2606; rev:7; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sysdbms_repcat_rgt.check_ddl_text buffer overflow attempt"; flow:to_server,established; content:"sysdbms_repcat_rgt.check_ddl_text",nocase; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/is"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2608; rev:7; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.cancel_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.cancel_statistics",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/is"; metadata:ruleset community; classtype:attempted-user; sid:2609; rev:7; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE LINK metadata buffer overflow attempt"; flow:to_server,established; content:"CREATE",nocase; content:"DATABASE",nocase; content:"LINK",nocase; pcre:"/USING\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rims"; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,12296; reference:bugtraq,7453; reference:cve,2003-0222; reference:cve,2005-0297; reference:nessus,11563; reference:url,archives.neohapsis.com/archives/bugtraq/2003-04/0360.html; classtype:attempted-user; sid:2611; rev:12; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_auth.revoke_surrogate_repcat",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2612; rev:5; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE time_zone buffer overflow attempt"; flow:to_server,established; content:"TIME_ZONE",nocase; pcre:"/TIME_ZONE\s*=\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/ims"; metadata:ruleset community; reference:bugtraq,9587; reference:cve,2003-1208; reference:nessus,12047; reference:url,www.nextgenss.com/advisories/ora_time_zone.txt; classtype:attempted-user; sid:2614; rev:6; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_auth.grant_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_auth.grant_surrogate_repcat",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2615; rev:5; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat.alter_mview_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat.alter_mview_propagation",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2617; rev:5; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.alter_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_repobject",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2619; rev:5; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat_sna_utl.register_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_sna_utl.register_flavor_change",nocase; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/is"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2621; rev:5; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat_admin.unregister_user_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.unregister_user_repgroup",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2624; rev:5; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.send_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.send_old_values",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*operation[\r\n\s]*=>[\r\n\s]*\2|operation\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck91.html; classtype:attempted-user; sid:2626; rev:5; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.repcat_import_check",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2627; rev:5; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat_admin.register_user_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.register_user_repgroup",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2629; rev:5; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_rectifier_diff.rectify buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_rectifier_diff.rectify",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname1[\r\n\s]*=>[\r\n\s]*\2|sname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2633; rev:7; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.drop_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repobject",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2637; rev:5; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.drop_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repgroup",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2639; rev:5; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat_instantiate.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.drop_site_instantiation",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/is"; metadata:ruleset community; classtype:attempted-user; sid:2641; rev:6; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_fla.ensure_not_published buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.ensure_not_published",nocase; pcre:"/\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/is"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck96.html; classtype:attempted-user; sid:2643; rev:5; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE from_tz buffer overflow attempt"; flow:to_server,established; content:"FROM_TZ",nocase; pcre:"/\(\s*TIMESTAMP\s*(\s*(\x27[^\x27]+'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rims"; metadata:ruleset community; reference:url,www.nextgenss.com/advisories/ora_from_tz.txt; classtype:attempted-user; sid:2644; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat_instantiate.instantiate_offline buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_offline",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/is"; metadata:ruleset community; classtype:attempted-user; sid:2645; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $ORACLE_PORTS ( msg:"SERVER-ORACLE Oracle 9i TNS Listener SERVICE_NAME Remote Buffer Overflow attempt"; flow:to_server,established; content:"connect_data",nocase; content:"|28|service_name=",nocase; isdataat:1000,relative; content:!"|29|",within 1000; metadata:policy max-detect-ips drop,ruleset community; reference:cve,2002-0965; classtype:attempted-user; sid:2649; rev:8; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE user name buffer overflow attempt"; flow:to_server,established; content:"connect_data",nocase; content:"|28|user=",nocase; isdataat:1000,relative; content:!"|29|",within 1000; metadata:ruleset community; reference:bugtraq,6849; reference:cve,2003-0095; reference:url,otn.oracle.com/deploy/security/pdf/2003alert51.pdf; reference:url,www.appsecinc.com/Policy/PolicyCheck62.html; classtype:attempted-user; sid:2650; rev:6; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE NUMTODSINTERVAL/NUMTOYMINTERVAL buffer overflow attempt"; flow:to_server,established; content:"NUMTO",nocase; content:"INTERVAL",distance 2,nocase; pcre:"/NUMTO(DS|YM)INTERVAL\s*\(\s*\d+\s*,\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/ims"; metadata:ruleset community; reference:bugtraq,9587; reference:cve,2003-1208; reference:url,www.nextgenss.com/advisories/ora_numtodsinterval.txt; reference:url,www.nextgenss.com/advisories/ora_numtoyminterval.txt; classtype:attempted-user; sid:2651; rev:6; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_offline_og.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2652; rev:6; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP PHPNuke Forum viewtopic SQL insertion attempt"; flow:to_server,established; http_uri; content:"/modules.php",nocase; pkt_data; content:"name=Forums"; content:"file=viewtopic",fast_pattern,nocase; pcre:"/forum=.*'/"; metadata:ruleset community; service:http; reference:bugtraq,7193; classtype:web-application-attack; sid:2654; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"SERVER-OTHER HP Web JetAdmin ExecuteFile admin access"; flow:to_server,established; content:"/plugins/framework/script/content.hts",fast_pattern,nocase; content:"ExecuteFile",nocase; metadata:ruleset community; reference:bugtraq,10224; classtype:attempted-admin; sid:2655; rev:8; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 ( msg:"SERVER-WEBAPP SSLv2 Client_Hello Challenge Length overflow attempt"; flow:to_server,established; ssl_version:sslv2; ssl_state:client_hello; content:"|01 00 02|",depth 3,offset 2; byte_test:1,>,127,0; byte_test:2,>,32,9; metadata:policy max-detect-ips drop,ruleset community; service:ssl; reference:bugtraq,11015; reference:cve,2004-0826; classtype:attempted-admin; sid:2656; rev:22; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 ( msg:"SERVER-WEBAPP SSLv2 Client_Hello with pad Challenge Length overflow attempt"; flow:to_server,established; ssl_version:sslv2; ssl_state:client_hello; content:"|01 00 02|",depth 3,offset 2; byte_test:2,>,32,9; metadata:policy max-detect-ips drop,ruleset community; service:ssl; classtype:attempted-admin; sid:2657; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Ipswitch WhatsUpGold instancename overflow attempt"; flow:to_server,established; http_uri; content:"/_maincfgret.cgi",fast_pattern,nocase; content:"instancename=",nocase; isdataat:513,relative; pcre:"/instancename=[^&\x3b\r\n]{513}/ims"; metadata:ruleset community; service:http; reference:bugtraq,11043; reference:cve,2004-0798; classtype:web-application-attack; sid:2663; rev:16; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP login format string attempt"; flow:to_server,established; content:"LOGIN",fast_pattern,nocase; pcre:"/\sLOGIN\s[^\n]*?%/ims"; metadata:ruleset community; service:imap; reference:bugtraq,10976; reference:cve,2004-0777; classtype:attempted-admin; sid:2664; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP login literal format string attempt"; flow:to_server,established; content:"LOGIN",fast_pattern,nocase; pcre:"/\sLOGIN\s\w+\s\{\d+\}[\r]?\n[^\n]*?%/ims"; metadata:policy max-detect-ips drop,ruleset community; service:imap; reference:bugtraq,10976; reference:cve,2007-0221; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-026; classtype:attempted-admin; sid:2665; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( msg:"PROTOCOL-POP PASS format string attempt"; flow:to_server,established; content:"PASS",fast_pattern,nocase; pcre:"/^PASS\s+[^\n]*?%/ims"; metadata:ruleset community; service:pop3; reference:bugtraq,10976; reference:cve,2004-0777; classtype:attempted-admin; sid:2666; rev:9; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS ping.asp access"; flow:to_server,established; http_uri; content:"/ping.asp",nocase; metadata:ruleset community; service:http; reference:nessus,10968; classtype:web-application-activity; sid:2667; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP processit access"; flow:to_server,established; http_uri; content:"/processit.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,10649; classtype:web-application-activity; sid:2668; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ibillpm.pl access"; flow:to_server,established; http_uri; content:"/ibillpm.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3476; reference:cve,2001-0839; reference:nessus,11083; classtype:web-application-activity; sid:2669; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP pgpmail.pl access"; flow:to_server,established; http_uri; content:"/pgpmail.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3605; reference:cve,2001-0937; reference:nessus,11070; classtype:web-application-activity; sid:2670; rev:10; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer bitmap BitmapOffset integer overflow attempt"; flow:to_client,established; flowbits:isset,file.bmp; file_data; content:"BM"; byte_test:4,>,2147480000,8,relative,little; metadata:ruleset community; service:ftp-data,http,imap,pop3; reference:bugtraq,9663; reference:cve,2004-0566; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-025; classtype:attempted-user; sid:2671; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP sresult.exe access"; flow:to_server,established; http_uri; content:"/sresult.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,10837; reference:cve,2004-2528; reference:nessus,14186; classtype:web-application-activity; sid:2672; rev:10; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE libpng tRNS overflow attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR",within 4,distance 4; content:"tRNS",distance 0; byte_test:4,>,256,-8,relative,big; pcre:"/IHDR(?!.*?PLTE).*?tRNS/s"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:bugtraq,10872; reference:cve,2004-0597; classtype:attempted-user; sid:2673; rev:13; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.add_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_delete_resolution",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/is"; metadata:ruleset community; classtype:attempted-user; sid:2674; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat_rgt.instantiate_offline buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.instantiate_offline",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/is"; metadata:ruleset community; classtype:attempted-user; sid:2675; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat_rgt.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.instantiate_online",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/is"; metadata:ruleset community; classtype:attempted-user; sid:2677; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE ctx_output.start_log buffer overflow attempt"; flow:to_server,established; content:"ctx_output.start_log",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*logfile[\r\n\s]*=>[\r\n\s]*\2|logfile\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/is"; metadata:ruleset community; classtype:attempted-user; sid:2678; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_system.ksdwrt buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_system.ksdwrt",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*tst[\r\n\s]*=>[\r\n\s]*\2|tst\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*\d+\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/is"; metadata:ruleset community; classtype:attempted-user; sid:2679; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE ctxsys.driddlr.subindexpopulate buffer overflow attempt"; flow:to_server,established; content:"ctxsys.driddlr.subindexpopulate",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*logfile[\r\n\s]*=>[\r\n\s]*\2|logfile\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\d+\s*,\s*){3}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/is"; metadata:ruleset community; classtype:attempted-user; sid:2680; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE mdsys.sdo_admin.sdo_code_size buffer overflow attempt"; flow:to_server,established; content:"mdsys.sdo_admin.sdo_code_size",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/is"; metadata:ruleset community; classtype:attempted-user; sid:2681; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE mdsys.md2.validate_geom buffer overflow attempt"; flow:to_server,established; content:"mdsys.md2.validate_geom",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{128,}\x27|\x22[^\x22]{128,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{128,}|\x22[^\x22]{128,})|\(\s*(\x27[^\x27]{128,}|\x22[^\x22]{128,}))/is"; metadata:ruleset community; classtype:attempted-user; sid:2682; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE mdsys.md2.sdo_code_size buffer overflow attempt"; flow:to_server,established; content:"mdsys.md2.sdo_code_size",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{512,}\x27|\x22[^\x22]{512,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,})|\(\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,}))/is"; metadata:ruleset community; classtype:attempted-user; sid:2683; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.ltutil.pushdeferredtxns buffer overflow attempt"; flow:to_server,established; content:"sys.ltutil.pushdeferredtxns",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{512,}\x27|\x22[^\x22]{512,}\x22)[\r\n\s]*\x3b.*repgrpname[\r\n\s]*=>[\r\n\s]*\2|repgrpname\s*=>\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,})|\(\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,}))/is"; metadata:ruleset community; classtype:attempted-user; sid:2684; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_rq.add_column buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_rq.add_column",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*SCHEMA_NAME[\r\n\s]*=>[\r\n\s]*\2|SCHEMA_NAME\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/is"; metadata:ruleset community; classtype:attempted-user; sid:2685; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_rectifier_diff.differences buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_rectifier_diff.differences",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname1[\r\n\s]*=>[\r\n\s]*\2|sname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]*\x22)\s*,\s*){9}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/is"; metadata:ruleset community; reference:bugtraq,10871; reference:cve,2004-1362; reference:cve,2004-1363; reference:cve,2004-1364; reference:cve,2004-1365; reference:cve,2004-1366; reference:cve,2004-1368; reference:cve,2004-1369; reference:cve,2004-1370; reference:cve,2004-1371; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2686; rev:9; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_internal_repcat.validate buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.validate",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/is"; metadata:ruleset community; classtype:attempted-user; sid:2687; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_internal_repcat.enable_receiver_trace buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.enable_receiver_trace",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/is"; metadata:ruleset community; classtype:attempted-user; sid:2688; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_internal_repcat.disable_receiver_trace buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.disable_receiver_trace",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/is"; metadata:ruleset community; classtype:attempted-user; sid:2689; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_defer_repcat.enable_propagation_to_dblink buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_defer_repcat.enable_propagation_to_dblink",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*dblink[\r\n\s]*=>[\r\n\s]*\2|dblink\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/is"; metadata:ruleset community; classtype:attempted-user; sid:2690; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_defer_internal_sys.parallel_push_recovery buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_defer_internal_sys.parallel_push_recovery",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*destination[\r\n\s]*=>[\r\n\s]*\2|destination\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/is"; metadata:ruleset community; classtype:attempted-user; sid:2691; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_aqadm_sys.verify_queue_types buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm_sys.verify_queue_types",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/is"; metadata:ruleset community; classtype:attempted-user; sid:2692; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_aqadm.verify_queue_types_no_queue buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm.verify_queue_types_no_queue",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/is"; metadata:ruleset community; classtype:attempted-user; sid:2693; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_aqadm.verify_queue_types_get_nrp buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm.verify_queue_types_get_nrp",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/is"; metadata:ruleset community; classtype:attempted-user; sid:2694; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_aq_import_internal.aq_table_defn_update buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aq_import_internal.aq_table_defn_update",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*qt_name[\r\n\s]*=>[\r\n\s]*\2|qt_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/is"; metadata:ruleset community; classtype:attempted-user; sid:2695; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_utl.is_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl.is_master",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*CANON_GNAME[\r\n\s]*=>[\r\n\s]*\2|CANON_GNAME\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/is"; metadata:ruleset community; classtype:attempted-user; sid:2696; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE alter file buffer overflow attempt"; flow:to_server,established; content:"alter",nocase; pcre:"/ALTER\s.*?FILE\s+((AS|MEMBER|TO)\s+)?(\x27[^\x27]{512}|\x22[^\x22]{512})/ims"; metadata:ruleset community; classtype:attempted-user; sid:2697; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE create file buffer overflow attempt"; flow:to_server,established; content:"create",nocase; pcre:"/CREATE\s.*?FILE\s+((AS|MEMBER|TO)\s+)?(\x27[^\x27]{512}|\x22[^\x22]{512})/ims"; metadata:ruleset community; classtype:attempted-user; sid:2698; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE TO_CHAR buffer overflow attempt"; flow:to_server,established; content:"TO_CHAR",nocase; pcre:"/TO_CHAR\s*\(\s*SYSTIMESTAMP\s*,\s*(\x27[^\x27]{256}|\x22[^\x22]{256})/ims"; metadata:ruleset community; reference:bugtraq,10871; reference:cve,2004-1364; classtype:attempted-user; sid:2699; rev:5; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle iSQLPlus sid overflow attempt"; flow:to_server,established; http_uri; content:"/isqlplus",nocase; pkt_data; pcre:"/sid=[^&\x3b\r\n]{255}/is"; metadata:ruleset community; service:http; reference:bugtraq,10871; reference:cve,2004-1362; reference:cve,2004-1363; reference:cve,2004-1364; reference:cve,2004-1365; reference:cve,2004-1366; reference:cve,2004-1368; reference:cve,2004-1369; reference:cve,2004-1370; reference:cve,2004-1371; reference:url,www.nextgenss.com/advisories/ora-isqlplus.txt; classtype:web-application-attack; sid:2701; rev:11; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle iSQLPlus username overflow attempt"; flow:to_server,established; http_uri; content:"/isqlplus",nocase; pkt_data; pcre:"/username=[^&\x3b\r\n]{255}/is"; metadata:ruleset community; service:http; reference:bugtraq,10871; reference:cve,2004-1362; reference:cve,2004-1363; reference:cve,2004-1364; reference:cve,2004-1365; reference:cve,2004-1366; reference:cve,2004-1368; reference:cve,2004-1369; reference:cve,2004-1370; reference:cve,2004-1371; reference:url,www.nextgenss.com/advisories/ora-isqlplus.txt; classtype:web-application-attack; sid:2702; rev:11; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle iSQLPlus login.uix username overflow attempt"; flow:to_server,established; http_uri; content:"/login.uix",nocase; pkt_data; pcre:"/username=[^&\x3b\r\n]{250}/ims"; metadata:ruleset community; service:http; reference:bugtraq,10871; reference:cve,2004-1362; reference:cve,2004-1363; reference:cve,2004-1364; reference:cve,2004-1365; reference:cve,2004-1366; reference:cve,2004-1368; reference:cve,2004-1369; reference:cve,2004-1370; reference:cve,2004-1371; reference:url,www.nextgenss.com/advisories/ora-isqlplus.txt; classtype:web-application-attack; sid:2703; rev:11; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle 10g iSQLPlus login.unix connectID overflow attempt"; flow:to_server,established; http_uri; content:"/login.uix",nocase; pkt_data; content:"connectID=",nocase; isdataat:255,relative; pcre:"/connectID=[^&\x3b\r\n]{255}/ims"; metadata:ruleset community; service:http; reference:bugtraq,10871; reference:cve,2004-1362; reference:cve,2004-1363; reference:cve,2004-1364; reference:cve,2004-1365; reference:cve,2004-1366; reference:cve,2004-1368; reference:cve,2004-1369; reference:cve,2004-1370; reference:cve,2004-1371; reference:url,www.nextgenss.com/advisories/ora-isqlplus.txt; classtype:web-application-attack; sid:2704; rev:12; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Microsoft Multiple Products JPEG parser heap overflow attempt"; flow:to_client,established; http_header; content:"Content-Type",nocase; content:"image/",nocase; pcre:"/^Content-Type\x3A\s*image\x2F/ims"; file_data; content:"|FF D8|",within 2,fast_pattern; pcre:"/^.{0,100}\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/Rs"; metadata:ruleset community; service:http; reference:bugtraq,11173; reference:cve,2004-0200; reference:url,www.microsoft.com/security/bulletins/200409_jpeg.mspx; classtype:attempted-user; sid:2705; rev:18; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE JPEG parser multipacket heap overflow attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|00 48 00 00 FF|",fast_pattern,nocase; pcre:"/\x00\x48\x00\x00\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/"; metadata:ruleset community; service:ftp-data,http,imap,pop3; reference:bugtraq,11173; reference:cve,2004-0200; reference:cve,2017-16392; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-028; classtype:attempted-admin; sid:2707; rev:14; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_offline_og.begin_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_flavor_change",nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2708; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_offline_og.begin_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_instantiation",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2709; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_offline_og.end_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_flavor_change",nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2711; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_offline_og.end_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_instantiation",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2712; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_offline_og.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_load",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2713; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_offline_og.resume_subset_of_masters buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.resume_subset_of_masters",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2714; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_offline_snapshot.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.begin_load",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2715; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_offline_snapshot.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2716; rev:5; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_rectifier_diff.differences buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff.differences",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(missing_rows_oname1|missing_rows_oname2)[\r\n\s]*=>[\r\n\s]*\2|(missing_rows_oname1|missing_rows_oname2)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){10}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2717; rev:5; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_rectifier_diff.rectify buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff.rectify",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(missing_rows_oname1|missing_rows_oname2)[\r\n\s]*=>[\r\n\s]*\2|(missing_rows_oname1|missing_rows_oname2)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){8}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2718; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.abort_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.abort_flavor_definition",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2719; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.add_column_group_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_column_group_to_flavor",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2720; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.add_columns_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_columns_to_flavor",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2721; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.add_object_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_object_to_flavor",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2722; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.add_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_char",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2723; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.add_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_date",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2724; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.add_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_nchar",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2725; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.add_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_number",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2726; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.add_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_nvarchar2",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2727; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.add_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_raw",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2728; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.add_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_varchar2",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2729; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.add_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_site_priority_site",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2730; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.add_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_unique_resolution",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2731; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.add_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_update_resolution",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2732; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.alter_master_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_propagation",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2733; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.alter_mview_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_mview_propagation",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2734; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.alter_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_char",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2735; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.alter_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_date",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2736; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.alter_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_nchar",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2737; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.alter_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_number",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2738; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.alter_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_nvarchar2",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2739; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.alter_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_raw",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2740; rev:6; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.alter_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2741; rev:6; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.alter_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_varchar2",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2742; rev:6; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.alter_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_site_priority_site",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2743; rev:6; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.alter_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_site_priority",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2744; rev:6; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_snapshot_propagation",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2745; rev:6; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.revoke_surrogate_repcat",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2746; rev:6; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.begin_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.begin_flavor_definition",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2747; rev:6; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.comment_on_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_column_group",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2748; rev:6; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.comment_on_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_delete_resolution",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2749; rev:6; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.comment_on_mview_repsites buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_mview_repsites",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gowner|gname)[\r\n\s]*=>[\r\n\s]*\2|(gowner|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2750; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.comment_on_priority_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_priority_group",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2751; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.comment_on_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repgroup",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2752; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.comment_on_repsites buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repsites",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2753; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.comment_on_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_site_priority",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2754; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.comment_on_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_unique_resolution",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2755; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.comment_on_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_update_resolution",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2756; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.create_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_master_repgroup",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2757; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.create_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_master_repobject",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2758; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_snapshot_repgroup",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2759; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.define_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_column_group",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2760; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.define_priority_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_priority_group",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2761; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.define_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_site_priority",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2762; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.do_deferred_repcat_admin buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.do_deferred_repcat_admin",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2763; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.drop_column_group_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_column_group_from_flavor",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2764; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.drop_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_column_group",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2765; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.drop_columns_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_columns_from_flavor",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2766; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.drop_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_delete_resolution",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2767; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.drop_grouped_column buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_grouped_column",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2768; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.drop_mview_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repobject",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2769; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.drop_object_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_object_from_flavor",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2770; rev:6; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.drop_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_char",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2771; rev:6; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.drop_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_date",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2772; rev:6; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.drop_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_nchar",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2773; rev:6; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.drop_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_number",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2774; rev:6; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.drop_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_nvarchar2",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2775; rev:6; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.drop_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_raw",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2776; rev:6; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.drop_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2777; rev:6; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.drop_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_varchar2",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2778; rev:6; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.drop_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_site_priority_site",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2779; rev:6; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.drop_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_site_priority",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2780; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_snapshot_repgroup",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2781; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_snapshot_repobject",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2782; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.drop_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_unique_resolution",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2783; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.drop_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_update_resolution",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2784; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.execute_ddl buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.execute_ddl",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2785; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.generate_replication_package buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_package",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2786; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat_instantiate.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_online",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2787; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.make_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.make_column_group",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2788; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.obsolete_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.obsolete_flavor_definition",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2789; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.publish_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.publish_flavor_definition",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2790; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.purge_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_flavor_definition",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2791; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.purge_master_log buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_master_log",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2792; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.purge_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_statistics",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2793; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.refresh_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2794; rev:5; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_snapshot_repgroup",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2795; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.register_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_mview_repgroup",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2796; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_snapshot_repgroup",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2797; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.register_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_statistics",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2798; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.relocate_masterdef buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.relocate_masterdef",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2799; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.rename_shadow_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.rename_shadow_column_group",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2800; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.resume_master_activity buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.resume_master_activity",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2801; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat_rgt.check_ddl_text buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.check_ddl_text",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(object_type|user_name)[\r\n\s]*=>[\r\n\s]*\2|(object_type|user_name)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2802; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.drop_site_instantiation",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(refresh_template_name|user_name)[\r\n\s]*=>[\r\n\s]*\2|(refresh_template_name|user_name)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2803; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.send_and_compare_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.send_and_compare_old_values",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2804; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.set_columns buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.set_columns",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2805; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.set_local_flavor",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2806; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.specify_new_masters buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.specify_new_masters",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2807; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.suspend_master_activity buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.suspend_master_activity",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2808; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.unregister_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.unregister_mview_repgroup",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2809; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.unregister_snapshot_repgroup",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2810; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.validate_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.validate_flavor_definition",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2811; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.validate_for_local_flavor",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2812; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_fla.abort_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.abort_flavor_definition",nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2813; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_fla.add_object_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.add_object_to_flavor",nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2814; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_fla.begin_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.begin_flavor_definition",nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2815; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_fla.drop_object_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.drop_object_from_flavor",nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2816; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_fla_mas.add_column_group_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.add_column_group_to_flavor",nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2817; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_fla_mas.add_columns_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.add_columns_to_flavor",nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2818; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_fla_mas.drop_column_group_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.drop_column_group_from_flavor",nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2819; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_fla_mas.drop_columns_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.drop_columns_from_flavor",nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2820; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_fla_mas.obsolete_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.obsolete_flavor_definition",nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2821; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_fla_mas.publish_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.publish_flavor_definition",nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2822; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_fla_mas.purge_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.purge_flavor_definition",nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2823; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_fla.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.set_local_flavor",nocase; pcre:"/(\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2824; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_fla.validate_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.validate_flavor_definition",nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2825; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_fla.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.validate_for_local_flavor",nocase; pcre:"/(\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2826; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_mas.alter_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.alter_master_repobject",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2827; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_mas.comment_on_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.comment_on_repgroup",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2828; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_mas.comment_on_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.comment_on_repobject",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2829; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_mas.create_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.create_master_repgroup",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2830; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_mas.create_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.create_master_repobject",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2831; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_mas.do_deferred_repcat_admin buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.do_deferred_repcat_admin",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2832; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_mas.drop_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.drop_master_repgroup",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2833; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_mas.generate_replication_package buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.generate_replication_package",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2834; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_mas.purge_master_log buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.purge_master_log",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2835; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_mas.relocate_masterdef buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.relocate_masterdef",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2836; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_mas.rename_shadow_column_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.rename_shadow_column_group",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2837; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_mas.resume_master_activity buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.resume_master_activity",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2838; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_mas.suspend_master_activity buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.suspend_master_activity",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2839; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_sna_utl.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.alter_snapshot_propagation",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2840; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.create_snapshot_repgroup",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2841; rev:5; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_sna_utl.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.drop_snapshot_repgroup",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2842; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_sna_utl.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.drop_snapshot_repobject",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2843; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2844; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_sna_utl.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.register_snapshot_repgroup",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2845; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_sna_utl.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.repcat_import_check",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2846; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2847; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_utl4.drop_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl4.drop_master_repobject",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2848; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_utl.drop_an_object buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl.drop_an_object",nocase; pcre:"/(\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2849; rev:5; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.create_mview_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repobject",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){7}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2850; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.create_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_snapshot_repobject",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2851; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.generate_mview_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_mview_support",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2852; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.generate_replication_trigger buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_trigger",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|gname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2853; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.generate_snapshot_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_snapshot_support",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2854; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.remove_master_databases buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.remove_master_databases",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2855; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.switch_mview_master buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.switch_mview_master",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2856; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE dbms_repcat.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.switch_snapshot_master",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1073,}\x27|\x22[^\x22]{1073,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1073,}|\x22[^\x22]{1073,})|\(\s*(\x27[^\x27]{1073,}|\x22[^\x22]{1073,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2857; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_conf.add_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_delete_resolution",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2858; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_conf.add_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_char",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2859; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_conf.add_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_date",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2860; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_conf.add_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_nchar",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2861; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_conf.add_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_number",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2862; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_conf.add_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_nvarchar2",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2863; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_conf.add_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_raw",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2864; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_conf.add_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_varchar2",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2865; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_conf.add_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_site_priority_site",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2866; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_conf.add_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_unique_resolution",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2867; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_conf.add_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_update_resolution",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2868; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_conf.alter_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_char",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2869; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_conf.alter_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_date",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2870; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_conf.alter_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_nchar",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2871; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_conf.alter_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_number",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2872; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_conf.alter_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_nvarchar2",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2873; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_conf.alter_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_raw",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2874; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_conf.alter_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2875; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_conf.alter_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_varchar2",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2876; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_conf.alter_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_site_priority_site",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2877; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_conf.alter_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_site_priority",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2878; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_conf.cancel_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.cancel_statistics",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2879; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_conf.comment_on_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_delete_resolution",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2880; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_conf.comment_on_priority_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_priority_group",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2881; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_conf.comment_on_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_site_priority",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2882; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_conf.comment_on_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_unique_resolution",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2883; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_conf.comment_on_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_update_resolution",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2884; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_conf.define_priority_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.define_priority_group",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2885; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_conf.define_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.define_site_priority",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2886; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_delete_resolution",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2887; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_char",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2888; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_date",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2889; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_nchar",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2890; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_number",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2891; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_nvarchar2",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2892; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_raw",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2893; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2894; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_varchar2",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2895; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_site_priority_site",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2896; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_site_priority",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2897; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_unique_resolution",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2898; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_update_resolution",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2899; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_conf.purge_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.purge_statistics",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2900; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_conf.register_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.register_statistics",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2901; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_sna.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.alter_snapshot_propagation",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2902; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_sna.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repgroup",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2903; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_sna.create_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repobject",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){7}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2904; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_sna.create_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repschema",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2905; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_sna.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repgroup",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2906; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_sna.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repobject",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2907; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_sna.drop_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repschema",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2908; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_sna.generate_snapshot_support buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.generate_snapshot_support",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2909; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_sna.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.refresh_snapshot_repgroup",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2910; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_sna.refresh_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.refresh_snapshot_repschema",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2911; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_sna.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.register_snapshot_repgroup",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2912; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_sna.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.repcat_import_check",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2913; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_sna.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.set_local_flavor",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2914; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_sna.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.switch_snapshot_master",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2915; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_sna.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.unregister_snapshot_repgroup",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2916; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_sna_utl.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.switch_snapshot_master",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2917; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_sna.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.validate_for_local_flavor",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2918; rev:4; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS ( msg:"SERVER-ORACLE sys.dbms_repcat_untrusted.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_untrusted.register_snapshot_repgroup",nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/is"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2919; rev:4; )
alert udp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"PROTOCOL-DNS UDP inverse query"; flow:to_server; byte_test:1,<,16,2; byte_test:1,&,8,2; metadata:policy max-detect-ips drop,ruleset community; service:dns; reference:bugtraq,2321; reference:cve,2001-0012; reference:nessus,10605; classtype:attempted-recon; sid:2921; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"PROTOCOL-DNS TCP inverse query"; flow:to_server,established; byte_test:1,<,16,4; byte_test:1,&,8,4; metadata:policy max-detect-ips drop,ruleset community; service:dns; reference:bugtraq,2321; reference:cve,2001-0012; reference:nessus,10605; classtype:attempted-recon; sid:2922; rev:12; )
alert tcp $HOME_NET 139 -> $EXTERNAL_NET any ( msg:"NETBIOS SMB repeated logon failure"; flow:to_client,established,no_stream; content:"|FF|SMBs",depth 5,offset 4; content:"m|00 00 C0|",within 4; detection_filter:track by_dst,count 10,seconds 60; metadata:ruleset community; classtype:unsuccessful-user; sid:2923; rev:14; )
alert tcp $HOME_NET 445 -> $EXTERNAL_NET any ( msg:"NETBIOS SMB-DS repeated logon failure"; flow:to_client,established,no_stream; content:"|FF|SMBs",depth 5,offset 4; content:"m|00 00 C0|",within 4; detection_filter:track by_dst,count 10,seconds 60; metadata:ruleset community; service:netbios-ssn; classtype:unsuccessful-user; sid:2924; rev:9; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP PhpGedView PGV base directory manipulation"; flow:to_server,established; http_uri; content:"_conf.php",nocase; pkt_data; content:"PGV_BASE_DIRECTORY",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,9368; reference:cve,2004-0030; classtype:web-application-attack; sid:2926; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 119 ( msg:"OS-WINDOWS Microsoft Windows XPAT pattern overflow attempt"; flow:to_server,established; content:"PAT|20|",depth 5,nocase; isdataat:160,relative; pcre:"/^X?PAT\s+[^\n]{160}/i"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:cve,2004-0574; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-036; classtype:attempted-admin; sid:2927; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] ( msg:"OS-WINDOWS DCERPC NCACN-IP-TCP nddeapi NDdeSetTrustedShareW overflow attempt"; flow:to_server,established; dce_iface:uuid 2f5f3220-c126-1076-b549-074d078619da; dce_opnum:"12"; dce_stub_data; isdataat:256; content:!"|00|",depth 256,offset 12; metadata:ruleset community; service:netbios-ssn; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:2936; rev:18; )
alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] ( msg:"NETBIOS DCERPC NCACN-IP-TCP winreg InitiateSystemShutdown attempt"; flow:to_server,established; dce_iface:uuid 338cd001-2244-31f1-aaaa-900038001003; dce_opnum:"24"; metadata:ruleset community; service:netbios-ssn; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:2942; rev:14; )
alert udp $EXTERNAL_NET 7808 -> $HOME_NET any ( msg:"SERVER-OTHER Volition Freespace 2 buffer overflow attempt"; flow:to_client; content:"|00 E1|..|B4 00 00 00|",depth 8; isdataat:160,relative; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,9785; classtype:misc-attack; sid:3006; rev:7; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP command overflow attempt"; flow:to_server,established; content:"LOGIN"; isdataat:100,relative; pcre:"/\s(APPEND|CHECK|CLOSE|CREATE|DELETE|EXAMINE|EXPUNGE|FETCH|LIST|RENAME|SEARCH|SELECT|STATUS|SUBSCRIBE|UNSUBSCRIBE)\s[^\n]{100}/ims"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:imap; reference:bugtraq,11675; reference:bugtraq,11775; reference:bugtraq,15006; reference:bugtraq,15753; reference:cve,2004-1211; reference:cve,2005-0707; reference:cve,2005-1520; reference:cve,2005-2923; reference:cve,2005-3155; reference:nessus,15771; classtype:misc-attack; sid:3007; rev:22; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP delete literal overflow attempt"; flow:to_server,established; content:"DELETE",fast_pattern,nocase; pcre:"/\sDELETE\s[^\n]*?\{/ims"; byte_test:5,>,100,0,relative,string,dec; metadata:ruleset community; service:imap; reference:bugtraq,11675; reference:cve,2005-1520; reference:nessus,15771; classtype:misc-attack; sid:3008; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 20034 ( msg:"MALWARE-BACKDOOR NetBus Pro 2.0 connection request"; flow:to_server,established; content:"BN |00 02 00|",depth 6; content:"|05 00|",depth 2,offset 8; flowbits:set,backdoor.netbus_2.connect; flowbits:noalert; metadata:ruleset community; classtype:misc-activity; sid:3009; rev:8; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 22222 ( msg:"MALWARE-CNC RUX the Tick get windows directory"; flow:to_server,established; content:"WINDIR",depth 6; metadata:ruleset community; classtype:misc-activity; sid:3010; rev:6; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 22222 ( msg:"MALWARE-CNC RUX the Tick get system directory"; flow:to_server,established; content:"SYSDIR",depth 6; metadata:ruleset community; classtype:misc-activity; sid:3011; rev:6; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 22222 ( msg:"MALWARE-CNC RUX the Tick upload/execute arbitrary file"; flow:to_server,established; content:"ABCJZDATEIV",depth 11; metadata:ruleset community; classtype:misc-activity; sid:3012; rev:6; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 23432 ( msg:"MALWARE-CNC Asylum 0.1 connection request"; flow:to_server,established; content:"RQS",depth 3; flowbits:set,backdoor.asylum.connect; flowbits:noalert; metadata:ruleset community; classtype:misc-activity; sid:3013; rev:8; )
alert tcp $HOME_NET 23432 -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Asylum 0.1 connection"; flow:to_client,established; flowbits:isset,backdoor.asylum.connect; content:"GNT",depth 3; metadata:ruleset community; classtype:misc-activity; sid:3014; rev:10; )
alert tcp $HOME_NET 2000 -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Insane Network 4.0 connection"; flow:to_client,established; content:"Insane Network vs 4.0 by Suid Flow|0A 0D|www.blackcode.com|0A 0D|[r00t]|23|",depth 62; metadata:ruleset community; classtype:misc-activity; sid:3015; rev:10; )
alert tcp $HOME_NET 63536 -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Insane Network 4.0 connection port 63536"; flow:to_client,established; content:"Insane Network vs 4.0 by Suid Flow|0A 0D|www.blackcode.com|0A 0D|[r00t]|23|",depth 62; metadata:ruleset community; classtype:misc-activity; sid:3016; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 42 ( msg:"OS-WINDOWS Microsoft Windows WINS overflow attempt"; flow:to_server,established; byte_test:1,&,64,6; byte_test:1,&,32,6; byte_test:1,&,16,6; byte_test:1,&,8,6; pcre:!"/^.{8}(\x05\x37(\x1E[\x90-\xFF]|[\x1F-\x2F].|\x30[\x00-\x70])|\x00\x00\x00[\x00-\x65]|\x02\x68\x05\xC0)/s"; metadata:policy max-detect-ips drop,ruleset community; service:wins; reference:bugtraq,11763; reference:cve,2004-0567; reference:cve,2004-1080; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-045; reference:url,www.immunitysec.com/downloads/instantanea.pdf; classtype:misc-attack; sid:3017; rev:17; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"NETBIOS SMB NT Trans NT CREATE oversized Security Descriptor attempt"; flow:to_server,established; content:"|00|",depth 1; content:"|FF|SMB|A0|",within 5,distance 3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|",within 2,distance 37; byte_jump:4,-15,relative,from_beginning,little; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3018; rev:6; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"NETBIOS SMB NT Trans NT CREATE andx oversized Security Descriptor attempt"; flow:to_server,established; content:"|00|",depth 1; content:"|FF|SMB",within 4,distance 3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/Rs"; byte_test:1,!&,128,6,relative; content:"|A0|",depth 1,offset 39; byte_jump:2,0,relative,little; content:"|01 00|",within 2,distance 37; byte_jump:4,-15,relative,from_beginning,little; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3019; rev:8; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"NETBIOS SMB NT Trans NT CREATE unicode oversized Security Descriptor attempt"; flow:to_server,established; content:"|00|",depth 1; content:"|FF|SMB|A0|",within 5,distance 3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|",within 2,distance 37; byte_jump:4,-15,relative,from_beginning,little; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3020; rev:6; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"NETBIOS SMB NT Trans NT CREATE unicode andx oversized Security Descriptor attempt"; flow:to_server,established; content:"|00|",depth 1; content:"|FF|SMB",within 4,distance 3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/Rs"; byte_test:1,&,128,6,relative; content:"|A0|",depth 1,offset 39; byte_jump:2,0,relative,little; content:"|01 00|",within 2,distance 37; byte_jump:4,-15,relative,from_beginning,little; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3021; rev:8; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"NETBIOS SMB-DS NT Trans NT CREATE oversized Security Descriptor attempt"; flow:to_server,established; content:"|00|",depth 1; content:"|FF|SMB|A0|",within 5,distance 3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|",within 2,distance 37; byte_jump:4,-15,relative,from_beginning,little; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:ruleset community; service:netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3022; rev:7; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"NETBIOS SMB-DS NT Trans NT CREATE andx oversized Security Descriptor attempt"; flow:to_server,established; content:"|00|",depth 1; content:"|FF|SMB",within 4,distance 3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/Rs"; byte_test:1,!&,128,6,relative; content:"|A0|",depth 1,offset 39; byte_jump:2,0,relative,little; content:"|01 00|",within 2,distance 37; byte_jump:4,-15,relative,from_beginning,little; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:ruleset community; service:netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3023; rev:9; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode oversized Security Descriptor attempt"; flow:to_server,established; content:"|00|",depth 1; content:"|FF|SMB|A0|",within 5,distance 3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|",within 2,distance 37; byte_jump:4,-15,relative,from_beginning,little; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:ruleset community; service:netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3024; rev:7; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx oversized Security Descriptor attempt"; flow:to_server,established; content:"|00|",depth 1; content:"|FF|SMB",within 4,distance 3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/Rs"; byte_test:1,&,128,6,relative; content:"|A0|",depth 1,offset 39; byte_jump:2,0,relative,little; content:"|01 00|",within 2,distance 37; byte_jump:4,-15,relative,from_beginning,little; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:ruleset community; service:netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3025; rev:9; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"NETBIOS SMB NT Trans NT CREATE SACL overflow attempt"; flow:to_server,established; content:"|00|",depth 1; content:"|FF|SMB|A0|",within 5,distance 3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|",within 2,distance 37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/R"; content:!"|00 00 00 00|",within 4,distance 12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3026; rev:6; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"NETBIOS SMB NT Trans NT CREATE andx SACL overflow attempt"; flow:to_server,established; content:"|00|",depth 1; content:"|FF|SMB",within 4,distance 3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/Rs"; byte_test:1,!&,128,6,relative; content:"|A0|",depth 1,offset 39; byte_jump:2,0,relative,little; content:"|01 00|",within 2,distance 37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/R"; content:!"|00 00 00 00|",within 4,distance 12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3027; rev:8; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"NETBIOS SMB NT Trans NT CREATE unicode SACL overflow attempt"; flow:to_server,established; content:"|00|",depth 1; content:"|FF|SMB|A0|",within 5,distance 3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|",within 2,distance 37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/R"; content:!"|00 00 00 00|",within 4,distance 12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3028; rev:6; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"NETBIOS SMB NT Trans NT CREATE unicode andx SACL overflow attempt"; flow:to_server,established; content:"|00|",depth 1; content:"|FF|SMB",within 4,distance 3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/Rs"; byte_test:1,&,128,6,relative; content:"|A0|",depth 1,offset 39; byte_jump:2,0,relative,little; content:"|01 00|",within 2,distance 37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/R"; content:!"|00 00 00 00|",within 4,distance 12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3029; rev:8; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"NETBIOS SMB-DS NT Trans NT CREATE SACL overflow attempt"; flow:to_server,established; content:"|00|",depth 1; content:"|FF|SMB|A0|",within 5,distance 3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|",within 2,distance 37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/R"; content:!"|00 00 00 00|",within 4,distance 12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community; service:netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3030; rev:7; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"NETBIOS SMB-DS NT Trans NT CREATE andx SACL overflow attempt"; flow:to_server,established; content:"|00|",depth 1; content:"|FF|SMB",within 4,distance 3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/Rs"; byte_test:1,!&,128,6,relative; content:"|A0|",depth 1,offset 39; byte_jump:2,0,relative,little; content:"|01 00|",within 2,distance 37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/R"; content:!"|00 00 00 00|",within 4,distance 12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community; service:netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3031; rev:9; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode SACL overflow attempt"; flow:to_server,established; content:"|00|",depth 1; content:"|FF|SMB|A0|",within 5,distance 3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|",within 2,distance 37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/R"; content:!"|00 00 00 00|",within 4,distance 12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community; service:netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3032; rev:7; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx SACL overflow attempt"; flow:to_server,established; content:"|00|",depth 1; content:"|FF|SMB",within 4,distance 3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/Rs"; byte_test:1,&,128,6,relative; content:"|A0|",depth 1,offset 39; byte_jump:2,0,relative,little; content:"|01 00|",within 2,distance 37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/R"; content:!"|00 00 00 00|",within 4,distance 12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community; service:netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3033; rev:9; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"NETBIOS SMB NT Trans NT CREATE DACL overflow attempt"; flow:to_server,established; content:"|00|",depth 1; content:"|FF|SMB|A0|",within 5,distance 3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|",within 2,distance 37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/R"; content:!"|00 00 00 00|",within 4,distance 16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3034; rev:6; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"NETBIOS SMB NT Trans NT CREATE andx DACL overflow attempt"; flow:to_server,established; content:"|00|",depth 1; content:"|FF|SMB",within 4,distance 3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/Rs"; byte_test:1,!&,128,6,relative; content:"|A0|",depth 1,offset 39; byte_jump:2,0,relative,little; content:"|01 00|",within 2,distance 37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/R"; content:!"|00 00 00 00|",within 4,distance 16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3035; rev:8; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"NETBIOS SMB NT Trans NT CREATE unicode DACL overflow attempt"; flow:to_server,established; content:"|00|",depth 1; content:"|FF|SMB|A0|",within 5,distance 3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|",within 2,distance 37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/R"; content:!"|00 00 00 00|",within 4,distance 16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3036; rev:6; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"NETBIOS SMB NT Trans NT CREATE unicode andx DACL overflow attempt"; flow:to_server,established; content:"|00|",depth 1; content:"|FF|SMB",within 4,distance 3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/Rs"; byte_test:1,&,128,6,relative; content:"|A0|",depth 1,offset 39; byte_jump:2,0,relative,little; content:"|01 00|",within 2,distance 37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/R"; content:!"|00 00 00 00|",within 4,distance 16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3037; rev:8; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"NETBIOS SMB-DS NT Trans NT CREATE DACL overflow attempt"; flow:to_server,established; content:"|00|",depth 1; content:"|FF|SMB|A0|",within 5,distance 3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|",within 2,distance 37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/R"; content:!"|00 00 00 00|",within 4,distance 16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community; service:netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3038; rev:7; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"NETBIOS SMB-DS NT Trans NT CREATE andx DACL overflow attempt"; flow:to_server,established; content:"|00|",depth 1; content:"|FF|SMB",within 4,distance 3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/Rs"; byte_test:1,!&,128,6,relative; content:"|A0|",depth 1,offset 39; byte_jump:2,0,relative,little; content:"|01 00|",within 2,distance 37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/R"; content:!"|00 00 00 00|",within 4,distance 16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community; service:netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3039; rev:9; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode DACL overflow attempt"; flow:to_server,established; content:"|00|",depth 1; content:"|FF|SMB|A0|",within 5,distance 3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|",within 2,distance 37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/R"; content:!"|00 00 00 00|",within 4,distance 16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community; service:netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3040; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx DACL overflow attempt"; flow:to_server,established; content:"|00|",depth 1; content:"|FF|SMB",within 4,distance 3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/Rs"; byte_test:1,&,128,6,relative; content:"|A0|",depth 1,offset 39; byte_jump:2,0,relative,little; content:"|01 00|",within 2,distance 37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/R"; content:!"|00 00 00 00|",within 4,distance 16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community; service:netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3041; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|",depth 1; content:"|FF|SMB|A0|",within 5,distance 3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|",within 2,distance 37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/R"; content:!"|00 00 00 00|",within 4,distance 12; byte_jump:4,12,relative,little; content:"|00 00|",within 2,distance -10; metadata:ruleset community; classtype:protocol-command-decode; sid:3042; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|",depth 1; content:"|FF|SMB",within 4,distance 3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/Rs"; byte_test:1,!&,128,6,relative; content:"|A0|",depth 1,offset 39; byte_jump:2,0,relative,little; content:"|01 00|",within 2,distance 37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/R"; content:!"|00 00 00 00|",within 4,distance 12; byte_jump:4,12,relative,little; content:"|00 00|",within 2,distance -10; metadata:ruleset community; classtype:protocol-command-decode; sid:3043; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|",depth 1; content:"|FF|SMB|A0|",within 5,distance 3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|",within 2,distance 37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/R"; content:!"|00 00 00 00|",within 4,distance 12; byte_jump:4,12,relative,little; content:"|00 00|",within 2,distance -10; metadata:ruleset community; classtype:protocol-command-decode; sid:3044; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|",depth 1; content:"|FF|SMB",within 4,distance 3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/Rs"; byte_test:1,&,128,6,relative; content:"|A0|",depth 1,offset 39; byte_jump:2,0,relative,little; content:"|01 00|",within 2,distance 37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/R"; content:!"|00 00 00 00|",within 4,distance 12; byte_jump:4,12,relative,little; content:"|00 00|",within 2,distance -10; metadata:ruleset community; classtype:protocol-command-decode; sid:3045; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|",depth 1; content:"|FF|SMB|A0|",within 5,distance 3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|",within 2,distance 37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/R"; content:!"|00 00 00 00|",within 4,distance 12; byte_jump:4,12,relative,little; content:"|00 00|",within 2,distance -10; metadata:ruleset community; service:netbios-ssn; classtype:protocol-command-decode; sid:3046; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|",depth 1; content:"|FF|SMB",within 4,distance 3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/Rs"; byte_test:1,!&,128,6,relative; content:"|A0|",depth 1,offset 39; byte_jump:2,0,relative,little; content:"|01 00|",within 2,distance 37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/R"; content:!"|00 00 00 00|",within 4,distance 12; byte_jump:4,12,relative,little; content:"|00 00|",within 2,distance -10; metadata:ruleset community; service:netbios-ssn; classtype:protocol-command-decode; sid:3047; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|",depth 1; content:"|FF|SMB|A0|",within 5,distance 3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|",within 2,distance 37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/R"; content:!"|00 00 00 00|",within 4,distance 12; byte_jump:4,12,relative,little; content:"|00 00|",within 2,distance -10; metadata:ruleset community; service:netbios-ssn; classtype:protocol-command-decode; sid:3048; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|",depth 1; content:"|FF|SMB",within 4,distance 3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/Rs"; byte_test:1,&,128,6,relative; content:"|A0|",depth 1,offset 39; byte_jump:2,0,relative,little; content:"|01 00|",within 2,distance 37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/R"; content:!"|00 00 00 00|",within 4,distance 12; byte_jump:4,12,relative,little; content:"|00 00|",within 2,distance -10; metadata:ruleset community; service:netbios-ssn; classtype:protocol-command-decode; sid:3049; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|",depth 1; content:"|FF|SMB|A0|",within 5,distance 3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|",within 2,distance 37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/R"; content:!"|00 00 00 00|",within 4,distance 16; byte_jump:4,16,relative,little; content:"|00 00|",within 2,distance -10; metadata:ruleset community; classtype:protocol-command-decode; sid:3050; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|",depth 1; content:"|FF|SMB",within 4,distance 3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/Rs"; byte_test:1,!&,128,6,relative; content:"|A0|",depth 1,offset 39; byte_jump:2,0,relative,little; content:"|01 00|",within 2,distance 37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/R"; content:!"|00 00 00 00|",within 4,distance 16; byte_jump:4,16,relative,little; content:"|00 00|",within 2,distance -10; metadata:ruleset community; classtype:protocol-command-decode; sid:3051; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|",depth 1; content:"|FF|SMB|A0|",within 5,distance 3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|",within 2,distance 37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/R"; content:!"|00 00 00 00|",within 4,distance 16; byte_jump:4,16,relative,little; content:"|00 00|",within 2,distance -10; metadata:ruleset community; classtype:protocol-command-decode; sid:3052; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|",depth 1; content:"|FF|SMB",within 4,distance 3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/Rs"; byte_test:1,&,128,6,relative; content:"|A0|",depth 1,offset 39; byte_jump:2,0,relative,little; content:"|01 00|",within 2,distance 37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/R"; content:!"|00 00 00 00|",within 4,distance 16; byte_jump:4,16,relative,little; content:"|00 00|",within 2,distance -10; metadata:ruleset community; classtype:protocol-command-decode; sid:3053; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|",depth 1; content:"|FF|SMB|A0|",within 5,distance 3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|",within 2,distance 37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/R"; content:!"|00 00 00 00|",within 4,distance 16; byte_jump:4,16,relative,little; content:"|00 00|",within 2,distance -10; metadata:ruleset community; service:netbios-ssn; classtype:protocol-command-decode; sid:3054; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|",depth 1; content:"|FF|SMB",within 4,distance 3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/Rs"; byte_test:1,!&,128,6,relative; content:"|A0|",depth 1,offset 39; byte_jump:2,0,relative,little; content:"|01 00|",within 2,distance 37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/R"; content:!"|00 00 00 00|",within 4,distance 16; byte_jump:4,16,relative,little; content:"|00 00|",within 2,distance -10; metadata:ruleset community; service:netbios-ssn; classtype:protocol-command-decode; sid:3055; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|",depth 1; content:"|FF|SMB|A0|",within 5,distance 3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|",within 2,distance 37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/R"; content:!"|00 00 00 00|",within 4,distance 16; byte_jump:4,16,relative,little; content:"|00 00|",within 2,distance -10; metadata:ruleset community; service:netbios-ssn; classtype:protocol-command-decode; sid:3056; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|",depth 1; content:"|FF|SMB",within 4,distance 3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/Rs"; byte_test:1,&,128,6,relative; content:"|A0|",depth 1,offset 39; byte_jump:2,0,relative,little; content:"|01 00|",within 2,distance 37; byte_jump:4,-7,relative,from_beginning,little; pcre:"/^.{4}/R"; content:!"|00 00 00 00|",within 4,distance 16; byte_jump:4,16,relative,little; content:"|00 00|",within 2,distance -10; metadata:ruleset community; service:netbios-ssn; classtype:protocol-command-decode; sid:3057; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP copy literal overflow attempt"; flow:to_server,established; content:"COPY",fast_pattern,nocase; pcre:"/\sCOPY\s[^\n]*?\{/ims"; byte_test:5,>,1024,0,relative,string,dec; metadata:ruleset community; service:imap; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:3058; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 3632 ( msg:"APP-DETECT distccd remote command execution attempt"; flow:to_server,established; content:"DIST00000001",depth 12,nocase; metadata:ruleset community; reference:url,distcc.samba.org/security.html; classtype:policy-violation; sid:3061; rev:5; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP NetScreen SA 5000 delhomepage.cgi access"; flow:to_server,established; http_uri; content:"/delhomepage.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,9791; reference:cve,2004-0347; classtype:web-application-activity; sid:3062; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 1020 ( msg:"MALWARE-BACKDOOR Vampire 1.2 connection request"; flow:to_server,established; content:"Hello...",depth 8; flowbits:set,backdoor.vampire_12.connect; flowbits:noalert; metadata:ruleset community; classtype:misc-activity; sid:3063; rev:6; )
alert tcp $HOME_NET 1020 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR Vampire 1.2 connection confirmation"; flow:to_client,established; flowbits:isset,backdoor.vampire_12.connect; content:"Vampire v1.2 Server On-Line.....",depth 32; metadata:ruleset community; classtype:misc-activity; sid:3064; rev:8; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP append literal overflow attempt"; flow:to_server,established; content:"APPEND",fast_pattern,nocase; pcre:"/\sAPPEND\s[^\n]*?\s\{/ims"; byte_test:5,>,256,0,relative,string,dec; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:imap; reference:bugtraq,11775; reference:cve,2004-1211; reference:nessus,15867; classtype:misc-attack; sid:3065; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP APPEND overflow attempt"; flow:to_server,established; content:"APPEND",nocase; isdataat:256,relative; content:!"|0D 0A|",within 256; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:imap; reference:bugtraq,11775; reference:bugtraq,21729; reference:cve,2004-1211; reference:cve,2006-6425; reference:nessus,15867; classtype:misc-attack; sid:3066; rev:17; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP examine literal overflow attempt"; flow:to_server,established; content:"EXAMINE",fast_pattern,nocase; pcre:"/\sEXAMINE\s[^\n]*?\s\{/ims"; byte_test:5,>,256,0,relative,string,dec; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:imap; reference:bugtraq,11775; reference:cve,2004-1211; reference:nessus,15867; classtype:misc-attack; sid:3067; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP fetch literal overflow attempt"; flow:to_server,established; content:"FETCH",fast_pattern,nocase; pcre:"/\sFETCH\s[^\n]*?\s\{/ims"; byte_test:5,>,256,0,relative,string,dec; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:imap; reference:bugtraq,11775; reference:cve,2004-1211; reference:nessus,15867; classtype:misc-attack; sid:3069; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP fetch overflow attempt"; flow:to_server,established; content:"FETCH",nocase; isdataat:256,relative; pcre:"/\sFETCH\s[^\n]{256}/ims"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:imap; reference:bugtraq,11775; reference:cve,2004-1211; reference:nessus,15867; classtype:misc-attack; sid:3070; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP status literal overflow attempt"; flow:to_server,established; content:"STATUS",fast_pattern,nocase; pcre:"/\sSTATUS[^\n]*?\{/ims"; byte_test:5,>,256,0,relative,string,dec; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:imap; reference:bugtraq,11775; reference:bugtraq,15491; reference:cve,2004-1211; reference:nessus,15867; classtype:misc-attack; sid:3071; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP STATUS overflow attempt"; flow:to_server,established; content:"STATUS",nocase; isdataat:100,relative; content:!"|0D 0A|",within 100; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:imap; reference:bugtraq,11775; reference:bugtraq,13727; reference:bugtraq,14243; reference:bugtraq,15491; reference:cve,2004-1211; reference:cve,2005-1256; reference:cve,2005-2278; reference:cve,2005-3314; reference:cve,2017-1274; reference:nessus,15867; classtype:misc-attack; sid:3072; rev:20; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP SUBSCRIBE literal overflow attempt"; flow:to_server,established; content:"SUBSCRIBE",fast_pattern,nocase; pcre:"/^\w+\s+SUBSCRIBE\s[^\n]*?\{/ims"; byte_test:5,>,256,0,relative,string; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:imap; reference:bugtraq,11775; reference:bugtraq,15488; reference:bugtraq,23050; reference:bugtraq,26219; reference:cve,2004-1211; reference:cve,2005-3189; reference:cve,2007-3510; reference:nessus,15867; classtype:attempted-admin; sid:3073; rev:18; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP SUBSCRIBE overflow attempt"; flow:to_server,established; content:"SUBSCRIBE",nocase; isdataat:100; pcre:"/^\w+\s+SUBSCRIBE\s[^\n]{100}/ims"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:imap; reference:bugtraq,11775; reference:bugtraq,15488; reference:bugtraq,23050; reference:bugtraq,26219; reference:cve,2004-1211; reference:cve,2005-3189; reference:cve,2007-1579; reference:cve,2007-3510; reference:nessus,15867; classtype:attempted-admin; sid:3074; rev:20; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP unsubscribe literal overflow attempt"; flow:to_server,established; content:"UNSUBSCRIBE",fast_pattern,nocase; pcre:"/\sUNSUBSCRIBE\s[^\n]*?\s\{/ims"; byte_test:5,>,256,0,relative,string,dec; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:imap; reference:bugtraq,11775; reference:cve,2004-1211; reference:nessus,15867; classtype:misc-attack; sid:3075; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 ( msg:"PROTOCOL-IMAP UNSUBSCRIBE overflow attempt"; flow:to_server,established; content:"UNSUBSCRIBE",nocase; isdataat:100; pcre:"/^\w+\s+UNSUBSCRIBE\s[^\n]{100}/ims"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:imap; reference:bugtraq,11775; reference:bugtraq,15488; reference:cve,2004-1211; reference:cve,2005-3189; reference:nessus,15867; classtype:attempted-admin; sid:3076; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP RNFR overflow attempt"; flow:to_server,established; content:"RNFR",nocase; isdataat:200,relative; pcre:"/^RNFR\s[^\n]{200}/ims"; metadata:ruleset community; service:ftp; reference:bugtraq,14339; classtype:attempted-admin; sid:3077; rev:9; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 119 ( msg:"PROTOCOL-NNTP Microsoft Windows SEARCH pattern overflow attempt"; flow:to_server,established; content:"SEARCH|20|",depth 7,nocase; isdataat:160,relative; pcre:"/^SEARCH\s+[^\n]{160}/i"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:cve,2004-0574; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-036; classtype:attempted-admin; sid:3078; rev:13; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer ANI file parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.ani; file_data; content:"RIFF",depth 4; content:"ACON",within 4,distance 4; content:"anih",distance 0,nocase; byte_test:4,>,36,0,relative,little; metadata:policy max-detect-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:cve,2004-1049; reference:cve,2007-0038; reference:cve,2007-1765; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-017; classtype:attempted-user; sid:3079; rev:25; )
alert udp $EXTERNAL_NET any -> $HOME_NET 7787 ( msg:"SERVER-OTHER Unreal Tournament secure overflow attempt"; flow:to_server; content:"|5C|secure|5C|",fast_pattern,nocase; pcre:"/\x5csecure\x5c[^\x00]{50}/ims"; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,10570; reference:cve,2004-0608; classtype:misc-attack; sid:3080; rev:9; )
alert tcp $HOME_NET 5880 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR Y3KRAT 1.5 Connect"; flow:to_client,established; content:"connected",depth 9; flowbits:set,backdoor.y3krat_15.connect; flowbits:noalert; metadata:ruleset community; classtype:misc-activity; sid:3081; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 5880 ( msg:"MALWARE-BACKDOOR Y3KRAT 1.5 Connect Client Response"; flow:to_server,established; flowbits:isset,backdoor.y3krat_15.connect; content:"getclient",depth 9; flowbits:set,backdoor.y3krat_15.client.response; flowbits:noalert; metadata:ruleset community; classtype:misc-activity; sid:3082; rev:13; )
alert tcp $HOME_NET 5880 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR Y3KRAT 1.5 Connection confirmation"; flow:to_client,established; flowbits:isset,backdoor.y3krat_15.client.response; content:"client",depth 7; metadata:ruleset community; classtype:misc-activity; sid:3083; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 6101 ( msg:"SERVER-OTHER Veritas backup overflow attempt"; flow:to_server,established; content:"|02 00|",depth 2; content:"|00|",within 1,distance 1; isdataat:72; content:!"|00|",depth 66,offset 6; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:bugtraq,11974; reference:cve,2004-1172; classtype:attempted-admin; sid:3084; rev:16; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"SERVER-OTHER AOL Instant Messenger goaway message buffer overflow attempt"; flow:to_client,established; file_data; content:"aim|3A|goaway?message=",nocase; isdataat:500,relative; pcre:"/\x22aim\x3Agoaway\x3Fmessage\x3D[^\x22]{500}|\x27aim\x3Agoaway\x3Fmessage\x3D[^\x27]{500}|aim\x3Agoaway\x3Fmessage\x3D[^\s]{500}/i"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:bugtraq,10889; reference:cve,2004-0636; classtype:misc-attack; sid:3085; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP 3Com 3CRADSL72 ADSL 11g Wireless Router app_sta.stm access attempt"; flow:to_server,established; http_uri; content:"/app_sta.stm",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,11408; reference:cve,2004-1596; classtype:web-application-activity; sid:3086; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-IIS w3who.dll buffer overflow attempt"; flow:to_server,established; http_uri; content:"/w3who.dll?",fast_pattern,nocase; bufferlen:>=519,relative; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,11820; reference:cve,2004-1134; classtype:attempted-admin; gid:1; sid:3087; rev:21; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-MULTIMEDIA Nullsoft Winamp cda file name overflow attempt"; flow:to_client,established; file_data; content:".cda",nocase; pcre:"/(\x5c[^\x5c]{16,}|\x2f[^\x2f]{16,})\.cda$/ims"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:bugtraq,11730; reference:cve,2004-1119; reference:nessus,15817; classtype:attempted-user; sid:3088; rev:11; )
alert udp $EXTERNAL_NET any -> $HOME_NET 2048 ( msg:"SERVER-OTHER squid WCCP I_SEE_YOU message overflow attempt"; flow:to_server; content:"|00 00 00 08|",depth 4; byte_test:4,>,32,16; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,12275; reference:cve,2005-0095; classtype:attempted-user; sid:3089; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] ( msg:"OS-WINDOWS DCERPC NCACN-IP-TCP llsrpc LlsrConnect overflow attempt"; flow:to_server,established; dce_iface:uuid 342cfd40-3c6c-11ce-a893-08002b2e9c6d; dce_opnum:"0"; dce_stub_data; byte_test:4,>,52,0,dce; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:netbios-ssn; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:3114; rev:20; )
alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any ( msg:"PUA-OTHER Microsoft MSN Messenger png overflow"; flow:to_client,established; content:"application/x-msnmsgrp2p",nocase; content:"|89|PNG|0D 0A 1A 0A|",distance 0; content:"IHDR",within 4,distance 4; content:"|03|",within 1,distance 9; content:"tRNS",distance 0; byte_test:4,>,256,-8,relative,big; metadata:ruleset community; reference:bugtraq,10872; reference:cve,2004-0957; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-009; classtype:attempted-user; sid:3130; rev:8; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP mailman directory traversal attempt"; flow:to_server,established; http_uri; content:"/mailman/"; http_raw_uri; content:".../"; metadata:ruleset community; service:http; reference:cve,2005-0202; classtype:web-application-attack; sid:3131; rev:10; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Microsoft and libpng multiple products PNG large image width overflow attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR",within 8; byte_test:4,>,32767,0,relative; metadata:ruleset community; service:ftp-data,http,imap,pop3; reference:bugtraq,11523; reference:cve,2004-0990; reference:cve,2004-1244; reference:cve,2007-5503; reference:url,sourceforge.net/p/png-mng/mailman/message/33173462/; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-009; classtype:attempted-user; sid:3132; rev:15; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Microsoft Multiple Products PNG large image height download attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR",within 8; byte_test:4,>,32767,4,relative; metadata:ruleset community; service:ftp-data,http,imap,pop3; reference:bugtraq,11481; reference:bugtraq,11523; reference:cve,2004-0599; reference:cve,2004-0990; reference:cve,2004-1244; reference:cve,2007-5503; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-009; classtype:attempted-user; sid:3133; rev:15; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IMAGE Microsoft PNG large colour depth download attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR",within 8; byte_test:1,>,16,8,relative; metadata:ruleset community; service:ftp-data,http,imap,pop3; reference:bugtraq,11523; reference:cve,2004-0990; reference:cve,2004-1244; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-009; classtype:attempted-user; sid:3134; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"NETBIOS SMB Trans2 QUERY_FILE_INFO attempt"; flow:to_server,established; content:"|00|",depth 1; content:"|FF|SMB2",within 5,distance 3; pcre:"/^.{27}/R"; content:"|07 00|",within 2,distance 29; flowbits:set,smb.trans2; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:netbios-ssn; classtype:protocol-command-decode; sid:3135; rev:11; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"NETBIOS SMB Trans2 QUERY_FILE_INFO andx attempt"; flow:to_server,established; content:"|00|",depth 1; content:"|FF|SMB",within 4,distance 3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/Rs"; content:"2",depth 1,offset 39; byte_jump:2,0,relative,little; content:"|07 00|",within 2,distance 29; flowbits:set,smb.trans2; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:netbios-ssn; classtype:protocol-command-decode; sid:3136; rev:11; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"NETBIOS SMB-DS Trans2 QUERY_FILE_INFO attempt"; flow:to_server,established; content:"|00|",depth 1; content:"|FF|SMB2",within 5,distance 3; pcre:"/^.{27}/R"; content:"|07 00|",within 2,distance 29; flowbits:set,smb.trans2; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:netbios-ssn; classtype:protocol-command-decode; sid:3137; rev:11; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"NETBIOS SMB-DS Trans2 QUERY_FILE_INFO andx attempt"; flow:to_server,established; content:"|00|",depth 1; content:"|FF|SMB",within 4,distance 3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/Rs"; content:"2",depth 1,offset 39; byte_jump:2,0,relative,little; content:"|07 00|",within 2,distance 29; flowbits:set,smb.trans2; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:netbios-ssn; classtype:protocol-command-decode; sid:3138; rev:11; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"NETBIOS SMB Trans2 FIND_FIRST2 attempt"; flow:to_server,established; content:"|00|",depth 1; content:"|FF|SMB2",within 5,distance 3; pcre:"/^.{27}/R"; content:"|01 00|",within 2,distance 29; flowbits:set,smb.trans2; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:netbios-ssn; classtype:protocol-command-decode; sid:3139; rev:11; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"NETBIOS SMB Trans2 FIND_FIRST2 andx attempt"; flow:to_server,established; content:"|00|",depth 1; content:"|FF|SMB",within 4,distance 3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/Rs"; content:"2",depth 1,offset 39; byte_jump:2,0,relative,little; content:"|01 00|",within 2,distance 29; flowbits:set,smb.trans2; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:netbios-ssn; classtype:protocol-command-decode; sid:3140; rev:11; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"NETBIOS SMB-DS Trans2 FIND_FIRST2 attempt"; flow:to_server,established; content:"|00|",depth 1; content:"|FF|SMB2",within 5,distance 3; pcre:"/^.{27}/R"; content:"|01 00|",within 2,distance 29; flowbits:set,smb.trans2; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:netbios-ssn; classtype:protocol-command-decode; sid:3141; rev:11; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"NETBIOS SMB-DS Trans2 FIND_FIRST2 andx attempt"; flow:to_server,established; content:"|00|",depth 1; content:"|FF|SMB",within 4,distance 3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/Rs"; content:"2",depth 1,offset 39; byte_jump:2,0,relative,little; content:"|01 00|",within 2,distance 29; flowbits:set,smb.trans2; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:netbios-ssn; classtype:protocol-command-decode; sid:3142; rev:11; )
alert tcp $HOME_NET 139 -> $EXTERNAL_NET any ( msg:"OS-WINDOWS Microsoft Windows SMB Trans2 FIND_FIRST2 command response overflow attempt"; flow:to_client,established; flowbits:isset,smb.trans2; content:"|00|",depth 1; content:"|FF|SMB2",within 5,distance 3; pcre:"/^.{27}/R"; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,12484; reference:cve,2005-0045; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-011; classtype:protocol-command-decode; sid:3143; rev:17; )
alert tcp $HOME_NET 139 -> $EXTERNAL_NET any ( msg:"OS-WINDOWS Microsoft Windows SMB Trans2 FIND_FIRST2 response andx overflow attempt"; flow:to_client,established; flowbits:isset,smb.trans2; content:"|00|",depth 1; content:"|FF|SMB",within 4,distance 3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/Rs"; content:"2",depth 1,offset 39; byte_jump:2,0,relative,little; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,12484; reference:cve,2005-0045; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-011; classtype:protocol-command-decode; sid:3144; rev:17; )
alert tcp $HOME_NET 445 -> $EXTERNAL_NET any ( msg:"OS-WINDOWS Microsoft Windows SMB-DS Trans2 FIND_FIRST2 response overflow attempt"; flow:to_client,established; flowbits:isset,smb.trans2; content:"|00|",depth 1; content:"|FF|SMB2",within 5,distance 3; pcre:"/^.{27}/R"; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; metadata:policy max-detect-ips drop,ruleset community; service:netbios-ssn; reference:bugtraq,12484; reference:cve,2005-0045; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-011; classtype:protocol-command-decode; sid:3145; rev:16; )
alert tcp $HOME_NET 445 -> $EXTERNAL_NET any ( msg:"OS-WINDOWS Microsoft Windows SMB-DS Trans2 FIND_FIRST2 response andx overflow attempt"; flow:to_client,established; flowbits:isset,smb.trans2; content:"|00|",depth 1; content:"|FF|SMB",within 4,distance 3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/Rs"; content:"2",depth 1,offset 39; byte_jump:2,0,relative,little; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; metadata:policy max-detect-ips drop,ruleset community; service:netbios-ssn; reference:bugtraq,12484; reference:cve,2005-0045; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-011; classtype:protocol-command-decode; sid:3146; rev:18; )
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"PROTOCOL-TELNET login buffer overflow attempt"; flow:to_server,established; raw_data; content:"|FF FA|'|00 00|TTYPROMPT|01|",fast_pattern,nocase; flowbits:set,ttyprompt; metadata:policy max-detect-ips drop,ruleset community; service:telnet; reference:bugtraq,3681; reference:cve,2001-0797; reference:nessus,10827; classtype:attempted-admin; sid:3147; rev:15; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows HTML Help hhctrl.ocx clsid access attempt"; flow:to_client,established; file_data; content:"clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,11467; reference:bugtraq,4857; reference:bugtraq,5874; reference:cve,2002-0693; reference:cve,2002-0823; reference:cve,2004-1043; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-055; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-001; reference:url,www.ngssoftware.com/advisories/ms-winhlp.txt; classtype:attempted-user; sid:3148; rev:21; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"BROWSER-IE Microsoft Internet Explorer malformed object type overflow attempt"; flow:to_client,established; file_data; content:"object",nocase; content:"type",within 200,nocase; content:"////////////////////////////////",fast_pattern,nocase; pcre:"/object\s[^>]*type\s*=\s*[\x22\x27][^\x22\x27]*\x2f{32}/ims"; metadata:policy max-detect-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:cve,2003-0344; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-020; classtype:attempted-user; sid:3149; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-IIS SQLXML content type overflow"; flow:to_server,established; http_uri; pcre:"/\.x[sm]l/i"; content:"contenttype="; pcre:"/contenttype=[^\r\n\x3b\x38]{100}/ims"; metadata:ruleset community; service:http; reference:bugtraq,5004; reference:cve,2002-0186; reference:nessus,11304; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-030; reference:url,www.westpoint.ltd.uk/advisories/wp-02-0007.txt; classtype:attempted-admin; sid:3150; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 ( msg:"PROTOCOL-FINGER / execution attempt"; flow:to_server,established; content:"/"; pcre:"/^\x2f/ims"; metadata:ruleset community; reference:cve,1999-0612; reference:cve,2000-0915; classtype:attempted-recon; sid:3151; rev:8; )
alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any ( msg:"SQL sa brute force failed login attempt"; flow:to_client,established,no_stream; content:"Login failed for user 'sa'",fast_pattern,nocase; detection_filter:track by_src,count 5,seconds 2; metadata:ruleset community; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; reference:url,attack.mitre.org/techniques/T1110; classtype:unsuccessful-user; sid:3152; rev:11; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"PROTOCOL-DNS TCP inverse query overflow"; flow:to_server,established; byte_test:1,<,16,4; byte_test:1,&,8,4; isdataat:400; metadata:ruleset community; service:dns; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:3153; rev:9; )
alert udp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"PROTOCOL-DNS UDP inverse query overflow"; flow:to_server; isdataat:400; byte_test:1,<,16,2; byte_test:1,&,8,2; metadata:policy max-detect-ips drop,ruleset community; service:dns; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:3154; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 31337 ( msg:"MALWARE-BACKDOOR BackOrifice 2000 Inbound Traffic"; flow:to_server,established; content:"1j|D0 D9|"; metadata:ruleset community; classtype:trojan-activity; sid:3155; rev:7; )
alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] ( msg:"OS-WINDOWS DCERPC NCACN-IP-TCP ISystemActivator CoGetInstanceFromFile attempt"; flow:to_server,established; dce_iface:uuid 000001a0-0000-0000-c000-000000000046; dce_opnum:"1"; dce_stub_data; content:"|01 10 08 00 CC CC CC CC|"; content:"|5C 00 5C 00|",distance 0; byte_test:4,>,256,-8,relative,dce; metadata:ruleset community; service:netbios-ssn; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:3158; rev:17; )
alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] ( msg:"OS-WINDOWS DCERPC NCADG-IP-UDP ISystemActivator CoGetInstanceFromFile attempt"; dce_iface:uuid 000001a0-0000-0000-c000-000000000046; dce_opnum:"1"; dce_stub_data; content:"|01 10 08 00 CC CC CC CC|"; content:"|5C 00 5C 00|",distance 0; byte_test:4,>,256,-8,relative,dce; metadata:policy max-detect-ips drop,ruleset community; service:dcerpc; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:3159; rev:17; )
alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] ( msg:"OS-WINDOWS DCERPC NCADG-IP-UDP msqueue function 4 overflow attempt"; dce_iface:uuid 975201b0-59ca-11d0-a8d5-00a0c90d8051; dce_opnum:"4"; dce_stub_data; byte_test:4,>,128,8,dce; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:dcerpc; reference:cve,2005-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:attempted-admin; sid:3171; rev:16; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows Media Player directory traversal via Content-Disposition attempt"; flow:to_client,established; http_header; content:".wmz",fast_pattern,nocase; content:"Content-Disposition|3A|",nocase; content:"filename=",nocase; pcre:"/filename=[^\x3b\x3a\r\n]*(\x25\x2e\x25\x2e\x25\x5c|\x25\x32\x65\x25\x35\x63|\x2e\x2e\x5c)[^\x3b\x3a\r\n]*\x2ewmz/ims"; metadata:ruleset community; service:http; reference:bugtraq,7517; reference:cve,2003-0228; reference:nessus,11595; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-017; classtype:attempted-user; sid:3192; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS .cmd executable file parsing attack"; flow:to_server,established; http_uri; content:".cmd|22|",nocase; pcre:"/\x2ecmd\x22.*?\x26/ims"; metadata:ruleset community; service:http; reference:bugtraq,1912; reference:cve,2000-0886; classtype:web-application-attack; sid:3193; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS .bat executable file parsing attack"; flow:to_server,established; http_uri; content:".bat|22|",nocase; pcre:"/\x2ebat\x22.*?\x26/ims"; metadata:ruleset community; service:http; reference:bugtraq,1912; reference:cve,2000-0886; classtype:web-application-attack; sid:3194; rev:16; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 137 ( msg:"OS-WINDOWS name query overflow attempt TCP"; flow:to_server,established; byte_test:1,&,64,2; content:" ",offset 12; isdataat:56,relative; metadata:policy max-detect-ips drop,ruleset community; service:netbios-ns; reference:bugtraq,9624; reference:cve,2003-0825; reference:nessus,15912; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-006; classtype:attempted-admin; sid:3195; rev:11; )
alert udp $EXTERNAL_NET any -> $HOME_NET 137 ( msg:"OS-WINDOWS name query overflow attempt UDP"; byte_test:1,&,64,2; content:" ",offset 12; isdataat:56,relative; metadata:policy max-detect-ips drop,ruleset community; service:netbios-ns; reference:bugtraq,9624; reference:cve,2003-0825; reference:nessus,15912; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-006; classtype:attempted-admin; sid:3196; rev:9; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 42 ( msg:"OS-WINDOWS Microsoft Windows WINS name query overflow attempt TCP"; flow:established; byte_test:1,&,64,2; content:" ",offset 12; isdataat:56,relative; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,9624; reference:cve,2003-0825; reference:nessus,15912; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-006; classtype:attempted-admin; sid:3199; rev:12; )
alert udp $EXTERNAL_NET any -> $HOME_NET 42 ( msg:"OS-WINDOWS Microsoft Windows WINS name query overflow attempt UDP"; flow:to_server; byte_test:1,&,64,2; content:" ",offset 12; isdataat:56,relative; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,9624; reference:cve,2003-0825; reference:nessus,15912; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-006; classtype:attempted-admin; sid:3200; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-IIS httpodbc.dll access - nimda"; flow:to_server,established; http_uri; content:"/httpodbc.dll",nocase; metadata:ruleset community; service:http; reference:bugtraq,2708; reference:cve,2001-0333; classtype:web-application-activity; sid:3201; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] ( msg:"OS-WINDOWS DCERPC NCACN-IP-TCP winreg OpenKey overflow attempt"; flow:to_server,established; dce_iface:uuid 338cd001-2244-31f1-aaaa-900038001003; dce_opnum:"15"; dce_stub_data; byte_test:2,>,1024,20,dce; metadata:ruleset community; service:netbios-ssn; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:3218; rev:23; )
alert udp $EXTERNAL_NET any -> $HOME_NET 135 ( msg:"OS-WINDOWS Messenger message little endian overflow attempt"; content:"|04 00|",depth 2; byte_test:1,&,16,2,relative; content:"|F8 91|{Z|00 FF D0 11 A9 B2 00 C0|O|B6 E6 FC|",within 16,distance 22; content:"|00 00|",within 2,distance 28; byte_jump:4,18,relative,little,align; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,8,relative,little; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,8826; reference:cve,2003-0717; classtype:attempted-admin; sid:3234; rev:6; )
alert udp $EXTERNAL_NET any -> $HOME_NET 135 ( msg:"OS-WINDOWS Messenger message overflow attempt"; content:"|04 00|",depth 2; byte_test:1,!&,16,2,relative; content:"|F8 91|{Z|00 FF D0 11 A9 B2 00 C0|O|B6 E6 FC|",within 16,distance 22; content:"|00 00|",within 2,distance 28; byte_jump:4,18,relative,align; byte_jump:4,8,relative,align; byte_test:4,>,1024,8,relative; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,8826; reference:cve,2003-0717; classtype:attempted-admin; sid:3235; rev:6; )
alert tcp $EXTERNAL_NET any -> $HOME_NET [135,593,1024:] ( msg:"OS-WINDOWS DCERPC NCACN-IP-TCP irot IrotIsRunning/Revoke overflow attempt"; flow:to_server,established; dce_iface:uuid b9e79e60-3d52-11ce-aaa1-00006901293f; dce_opnum:"1-2"; dce_stub_data; pcre:"/^(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,relative,dce,align; byte_test:4,>,1024,0,relative,dce; metadata:ruleset community; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-010; classtype:attempted-admin; sid:3238; rev:15; )
alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] ( msg:"OS-WINDOWS DCERPC NCADG-IP-UDP irot IrotIsRunning/Revoke overflow attempt"; dce_iface:uuid b9e79e60-3d52-11ce-aaa1-00006901293f; dce_opnum:"1-2"; dce_stub_data; pcre:"/^(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,relative,dce,align; byte_test:4,>,1024,0,relative,dce; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-010; classtype:attempted-admin; sid:3239; rev:15; )
alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any ( msg:"SQL sa brute force failed login unicode attempt"; flow:to_client,established,no_stream; content:"L|00|o|00|g|00|i|00|n|00| |00|f|00|a|00|i|00|l|00|e|00|d|00| |00|f|00|o|00|r|00| |00|u|00|s|00|e|00|r|00| |00|'|00|s|00|a|00|'|00|"; detection_filter:track by_src,count 5,seconds 2; metadata:ruleset community; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; reference:url,attack.mitre.org/techniques/T1110; classtype:unsuccessful-user; sid:3273; rev:10; )
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"PROTOCOL-TELNET login buffer non-evasive overflow attempt "; flow:to_server,established; raw_data; content:"|FF FA|'|00 00|"; pcre:"/T.*?T.*?Y.*?P.*?R.*?O.*?M.*?P.*?T/Ri"; flowbits:set,ttyprompt; metadata:policy max-detect-ips drop,ruleset community; service:telnet; reference:bugtraq,3681; reference:cve,2001-0797; reference:nessus,10827; classtype:attempted-admin; sid:3274; rev:15; )
alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] ( msg:"OS-WINDOWS DCERPC NCACN-IP-TCP ISystemActivator RemoteCreateInstance attempt"; flow:to_server,established; dce_iface:uuid 000001a0-0000-0000-c000-000000000046; dce_opnum:"4"; dce_stub_data; content:"|01 10 08 00 CC CC CC CC|"; content:"|5C 00 5C 00|",distance 0; byte_test:4,>,256,-8,relative,dce; metadata:policy max-detect-ips drop,ruleset community; service:netbios-ssn; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:3397; rev:18; )
alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] ( msg:"OS-WINDOWS DCERPC NCADG-IP-UDP ISystemActivator RemoteCreateInstance attempt"; dce_iface:uuid 000001a0-0000-0000-c000-000000000046; dce_opnum:"4"; dce_stub_data; content:"|01 10 08 00 CC CC CC CC|"; content:"|5C 00 5C 00|",distance 0; byte_test:4,>,256,-8,relative,dce; metadata:policy max-detect-ips drop,ruleset community; service:dcerpc; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:3398; rev:17; )
alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] ( msg:"OS-WINDOWS DCERPC NCACN-IP-TCP IActivation remoteactivation overflow attempt"; flow:to_server,established; dce_iface:uuid 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57; dce_opnum:"0"; dce_stub_data; byte_test:4,>,256,52,dce; metadata:policy max-detect-ips drop,ruleset community; service:dcerpc,netbios-ssn; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0528; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:3409; rev:18; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP PORT bounce attempt"; flow:to_server,established; content:"PORT",nocase; pcre:"/^PORT/ims"; metadata:policy max-detect-ips drop,ruleset community; service:ftp; reference:bugtraq,126; reference:cve,1999-0017; reference:nessus,10081; classtype:misc-attack; sid:3441; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 515 ( msg:"OS-WINDOWS Microsoft Windows TCP print service overflow attempt"; flow:to_server,established; pcre:"/^(\x03|\x04|\x05)/s"; content:"|00|",within 497; content:"|0A|",within 497; metadata:ruleset community; reference:bugtraq,1082; reference:cve,2000-0232; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-021; classtype:attempted-dos; sid:3442; rev:11; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 617 ( msg:"SERVER-OTHER Arkeia client backup system info probe"; flow:to_server,established; content:"ARKADMIN_GET_"; pcre:"/^(CLIENT|MACHINE)_INFO/Ri"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:bugtraq,12594; reference:cve,2005-0491; classtype:attempted-recon; sid:3453; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 617 ( msg:"SERVER-OTHER Arkeia client backup generic info probe"; flow:to_server,established; content:"ARKFS|00|root|00|root",fast_pattern,nocase; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:bugtraq,12594; reference:cve,2005-0491; classtype:attempted-recon; sid:3454; rev:9; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 5001 ( msg:"SERVER-OTHER Bontago Game Server Nickname buffer overflow"; flow:to_server,established; content:"|FF 01 00 00 00 00 01|"; isdataat:512,relative; metadata:ruleset community; reference:bugtraq,12603; reference:cve,2005-0501; reference:url,aluigi.altervista.org/adv/bontagobof-adv.txt; classtype:attempted-user; sid:3455; rev:7; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 ( msg:"SERVER-MYSQL 4.0 root login attempt"; flow:to_server,established; content:"|01|",depth 1,offset 3; content:"root|00|",within 5,distance 5,nocase; metadata:ruleset community; service:mysql; classtype:protocol-command-decode; sid:3456; rev:9; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 617 ( msg:"SERVER-OTHER Arkeia backup client type 77 overflow attempt"; flow:to_server,established; content:"|00|M",depth 2; byte_test:2,>,23,6; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:bugtraq,12594; reference:cve,2005-0491; reference:nessus,17158; classtype:attempted-user; sid:3457; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 617 ( msg:"SERVER-OTHER Arkeia backup client type 84 overflow attempt"; flow:to_server,established; content:"|00|T",depth 2; byte_test:2,>,255,6; isdataat:263; content:!"|00|",depth 255,offset 8; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:bugtraq,12594; reference:cve,2005-0491; classtype:attempted-user; sid:3458; rev:9; )
alert udp $HOME_NET any -> $EXTERNAL_NET 41170 ( msg:"PUA-P2P Manolito Search Query"; flow:to_server; content:"|01 02 00 14|",depth 4,offset 16; metadata:ruleset community; reference:url,openlito.sourceforge.net; reference:url,www.blubster.com; classtype:policy-violation; sid:3459; rev:9; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP REST with numeric argument"; flow:to_server,established; content:"REST",fast_pattern,nocase; pcre:"/REST\s+[0-9]+\n/i"; metadata:ruleset community; service:ftp; reference:bugtraq,7825; classtype:attempted-recon; sid:3460; rev:9; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Content-Type overflow attempt"; flow:to_server,established; content:"Content-Type",nocase; content:"|3A|",distance 0; pcre:"/^\s*Content-Type\s*\x3A\s*[^\r\n]{300}/im"; metadata:policy max-detect-ips drop,ruleset community; service:smtp; reference:bugtraq,44732; reference:bugtraq,7419; reference:cve,2003-0113; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-015; classtype:attempted-admin; sid:3461; rev:18; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-IE Microsoft Internet Explorer Content-Encoding overflow attempt"; flow:to_server,established; content:"Content-Encoding",nocase; content:"|3A|",distance 0; pcre:"/^\s*Content-Encoding\s*\x3A\s*[^\r\n]{300}/im"; metadata:ruleset community; service:smtp; reference:bugtraq,7419; reference:cve,2003-0113; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-015; classtype:attempted-admin; sid:3462; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP awstats access"; flow:to_server,established; http_uri; content:"/awstats.pl",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,12572; reference:nessus,16456; classtype:web-application-activity; sid:3463; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP awstats.pl command execution attempt"; flow:to_server,established; http_uri; content:"/awstats.pl?",fast_pattern,nocase; content:"update="; pcre:"/update=[^\r\n\x26]+/i"; content:"logfile=",nocase; pcre:"/awstats.pl?[^\r\n]*logfile=\x7C/i"; metadata:ruleset community; service:http; reference:bugtraq,12572; reference:nessus,16456; classtype:web-application-attack; sid:3464; rev:12; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Windows RTF file with embedded object package download attempt"; flow:to_client,established; file_data; content:"{|5C|rt",nocase; content:"{|5C|object|5C|objemb{|5C|*|5C|objclass Package}",distance 0,nocase; flowbits:set,file.rtf.embed; metadata:policy max-detect-ips alert,policy security-ips alert,ruleset community; service:ftp-data,http,imap,pop3; reference:cve,2006-4692; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-065; classtype:misc-activity; sid:8445; rev:17; )
alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS ( msg:"PROTOCOL-VOIP inbound INVITE message"; flow:to_server; content:"INVITE",fast_pattern,nocase; sip_method:invite; metadata:policy max-detect-ips drop,ruleset community; service:sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:11968; rev:8; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY RTF file download request"; flow:to_server,established; http_uri; content:".rtf",fast_pattern,nocase; pcre:"/\x2ertf([\?\x5c\x2f]|$)/ims"; flowbits:set,file.rtf; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:http; reference:url,en.wikipedia.org/wiki/Rich_Text_Format; classtype:misc-activity; sid:13801; rev:26; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY PDF file download request"; flow:to_server,established; http_uri; content:".pdf",fast_pattern,nocase; pcre:"/\x2epdf([\?\x5c\x2f]|$)/ims"; flowbits:set,file.pdf; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:http; reference:url,en.wikipedia.org/wiki/Pdf; classtype:misc-activity; sid:15013; rev:23; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Office Word file download request"; flow:to_server,established; http_uri; content:".doc",fast_pattern,nocase; pcre:"/\x2edoc([\?\x5c\x2f]|$)/ims"; flowbits:set,file.doc; flowbits:set,file.rtf; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:http; reference:url,en.wikipedia.org/wiki/Microsoft_word; classtype:misc-activity; sid:15587; rev:25; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY BMP file download request"; flow:to_server,established; http_uri; content:".bmp",fast_pattern,nocase; pcre:"/\x2ebmp([\?\x5c\x2f]|$)/ims"; flowbits:set,file.bmp; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:http; reference:url,en.wikipedia.org/wiki/BMP_file_format; classtype:misc-activity; sid:16205; rev:23; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"MALWARE-CNC Win.Trojan.Hydraq variant outbound connection"; flow:to_server,established; content:"|FF FF FF FF FF FF 00 00 FE FF FF FF FF FF FF FF FF FF 88 FF|",depth 20; metadata:impact_flag red,ruleset community; service:ssl; reference:url,www.virustotal.com/#/file/9051f618a5a8253a003167e65ce1311fa91a8b70d438a384be48b02e73ba855c/detection; classtype:trojan-activity; sid:16368; rev:8; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; http_uri; content:".jpg",fast_pattern,nocase; pcre:"/\x2ejpg([\?\x5c\x2f]|$)/ims"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:16406; rev:20; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; http_uri; content:".jpeg",fast_pattern,nocase; pcre:"/\x2ejpeg([\?\x5c\x2f]|$)/ims"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:16407; rev:20; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Portable Executable binary file download request"; flow:to_server,established; http_uri; content:".exe",fast_pattern,nocase; pcre:"/\x2eexe([\?\x5c\x2f]|$)/ims"; flowbits:set,file.exe; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:http; reference:url,en.wikipedia.org/wiki/.exe; classtype:misc-activity; sid:16425; rev:24; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Compound File Binary v3 file magic detected"; flow:to_client,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:">|00 03 00|",within 4,distance 16; flowbits:set,file.ole; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:ftp-data,http,imap,pop3; classtype:misc-activity; sid:16474; rev:27; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Compound File Binary v4 file magic detected"; flow:to_client,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:">|00 04 00|",within 4,distance 16; flowbits:set,file.oless.v4; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:ftp-data,http,imap,pop3; classtype:misc-activity; sid:16475; rev:18; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; http_uri; content:".pjpeg",fast_pattern,nocase; pcre:"/\x2epjpeg([\?\x5c\x2f]|$)/ims"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:16529; rev:20; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY OLE document file magic detected"; flow:to_client,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|",depth 8; flowbits:set,file.ole; flowbits:set,file.fpx; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:ftp-data,http,imap,pop3; classtype:misc-activity; sid:17314; rev:27; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY PNG file download request"; flow:to_server,established; http_uri; content:".png",fast_pattern,nocase; pcre:"/\x2epng([\?\x5c\x2f]|$)/ims"; flowbits:set,file.png; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:http; classtype:misc-activity; sid:17380; rev:23; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY XML file download request"; flow:to_server,established; http_uri; content:".xml",fast_pattern,nocase; pcre:"/\x2exml([\?\x5c\x2f]|$)/ims"; flowbits:set,file.xml; flowbits:noalert; metadata:policy max-detect-ips alert,policy security-ips alert,ruleset community; service:http; classtype:misc-activity; sid:17733; rev:18; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 445 ( msg:"NETBIOS SMB TRANS2 Find_First2 request attempt"; flow:to_server,established; content:"|FF|SMB2|00 00 00 00|",depth 9,offset 4; content:"|00 00|",within 2,distance 13; content:"|00|",within 1,distance 18; content:"|00 00|",within 2,distance 6; content:"|01 00|",within 2,distance 10; flowbits:set,smb.trans2.findfirst2; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:netbios-ssn; classtype:protocol-command-decode; sid:17745; rev:10; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 445 ( msg:"NETBIOS SMB-DS Trans2 Distributed File System GET_DFS_REFERRAL request"; flow:to_server,established; content:"|00|",offset 1; content:"|FF|SMB2",depth 5,offset 4; content:"|00 00 00 00|",within 4; content:"|10 00|",depth 2,offset 65; flowbits:set,smb.trans2.get_dfs_referral; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:netbios-ssn; classtype:protocol-command-decode; sid:19190; rev:9; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY ZIP archive file download request"; flow:to_server,established; http_uri; content:".zip",fast_pattern,nocase; pcre:"/\x2ezip([\?\x5c\x2f]|$)/ims"; flowbits:set,file.zip; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:http; classtype:misc-activity; sid:19211; rev:23; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"SERVER-OTHER multiple products blacknurse ICMP denial of service attempt"; icode:3; itype:3; detection_filter:track by_src,count 250,seconds 1; metadata:policy max-detect-ips drop,ruleset community; reference:cve,2011-1871; reference:url,soc.tdc.dk/blacknurse/blacknurse.pdf; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-064; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-083; classtype:attempted-dos; sid:19678; rev:10; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 12080 ( msg:"MALWARE-CNC Win.Trojan.Derusbi.A variant outbound connection"; flow:to_server,established; content:"|00 00 00 01 00 00 00|",depth 7,offset 1; content:"|01 00 00 00 68 01 00 00|",within 8,distance 8; metadata:impact_flag red,ruleset community; reference:url,www.virustotal.com/en/file/6fecd042c3c0b54e7354cd8dfb1975c626acd8df55f88c4149462e15e77918b0/analysis/; reference:url,www.virustotal.com/en/file/705404d6bbf6dae254e2d3bc44eca239976be7f0dc4d49fe93b0fb1d1c2704fe/analysis/; classtype:trojan-activity; sid:20080; rev:8; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Injector variant outbound connection"; flow:to_server,established; http_header; content:"User-Agent|3A| Opera|5C|9.64|0A|",fast_pattern,nocase; http_uri; content:"bb.php?v="; content:"id=",distance 0; content:"b=",distance 0; content:"tm=",distance 0; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/2afb098dfea7d2acd73da520fe26d09acee1449c79d2c8753f3008a2a8f648b2/analysis/; classtype:trojan-activity; sid:20221; rev:8; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY SMI file download request"; flow:to_server,established; http_uri; content:".smi",fast_pattern,nocase; pcre:"/\x2esmi([\?\x5c\x2f]|$)/ims"; flowbits:set,file.realplayer.playlist; flowbits:set,file.smi; flowbits:set,file.dmg; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:http; reference:bugtraq,49149; reference:url,en.wikipedia.org/wiki/SAMI; classtype:misc-activity; sid:20223; rev:24; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Microsoft Client Agent Helper JAR file download request"; flow:to_server,established; content:"_helper.jar",fast_pattern,nocase; http_uri; pcre:"/agent_(win|lin|mac)_helper\.jar$/is"; flowbits:set,file.jar.agent_helper; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:http; reference:cve,2011-1969; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-079; classtype:misc-activity; sid:20260; rev:19; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|03 04|"; content:!"|14 00 06 00|",within 4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:ftp-data,http,imap,pop3; classtype:misc-activity; sid:20463; rev:26; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK00PK|03 04|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:ftp-data,http,imap,pop3; classtype:misc-activity; sid:20464; rev:25; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|01 02|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:ftp-data,http,imap,pop3; classtype:misc-activity; sid:20465; rev:25; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|05 06|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:ftp-data,http,imap,pop3; classtype:misc-activity; sid:20466; rev:25; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|06 08|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:ftp-data,http,imap,pop3; classtype:misc-activity; sid:20467; rev:25; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|06 07|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:ftp-data,http,imap,pop3; classtype:misc-activity; sid:20468; rev:25; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|06 06|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:ftp-data,http,imap,pop3; classtype:misc-activity; sid:20469; rev:25; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY PNG file magic detected"; flow:to_client,established; file_data; content:"|89|PNG|0D 0A 1A 0A|",depth 8; flowbits:set,file.png; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:ftp-data,http,imap,pop3; classtype:misc-activity; sid:20478; rev:22; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY JPEG file magic detection"; flow:to_client,established; file_data; content:"|FF D8 FF|",depth 3; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:ftp-data,http,imap,pop3; classtype:misc-activity; sid:20480; rev:21; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_client,established; file_data; content:"|FF D8 FF E0|",depth 4; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:ftp-data,http,imap,pop3; classtype:misc-activity; sid:20483; rev:22; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY RTF file magic detected"; flow:to_client,established; file_data; content:"{|5C|rt",fast_pattern,nocase; flowbits:set,file.rtf; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:ftp-data,http,imap,pop3; classtype:misc-activity; sid:20486; rev:23; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY PDF file magic detected"; flow:to_client,established; file_data; content:"%PDF-",nocase; flowbits:set,file.pdf; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:ftp-data,http,imap,pop3; classtype:misc-activity; sid:20494; rev:19; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY JAR file download request"; flow:to_server,established; http_uri; content:".jar",fast_pattern,nocase; pcre:"/\x2ejar([\?\x5c\x2f]|$)/ims"; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:http; classtype:misc-activity; sid:20621; rev:18; )
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Microsoft Windows EMF metafile file attachment detected"; flow:to_client,established; content:".emf",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*\x2eemf/i"; flowbits:set,file.emf; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:imap,pop3; classtype:misc-activity; sid:20850; rev:17; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Windows EMF metafile file attachment detected"; flow:to_server,established; content:".emf",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*\x2eemf/i"; flowbits:set,file.emf; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:20851; rev:18; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY DIB file download request"; flow:to_server,established; http_uri; content:".dib",fast_pattern,nocase; pcre:"/\x2edib([\?\x5c\x2f]|$)/ims"; flowbits:set,file.bmp; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:http; reference:url,en.wikipedia.org/wiki/BMP_file_format; classtype:misc-activity; sid:20963; rev:16; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY SAMI file download request"; flow:to_server,established; http_uri; content:".sami",fast_pattern,nocase; pcre:"/\x2esami([\?\x5c\x2f]|$)/ims"; flowbits:set,file.realplayer.playlist; flowbits:set,file.smi; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:http; reference:url,en.wikipedia.org/wiki/SAMI; classtype:misc-activity; sid:20964; rev:15; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; http_uri; content:".jpe",fast_pattern,nocase; pcre:"/\x2ejpe([\?\x5c\x2f]|$)/ims"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:20965; rev:14; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; http_uri; content:".jif",fast_pattern,nocase; pcre:"/\x2ejif([\?\x5c\x2f]|$)/ims"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:20966; rev:14; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; http_uri; content:".jfi",fast_pattern,nocase; pcre:"/\x2ejfif?([\?\x5c\x2f]|$)/ims"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:20967; rev:14; )
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY PDF file attachment detected"; flow:to_client,established; content:".pdf",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*\x2epdf/i"; flowbits:set,file.pdf; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:imap,pop3; classtype:misc-activity; sid:21035; rev:17; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY PDF file attachment detected"; flow:to_server,established; content:".pdf",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*\x2epdf/i"; flowbits:set,file.pdf; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:21036; rev:18; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Betad variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/login.php",nocase; http_client_body; content:"|C9 97 A2 F3 7E 37 CB 7E 27|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/46a87d0818ffd828df5c8fca63b1628f068e50cf3d20ec0e4e009e1dd547b9e9/analysis/; classtype:trojan-activity; sid:21230; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-CNC User-Agent known malicious user-agent string DataCha0s"; flow:to_server,established; http_header; content:"User-Agent|3A 20|DataCha0s",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,www.internetofficer.com/web-robot/datacha0s/; classtype:network-scan; sid:21246; rev:6; )
alert tcp $EXTERNAL_NET 21 -> $HOME_NET any ( msg:"MALWARE-OTHER known malicious FTP login banner - 0wns j0"; flow:to_client,established; content:"220|20|",depth 4; content:"0wns j0",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ftp; reference:url,seclists.org/fulldisclosure/2004/Sep/895; reference:url,www.cyber-ta.org/releases/malware-analysis/public/SOURCES/CLUSTERS-NEW/behavior-summary.html; classtype:trojan-activity; sid:21255; rev:6; )
alert tcp $EXTERNAL_NET 21 -> $HOME_NET any ( msg:"MALWARE-OTHER known malicious FTP quit banner - Goodbye happy r00ting"; flow:to_client,established; content:"221 Goodbye happy r00ting",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ftp; reference:url,taosecurity.blogspot.com/2006/01/nepenthes-discoveries-earlier-today-i.html; classtype:trojan-activity; sid:21256; rev:7; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-CNC URI - known scanner tool muieblackcat"; flow:to_server,established; http_uri; content:"/muieblackcat",nocase; pcre:"/\/muieblackcat$/i"; metadata:ruleset community; service:http; reference:url,serverfault.com/questions/309309/what-is-muieblackcat; classtype:network-scan; sid:21257; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-CNC User-Agent known malicious user-agent string Morfeus Scanner"; flow:to_server,established; http_header; content:"User|2D|Agent|3A 20|Morfeus|20|Fucking|20|Scanner",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:network-scan; sid:21266; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"POLICY-OTHER TRENDnet IP Camera anonymous access attempt"; flow:to_server,established; http_uri; content:"/anony/",fast_pattern,nocase; pcre:"/\/anony\/(jpgview\.htm|mjpeg\.cgi|view2\.cgi|mjpg\.cgi)/i"; metadata:ruleset community; service:http; reference:url,console-cowboys.blogspot.com/2012/01/trendnet-cameras-i-always-feel-like.html; reference:url,www.trendnet.com/press/view.asp?id=1958; reference:url,www.wired.com/threatlevel/2012/02/home-cameras-exposed/; classtype:policy-violation; sid:21267; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY XSL file download request"; flow:to_server,established; http_uri; content:".xsl",fast_pattern,nocase; pcre:"/\x2exsl([\?\x5c\x2f]|$)/ims"; flowbits:set,file.xml; flowbits:noalert; metadata:policy max-detect-ips alert,policy security-ips alert,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1220; classtype:misc-activity; sid:21282; rev:12; )
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY XSL file attachment detected"; flow:to_client,established; content:".xsl",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*\x2exsl/i"; flowbits:set,file.xml; flowbits:noalert; metadata:policy max-detect-ips alert,policy security-ips alert,ruleset community; service:imap,pop3; reference:url,attack.mitre.org/techniques/T1220; classtype:misc-activity; sid:21283; rev:13; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY XSL file attachment detected"; flow:to_server,established; content:".xsl",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*\x2exsl/i"; flowbits:set,file.xml; flowbits:noalert; metadata:policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; reference:url,attack.mitre.org/techniques/T1220; classtype:misc-activity; sid:21284; rev:14; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY XSLT file download request"; flow:to_server,established; http_uri; content:".xslt",fast_pattern,nocase; pcre:"/\x2exslt([\?\x5c\x2f]|$)/ims"; flowbits:set,file.xml; flowbits:noalert; metadata:policy max-detect-ips alert,policy security-ips alert,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1220; classtype:misc-activity; sid:21285; rev:12; )
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY XSLT file attachment detected"; flow:to_client,established; content:".xslt",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*\x2exslt/i"; flowbits:set,file.xml; flowbits:noalert; metadata:policy max-detect-ips alert,policy security-ips alert,ruleset community; service:imap,pop3; reference:url,attack.mitre.org/techniques/T1220; classtype:misc-activity; sid:21286; rev:13; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY XSLT file attachment detected"; flow:to_server,established; content:".xslt",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*\x2exslt/i"; flowbits:set,file.xml; flowbits:noalert; metadata:policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; reference:url,attack.mitre.org/techniques/T1220; classtype:misc-activity; sid:21287; rev:14; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY XML download detected"; flow:to_client,established; http_header; content:"Content-Type|3A|",nocase; content:"text/xml",within 20,fast_pattern,nocase; flowbits:set,file.xml; flowbits:noalert; metadata:policy max-detect-ips alert,policy security-ips alert,ruleset community; service:http; classtype:misc-activity; sid:21288; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-CNC User-Agent ASafaWeb Scan"; flow:to_server,established; http_header; content:"User-Agent|3A| asafaweb.com",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,asafaweb.com; classtype:network-scan; sid:21327; rev:8; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Remote Execution Backdoor Attempt Against Horde"; flow:to_server,established; http_uri; content:"/services/javascript.php",fast_pattern,nocase; http_cookie; content:"href="; http_client_body; content:"file=open_calendar.js"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2012-0209; reference:url,dev.horde.org/h/jonah/stories/view.php?channel_id=1&id=155; reference:url,eromang.zataz.com/2012/02/15/cve-2012-0209-horde-backdoor-analysis/; reference:url,pastebin.com/U3ADiWrP; classtype:web-application-attack; sid:21375; rev:8; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY paq8o file download request"; flow:to_server,established; http_uri; content:".paq8o",fast_pattern,nocase; pcre:"/\x2epaq8o([\?\x5c\x2f]|$)/ims"; flowbits:set,file.zip; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:http; classtype:misc-activity; sid:21410; rev:15; )
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY paq8o file attachment detected"; flow:to_client,established; content:".paq8o",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*\x2epaq8o/i"; flowbits:set,file.zip; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:imap,pop3; classtype:misc-activity; sid:21411; rev:16; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY paq8o file attachment detected"; flow:to_server,established; content:".paq8o",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*\x2epaq8o/i"; flowbits:set,file.zip; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:21412; rev:17; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-PDF hostile PDF associated with Laik exploit kit"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1."; content:") /CreationDate (D:20110405234628)>>",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:ftp-data,http,imap,pop3; classtype:trojan-activity; sid:21417; rev:10; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackhole exploit kit JavaScript carat string splitting with hostile applet"; flow:to_client,established; content:"<html><body><applet|20|code=",nocase; content:"|20|archive=",distance 0,nocase; content:"display|3A|none|3B|",distance 0,nocase; pcre:"/([@\x2da-z0-9]+?\x5e){10}/ims"; metadata:impact_flag red,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:21438; rev:8; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC URI request for known malicious URI - base64 encoded"; flow:to_server,established; content:"GET http|3A 2F 2F|",depth 11; base64_decode:relative; base64_data; content:"clk="; content:"&bid=",distance 0; content:"&aid=",within 5,distance 40; content:"&sid=",distance 0; content:"&rd=",distance 0; content:"&x86=",distance 0; metadata:impact_flag red,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1001; reference:url,attack.mitre.org/techniques/T1132; reference:url,www.damballa.com/tdl4/; classtype:trojan-activity; sid:21442; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.TDSS variant outbound connection"; flow:to_server,established; http_header; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B 20|)",fast_pattern,nocase; content:"HOST|3A|"; content:!"X-BlueCoat-Via",nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,about-threats.trendmicro.com/Malware.aspx?language=apac&name=TDSS; reference:url,www.virustotal.com/file/75e8b49e1d316f28363cccb697cfd2ebca3122dba3dba321dba6391b49fc757e/analysis/; classtype:trojan-activity; sid:21444; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-CNC User-Agent known malicious user-agent string core-project"; flow:to_server,established; http_header; content:"User-Agent|3A 20|core-project",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:misc-activity; sid:21475; rev:5; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY XML file magic detected"; flow:to_client,established; file_data; content:"<xml>",depth 50,nocase; flowbits:set,file.xml; flowbits:set,file.xul; flowbits:noalert; metadata:policy max-detect-ips alert,policy security-ips alert,ruleset community; service:ftp-data,http,imap,pop3; classtype:misc-activity; sid:21480; rev:16; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY XML file magic detected"; flow:to_client,established; file_data; content:"<?xml",depth 50,nocase; flowbits:set,file.xml; flowbits:set,file.xul; flowbits:noalert; metadata:policy max-detect-ips alert,policy security-ips alert,ruleset community; service:ftp-data,http,imap,pop3; classtype:misc-activity; sid:21498; rev:16; )
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY XML file attachment detected"; flow:to_client,established; content:".xml",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*\x2exml/i"; flowbits:set,file.xml; flowbits:noalert; metadata:policy max-detect-ips alert,policy security-ips alert,ruleset community; service:imap,pop3; classtype:misc-activity; sid:21499; rev:11; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY XML file attachment detected"; flow:to_server,established; content:".xml",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*\x2exml/i"; flowbits:set,file.xml; flowbits:noalert; metadata:policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:21500; rev:12; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Bredolab variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_header; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; http_client_body; content:"smk=",depth 4; metadata:ruleset community; service:http; reference:url,www.virustotal.com/file/9384733182a6cbe5236b9b253d1f070570b7f6b6ff31aa86be253421f4c5c645/analysis/; classtype:trojan-activity; sid:21562; rev:6; )
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY PNG file attachment detected"; flow:to_client,established; content:".png",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*\x2epng/i"; flowbits:set,file.png; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:imap,pop3; classtype:misc-activity; sid:21613; rev:16; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY PNG file attachment detected"; flow:to_server,established; content:".png",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*\x2epng/i"; flowbits:set,file.png; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:21614; rev:17; )
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY SMI file attachment detected"; flow:to_client,established; content:".smi",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*\x2esmi/i"; flowbits:set,file.realplayer.playlist; flowbits:set,file.dmg; flowbits:set,file.smi; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:imap,pop3; classtype:misc-activity; sid:21695; rev:12; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY SMI file attachment detected"; flow:to_server,established; content:".smi",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*\x2esmi/i"; flowbits:set,file.realplayer.playlist; flowbits:set,file.dmg; flowbits:set,file.smi; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:21696; rev:13; )
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY SAMI file attachment detected"; flow:to_client,established; content:".sami",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*\x2esami/i"; flowbits:set,file.realplayer.playlist; flowbits:set,file.smi; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:imap,pop3; classtype:misc-activity; sid:21697; rev:12; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY SAMI file attachment detected"; flow:to_server,established; content:".sami",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*\x2esami/i"; flowbits:set,file.realplayer.playlist; flowbits:set,file.smi; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:21698; rev:13; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY ANI file download request"; flow:to_server,established; http_uri; content:".ani",fast_pattern,nocase; pcre:"/\x2eani([\?\x5c\x2f]|$)/ims"; flowbits:set,file.ani; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:http; classtype:misc-activity; sid:21724; rev:12; )
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY ANI file attachment detected"; flow:to_client,established; content:".ani",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*\x2eani/i"; flowbits:set,file.ani; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:imap,pop3; classtype:misc-activity; sid:21725; rev:12; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY ANI file attachment detected"; flow:to_server,established; content:".ani",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*\x2eani/i"; flowbits:set,file.ani; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:21726; rev:13; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY ANI file magic detection"; flow:to_client,established; file_data; content:"RIFF",depth 4; content:"ACON",within 4,distance 4; flowbits:set,file.ani; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:ftp-data,http,imap,pop3; classtype:misc-activity; sid:21727; rev:12; )
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".jpg",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*\x2ejpg/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:imap,pop3; classtype:misc-activity; sid:21728; rev:12; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_server,established; content:".jpg",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*\x2ejpg/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:21729; rev:13; )
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".jpeg",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*\x2ejpeg/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:imap,pop3; classtype:misc-activity; sid:21730; rev:12; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_server,established; content:".jpeg",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*\x2ejpeg/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:21731; rev:13; )
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".pjpeg",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*\x2epjpeg/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:imap,pop3; classtype:misc-activity; sid:21732; rev:12; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_server,established; content:".pjpeg",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*\x2epjpeg/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:21733; rev:13; )
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".jpe",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*\x2ejpe/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:imap,pop3; classtype:misc-activity; sid:21734; rev:12; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_server,established; content:".jpe",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*\x2ejpe/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:21735; rev:13; )
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".jif",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*\x2ejif/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:imap,pop3; classtype:misc-activity; sid:21736; rev:12; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_server,established; content:".jif",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*\x2ejif/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:21737; rev:13; )
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".jfi",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*\x2ejfi/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:imap,pop3; classtype:misc-activity; sid:21738; rev:13; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_server,established; content:".jfi",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*\x2ejfi/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:21739; rev:14; )
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY RTF file attachment detected"; flow:to_client,established; content:".rtf",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*\x2ertf/i"; flowbits:set,file.rtf; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:imap,pop3; classtype:misc-activity; sid:21746; rev:12; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY RTF file attachment detected"; flow:to_server,established; content:".rtf",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*\x2ertf/i"; flowbits:set,file.rtf; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:21747; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP System variable directory traversal attempt - %ALLUSERSPROFILE%"; flow:to_server,established; http_uri; content:"%ALLUSERSPROFILE%",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:attempted-recon; sid:21818; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP System variable directory traversal attempt - %PROGRAMDATA%"; flow:to_server,established; http_uri; content:"%PROGRAMDATA%",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:attempted-recon; sid:21819; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP System variable directory traversal attempt - %APPDATA%"; flow:to_server,established; http_uri; content:"%APPDATA%",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:attempted-recon; sid:21820; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP System variable directory traversal attempt - %COMMONPROGRAMFILES%"; flow:to_server,established; http_uri; content:"%COMMONPROGRAMFILES%",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:attempted-recon; sid:21821; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP System variable directory traversal attempt - %COMMONPROGRAMFILES - x86%"; flow:to_server,established; http_uri; content:"%COMMONPROGRAMFILES|40|x86|41|%",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:attempted-recon; sid:21822; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP System variable directory traversal attempt - %COMSPEC%"; flow:to_server,established; http_uri; content:"%COMSPEC%",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:attempted-recon; sid:21823; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP System variable directory traversal attempt - %HOMEDRIVE%"; flow:to_server,established; http_uri; content:"%HOMEDRIVE%",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:attempted-recon; sid:21824; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP System variable directory traversal attempt - %HOMEPATH%"; flow:to_server,established; http_uri; content:"%HOMEPATH%",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:attempted-recon; sid:21825; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP System variable directory traversal attempt - %LOCALAPPDATA%"; flow:to_server,established; http_uri; content:"%LOCALAPPDATA%",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:attempted-recon; sid:21826; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP System variable directory traversal attempt - %PROGRAMFILES%"; flow:to_server,established; http_uri; content:"%PROGRAMFILES%",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:attempted-recon; sid:21827; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP System variable directory traversal attempt - %PROGRAMFILES - X86%"; flow:to_server,established; http_uri; content:"%PROGRAMFILES|40|X86|41|%",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:attempted-recon; sid:21828; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP System variable directory traversal attempt - %SystemDrive%"; flow:to_server,established; http_uri; content:"%SystemDrive%",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:attempted-recon; sid:21829; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP System variable directory traversal attempt - %SystemRoot%"; flow:to_server,established; http_uri; content:"%SystemRoot%",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:attempted-recon; sid:21830; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP System variable directory traversal attempt - %TEMP%"; flow:to_server,established; http_uri; content:"%TEMP%",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:attempted-recon; sid:21831; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP System variable directory traversal attempt - %TMP%"; flow:to_server,established; http_uri; content:"%TMP%",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:attempted-recon; sid:21832; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP System variable directory traversal attempt - %USERDATA%"; flow:to_server,established; http_uri; content:"%USERDATA%",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:attempted-recon; sid:21833; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP System variable directory traversal attempt - %USERNAME%"; flow:to_server,established; http_uri; content:"%USERNAME%",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:attempted-recon; sid:21834; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP System variable directory traversal attempt - %USERPROFILE%"; flow:to_server,established; http_uri; content:"%USERPROFILE%",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:attempted-recon; sid:21835; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP System variable directory traversal attempt - %WINDIR%"; flow:to_server,established; http_uri; content:"%WINDIR%",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:attempted-recon; sid:21836; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP System variable directory traversal attempt - %PUBLIC%"; flow:to_server,established; http_uri; content:"%PUBLIC%",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:attempted-recon; sid:21837; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP System variable directory traversal attempt - %PSModulePath%"; flow:to_server,established; http_uri; content:"%PSModulePath%",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:attempted-recon; sid:21838; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP System variable in URI attempt - %COMPUTERNAME%"; flow:to_server,established; http_uri; content:"%COMPUTERNAME%",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:attempted-recon; sid:21839; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP System variable in URI attempt - %LOGONSERVER%"; flow:to_server,established; http_uri; content:"%LOGONSERVER%",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:attempted-recon; sid:21840; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP System variable in URI attempt - %PATH%"; flow:to_server,established; http_uri; content:"%PATH%",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:attempted-recon; sid:21841; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP System variable in URI attempt - %PATHEXT%"; flow:to_server,established; http_uri; content:"%PATHEXT%",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:attempted-recon; sid:21842; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP System variable in URI attempt - %PROMPT%"; flow:to_server,established; http_uri; content:"%PROMPT%",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:attempted-recon; sid:21843; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP System variable in URI attempt - %USERDOMAIN%"; flow:to_server,established; http_uri; content:"%USERDOMAIN%",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:attempted-recon; sid:21844; rev:5; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER TDS Sutra - redirect received"; flow:to_client,established; content:"_0000=",fast_pattern; http_cookie; content:"SL_"; content:"_0000=",within 8; metadata:impact_flag red,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21845; rev:9; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC TDS Sutra - request in.cgi"; flow:to_server,established; http_uri; content:"/in.cgi?"; pcre:"/\x2Fin\.cgi\?(\d{1,2}|default)$/i"; metadata:impact_flag red,ruleset community; service:http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21846; rev:9; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER TDS Sutra - page redirecting to a SutraTDS"; flow:to_client,established; file_data; content:"/in.cgi?"; isdataat:15,relative; content:!"id=",within 3,nocase; content:!"&",within 6; content:!"=",within 6; pcre:"/\x2Fin\.cgi\?(\w{1,6}|default)\b/ims"; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; service:http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21848; rev:15; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER TDS Sutra - HTTP header redirecting to a SutraTDS"; flow:to_client,established; http_header; content:"/in.cgi"; pcre:"/\x2Fin\.cgi\?(\d{1,2}|default)$/ims"; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; service:http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21849; rev:10; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER TDS Sutra - request hi.cgi"; flow:to_server,established; http_uri; content:"/hi.cgi"; metadata:impact_flag red,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21850; rev:7; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER TDS Sutra - redirect received"; flow:to_client,established; http_stat_code; content:"302"; pkt_data; content:"=_"; content:"_|5C 3B| domain=",within 11,distance 1; http_cookie; pcre:"/^[a-z]{5}\d=_\d_/"; metadata:impact_flag red,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21851; rev:7; )
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY ZIP file attachment detected"; flow:to_client,established; content:".zip",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*\x2ezip/i"; flowbits:set,file.zip; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:imap,pop3; classtype:misc-activity; sid:21856; rev:13; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY ZIP file attachment detected"; flow:to_server,established; content:".zip",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*\x2ezip/i"; flowbits:set,file.zip; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:21857; rev:14; )
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Portable Executable file attachment detected"; flow:to_client,established; content:".exe",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*\x2eexe/i"; flowbits:set,file.exe; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:imap,pop3; classtype:misc-activity; sid:21908; rev:11; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Portable Executable file attachment detected"; flow:to_server,established; content:".exe",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*\x2eexe/i"; flowbits:set,file.exe; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:21909; rev:12; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY EMF file magic detected"; flow:to_client,established; file_data; content:"|01 00 00 00|",depth 4; content:"|20|EMF",within 4,distance 36,fast_pattern; flowbits:set,file.emf; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:ftp-data,http,imap,pop3; classtype:misc-activity; sid:21940; rev:13; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY XM file download request"; flow:to_server,established; http_uri; content:".xm",fast_pattern,nocase; pcre:"/\x2exm([\?\x5c\x2f]|$)/ims"; flowbits:set,file.xm; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:http; classtype:misc-activity; sid:22043; rev:8; )
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY XM file attachment detected"; flow:to_client,established; content:".xm",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*\x2exm/i"; flowbits:set,file.xm; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:imap,pop3; classtype:misc-activity; sid:22044; rev:9; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY XM file attachment detected"; flow:to_server,established; content:".xm",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*\x2exm/i"; flowbits:set,file.xm; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:22045; rev:10; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY XM file magic detected"; flow:to_client,established; file_data; content:"Extended Module:",fast_pattern,nocase; flowbits:set,file.xm; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:ftp-data,http,imap,pop3; classtype:misc-activity; sid:22046; rev:9; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Alureon - Malicious IFRAME load attempt"; flow:to_client,established; file_data; content:"name=|5C 22|Twitter|5C 22| scrolling=|5C 22|auto|5C 22| frameborder=|5C 22|no|5C 22| align=|5C 22|center|5C 22| height = |5C 22|1px|5C 22| width = |5C 22|1px|5C 22|>",fast_pattern,nocase; metadata:policy balanced-ips alert,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1102; classtype:trojan-activity; sid:22061; rev:8; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP PHP-CGI remote file include attempt"; flow:to_server,established; http_uri; content:"auto_prepend_file"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2012-1823; reference:cve,2012-2311; reference:cve,2012-2335; reference:cve,2012-2336; classtype:attempted-admin; sid:22063; rev:11; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP Multiple Products FTP MKD buffer overflow attempt"; flow:to_server,established; content:"MKD ",depth 4; isdataat:75,relative; content:!"|0A|",within 75; metadata:policy max-detect-ips drop,ruleset community; service:ftp; reference:bugtraq,11772; reference:bugtraq,15457; reference:bugtraq,23885; reference:bugtraq,39041; reference:bugtraq,612; reference:bugtraq,7278; reference:bugtraq,9872; reference:cve,1999-0911; reference:cve,2004-1135; reference:cve,2005-3683; reference:cve,2007-2586; reference:cve,2009-3023; reference:cve,2010-0625; reference:nessus,12108; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-053; reference:url,www.exploit-db.com/exploits/14399/; reference:url,www.kb.cert.org/vuls/id/276653; classtype:attempted-admin; sid:23055; rev:10; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-COMPROMISE script before DOCTYPE possible malicious redirect attempt"; flow:to_client,established; file_data; content:"</script><!DOCTYPE",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:web-application-attack; sid:23179; rev:5; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION hex escaped characters in setTimeout call"; flow:to_client,established; file_data; content:"setTimeout|28|",nocase; content:"|5C|x",within 10,nocase; content:"|5C|x",within 10,nocase; pcre:"/setTimeout\x28[\x22\x27][^\x2C]*?\x5cx[\da-f]{2}[^\x2C]*?[\da-f]{2,}\x5cx[\da-f]{2}/ims"; metadata:policy max-detect-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:bad-unknown; sid:23481; rev:6; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION hex escaped characters in addEventListener call"; flow:to_client,established; file_data; content:"addEventListener|28|",nocase; content:"|5C|x",within 10,nocase; content:"|5C|x",within 10,nocase; pcre:"/addEventListener\x28[\x22\x27][^\x2C]*?\x5cx[\da-f]{2}[^\x2C]*?[\da-f]{2,}\x5cx[\da-f]{2}/ims"; metadata:policy max-detect-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:bad-unknown; sid:23482; rev:6; )
alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"MALWARE-CNC Win.Trojan.ZeroAccess outbound connection"; flow:to_server; dsize:20; content:"|9E 98|",depth 2,offset 6; metadata:ruleset community; reference:url,www.virustotal.com/file/50cdd9f6c5629630c8d8a3a4fe7d929d3c6463b2f9407d9a90703047e7db7ff9/analysis/; classtype:trojan-activity; sid:23492; rev:6; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION known packer routine with secondary obfuscation"; flow:to_client,established; file_data; content:"eval(function(p,a,c,k,e,r)",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,dean.edwards.name/packer/; classtype:misc-activity; sid:23621; rev:9; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION JavaScript built-in function parseInt appears obfuscated - likely packer or encoder"; flow:to_client,established; file_data; content:"|5B 27|parse|27 2B 27|Int|27 5D 28|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,snort.org/rule_docs/1-23636; classtype:trojan-activity; sid:23636; rev:11; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|03 04|",depth 4; content:!"|14 00 06 00|",within 4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:23651; rev:15; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK00PK|03 04|",depth 8; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:23652; rev:16; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|01 02|",depth 4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:23653; rev:16; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|05 06|",depth 4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:23654; rev:16; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|06 08|",depth 4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:23655; rev:16; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|06 07|",depth 4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:23656; rev:16; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|06 06|",depth 4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:23657; rev:16; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY PNG file magic detected"; flow:to_server,established; file_data; content:"|89|PNG|0D 0A 1A 0A|",depth 8; flowbits:set,file.png; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:23664; rev:17; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_server,established; file_data; content:"|FF D8 FF E0|",depth 4; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:23667; rev:14; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY RTF file magic detected"; flow:to_server,established; file_data; content:"{|5C|rt",fast_pattern,nocase; flowbits:set,file.rtf; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:23670; rev:14; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY PDF file magic detected"; flow:to_server,established; file_data; content:"%PDF-",nocase; flowbits:set,file.pdf; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:23678; rev:14; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Compound File Binary v3 file magic detected"; flow:to_server,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:">|00 03 00|",within 4,distance 16; flowbits:set,file.ole; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:23707; rev:16; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Microsoft Compound File Binary v4 file magic detected"; flow:to_server,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:">|00 04 00|",within 4,distance 16; flowbits:set,file.oless.v4; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:23708; rev:7; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY OLE Document file magic detected"; flow:to_server,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|",depth 8; flowbits:set,file.ole; flowbits:set,file.fpx; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:23711; rev:14; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Portable Executable binary file magic detected"; flow:to_server,established; file_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|",within 4,distance -64; flowbits:set,file.exe; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:23725; rev:12; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY XML file magic detected"; flow:to_server,established; file_data; content:"<xml>",depth 50,nocase; flowbits:set,file.xml; flowbits:noalert; metadata:policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:23758; rev:10; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY XML file magic detected"; flow:to_server,established; file_data; content:"<?xml",depth 50,nocase; flowbits:set,file.xml; flowbits:noalert; metadata:policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:23759; rev:10; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY EMF file magic detected"; flow:to_server,established; file_data; content:"|01 00 00 00|",depth 4; content:"|20|EMF",within 4,distance 36,fast_pattern; flowbits:set,file.emf; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:23766; rev:12; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY XM file magic detected"; flow:to_server,established; file_data; content:"Extended Module:",fast_pattern,nocase; flowbits:set,file.xm; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:23773; rev:9; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.Magania variant outbound connection"; flow:to_server,established; content:"User-Agent: Google page|0D 0A|",fast_pattern,nocase; content:".asp?"; content:"mac=",within 4; content:"&ver=",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.seculert.com/blog/2013/06/adversary-arsenal-exposed-part-i-pinkstats.html; reference:url,www.virustotal.com/file/6a813f96bb65367a8b5c5ba2937c773785a0a0299032a6c77b9b0862be8bdb71/analysis/; classtype:trojan-activity; sid:24015; rev:8; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Possible malicious redirect - rebots.php"; flow:to_server,established; http_uri; content:"/rebots.php",fast_pattern,nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,blog.sucuri.net/2012/08/rebots-php-javascript-malware-being-actively-injected.html; reference:url,labs.sucuri.net/db/malware/mwjs-include-rebots; classtype:misc-activity; sid:24017; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER malicious redirection attempt"; flow:to_server,established; http_uri; content:"a=YWZmaWQ9MDUyODg",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,blog.sucuri.net/2012/09/compromised-websites-hosting-calls-to-java-exploit.html; classtype:bad-unknown; sid:24225; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android/Fakelash.A!tr.spy trojan command and control channel traffic"; flow:to_server,established; http_uri; content:"/data.php?action=",nocase; content:"&m=",distance 0,nocase; content:"&p=",distance 0,nocase; content:"&n=",distance 0,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,blog.fortiguard.com/android-malware-distributed-by-malicious-sms-in-france/; classtype:trojan-activity; sid:24251; rev:5; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-COMPROMISE IP only webpage redirect attempt"; flow:to_client,established; file_data; content:"<html><head><meta http-equiv=|22|refresh"; pcre:"/^[^>]*\x2f\x2f\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\x2e\d{1,3}/Rs"; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:bad-unknown; sid:24253; rev:7; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-COMPROMISE IP only webpage redirect attempt"; flow:to_client,established; file_data; content:"document.location="; pcre:"/^[^>]*\x2f\x2f\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\x2e\d{1,3}/Rs"; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:bad-unknown; sid:24254; rev:7; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 84 ( msg:"MALWARE-OTHER Malicious UA detected on non-standard port"; flow:to_server,established,no_stream; content:"User-Agent|3A| Mozilla/5.0 |28|Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US|29|"; detection_filter:track by_src,count 1,seconds 120; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:url,anubis.iseclab.org/?action=result&task_id=1691c3b8835221fa4692960681f39c736&format=html; classtype:trojan-activity; sid:24265; rev:6; )
alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] ( msg:"OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt"; flow:to_server,established; content:"|FF|SMB|73 00 00 00 00|",depth 9,offset 4; content:"|00 00|",within 2,distance 13; content:"|FF|",within 1,distance 9; content:"NTLMSSP|00 03 00 00 00|",within 100; content:"|00 00 00 00 48 00 00 00|",within 8,distance 24,fast_pattern; flowbits:set,smb.null_session; flowbits:noalert; metadata:policy max-detect-ips alert,policy security-ips alert,ruleset community; service:netbios-ssn; reference:bugtraq,1163; reference:cve,2000-0347; classtype:attempted-recon; sid:24359; rev:9; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_client,established; file_data; content:"|FF D8 FF E1|",depth 4; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:ftp-data,http,imap,pop3; classtype:misc-activity; sid:24455; rev:12; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_client,established; file_data; content:"|FF D8 FF EE|",depth 4; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:ftp-data,http,imap,pop3; classtype:misc-activity; sid:24456; rev:12; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_server,established; file_data; content:"|FF D8 FF E1|",depth 4; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:24457; rev:11; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_server,established; file_data; content:"|FF D8 FF EE|",depth 4; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:24458; rev:11; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"POLICY-SPAM 1.usa.gov URL in email, possible spam redirect"; flow:to_server,established; file_data; content:"http|3A 2F 2F|1.usa.gov"; pcre:"/http\x3A\x2f\x2f1\.usa\.gov\x2f[a-f0-9]{6,8}/ims"; metadata:policy max-detect-ips drop,ruleset community; service:smtp; reference:url,www.symantec.com/connect/blogs/spam-gov-urls; classtype:bad-unknown; sid:24598; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Potential Banking Trojan Config File Download"; flow:to_server,established; http_raw_uri; bufferlen:11; http_uri; content:"|2F|Config|2E|txt",fast_pattern,nocase; http_header; content:"Mozilla|2F|3|2E|0|20 28|compatible|3B 20|Indy|20|Library|29 0D 0A|"; metadata:ruleset community; service:http; reference:url,www.virustotal.com/file/2418469245edf860633f791b972e1a8a11e5744c6deb0cc1a55531cba3d0bd7f/analysis/; classtype:trojan-activity; sid:24885; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Dorkbot variant outbound connection"; flow:to_server,established; http_uri; content:".php?ip="; content:"&os=",distance 0; content:"&name=",distance 0; content:"&id=",distance 0; metadata:ruleset community; service:http; reference:url,www.virustotal.com/file/c425af6875dff2c0627421086f66b7e058f51d22939478529702d193837c6cfe/analysis/; classtype:trojan-activity; sid:24886; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET [139,445] ( msg:"NETBIOS SMB Trans2 FIND_FIRST2 find file and directory info request"; flow:to_server,established; content:"|FF|SMB2|00 00 00 00|",depth 9,offset 4; byte_test:1,!&,0x80,0,relative; content:"|01 00|",within 2,distance 52; byte_jump:2,-10,relative,from_beginning,little,post_offset 10; content:"|04 01|",within 2; flowbits:set,smb.trans2.fileinfo; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:netbios-ssn; classtype:protocol-command-decode; sid:24972; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:11<=>20; http_method; content:"POST"; http_uri; content:".php"; http_header; content:"|3B 20|MSIE|20|"; content:!"|0D 0A|Accept|2D|Language|3A|"; content:!"|0D 0A|Referer|3A|"; content:!"|0D 0A|Cookie|3A|"; http_client_body; content:!"Content-Disposition"; pkt_data; content:"Content-Length: ",nocase; byte_test:8,<,369,0,relative,string; http_client_body; pcre:"/[^\x20-\x7e\x0d\x0a]{4}/"; metadata:impact_flag red,ruleset community; service:http; classtype:trojan-activity; sid:25050; rev:9; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC ZeroAccess Clickserver callback"; flow:to_server,established; http_raw_uri; bufferlen:95; pkt_data; content:" HTTP/1.0|0D 0A|Host:",fast_pattern,nocase; http_uri; pcre:"/^\x2f[A-Z\d]{83}\x3d[A-Z\d]{10}$/i"; metadata:impact_flag red,ruleset community; service:http; classtype:trojan-activity; sid:25054; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC User-Agent known malicious user agent - NewBrandTest"; flow:to_server,established; http_header; content:"User-Agent|3A 20|NewBrandTest|0D 0A|",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,www.virustotal.com/file/02b18d0aa415e299515891b56424751e846ca917d3bb55b82f07cfb97f62c4e1/analysis/; classtype:trojan-activity; sid:25119; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.ZeroAccess URI and Referer"; flow:to_server,established; http_raw_uri; bufferlen:52; http_header; content:"/s/?k=",fast_pattern,nocase; http_uri; pcre:"/^\x2f[a-z0-9]{51}$/i"; http_header; pcre:"/Referer\x3a\s*?http\x3a\x2f{2}[a-z0-9\x2e\x2d]+\x2fs\x2f\x3fk\x3d/i"; metadata:ruleset community; service:http; classtype:trojan-activity; sid:25224; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Worm.Gamarue variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_raw_uri; bufferlen:12; http_uri; content:"/a/image.php",fast_pattern,nocase; http_header; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; metadata:impact_flag red,ruleset community; service:http; classtype:trojan-activity; sid:25256; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Skintrim variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/bin/check.php?cv="; http_header; content:"ThIs_Is_tHe_bouNdaRY_$",fast_pattern; metadata:ruleset community; service:http; reference:url,www.virustotal.com/file/80e67695fa394f56fd6ddae74b72e9050f651244aad52ad48ebe6304edff95e2/analysis/1357239259/; classtype:trojan-activity; sid:25257; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Rombrast variant outbound connection"; flow:to_server,established; http_uri; content:"/file.aspx?file=",fast_pattern,nocase; http_header; content:"ksp/WS"; metadata:ruleset community; service:http; reference:url,www.virustotal.com/file/af1ffe831112cbb34866fe1a65ed18613578039b002ca221757b791a5006894d/analysis/; classtype:trojan-activity; sid:25258; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.BancosBanload variant outbound connection"; flow:to_server,established; http_uri; content:".gif"; http_header; content:"|0D 0A|Accept|2D|Encoding|3A 20|gzip|2C|deflateidentity|0D 0A|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/file/098fa9dbc519669a50fc6f3cdc8d9e4b05a6f0c32d154f515e403b54d72efff6/analysis/1357138873/; classtype:trojan-activity; sid:25259; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Buterat variant outbound connection"; flow:to_server,established; http_header; content:"From|3A|"; content:"Via|3A|"; http_raw_uri; bufferlen:13; http_uri; pcre:"/^\x2f\d{3}\x2f\d{3}\x2ehtml$/"; metadata:ruleset community; service:http; reference:url,www.virustotal.com/file/90fb793d1fd7245b841ca4b195e3944a991d97d854090729062d700fe74553e5/analysis/; classtype:trojan-activity; sid:25269; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Buzus variant outbound connection"; flow:to_server,established; http_uri; content:"/default.aspx?ver="; content:"&uid=",distance 0; http_header; content:"|3B 20|MRA|20|5.10|20|"; http_uri; pcre:"/\x26uid\x3d[a-f0-9]{16}($|\x26)/"; metadata:ruleset community; service:http; classtype:trojan-activity; sid:25271; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Request for a non-legit postal receipt"; flow:to_server,established; http_uri; content:".php?php=receipt",fast_pattern,nocase; pcre:"/\x2f[a-z0-9]+\.php\?php\x3dreceipt$/i"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,urlquery.net/search.php?q=.php%3Fphp%3Dreceipt&type=string; classtype:misc-activity; sid:25277; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"APP-DETECT Acunetix web vulnerability scan attempt"; flow:to_server,established; flowbits:set,acunetix-scan; http_header; content:"Acunetix-",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,www.acunetix.com; classtype:web-application-attack; gid:1; sid:25358; rev:6; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"APP-DETECT Acunetix web vulnerability scanner probe attempt"; flow:to_server,established; http_uri; content:"/acunetix-wvs-test-for-some-inexistent-file",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,www.acunetix.com; classtype:web-application-attack; gid:1; sid:25359; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"APP-DETECT Acunetix web vulnerability scanner authentication attempt"; flow:to_server,established; http_uri; content:"password=g00dPa$$w0rD",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,www.acunetix.com; classtype:web-application-attack; gid:1; sid:25360; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"APP-DETECT Acunetix web vulnerability scanner RFI attempt"; flow:to_server,established; http_uri; content:"src=/testasp.vulnweb.com/",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,www.acunetix.com; classtype:web-application-attack; gid:1; sid:25361; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt"; flow:to_server,established; http_uri; content:"PHNjcmlwdD",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,www.acunetix.com; classtype:web-application-attack; gid:1; sid:25362; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"APP-DETECT Acunetix web vulnerability scanner URI injection attempt"; flow:to_server,established; http_uri; content:"http:/www.acunetix.com",fast_pattern,nocase; http_header; content:"Acunetix-",nocase; metadata:ruleset community; service:http; reference:url,www.acunetix.com; classtype:web-application-attack; gid:1; sid:25363; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt"; flow:to_server,established; http_uri; content:"<ScRiPt>prompt(",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,www.acunetix.com; classtype:web-application-attack; gid:1; sid:25364; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"APP-DETECT Acunetix web vulnerability scanner XSS attempt"; flow:to_server,established; http_uri; content:">=|5C|xa2",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,www.acunetix.com; classtype:web-application-attack; gid:1; sid:25365; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Pushdo Spiral Traffic"; flow:to_server,established; http_method; content:"POST"; http_raw_uri; bufferlen:39; http_uri; content:"/?ptrxcz_",fast_pattern,nocase; pcre:"/^\x2f\x3fptrxcz\x5f[a-zA-Z0-9]{30}$/i"; metadata:ruleset community; service:http; reference:url,updates.atomicorp.com/channels/rules/delayed/modsec/10_asl_antimalware.conf; classtype:trojan-activity; sid:25471; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Necurs Rootkit sba.cgi"; flow:to_server,established; http_method; content:"POST"; http_raw_uri; bufferlen:16; http_uri; content:"/cgi-bin/sba.cgi",fast_pattern,nocase; http_client_body; pcre:"/[^\x20-\x7e\x0d\x0a]{4}/"; metadata:ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.virustotal.com/file/b1e6f0cad0ae5c60e9e4fa18fd3b4a045d6db172c10a1c8e054e22d1aff4c673/analysis/; classtype:trojan-activity; sid:25503; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Necurs Rootkit op.cgi"; flow:to_server,established; http_method; content:"POST"; http_raw_uri; bufferlen:15; http_uri; content:"/cgi-bin/op.cgi",fast_pattern,nocase; http_client_body; pcre:"/[^\x20-\x7e\x0d\x0a]{4}/"; metadata:ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.virustotal.com/file/b1e6f0cad0ae5c60e9e4fa18fd3b4a045d6db172c10a1c8e054e22d1aff4c673/analysis/; classtype:trojan-activity; sid:25504; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:"lfstream|26|",depth 9,offset 8; pcre:"/^POST\x20\x2fg[ao]lfstream\x26/"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/file/f4c44b5331c30b62beacae5d343d591584715c2d9d6d65848216b61efd916ec1/analysis/; classtype:trojan-activity; sid:25511; rev:4; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Portable Executable download detected"; flow:to_client,established; http_header; content:"application/octet-stream",fast_pattern,nocase; pcre:"/^Content-Type\x3a[\x20\x09]+application\/octet-stream/ims"; file_data; content:"MZ",within 2; flowbits:set,file.exe; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:ftp-data,http,imap,pop3; classtype:misc-activity; sid:25513; rev:12; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Portable Executable download detected"; flow:to_client,established; http_header; content:"application/x-msdos-program",fast_pattern,nocase; pcre:"/^Content-Type\x3a[\x20\x09]+application\/x-msdos-program/ims"; file_data; content:"MZ",within 2; flowbits:set,file.exe; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:ftp-data,http,imap,pop3; classtype:misc-activity; sid:25514; rev:12; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Portable Executable binary file magic detected"; flow:to_client,established; file_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|",within 4,distance -64; flowbits:set,file.exe; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:ftp-data,http,imap,pop3; classtype:misc-activity; sid:25515; rev:11; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Apple iPod User-Agent detected"; flow:to_server,established; http_header; content:"User-Agent|3A|"; content:"iPod",distance 0,fast_pattern; pcre:"/^User-Agent\x3a[^\r\n]*iPod/"; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:policy-violation; sid:25518; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Apple iPad User-Agent detected"; flow:to_server,established; http_header; content:"User-Agent|3A|"; content:"iPad",distance 0,fast_pattern; pcre:"/^User-Agent\x3a[^\r\n]*iPad/"; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:policy-violation; sid:25519; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Apple iPhone User-Agent detected"; flow:to_server,established; http_header; content:"User-Agent|3A|"; content:"iPhone",distance 0,fast_pattern; pcre:"/^User-Agent\x3a[^\r\n]*iPhone/"; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:policy-violation; sid:25520; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Android User-Agent detected"; flow:to_server,established; http_header; content:"User-Agent|3A|"; content:"android",distance 0,fast_pattern,nocase; pcre:"/^User-Agent\x3a[^\r\n]*android/i"; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:policy-violation; sid:25521; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Nokia User-Agent detected"; flow:to_server,established; http_header; content:"User-Agent|3A|"; content:"nokia",distance 0,fast_pattern,nocase; pcre:"/^User-Agent\x3a[^\r\n]*nokia/i"; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:policy-violation; sid:25522; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Samsung User-Agent detected"; flow:to_server,established; http_header; content:"User-Agent|3A|"; content:"Samsung",distance 0,fast_pattern,nocase; pcre:"/^User-Agent\x3a[^\r\n]*samsung/i"; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:policy-violation; sid:25523; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-MOBILE Kindle User-Agent detected"; flow:to_server,established; http_header; content:"User-Agent|3A|"; content:"kindle",distance 0,fast_pattern,nocase; pcre:"/^User-Agent\x3a[^\r\n]*kindle/i"; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:policy-violation; sid:25524; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"OS-OTHER Nintendo User-Agent detected"; flow:to_server,established; http_header; content:"User-Agent|3A|"; content:"nintendo",distance 0,fast_pattern,nocase; pcre:"/^User-Agent\x3a[^\r\n]*nintendo/i"; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:policy-violation; sid:25525; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Rootkit.Necurs possible URI with encrypted POST"; flow:to_server,established; http_method; content:"POST"; http_raw_uri; bufferlen:15; http_uri; content:"/admin/host.php",fast_pattern,nocase; http_client_body; pcre:"/[^\x0d\x0a\x09\x20-\x7e]{4}/"; metadata:ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.virustotal.com/file/98fb9778208cb74c11a71afd065ae64e562ded1ae477ad42e392fe3711170319/analysis/; classtype:trojan-activity; sid:25577; rev:4; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Fake postal receipt HTTP Response phishing attack"; flow:to_client,established; http_header; content:"|3B 20|filename=PostalReceipt.zip|0D 0A|",fast_pattern,nocase; file_data; content:"PostalReceipt.exe"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1192; reference:url,www.urlquery.net/search.php?q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50; classtype:trojan-activity; sid:25578; rev:4; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Fake bookinginfo HTTP Response phishing attack"; flow:to_client,established; http_header; content:"|3B 20|filename=BookingInfo.zip|0D 0A|",fast_pattern,nocase; file_data; content:"BookingInfo.exe"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1192; reference:url,www.urlquery.net/search.php?q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50; classtype:trojan-activity; sid:25579; rev:4; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Fake bookingdetails HTTP Response phishing attack"; flow:to_client,established; http_header; content:"|3B 20|filename=BookingDetails.zip|0D 0A|",fast_pattern,nocase; file_data; content:"BookingDetails.exe"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1192; reference:url,www.urlquery.net/search.php?q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50; classtype:trojan-activity; sid:25580; rev:4; )
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 ( msg:"SERVER-OTHER libupnp command buffer overflow attempt"; flow:to_server; content:"M-SEARCH ",depth 9; content:"|3A|device|3A|"; isdataat:180,relative; content:!"|3A|",within 180; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ssdp; reference:cve,2012-5958; reference:cve,2012-5962; classtype:attempted-admin; sid:25589; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,443] ( msg:"MALWARE-CNC Win.Trojan.Reventon variant outbound connection"; flow:to_server,established; isdataat:!5; content:"|9A 02 00 00|",depth 4,fast_pattern; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/file/25c690dac0d17f9ba304e5e68c1da2381685b1aa0aa3cd503589bbc59daf81eb/analysis/; classtype:trojan-activity; sid:25627; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kryptic variant outbound connection"; flow:to_server,established; http_header; content:"Accept-Language: en-us|3B 0D 0A|"; http_client_body; content:"wok5VLG.6",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,www.virustotal.com/file/3ff78086c2e0fb839beeea7e4a209850c00f338005872e845155341cc30a5db5/analysis/; classtype:trojan-activity; sid:25652; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Medfos variant outbound connection"; flow:to_server,established; http_uri; content:"/js/disable.js?type=",fast_pattern,nocase; http_header; content:"Accept|3A 20|application/javascript|2C 20 2A 2F 2A 3B|q=0.8"; metadata:ruleset community; service:http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:JS/Medfos.B; classtype:trojan-activity; sid:25660; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 ( msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; isdataat:266; isdataat:!276; http_header; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D 0A|",fast_pattern,nocase; http_raw_uri; bufferlen:159; http_uri; pcre:"/\x2f[A-F0-9]{158}/"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/; classtype:trojan-activity; sid:25675; rev:9; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan Agent YEH variant outbound connection"; flow:to_server,established; http_header; content:"|29 3B 28|b|3A|3790|3B|c|3A|INT|2D|6760|3B|l|3A|09|29 0D 0A|",fast_pattern,nocase; http_uri; pcre:"/\x2f\?ts\x3d[a-f0-9]{40}\x26/i"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-YEH/detailed-analysis.aspx; classtype:trojan-activity; sid:25765; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; http_uri; content:"/cmd.php?cmd="; content:"arq=",distance 0; content:"cmd2=",distance 0; metadata:impact_flag red,ruleset community; service:http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32%2fBancos; classtype:trojan-activity; sid:25766; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Urausy Botnet variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:95<=>102; http_header; content:"|29 20|Chrome|2F|"; content:!"|0A|Accept-Encoding|3A 20|"; http_uri; pcre:"/^\x2f[a-z\x2d\x5f]{90,97}\.php$/"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.botnets.fr/index.php/Urausy; classtype:trojan-activity; sid:25807; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan Banker FTC variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:18; http_uri; content:"/listas/out/si.php",fast_pattern,nocase; pkt_data; content:"HTTP/1.0|0D 0A|",depth 10,offset 24; metadata:ruleset community; service:http; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Banker-FTC/detailed-analysis.aspx; classtype:trojan-activity; sid:25829; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection - MSIE7 No Referer No Cookie"; flow:to_server,established; http_raw_uri; bufferlen:1; http_uri; content:"|2F|"; http_header; pcre:"/\r\nHost\x3A\s+[^\r\n]*?[bcdfghjklmnpqrstvwxyz]{5,}[^\r\n]*?\x2Einfo\r\n/i"; content:!"|0A|Referer|3A|"; content:!"|0A|Cookie|3A|"; content:"|3B 20|MSIE|20|7.0|3B 20|"; content:"|2E|info|0D 0A|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,en.wikipedia.org/wiki/Zeus_(Trojan_horse); classtype:trojan-activity; sid:25854; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 ( msg:"APP-DETECT Ammyy remote access tool"; flow:to_server,established; http_method; content:"POST"; http_header; content:"|0A|Host|3A 20|rl.ammyy.com|0D 0A|",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,www.ammyy.com; classtype:policy-violation; gid:1; sid:25947; rev:4; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT redirection to driveby download"; flow:to_client,established; file_data; content:"/Home/index.php|22| width=1 height=1 scrolling=no></iframe>",fast_pattern,nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:25948; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zebrocy outbound data connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:".php"; http_header; content:"User|2D|Agent|3A 20|Mozilla|2F|3.0|20 28|compatible|3B 20|Indy Library|29 0D 0A|"; http_client_body; content:"form-data|3B| name=|22|userfile|22 3B| filename=",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/#/file/979c14f993a1cd91f1b890f93a59ab5b14e059e056b9cf069222f529e50a4d5f/; reference:url,www.virustotal.com/#/file/ac9aea57da03206b1df12b5c012537c899bf5d67a5eb8113b4a4d99e0a0eb893/; reference:url,www.virustotal.com/en/file/04edf40eaf652dfab4e8dc2ca21fbf2e99d361746995767071789cc3fa24d2cc/analysis/1361822708/; classtype:trojan-activity; sid:25949; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Sibhost exploit kit"; flow:to_server,established; http_uri; content:"yoO4TAbn2tpl5DltCfASJIZ2spEJPLSn",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.malwaresigs.com/2013/02/26/sport-cd-am-sibhost; classtype:trojan-activity; sid:26020; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zbot variant in.php outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:7; http_uri; content:"/in.php"; http_header; content:".ru|0D 0A|User-Agent|3A 20|Mozilla/4.0|0D 0A|",fast_pattern,nocase; content:"|0A|Content-Length|3A 20|"; metadata:ruleset community; service:http; reference:url,zeustracker.abuse.ch/monitor.php?ipaddress=195.22.26.231; classtype:trojan-activity; sid:26023; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Wecod variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:20; http_uri; content:"/b/n/winrar/tudo.rar",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,www.virustotal.com/en/file/22e0300501e6bbb7f46c2fb5aed12e4c0d23385cc6319d430cd4faed5241f362/analysis/; classtype:trojan-activity; sid:26024; rev:3; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY ZIP file download detected"; flow:to_client,established; file_data; content:"PK|03 04 14 00 06 00|",depth 8; flowbits:set,file.zip; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:ftp-data,http,imap,pop3; classtype:misc-activity; sid:26057; rev:13; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY ZIP file attachment detected"; flow:to_server,established; file_data; content:"PK|03 04 14 00 06 00|",depth 8; flowbits:set,file.zip; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:26058; rev:12; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Bancos variant outbound connection SQL query POST data"; flow:to_server,established; http_client_body; content:"a=select CAMPO from PAGINA where CODIGO = ",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,www.virustotal.com/en/file/88efcb549a52e3fb6359a3888e72726aac00c730edcd5280e0248d11306a645d/analysis/; classtype:trojan-activity; sid:26075; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; http_uri; content:".php"; http_header; content:"|3B 20|MSIE|20|"; content:"|0D 0A|Accept|2D|Encoding|3A 20|identity|0D 0A|",distance 0; pcre:"/\x0d\x0aContent\x2dLength\x3a\x20(124|132)\x0d\x0a/"; http_client_body; pcre:"/\x3d?\x3d\r\n$/"; metadata:ruleset community; service:http; classtype:trojan-activity; sid:26106; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Gupd variant outbound connection"; flow:to_server,established; http_client_body; content:"cstype=",depth 7; content:"&authname=",within 48,distance 1; content:"&authpass=",within 48,distance 1; content:"&hostname=",within 48,distance 1; content:"&ostype=",within 256,distance 1; content:"&macaddr=",within 64,distance 16; content:"&owner=",within 48,distance 17; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/0DD9018A9AF609382FABDA8E4EC86033DA83E42FEC25499C329DBDCBB00F2AF0/analysis/; classtype:trojan-activity; sid:26203; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Eldorado variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:12; http_uri; content:"/pid/pid.txt",fast_pattern,nocase; http_header; content:"(compatible|3B 20|Indy Library)|0D 0A 0D 0A|"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/46b01e093493ff14a4f1a43905d4943f5559fb518c04edde46084d9672d0f20f/analysis/1363359002/; classtype:trojan-activity; sid:26211; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Proxyier variant outbound connection"; flow:to_server,established; content:"GET /?",depth 6; content:"HTTP/1.1|0D 0A|Host|3A 20|update|2E|",distance 0; http_header; content:"0b8pre|0D 0A|",fast_pattern,nocase; content:!"|0A|Referer"; metadata:ruleset community; service:http; classtype:trojan-activity; sid:26212; rev:2; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_client,established; file_data; content:"|00 10|JFIF"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:ftp-data,http,imap,pop3; classtype:misc-activity; sid:26251; rev:12; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Fake postal receipt HTTP Response phishing attack"; flow:to_client,established; http_header; content:"|3B 20|filename=Postal-Receipt.zip|0D 0A|",fast_pattern,nocase; file_data; content:"Postal-Receipt.exe"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1192; reference:url,www.urlquery.net/search.php?q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50; classtype:trojan-activity; sid:26261; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Dapato banking Trojan variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:21; http_uri; content:"/pics/_vti_cnf/00.inf",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/ebcff32473d032041bd69e9599fbff4ad295128003f76d1f452ba7cb6e2d20d4/analysis/1364314446/; classtype:trojan-activity; sid:26264; rev:6; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP DD-WRT httpd cgi-bin remote command execution attempt"; flow:to_server,established; http_uri; content:"/cgi-bin/",depth 10,nocase; content:"${IFS}",fast_pattern,nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:bugtraq,35742; reference:bugtraq,94819; reference:cve,2009-2765; reference:cve,2016-6277; classtype:attempted-admin; sid:26275; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Linksys E1500/E2500 apply.cgi submit_button page redirection attempt"; flow:to_server,established; http_uri; content:"/apply.cgi",fast_pattern,nocase; http_client_body; content:"submit_button"; content:"%0",distance 0; pcre:"/(^|&)submit_button=[^&]+%0[^&]/im"; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:attempted-admin; sid:26276; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Linksys E1500/E2500 apply.cgi submit_button page redirection attempt"; flow:to_server,established; http_uri; content:"/apply.cgi",fast_pattern,nocase; http_raw_uri; content:"submit_button"; content:"%0",distance 0; pkt_data; pcre:"/[?&]submit_button=[^&]+%0[^&]/i"; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:attempted-admin; sid:26277; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Linksys E1500/E2500 apply.cgi unauthenticated password reset attempt"; flow:to_server,established; http_uri; content:"/apply.cgi",fast_pattern,nocase; http_header; content:!"Authorization:",nocase; http_client_body; content:"action=Apply",nocase; content:"PasswdModify=1",nocase; content:"http_passwd=",nocase; content:"http_passwdConfirm=",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,57760; reference:url,www.s3cur1ty.de/m1adv2013-004; classtype:attempted-admin; sid:26278; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Linksys E1500/E2500 apply.cgi unauthenticated password reset attempt"; flow:to_server,established; http_uri; content:"/apply.cgi",fast_pattern,nocase; http_header; content:!"Authorization:",nocase; http_uri; content:"action=Apply",nocase; content:"PasswdModify=1",nocase; content:"http_passwd=",nocase; content:"http_passwdConfirm=",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,57760; reference:url,www.s3cur1ty.de/m1adv2013-004; classtype:attempted-admin; sid:26279; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"APP-DETECT Absolute Software Computrace outbound connection - search.dnssearch.org"; flow:to_server,established; http_header; content:"Host|3A| search.dnssearch.org|0D 0A|",fast_pattern,nocase; content:"TagId: "; metadata:ruleset community; service:http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; gid:1; sid:26286; rev:7; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com"; flow:to_server,established; http_header; content:"Host|3A| search.namequery.com|0D 0A|",fast_pattern,nocase; content:"TagId: "; metadata:ruleset community; service:http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; gid:1; sid:26287; rev:7; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Brontok Worm variant outbound connection"; flow:to_server,established; http_header; content:"User-Agent|3A| Brontok.A8 Browser|0D 0A|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.securelist.com/en/descriptions/10286064/Email-Worm.Win32.Brontok.rf?print_mode=1; classtype:trojan-activity; sid:26288; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"MALWARE-CNC Daws Trojan Outbound Plaintext over SSL Port"; flow:to_server,established; content:"POST",depth 4; pcre:"/^POST\x20\x2f[a-z]+\.[a-z]{3}\x20HTTP\x2f1\.1\r\n/"; content:"|0D 0A|Content|2D|Disposition|3A 20|form|2D|data|3B 20|name|3D 22|"; pcre:"/[^\x0d\x0a\x09\x20-\x7e]{4}/R"; pcre:"/\d+\x2d{2}\r\n$/R"; metadata:impact_flag red,ruleset community; service:ssl; reference:url,www.virustotal.com/file/f810c56734a686fdf46eb3ff895db6f3dd0cebb45c1e74bcc1c43f8050242d53/analysis/1359999907/; classtype:trojan-activity; sid:26289; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC file path used as User-Agent - potential Trojan"; flow:to_server,established; http_header; content:"User-Agent|3A 20|C:|5C|",fast_pattern,nocase; http_uri; pcre:"/\.exe$/i"; http_header; pcre:"/^User\x2dAgent\x3a\x20c\x3a\x5c[^\r\n]*?\.exe\r\n/im"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/5dd932e083cf9d910bc43bb998983f5ec35691c1b84708a355f7c46b358fa375/analysis/; classtype:trojan-activity; sid:26319; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Scar variant outbound connection"; flow:to_server,established; http_uri; content:".php?mac=",fast_pattern,nocase; http_header; content:"|0D 0A|Accept-Language|3A 20|ko|0D 0A|"; http_uri; pcre:"/\.php\?mac\x3d([a-f0-9]{2}\x3a){5}[a-f0-9]{2}$/"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/171a0b12197c1b1b525e2db1a62adb6f6c3f42ccb5704c8174944ee8b901abec/analysis/; classtype:trojan-activity; sid:26325; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC OSX.Trojan.Flashfake variant outbound connection"; flow:to_server,established; http_header; content:"|3B 20|sv|3A|"; content:"|3B 20|id|3A|",within 5,distance 1; pcre:"/^User\x2dAgent\x3a\s[^\r\n]*?\x3b\x20id\x3a[A-F0-9]{8}\x2d([A-F0-9]{4}\x2d){3}[A-F0-9]{12}\)[^\r\n]*?\r\n/m"; metadata:ruleset community; service:http; classtype:trojan-activity; sid:26327; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC FBI Ransom Trojan variant outbound connection"; flow:to_server,established; http_uri; content:"/nosignal.jpg?",fast_pattern,nocase; pcre:"/^\x2fnosignal\.jpg\?\d\.\d+$/"; metadata:impact_flag red,ruleset community; service:http; classtype:trojan-activity; sid:26335; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"INDICATOR-COMPROMISE IP address check to dyndns.org detected"; flow:to_server,established; http_header; content:"Host|3A 20|checkip.dyndns.org",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:misc-activity; sid:26353; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection - ksa.txt"; flow:to_server,established; http_raw_uri; bufferlen:8; http_uri; content:"/ksa.txt",fast_pattern,nocase; http_header; content:"User-Agent|3A 20|Mozilla/3.0 (compatible|3B| Indy Library)"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/d8870137f7f761055a2ac83b03eb3f8fe26015fa0ba99f41551ca59374c6a3ec/analysis/1365436849/; classtype:trojan-activity; sid:26370; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection - op POST"; flow:to_server,established; http_client_body; content:"op=",depth 3; content:"&nmpc=",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/d8870137f7f761055a2ac83b03eb3f8fe26015fa0ba99f41551ca59374c6a3ec/analysis/1365436849/; classtype:trojan-activity; sid:26371; rev:2; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-OTHER UTF-8 BOM in zip file attachment detected"; flow:to_server,established; file_data; content:"|EF BB BF 50 4B 03 04|",depth 7; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:smtp; classtype:trojan-activity; sid:26380; rev:4; )
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"MALWARE-OTHER UTF-8 BOM in zip file attachment detected"; flow:to_client,established; file_data; content:"|EF BB BF 50 4B 03 04|",depth 7; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ftp-data,imap,pop3; classtype:trojan-activity; sid:26381; rev:5; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER UTF-8 BOM in zip file attachment detected"; flow:to_client,established; file_data; content:"|EF BB BF 50 4B 03 04|",depth 7; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:26382; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"APP-DETECT Ufasoft bitcoin miner possible data upload"; flow:to_server,established; http_header; content:"User-Agent|3A| Ufasoft",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,ufasoft.com/open/bitcoin/; classtype:policy-violation; gid:1; sid:26395; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Gamarue variant outbound connection"; flow:to_server,established; http_method; content:"POST"; pkt_data; content:"panel1/gate.php"; content:" HTTP/1.1|0D 0A|Cache-Control: no-cache|0D 0A|Connection|3A|",fast_pattern,nocase; http_client_body; content:"+",depth 15; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/b34f23afc2f6ca093b2923f0aa12d942a5960cf48475272df5b60edf556e4299/analysis/; classtype:trojan-activity; sid:26398; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"INDICATOR-COMPROMISE IP address check to j.maxmind.com detected"; flow:to_server,established; http_uri; content:"/app/geoip.js"; http_header; content:"Host|3A 20|j.maxmind.com",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:misc-activity; sid:26410; rev:5; )
alert tcp any any -> $HOME_NET 445 ( msg:"MALWARE-OTHER Win.Worm.Dorkbot folder snkb0ptz creation attempt SMB"; flow:to_server,established; content:"|73 00 6E 00 6B 00 62 00 30 00 70 00 74 00 7A 00|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:netbios-ssn; classtype:trojan-activity; sid:26411; rev:3; )
alert tcp any any -> $HOME_NET 445 ( msg:"MALWARE-OTHER Win.Worm.Dorkbot executable snkb0ptz.exe creation attempt SMB"; flow:to_server,established; content:"|73 00 6E 00 6B 00 62 00 30 00 70 00 74 00 7A 00|",fast_pattern,nocase; content:".exe"; metadata:policy max-detect-ips drop,ruleset community; service:netbios-ssn; classtype:trojan-activity; sid:26412; rev:3; )
alert tcp any any -> $HOME_NET 445 ( msg:"MALWARE-OTHER Win.Worm.Dorkbot Desktop.ini snkb0ptz.exe creation attempt SMB"; flow:to_server,established; content:"|73 00 6E 00 6B 00 62 00 30 00 70 00 74 00 7A 00|"; content:"|5C|",within 1; content:"|00 44 00 65 00 73 00 6B 00 74 00 6F 00 70 00 2E 00 69 00 6E 00 69 00|",distance 0; metadata:policy max-detect-ips drop,ruleset community; service:netbios-ssn; classtype:trojan-activity; sid:26413; rev:3; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Magic variant inbound connection"; flow:to_client,established; file_data; content:"some_magic_code1",depth 36; metadata:ruleset community; service:http; reference:url,www.seculert.com/blog/2013/04/magic-persistent-threat.html; classtype:trojan-activity; sid:26467; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"SERVER-ORACLE Oracle WebCenter FatWire Satellite Server header injection on blobheadername2 attempt"; flow:to_server,established; content:"blobheadername2=Location",fast_pattern,nocase; content:"blobheadervalue2=",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2013-1509; reference:url,www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html; classtype:web-application-attack; sid:26468; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"SERVER-ORACLE Oracle WebCenter FatWire Satellite Server header injection on blobheadername2 attempt"; flow:to_server,established; content:"blobheadername2=Refresh",fast_pattern,nocase; content:"blobheadervalue2=",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2013-1509; reference:url,www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html; classtype:web-application-attack; sid:26469; rev:5; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|",fast_pattern,nocase; http_header; content:"-2013.zip|0D 0A|"; content:"-",within 1,distance -14; file_data; content:"-2013.exe"; content:"-",within 1,distance -14; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zbot fake PNG config file download without User-Agent"; flow:to_server,established; http_header; content:"Accept: application/xml,application/xhtml+xml,text/html|3B|q=0.9,text/plain|3B|q=0.8,image/png,*/*|3B|q=0.5|0D 0A|",fast_pattern,nocase; http_uri; pcre:"/\.png$/i"; http_header; content:!"User-Agent:",nocase; metadata:impact_flag red,ruleset community; service:http; classtype:trojan-activity; sid:26480; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Unknown Thinner Encrypted POST botnet C&C"; flow:to_server,established; http_uri; content:"/thinner/thumb?img=",fast_pattern,nocase; http_client_body; pcre:"/[^\x20-\x7e\x0d\x0a]{4}/"; metadata:impact_flag red,ruleset community; service:http; reference:url,support.clean-mx.de/clean-mx/viruses.php?sort=firstseen%20desc&review=95.57.120.111; classtype:trojan-activity; sid:26482; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP JavaScript tag in User-Agent field possible XSS attempt"; flow:to_server,established; http_header; content:"User-Agent|3A| <SCRIPT>",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,blog.spiderlabs.com/2012/11/honeypot-alert-referer-field-xss-attacks.html; classtype:web-application-attack; sid:26483; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"MALWARE-CNC User-Agent known malicious user agent NOKIAN95/WEB"; flow:to_server,established; content:"User-Agent|3A| NOKIAN95|2F|WEB",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication/; classtype:trojan-activity; sid:26522; rev:4; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Portable Executable downloaded with bad DOS stub"; flow:to_client,established; file_data; content:"MZ",depth 2; content:"|2F 2A 14 20|",distance 0; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:cve,2013-2423; reference:url,www.invincea.com/2013/04/k-i-a-java-cve-2013-2423-via-new-and-improved-cool-ek/; classtype:trojan-activity; sid:26526; rev:6; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-COMPROMISE Unix.Backdoor.Cdorked redirect attempt"; flow:to_client,established; http_header; content:"0aW1lP",fast_pattern; content:"/index.php?",distance -50; base64_decode:bytes 150,offset 10,relative; base64_data; content:"time="; content:"&src=",distance 0; content:"&surl=",distance 0; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; service:http; reference:url,blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html; reference:url,virustotal.com/en/file/7b3cd8c1bd0249df458084f28d91648ad14e1baf455fdd53b174481d540070c6/analysis/; classtype:trojan-activity; sid:26528; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Unknown malware - Incorrect headers - Referer HTTP/1.0"; flow:to_server,established; http_header; content:"Referer: HTTP/1.0|0D 0A|",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:trojan-activity; sid:26533; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Stamp exploit kit portable executable download"; flow:to_server,established; http_uri; content:"/elections.php?",fast_pattern,nocase; http_header; content:" Java/1."; http_uri; pcre:"/\/elections\.php\?([a-z0-9]+\x3d\d{1,3}\&){9}[a-z0-9]+\x3d\d{1,3}$/"; flowbits:set,file.exploit_kit.pe; metadata:ruleset community; service:http; reference:cve,2013-0431; classtype:trojan-activity; sid:26534; rev:7; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"PUA-ADWARE Win.Adware.BProtector browser hijacker dll list download attempt"; flow:to_server,established; http_method; content:"GET"; http_uri; content:"/builds/",nocase; content:"fflists.txt",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:misc-activity; sid:26553; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-CNC User-Agent known Malicious user agent Brutus AET"; flow:to_server,established; http_header; content:"Mozilla|2F|3.0 |28|Compatible|29 3B|Brutus|2F|AET",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,sectools.org/tool/brutus; classtype:misc-activity; sid:26558; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection - getcomando POST data"; flow:to_server,established; http_client_body; content:"tipo=getcomando&",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/a8f162a9c7347e485db374664227884b16112e2983923d0888c8b80661f25e44/analysis/1367267173/; classtype:trojan-activity; sid:26560; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; http_client_body; content:"&sk1=",fast_pattern,nocase; content:"bn1=",depth 4; metadata:impact_flag red,ruleset community; service:http; classtype:trojan-activity; sid:26561; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Nuclear exploit kit Spoofed Host Header .com- requests"; flow:to_server,established; http_header; content:".com-"; pcre:"/\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\x2d[a-z0-9\x2d\x2e]+(\x3a\d{1,5})?\r\n/i"; content:"|0D 0A|Accept|3A 20|text/html, image/gif, image/jpeg, *|3B| q=.2, */*|3B| q=.2|0D 0A|",fast_pattern,nocase; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:26562; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Harakit botnet traffic"; flow:to_server,established; http_raw_uri; bufferlen:10; http_header; content:"sousi.extasix.com|0D 0A|",fast_pattern,nocase; http_uri; content:"/genst.htm"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.symantec.com/security_response/attacksignatures/detail.jsp?asid=23239; reference:url,www.virustotal.com/en/file/3df72fe102fddc74de2da518ea16948bd2c8c0e910c28c4358367e10723ba21f/analysis/; classtype:trojan-activity; sid:26563; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Potential hostile executable served from compromised or malicious WordPress site attempt"; flow:to_server,established; http_uri; content:"/wp-content",fast_pattern,nocase; pcre:"/(exe|dll|scr|rar|ps1|bat)$/i"; metadata:impact_flag red,ruleset community; service:http; reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-sirefef-malware; classtype:trojan-activity; sid:26576; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC User-Agent known malicious user agent Opera 10"; flow:to_server,established; http_header; content:"Opera/10|20|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-s irefef-malware; reference:url,dev.opera.com/articles/view/opera-ua-string-changes; classtype:trojan-activity; sid:26577; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kazy/FakeAV Checkin with IE6 User-Agent"; flow:to_server,established; http_uri; content:"/images/m.php?id=",fast_pattern,nocase; http_header; content:"|3B 20|MSIE 6.0|3B 20|"; content:!"Referer|3A 20|"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/b288d6eadc9d4bca710f73e850a0901cf5fe62c775350c9a30ebaf9a05097a0f/analysis/1367713929/; classtype:trojan-activity; sid:26578; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kazy/FakeAV Checkin with IE6 User-Agent"; flow:to_server,established; http_uri; content:"/ccbill/m.php?id=",fast_pattern,nocase; http_header; content:"|3B 20|MSIE 6.0|3B 20|"; content:!"Referer|3A 20|"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/b288d6eadc9d4bca710f73e850a0901cf5fe62c775350c9a30ebaf9a05097a0f/analysis/1367713929/; classtype:trojan-activity; sid:26579; rev:2; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-COMPROMISE config.inc.php in iframe"; flow:to_client,established; file_data; content:"<iframe"; content:"config.inc.php",within 100; content:"</iframe>",distance 0; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,blog.sucuri.net/2013/05/auto-generated-iframes-to-blackhole-exploit-kit-following-the-cookie-trail.html; classtype:trojan-activity; sid:26585; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Medfos Trojan variant outbound connection"; flow:to_server,established; http_uri; content:"/feed?req=http",fast_pattern,nocase; http_header; content:"|3B| MSIE "; content:!"|0D 0A|Accept-Language:"; content:!"|0D 0A|Referer:"; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r?\n/ims"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/5bad5a2e4497f866291813aed264b5dc3c9fad4e56796306842c7b50b553ae11/analysis/; classtype:trojan-activity; sid:26613; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR Win.Backdoor.PCRat data upload"; flow:to_server,established; content:"PCRatd",depth 6; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/669DF9DED24D56997D7B1EA6249BB704226DADA09230DC285AE66CA0C9B7247B/analysis/; classtype:misc-activity; sid:26655; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Travnet Botnet data upload"; flow:to_server,established; http_uri; content:"hostid="; content:"|26|hostname="; content:"|26|hostip="; metadata:ruleset community; service:http; reference:url,www.virustotal.com/en/file/F7E9A1A4FC4766ABD799B517AD70CD5FA234C8ACC10D96CA51ECF9CF227B94E8/analysis/; classtype:trojan-activity; sid:26656; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Shiz variant outbound connection"; flow:to_server,established; http_method; content:"GET"; http_uri; content:"/login.php",depth 10; http_header; content:"Referer|3A| http://www.google.com"; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 2.0|3B|",fast_pattern,nocase; pkt_data; content:"HTTP/1.0|0D 0A|"; metadata:impact_flag red,ruleset community; service:http; reference:url,camas.comodo.com/cgi-bin/submit?file=58963fd6a567513990ec6be52dc036bc5b728bb6528fca61227b22681ac838e6; reference:url,www.virustotal.com/en/file/58963fd6a567513990ec6be52dc036bc5b728bb6528fca61227b22681ac838e6/analysis/1368563326/; classtype:trojan-activity; sid:26657; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BROWSER-WEBKIT Possible Google Chrome Plugin install from non-trusted source"; flow:to_server,established; http_header; content:!"googleusercontent"; content:!"google.com"; http_uri; content:"|2F|crx|2F|blobs"; http_header; content:!"gvt1.com"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,blogs.technet.com/b/mmpc/archive/2013/05/10/browser-extension-hijacks-facebook-profiles.aspx; classtype:bad-unknown; sid:26658; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"BROWSER-FIREFOX Possible Mozilla Firefox Plugin install from non-Mozilla source"; flow:to_server,established; http_header; content:!"mozilla"; http_uri; content:".xpi",nocase; pcre:"/\.xpi$/i"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,research.zscaler.com/2012/09/how-to-install-silently-malicious.html; classtype:bad-unknown; sid:26659; rev:4; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Fake delivery information phishing attack"; flow:to_client,established; http_header; content:"|3B| filename="; content:"Delivery_Information_ID-",fast_pattern,nocase; file_data; content:"Delivery_Information_ID-"; content:".exe",within 50; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1192; classtype:trojan-activity; sid:26660; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Namihno variant outbound request"; flow:to_server,established; http_uri; content:"/windows/update/search?hl="; content:"&q=",distance 0; content:"&meta=",distance 0; content:"&id=",distance 0; metadata:ruleset community; service:http; classtype:trojan-activity; sid:26695; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Cbeplay Ransomware variant outbound connection - Abnormal HTTP Headers"; flow:to_server,established; content:"POST /index.php HTTP/1.1|0D 0A|Content-Type: multipart/form-data|3B| boundary=",depth 70; http_header; content:"|0D 0A|Connection: close|0D 0A|Cache-Control: no-cache|0D 0A|Content-Length: "; http_client_body; content:"|3B| name=|22|data|22 3B| filename=|22|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,malware.dontneedcoffee.com/2013/02/cbeplayp-now-target-australia-and-moved.html; classtype:trojan-activity; sid:26696; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Cbeplay Ransomware variant outbound connection - POST Body"; flow:to_server,established; http_uri; content:"index.php"; http_client_body; content:"|3B| name=|22|data|22 3B| filename=|22|",fast_pattern,nocase; content:"--",depth 2; pcre:"/filename=\x22\d+\x22\r\n/"; metadata:impact_flag red,ruleset community; service:http; reference:url,malware.dontneedcoffee.com/2013/02/cbeplayp-now-target-australia-and-moved.html; classtype:trojan-activity; sid:26697; rev:4; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Compromised Website response - leads to Exploit Kit"; flow:to_client,established; file_data; content:"<!--ded509-->"; content:"<!--/ded509-->",distance 0; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.jsunpack.jeek.org/?report=c94ca7cda909cf93ae95db22a27bb5d711c2ae8f; classtype:trojan-activity; sid:26698; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Kazy Trojan check-in"; flow:to_server,established; http_header; content:"User-Agent: Opera/11 |28|Windows NT 5.1|3B 20 3B| x86|29|",fast_pattern,nocase; http_uri; content:"/count.php?page=",depth 16; metadata:impact_flag red,ruleset community; service:http; reference:url,camas.comodo.com/cgi-bin/submit?file=6d823488b26533f5151c3bab93c2a8ba832c9320e612d58d1134740abe3ca157; classtype:trojan-activity; sid:26712; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.BlackRev rev 1 outbound traffic"; flow:to_server,established; http_uri; content:"gate.php|3F|reg="; http_header; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| Synapse)|0D 0A|",fast_pattern,nocase; http_uri; pcre:"/gate\x2ephp\x3freg=[a-z]{10}/"; metadata:ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26713; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.BlackRev rev 2 outbound traffic"; flow:to_server,established; http_uri; content:"gate.php|3F|reg="; pcre:"/gate\x2ephp\x3freg=[a-zA-Z]{15}/"; http_header; content:"User-Agent|3A| Mozilla/4.0 (SEObot)|0D 0A|",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26714; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.BlackRev rev 3 outbound traffic"; flow:to_server,established; http_uri; content:"gate.php|3F|id="; http_header; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| SEObot)|0D 0A|",fast_pattern,nocase; http_uri; pcre:"/gate\x2ephp\x3fid=[a-z]{15}/"; metadata:ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26715; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kbot variant outbound connection"; flow:to_server,established; http_uri; content:"s_alive.php?id=",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,blog.avast.com/2013/05/22/grum-lives/; classtype:trojan-activity; sid:26719; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kbot variant outbound connection"; flow:to_server,established; http_uri; content:"s_task.php?id=",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,blog.avast.com/2013/05/22/grum-lives/; classtype:trojan-activity; sid:26720; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Bancos fake JPG encrypted config file download"; flow:to_server,established; content:".com.br|0D 0A 0D 0A|",fast_pattern,nocase; http_uri; content:"/imagens/",depth 9; content:".jpg",distance 0; pkt_data; pcre:"/\.jpg\x20HTTP\/1\.[01]\r\nUser\x2dAgent\x3a\x20[a-z]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\.br\r\n\r\n$/"; metadata:impact_flag red,ruleset community; service:http; classtype:trojan-activity; sid:26722; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Trojan Downloader7"; flow:to_server,established; content:".lavaibrasilok.com|0D 0A 0D 0A|",fast_pattern,nocase; http_header; content:"|3B| MSIE "; content:!"Accept-Language:"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.drwebhk.com/en/virus_techinfo/Trojan.DownLoader7.25647.html; classtype:trojan-activity; sid:26723; rev:2; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc http command"; flow:to_client,established; file_data; content:"http|7C|",depth 5; pcre:"/^http\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26725; rev:5; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc stop command"; flow:to_client,established; file_data; content:"stop|7C|",depth 5; pcre:"/^stop\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26726; rev:5; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc die command"; flow:to_client,established; file_data; content:"die|7C|",depth 4; pcre:"/^die\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26727; rev:5; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc sleep command"; flow:to_client,established; file_data; content:"sleep|7C|",depth 6; pcre:"/^sleep\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26728; rev:5; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc simple command"; flow:to_client,established; file_data; content:"simple|7C|",depth 7; pcre:"/^simple\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26729; rev:5; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc loginpost command"; flow:to_client,established; file_data; content:"loginpost|7C|",depth 10; pcre:"/^loginpost\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26730; rev:5; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc datapost command"; flow:to_client,established; file_data; content:"datapost|7C|",depth 9; pcre:"/^datapost\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26731; rev:5; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc syn command"; flow:to_client,established; file_data; content:"syn|7C|",depth 4; pcre:"/^syn\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26732; rev:5; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc udp command"; flow:to_client,established; file_data; content:"udp|7C|",depth 4; pcre:"/^udp\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26733; rev:5; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc udpdata command"; flow:to_client,established; file_data; content:"udpdata|7C|",depth 8; pcre:"/^udpdata\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26734; rev:5; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc data command"; flow:to_client,established; file_data; content:"data|7C|",depth 5; pcre:"/^data\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26735; rev:5; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc icmp command"; flow:to_client,established; file_data; content:"icmp|7C|",depth 5; pcre:"/^icmp\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26736; rev:5; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc tcpdata command"; flow:to_client,established; file_data; content:"tcpdata|7C|",depth 8; pcre:"/^tcpdata\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26737; rev:5; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc dataget command"; flow:to_client,established; file_data; content:"dataget|7C|",depth 8; pcre:"/^dataget\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26738; rev:5; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc connect command"; flow:to_client,established; file_data; content:"connect|7C|",depth 8; pcre:"/^connect\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26739; rev:5; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc dns command"; flow:to_client,established; file_data; content:"dns|7C|",depth 4; pcre:"/^dns\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26740; rev:5; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc exec command"; flow:to_client,established; file_data; content:"exec|7C|",depth 5; isdataat:!200; pcre:"/^exec\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26741; rev:6; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc resolve command"; flow:to_client,established; file_data; content:"resolve|7C|",depth 8; pcre:"/^resolve\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26742; rev:5; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc antiddos command"; flow:to_client,established; file_data; content:"antiddos|7C|",depth 9; pcre:"/^antiddos\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26743; rev:5; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc range command"; flow:to_client,established; file_data; content:"range|7C|",depth 6; pcre:"/^range\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26744; rev:5; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc ftp command"; flow:to_client,established; file_data; content:"ftp|7C|",depth 4; pcre:"/^ftp\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26745; rev:5; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc download command"; flow:to_client,established; file_data; content:"download|7C|",depth 9; pcre:"/^download\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26746; rev:5; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc fastddos command"; flow:to_client,established; file_data; content:"fastddos|7C|",depth 9; pcre:"/^fastddos\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26747; rev:5; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc slowhttp command"; flow:to_client,established; file_data; content:"slowhttp|7C|",depth 9; pcre:"/^slowhttp\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26748; rev:5; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc allhttp command"; flow:to_client,established; file_data; content:"allhttp|7C|",depth 8; pcre:"/^allhttp\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26749; rev:5; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRev cnc full command"; flow:to_client,established; file_data; content:"full|7C|",depth 5; pcre:"/^full\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red,ruleset community; service:http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26750; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Worm.Luder variant outbound connection"; flow:to_server,established; http_uri; content:"/loader.cpl",fast_pattern,nocase; pcre:"/\/loader\.cpl$/"; http_header; content:"|3B 20|MSIE|20|"; content:!"|0D 0A|Accept-Language:"; metadata:impact_flag red,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1196; reference:url,www.virustotal.com/en/file/6077fd6cbb44c78a16d66fedb10492c7776127dc76ee071b051970971212bae8/analysis/; classtype:trojan-activity; sid:26774; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Blocker variant outbound connection HTTP Header Structure"; flow:to_server,established; http_raw_uri; bufferlen:11; http_method; content:"GET"; http_uri; content:"/index.html"; pkt_data; content:".info|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|",fast_pattern,nocase; pcre:"/HTTP\/1.[01]\r\nUser\x2dAgent\x3a\x20[ -~]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.info\r\n/"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/c157a06965bf9edc101350c6122d108ccb1d99600cbb6967ef41dfed255f2009/analysis/; classtype:trojan-activity; sid:26775; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Blocker variant outbound connection POST"; flow:to_server,established; http_method; content:"POST"; http_client_body; content:"cmd=gravar&dados=",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/c157a06965bf9edc101350c6122d108ccb1d99600cbb6967ef41dfed255f2009/analysis/; classtype:trojan-activity; sid:26776; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Cridex encrypted POST check-in"; flow:to_server,established; http_uri; content:"/cos3q/in",fast_pattern,nocase; http_client_body; content:".exe",nocase; pcre:"/\x5f\w{24}\.exe/i"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/843ffd922b9bd902d736ddb664b578cde6e3033fa5a14b862b09045c36aa7524/analysis/1369942427/; classtype:trojan-activity; sid:26779; rev:4; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC cridex HTTP Response - default0.js"; flow:to_client,established; file_data; content:"|00|<script type=|22|text/javascript|22| src=|22|/scripts/default0.js|22|></script>|00|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/843ffd922b9bd902d736ddb664b578cde6e3033fa5a14b862b09045c36aa7524/analysis/1369942427/; classtype:trojan-activity; sid:26780; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC XP Fake Antivirus Payment Page Request"; flow:to_server,established; http_raw_uri; bufferlen:23; http_uri; content:"/content/img/awards.jpg",fast_pattern,nocase; http_header; pcre:"/\r\nReferer\x3A\x20http\x3A\x2F\x2f[a-z0-9\x2d\x2e]+\x2F\x3Fdo\x3Dpayment\x26ver\x3D\d+\x26sid\x3D\d+\x26sn\x3D\d+\r\n/"; metadata:ruleset community; service:http; reference:url,camas.comodo.com/cgi-bin/submit?file=cf3eff5320b0c8d41490e412e89b97559bf34fcde8f9934e5fb7c76467a679d8; classtype:trojan-activity; sid:26811; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC XP Fake Antivirus Check-in"; flow:to_server,established; http_raw_uri; bufferlen:11; http_header; content:"|3B| MSIE 6.0|3B| Windows NT 5.1)|0D 0A|Accept: */*|0D 0A|",fast_pattern,nocase; http_uri; pcre:"/^\x2F\d{10}$/"; metadata:ruleset community; service:http; reference:url,camas.comodo.com/cgi-bin/submit?file=cf3eff5320b0c8d41490e412e89b97559bf34fcde8f9934e5fb7c76467a679d8; classtype:trojan-activity; sid:26812; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackholev2 exploit kit Initial Gate from Linked-In Mailing Campaign"; flow:to_server,established; http_uri; bufferlen:17; content:"/linkendorse.html",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:26814; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page in.php base64 uri"; flow:to_server,established; http_raw_uri; bufferlen:<75; http_uri; content:"/in.php"; content:"&q=",distance 0; content:"==",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2010-0188; reference:cve,2012-0422; reference:cve,2012-0431; reference:cve,2012-0607; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-2423; classtype:trojan-activity; sid:26834; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC RDN Banker POST variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_client_body; content:"op=IncluirAvisos&",fast_pattern,nocase; content:"HostBD=",depth 7,offset 17; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/1a23f27b046af92b7dd2c4a8f8349c9fd9582ad91b5a61556470c58b15af3b26/analysis/1369251144/; classtype:trojan-activity; sid:26835; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC RDN Banker Strange Google Traffic"; flow:to_server,established; http_raw_uri; bufferlen:30; http_header; content:"User-Agent: Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest.5)",fast_pattern,nocase; content:"Host: www.google.com"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/1a23f27b046af92b7dd2c4a8f8349c9fd9582ad91b5a61556470c58b15af3b26/analysis/1369251144/; classtype:trojan-activity; sid:26836; rev:2; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC BitBot Idle C2 response"; flow:to_client,established; file_data; content:"<|5C 5C 5C|>IDLE<|5C 5C 5C|>",depth 18; metadata:ruleset community; service:http; classtype:trojan-activity; sid:26837; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackholev2 exploit kit Initial Gate from NatPay Mailing Campaign"; flow:to_server,established; http_uri; content:"/natpay.html?",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:26838; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-BACKDOOR Win.Backdoor.Boda Malware Checkin"; flow:to_server,established; http_client_body; content:"macName=",depth 60; content:"&macOS=",within 100; content:"&macMac=",within 200; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:26842; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC ZeroAccess Encrypted 128-byte POST No Accept Headers"; flow:to_server,established; http_method; content:"POST"; http_header; content:"Content-Length: 128|0D 0A|",fast_pattern,nocase; pkt_data; content:" HTTP/1."; content:"|0D 0A|User-Agent: ",within 14,distance 1; http_header; content:!"|0D 0A|Accept"; http_client_body; pcre:"/[^ -~\x0d\x0a]{4}/"; metadata:ruleset community; service:http; classtype:trojan-activity; sid:26910; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Rombrast Trojan outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/info.php?act=",fast_pattern,nocase; pcre:"/^\/info\.php\?act\x3d(list|online)/"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/deac0b06fb36e38520b002489dae6fff3d346e72d331c3889e9d2764fe2bcf14/analysis/; classtype:trojan-activity; sid:26911; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Rombrast Trojan outbound connection"; flow:to_server,established; http_method; content:"POST"; http_client_body; content:"<|7C|>",fast_pattern,nocase; content:"data=",depth 5; content:"<|7C|>",within 3,distance 31; content:"<|7C|>",distance 0; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/deac0b06fb36e38520b002489dae6fff3d346e72d331c3889e9d2764fe2bcf14/analysis/; classtype:trojan-activity; sid:26912; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; http_uri; content:"/images/"; content:".php?id=",distance 1; pcre:"/\/images\/[a-zA-Z]\.php\?id\=[0-9]{2,3}(\.\d)?$/i"; metadata:ruleset community; service:http; classtype:trojan-activity; sid:26923; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Potential Gozi Trojan HTTP Header Structure"; flow:to_server,established; http_raw_uri; bufferlen:255<=>260; pkt_data; content:"= HTTP/1.",fast_pattern,nocase; http_uri; content:".php?"; http_header; content:!"Accept"; http_raw_uri; pcre:"/^\/[a-z]{2,20}\.php\?[a-z]{2,10}\x3d[a-zA-Z0-9\x2f\x2b]+\x3d$/"; metadata:impact_flag red,ruleset community; service:http; classtype:trojan-activity; sid:26924; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SQL generic convert injection attempt - GET parameter"; flow:to_server,established; http_uri; content:"convert|28|",fast_pattern,nocase; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html; classtype:web-application-attack; sid:26925; rev:2; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit inbound java exploit download"; flow:to_client,established; http_header; content:"filename=atom.jar",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2013-2423; reference:url,www.basemont.com/new_exploit_kit_june_2013; classtype:trojan-activity; sid:26947; rev:5; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit inbound java exploit download"; flow:to_client,established; http_header; content:"filename=site.jar",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2013-1493; reference:url,www.basemont.com/new_exploit_kit_june_2013; classtype:trojan-activity; sid:26948; rev:5; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit landing page"; flow:to_client,established; file_data; content:"<applet width="; content:"0",within 1,distance 1; content:" height=",within 8,distance 1; content:"0",within 1,distance 1; content:" code=",within 6,distance 1; content:"site.avi",within 8,distance 1,nocase; content:" archive=",within 9,distance 1; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.basemont.com/new_exploit_kit_june_2013; classtype:trojan-activity; sid:26949; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit Malvertising Campaign URI request"; flow:to_server,established; http_uri; content:"/.cache/?f=",fast_pattern; content:".jar"; pcre:"/[^&]+&[a-z]=[a-f0-9]{16}&[a-z]=[a-f0-9]{16}$/"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,research.zscaler.com/2013/06/openxadvertisingcom-mass-malvertising.html; classtype:trojan-activity; sid:26951; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Win32 Facebook Secure Cryptor C2"; flow:to_server,established; http_uri; content:"/forum/search.php?email="; content:"&method=",distance 0; http_header; content:!"Referer"; content:!"Accept-"; metadata:ruleset community; service:http; reference:url,blog.avast.com/2013/06/18/your-facebook-connection-is-now-secured; classtype:trojan-activity; sid:26965; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win32/Autorun.JN variant outbound connection"; flow:to_server,established; isdataat:141; isdataat:!142; http_raw_uri; bufferlen:8; http_uri; content:"/u5.htm",fast_pattern,nocase; http_raw_uri; content:"//u5.htm"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN; reference:url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/; classtype:trojan-activity; sid:26966; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Gozi Data Theft POST Data"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"data.php"; http_client_body; content:"|0D 0A|URL: ",fast_pattern,nocase; content:"Content-Disposition: form-data|3B| name="; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/b78c5c53d3b54acbca2b344a779528f0408258b6ac12899c860d99bf563e883a/analysis/; classtype:trojan-activity; sid:26968; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Gozi Trojan Data Theft POST URL"; flow:to_server,established; http_method; content:"POST"; http_uri; content:".php?version="; content:"&user=",distance 0; content:"&server=",distance 0; content:"&name=",distance 0; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/b78c5c53d3b54acbca2b344a779528f0408258b6ac12899c860d99bf563e883a/analysis/; classtype:trojan-activity; sid:26969; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Pirminay variant outbound connection"; flow:to_server,established; content:"Cookie: cache=cc2=",fast_pattern,nocase; http_cookie; content:"cache=cc2="; http_header; pcre:"/Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r\n/"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/97f97c2126ed6ffc447a5f8c72d504679129a38f8a62e4678321f9a8057c3307/analysis/; classtype:trojan-activity; sid:26970; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Injector Info Stealer Trojan variant outbound connection"; flow:to_server,established; http_uri; content:"/xgi-bin/",depth 9; content:".php?",within 5,distance 1; http_header; content:"|3B| MSIE "; content:!"Accept-Language:"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/4BAF26D033E17F0171AB27291649EEAE19EE33BD0246F17BC921E3ADB7F36F42/analysis/; classtype:trojan-activity; sid:26984; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Rawin exploit kit outbound java retrieval"; flow:to_server,established; http_uri; content:"rawin.php?b="; content:"&v=1.",distance 0; pcre:"/\.php\?b=[A-F0-9]+&v=1\./"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:26985; rev:3; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Dapato variant inbound response connection"; flow:to_client,established; http_header; content:"Content-Length: 150|0D 0A|",fast_pattern,nocase; file_data; content:"|0D 0A|",depth 2,offset 4; content:"|0D 0A|",within 2,distance 4; content:"|0D 0A|",within 2,distance 4; pcre:"/^([A-F0-9]{4})\r\n\1\r\n\1\r\n([A-F0-9]{26})\r\n[A-F0-9]{48}\r\n\2\r\n\2$/"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/111ffe389dc8fa802b8aff3b4e02a2f59d1b6492763f9dc5a20a84f4da46932a/analysis/; classtype:trojan-activity; sid:27017; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.OnlineGameHack variant outbound connection"; flow:to_server,established; http_uri; content:"/get.asp?mac="; content:"&os=",within 36; metadata:ruleset community; service:http; reference:url,image.ahnlab.com/global/upload/download/asecreport/ASEC_Report_Vol.39_Eng.pdf; classtype:trojan-activity; sid:27039; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Styx exploit kit plugin detection connection jorg"; flow:to_server,established; http_uri; content:"/jorg.html",fast_pattern,nocase; pcre:"/\/jorg\.html$/"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27040; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Styx exploit kit plugin detection connection jlnp"; flow:to_server,established; http_uri; content:"/jlnp.html",fast_pattern,nocase; pcre:"/\/jlnp\.html$/"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27041; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Styx exploit kit plugin detection connection jovf"; flow:to_server,established; http_uri; content:"/jovf.html",fast_pattern,nocase; pcre:"/\/jovf\.html$/"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27042; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC User-Agent known malicious user-agent string pb - Htbot"; flow:to_server,established; http_header; content:"User-Agent: pb|0D 0A|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,malwr.com/analysis/MTNlMDg4ZTQwZjU2NDUxM2EwZDNlYzllNjZkMjRkNDI/; reference:url,www.virustotal.com/en/file/36802c72d1d5addc87d16688dcb37b680fd48f832fa7b93c15cf4f426aa3f0a7/analysis/; classtype:trojan-activity; sid:27044; rev:3; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Blocker Download"; flow:to_client,established; flowbits:isset,file.exe; http_header; content:"filename="; content:"security_cleaner.exe",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/6d4d93f68aaf783a2526d920fa3c070d061fd56853669a72a10b2c2232008582/analysis/1372086855/; classtype:trojan-activity; sid:27045; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"INDICATOR-COMPROMISE Unknown ?1 redirect"; flow:to_server,established; content:"GET /?1 HTTP/1.1",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:bad-unknown; sid:27047; rev:3; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Unknown Malvertising exploit kit Hostile Jar pipe.class"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"PK"; content:"|00|pipe.class",distance 0; content:"|00|inc.class",distance 0; content:"|00|fdp.class",distance 0,fast_pattern; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:27085; rev:3; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Unknown Malvertising exploit kit stage-1 redirect"; flow:to_client,established; content:"<html><body><script>|0A|var ",fast_pattern; content:"document.createElement(",within 80; content:".setAttribute(|22|archive|22|, ",within 65; content:".setAttribute(|22|codebase|22|, ",within 65; content:".setAttribute(|22|id|22|, ",within 65; content:".setAttribute(|22|code|22|, ",within 65; content:"|22|)|3B 0A|document.body.appendChild(",within 65; content:"</script>|0A|</body>|0A|</html>|0A 0A|"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:27086; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit outbound portable executable request"; flow:to_server,established; http_uri; content:"php?sf="; content:"&Ze=",distance 0; content:"&m=",distance 0; pcre:"/php\?sf=\d+\&Ze=\d+\&m=\d+/"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:http; classtype:trojan-activity; sid:27110; rev:7; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit Zeroaccess download attempt"; flow:to_server,established; http_uri; content:"/?f=a"; content:"&k=",distance 0; pcre:"/\&k=\d+($|\&h=)/"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,www.basemont.com/new_exploit_kit_june_2013; reference:url,www.malwaresigs.com/2013/06/14/dotcachef/; classtype:trojan-activity; sid:27113; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Private exploit kit outbound traffic"; flow:to_server,established; http_uri; content:".php?"; http_header; content:"content-type: application/"; content:" Java/1"; http_uri; pcre:"/\x2ephp\x3f[a-z]+=[a-fA-Z0-9]+&[a-z]+=[0-9]+$/i"; metadata:policy balanced-ips alert,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,www.malwaresigs.com/2013/07/03/another-unknown-ek; classtype:trojan-activity; sid:27144; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Meredrop variant outbound connection GET Request"; flow:to_server,established; http_uri; content:"/?",depth 2; content:"h=NT",fast_pattern,nocase; pcre:"/\.[A-Z\d]{8}\x2d[A-Z\d]{6}\x2d[A-Z\d]{6}\x2d[A-Z\d]{8}/"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/dfb0050cb7fd6c879027cbecda703613b8d9fb2b2a5682478dbcd0518172302c/analysis/1373576492/; classtype:trojan-activity; sid:27199; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Meredrop variant outbound connection POST Request"; flow:to_server,established; content:"POST"; http_header; content:"|3B 20|MSIE 28|3B 20|",fast_pattern,nocase; content:"User-Agent"; pcre:"/User\x2dAgent\x3a\x20[ -~]*?\.[A-Z\d]{8}\x2d[A-Z\d]{6}\x2d[A-Z\d]{6}\x2d[A-Z\d]{8}\x3b[ -~]*?\r\n/"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/dfb0050cb7fd6c879027cbecda703613b8d9fb2b2a5682478dbcd0518172302c/analysis/1373576492/; classtype:trojan-activity; sid:27200; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Neurevt variant outbound connection"; flow:to_server,established; http_client_body; content:"ps0=",depth 4; content:"ps1=",distance 0; content:"cs1=",distance 0; content:"cs2=",distance 0; content:"cs3=",distance 0; pcre:"/ps0=[A-F0-9]*&ps1=[A-F0-9]*&cs1=[A-F0-9]*&cs2=[A-F0-9]*&cs3=[A-F0-9]*/"; metadata:impact_flag red,ruleset community; service:http; classtype:trojan-activity; sid:27201; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"INDICATOR-COMPROMISE Apache auto_prepend_file a.control.bin C2 traffic"; flow:to_server,established; http_header; content:"User-Agent|3A| SEX|2F|1",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,blog.sucuri.net/2013/06/apache-php-injection-to-javascript-files.html; classtype:trojan-activity; sid:27203; rev:4; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Potential Bancos Brazilian Banking Trojan Browser Proxy Autoconfig File"; flow:to_client,established; file_data; content:"return |22|DIRECT|22|",fast_pattern,nocase; content:".com.br",nocase; pcre:"/\x22[a-z\d\x2e\x2d]{1,10}\x22\s{0,3}\+\s{0,3}\x22[a-z\d\x2e\x2d]{1,10}\x22\s{0,3}\+\s{0,3}\x22[a-z\d\x2e\x2d]{1,10}\x22/i"; metadata:impact_flag red,ruleset community; service:http; classtype:trojan-activity; sid:27204; rev:1; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Mac OSX FBI ransomware"; flow:to_client,established; file_data; content:"<iframe src=|22|YOUR|25|20BROWSER|25|20HAS|25|20BEEN|25|20LOCKED",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,blog.malwarebytes.org/intelligence/2013/07/fbi-ransomware-now-targeting-apples-mac-os-x-users/; classtype:trojan-activity; sid:27246; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Gamarue - Mozi1la User-Agent"; flow:to_server,established; http_header; content:"User-Agent|3A| Mozi1la/4.0|0D 0A|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/03103b40b95070e4d14803e949dc754ca02bcea25e8b3a4194f7d248f15ca515/analysis/; classtype:trojan-activity; sid:27248; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.ZeroAccess 111-byte URL variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:111; pkt_data; content:"==",depth 2,offset 103; content:" HTTP/1.0|0D 0A|Host:",within 16,distance 10; http_uri; pcre:"/^\/[a-z\d]{98}\x3d{2}[a-z\d]{10}$/i"; http_header; content:!"Accept:"; metadata:impact_flag red,ruleset community; service:http; classtype:trojan-activity; sid:27252; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Cridex Encrypted POST w/ URL Pattern"; flow:to_server,established; http_raw_uri; bufferlen:<34; http_method; content:"POST"; http_header; content:"U|3B| MSIE "; content:"|0D 0A|Connection|3A| Keep-Alive|0D 0A|Cache-Control|3A| no-cache",fast_pattern,nocase; content:!"Accept-Language:"; http_uri; pcre:"/\x2f[A-Za-z0-9\x2b\x2f\x3d]{1,10}\x2f[A-Za-z0-9\x2b\x2f\x3d]{1,10}\x2f[A-Za-z0-9\x2b\x2f\x3d]{1,10}\x2f([A-Za-z0-9\x2b\x2f\x3d]{1,10})?(\x2f[A-Za-z0-9\x2b\x2f\x3d]{1,10})?/"; http_client_body; pcre:"/[^ -~\x0d\x0a]{4}/"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/cd0cdc216e456b34dc2e4c6db6bacbbba20122489e6751621f921ca53cc7e421/analysis/; classtype:trojan-activity; sid:27253; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Yakes Trojan HTTP Header Structure"; flow:to_server,established; http_method; content:"POST"; pkt_data; content:".php HTTP/1.1|0D 0A|Cache-Control: ",fast_pattern,nocase; content:".php HTTP/1.1",nocase; content:"|0D 0A|Cache-Control: no-cache|0D 0A|Connection: close|0D 0A|Pragma: no-cache|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|",within 113; pcre:"/coded\r\nUser\x2dAgent\x3a\x20[ -~]+\r\nContent\x2dLength\x3a\x20[2-9][02468]\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\r\n\r\n[a-zA-Z0-9\x2f\x2b\x3d]{20,}$/"; http_client_body; pcre:"/[\x2f\x2b\x3d]/"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/980c4ed3dd130c9313a35434e0b102a6b8b038c98735814834334ccc03e4da3c/analysis/; classtype:trojan-activity; sid:27254; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"INDICATOR-COMPROMISE All Numbers .EXE file name from abnormally ordered HTTP headers - Potential Yakes Trojan Download"; flow:to_server,established; http_method; content:"GET"; pkt_data; content:".exe HTTP/1.1|0D 0A|Cache-Control: ",fast_pattern,nocase; content:".exe HTTP/1.1",nocase; content:"|0D 0A|Cache-Control: no-cache|0D 0A|Connection: close|0D 0A|Pragma: no-cache|0D 0A|User-Agent: ",within 76; content:"|3A 20|",distance 0; content:!"|3A 20|",distance 0; http_uri; pcre:"/\x2f\d+\.exe$/i"; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/980c4ed3dd130c9313a35434e0b102a6b8b038c98735814834334ccc03e4da3c/analysis/; classtype:trojan-activity; sid:27255; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kryptik Drive-by Download Malware"; flow:to_server,established; http_method; content:"GET"; http_uri; content:".php?id=",offset 6,fast_pattern; http_header; content:" HTTP/1.",within 11,distance 1; content:"|0D 0A|User-Agent: Mozilla/",within 22,distance 1; pcre:"/\)\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\r\n(Cache\x2dControl|Pragma)\x3a\x20no-cache\r\n\r\n$/"; metadata:impact_flag red,ruleset community; service:http; reference:url,threatpost.com/nsa-whistleblower-article-redirects-to-malware; reference:url,www.virustotal.com/en/file/5d7b09613c03cb3b54b9ab7a886558bba38861a899638f4318c09eaa56401821/analysis/1373466967/; classtype:trojan-activity; sid:27256; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kryptic 7-byte URI Invalid Firefox Headers - no Accept-Language"; flow:to_server,established; http_raw_uri; bufferlen:7; http_method; content:"GET"; http_header; content:"Firefox/3.",fast_pattern,nocase; http_uri; pcre:"/^\/[A-Z]{6}$/"; http_header; content:!"Accept-Language:"; content:!"Referer:"; metadata:ruleset community; service:http; reference:url,www.virustotal.com/en/file/8c1ff08a25b93da66921c75d0d21a9c08c5d3d36b95f9eaf113ecd84fa452944/analysis/1374505566/; classtype:trojan-activity; sid:27257; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Potential Win.Trojan.Kraziomel Download - 000.jpg"; flow:to_server,established; http_raw_uri; bufferlen:8; http_uri; content:"/000.jpg",fast_pattern,nocase; pkt_data; content:"HTTP/1.0|0D 0A|Host: "; content:!"|3A 20|",distance 0; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/33525f8cf5ca951095d4af7376e026821b81557526d4846916805387fb9c5bb2/analysis/; classtype:trojan-activity; sid:27533; rev:4; )
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any ( msg:"MALWARE-OTHER self-signed SSL certificate with default MyCompany Ltd organization name"; flow:to_client,established; ssl_state:server_hello; content:"|55 04 0A|"; content:"|0E|MyCompany Ltd",within 14,distance 1; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; service:ssl; reference:url,attack.mitre.org/techniques/T1078; reference:url,en.wikipedia.org/wiki/Self-signed_certificate; reference:url,security.ncsa.illinois.edu/research/grid-howtos/usefulopenssl.html; classtype:policy-violation; sid:27538; rev:4; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER HideMeBetter spam injection variant"; flow:to_client,established; file_data; content:"<div id=|22|HideMeBetter|22|>",fast_pattern,nocase; content:"if(document|2E|getElementById(|22|HideMeBetter|22|)|20 21 3D 20|null)"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,blog.sucuri.net/2013/07/hidemebetter-spam-injection-variant.html; classtype:trojan-activity; sid:27565; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Rovnix malicious download request"; flow:to_server,established; http_uri; content:"/ld.aspx",nocase; http_header; content:"User-Agent|3A 20|FWVersionTestAgent|0D 0A|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,blog.didierstevens.com/2013/08/04/quickpost-rovnix-pcap; reference:url,blogs.technet.com/b/mmpc/archive/2013/07/25/the-evolution-of-ronvix-private-tcp-ip-stacks.aspx; classtype:trojan-activity; sid:27567; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Redyms variant outbound connection"; flow:to_server,established; http_uri; content:"&intip=",fast_pattern,nocase; content:"?id="; content:"&port=",distance 0; content:"&bid=",distance 0; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/1c61afd792257cbc72dc3221deb3d0093f0fc1abf2c3f2816e041e37769137a4/analysis/1375189147/; classtype:trojan-activity; sid:27596; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Fort Disco Registration variant outbound connection"; flow:to_server,established; http_uri; content:"/cmd.php"; http_header; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| Synapse)",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,www.net-security.org/secworld.php?id=15370; classtype:trojan-activity; sid:27599; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Backdoor.Aumlib variant outbound connection"; flow:to_server,established; http_uri; content:"/tomcat-docs/index.jsp?/"; http_header; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 5.01|3B| Windows NT 5.0|29|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; classtype:trojan-activity; sid:27629; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Backdoor.Aumlib variant outbound connection"; flow:to_server,established; content:"/bbs/search.asp"; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 5.0|3B| Windows NT 5.0|29|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; classtype:trojan-activity; sid:27630; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Backdoor.Aumlib variant outbound connection"; flow:to_server,established; content:"/buy-sell/search.asp?newsid="; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 5.0|3B| Windows NT 5.0|29|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; classtype:trojan-activity; sid:27631; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Worm.Silly variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:7; http_uri; content:"/ul.htm",fast_pattern,nocase; http_header; content:"|3B| MSIE 6.0|3B 20|"; content:!"Accept-Language: "; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/0ddd3488b618b17437413a9d579aa111f0a2ba302262d0a9b0d2832718a93524/analysis/; classtype:trojan-activity; sid:27633; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.SpyBanker.ZSL variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_client_body; content:"valor=",depth 6; content:"]branco[",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/709fa674b301e9123fc2c01e817da21cb29cdfb5a42634a793e27c9533d335b1/analysis/1375811416/; classtype:trojan-activity; sid:27648; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Brazilian Banking Trojan data theft"; flow:to_server,established; http_method; content:"POST"; http_client_body; content:"remetente=",depth 10; content:"&destinatario=",distance 0; content:"&assunto=",distance 0; content:"&mensagem=",distance 0; metadata:impact_flag red,ruleset community; service:http; classtype:trojan-activity; sid:27649; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.ZeroAccess variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:>95; pkt_data; content:".php HTTP/1.1|0D 0A|User-Agent: Opera/",fast_pattern,nocase; http_uri; pcre:"/(?=^[a-z\x2d\x5f\x2f]{95,}\.php$).*?[a-z]{2,48}\x2d[a-z]{2,48}\x2d[a-z]{2,48}\x2d[a-z]{2,48}\x2d?\.php$/"; metadata:impact_flag red,ruleset community; service:http; classtype:trojan-activity; sid:27680; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Ransomware.Urausy outbound connection"; flow:to_server,established; http_uri; bufferlen:>145; content:".html"; pkt_data; content:"|0D 0A|User-Agent|3A| Mozilla/5.0 |28|compatible|3B| MSIE 9.0|3B| Windows NT 6.1|3B| Trident/5.0",fast_pattern,nocase; http_header; content:!"Cookie:"; content:!"X-BlueCoat-Via:"; content:!"Referer"; http_uri; pcre:"/\x2f[a-z-_]{80,}\x2ehtml$/"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/f53a483befed8d1494827a3f2444cfe638d3f7e595d72b722eab92d1aca9ede3/analysis/1376847283/; classtype:trojan-activity; sid:27708; rev:8; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Orbit Downloader denial of service update"; flow:to_server,established; http_uri; content:"/update/ido.ipl",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.welivesecurity.com/2013/08/21/orbital-decay-the-dark-side-of-a-popular-file-downloading-tool; classtype:trojan-activity; sid:27726; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Orbit Downloader denial of service update"; flow:to_server,established; http_uri; content:"/update/myinfo.php",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.welivesecurity.com/2013/08/21/orbital-decay-the-dark-side-of-a-popular-file-downloading-tool; classtype:trojan-activity; sid:27727; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Orbit Downloader denial of service update"; flow:to_server,established; http_uri; content:"/update/param.php?",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.welivesecurity.com/2013/08/21/orbital-decay-the-dark-side-of-a-popular-file-downloading-tool; classtype:trojan-activity; sid:27728; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC RDN Banker Data Exfiltration"; flow:to_server,established; http_method; content:"POST"; http_client_body; content:"|3B| name=|22|arquivo|22 3B| filename=|22|C:|5C|",fast_pattern,nocase; content:"_.log|22 0D 0A|"; metadata:impact_flag red,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1020; classtype:trojan-activity; sid:27774; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection"; flow:to_server,established; http_method; content:"GET"; http_uri; content:".htm"; http_header; content:!"Accept"; content:"|0A|Content-Length: 164|0D 0A|User-Agent: ",fast_pattern,nocase; content:"host|3A|",nocase; content:"|2E|",within 5; content:"|2E|",within 4; content:"|2E|",within 4; http_client_body; content:"|6C 55 55 45|",depth 4,offset 4; metadata:impact_flag red,ruleset community; service:http; classtype:trojan-activity; sid:27775; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.PRISM variant outbound connection"; flow:to_server,established; http_uri; content:"/page/index_htm_files2/",nocase; content:".png",within 4,distance 3; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/417cb84f48d20120b92530c489e9c3ee9a9deab53fddc0dc153f1034d3c52c58/analysis/1377785686/; classtype:trojan-activity; sid:27802; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.PRISM variant outbound connection"; flow:to_server,established; http_uri; content:"/form.php",depth 9; http_client_body; content:"RcpTfdsvoD9KB9O",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/417cb84f48d20120b92530c489e9c3ee9a9deab53fddc0dc153f1034d3c52c58/analysis/1377785686/; classtype:trojan-activity; sid:27803; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.PRISM variant outbound connection"; flow:to_server,established; http_uri; content:"/page/index.php",nocase; http_cookie; content:"foo="; http_client_body; content:"data=RcpTfdssoD9KB9O",depth 20,fast_pattern; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/417cb84f48d20120b92530c489e9c3ee9a9deab53fddc0dc153f1034d3c52c58/analysis/1377785686/; classtype:trojan-activity; sid:27804; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"MALWARE-CNC Win.Trojan.Bisonha variant outbound connection"; flow:to_server,established; content:"GET /3001",fast_pattern; isdataat:260,relative; content:"0000000000000000000000000"; pcre:"/\/3001[0-9A-F]{262,304}/"; metadata:impact_flag red,ruleset community; service:ssl; reference:url,bl0g.cedricpernet.net/post/2013/08/29/APT-More-on-G20Summit-Espionage-Operation; reference:url,www.virustotal.com/en/file/f0d8834fb0e2d3c6e7c1fde7c6bcf9171e5deca119338e4fac21568e0bb70ab7/analysis/; classtype:trojan-activity; sid:27805; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackholev2/Darkleech exploit kit landing page request"; flow:to_server,established; http_raw_uri; bufferlen:>32; http_uri; content:".php",fast_pattern,nocase; http_method; content:"GET"; http_uri; pcre:"/^\/[a-f0-9]{32}\/[a-z]{1,15}-[a-z]{1,15}\.php/"; http_header; content:!"PacketShaper"; content:!"siteadvisor.com"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:27865; rev:7; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2/Darkleech exploit kit landing page"; flow:to_client,established; file_data; content:"<body><b></b><style>div{overflow|3A|hidden|3B|width|3A|1px|3B|height|3A|1px}</style><div>",fast_pattern,nocase; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:27866; rev:2; )
alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS ( msg:"PROTOCOL-VOIP Possible SIP OPTIONS service information gathering attempt"; flow:to_server; sip_method:options; content:"SIP/2.0",fast_pattern,nocase; detection_filter:track by_src,count 100,seconds 25; metadata:policy max-detect-ips drop,ruleset community; service:sip; reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; classtype:attempted-recon; sid:27899; rev:4; )
alert udp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any ( msg:"PROTOCOL-VOIP Excessive number of SIP 4xx responses potential user or password guessing attempt"; flow:to_client; sip_stat_code:4; content:"SIP/2.0",fast_pattern,nocase; detection_filter:track by_src,count 100,seconds 25; metadata:policy max-detect-ips drop,ruleset community; service:sip; reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; classtype:attempted-recon; sid:27900; rev:4; )
alert udp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any ( msg:"PROTOCOL-VOIP Ghost call attack attempt"; flow:to_client; sip_stat_code:180; content:"SIP/2.0",fast_pattern,nocase; detection_filter:track by_src,count 100,seconds 25; metadata:policy max-detect-ips drop,ruleset community; service:sip; reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; classtype:attempted-recon; sid:27901; rev:4; )
alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS ( msg:"PROTOCOL-VOIP Possible SIP OPTIONS service information gathering attempt"; flow:to_server,established,only_stream; sip_method:options; content:"SIP/2.0",fast_pattern,nocase; detection_filter:track by_src,count 100,seconds 25; metadata:policy max-detect-ips drop,ruleset community; service:sip; reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; classtype:attempted-recon; sid:27902; rev:3; )
alert tcp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any ( msg:"PROTOCOL-VOIP Ghost call attack attempt"; flow:to_client,established,only_stream; sip_stat_code:180; content:"SIP/2.0",fast_pattern,nocase; detection_filter:track by_src,count 100,seconds 25; metadata:policy max-detect-ips drop,ruleset community; service:sip; reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; classtype:attempted-recon; sid:27903; rev:3; )
alert tcp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any ( msg:"PROTOCOL-VOIP Excessive number of SIP 4xx responses potential user or password guessing attempt"; flow:to_client,established,only_stream; sip_stat_code:4; content:"SIP/2.0",fast_pattern,nocase; detection_filter:track by_src,count 100,seconds 25; metadata:policy max-detect-ips drop,ruleset community; service:sip; reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; classtype:attempted-recon; sid:27904; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit payload download attempt"; flow:to_server,established; http_raw_uri; bufferlen:50<=>150; http_method; content:"GET"; http_header; content:" Java/1.",fast_pattern,nocase; http_uri; content:".php?"; pcre:"/\/(?:[^\/]+?\/[a-z]{2,24}[_-][a-z]{2,16}([_-][a-z]{2,16})*?|closest\/[a-z0-9]{15,25})\.php\?[\(\)\!\*\w-]+=[\(\)\!\*\w-]+&[\(\)\*\!\w-]+=[\(\)\!\*\w-]+$/"; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:27907; rev:8; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Vittalia adware - get ads"; flow:to_server,established; http_uri; content:"/afr.php?zoneid="; http_header; content:"/ads/ox.html"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/9cdb2b3095cfb94cf8f6204d0f073674dd808b0f742a16216c2f06cf3b5afd50/analysis/1378700802/; classtype:trojan-activity; sid:27913; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Vittalia adware - post install"; flow:to_server,established; http_uri; content:"/report.php?key="; http_header; content:"User-Agent|3A| NSIS_ToolkitOffers (Mozilla)",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/9cdb2b3095cfb94cf8f6204d0f073674dd808b0f742a16216c2f06cf3b5afd50/analysis/1378700802/; classtype:trojan-activity; sid:27914; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Vittalia adware outbound connection - pre install"; flow:to_server,established; http_uri; content:"/instapi.php?idMk="; content:"&state=",distance 0; content:"&idTime=",distance 0; content:"&idA2=",distance 0; content:"&xVal=",distance 0; http_header; content:"User-Agent|3A| NSIS_ToolkitOffers (Mozilla)",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/9cdb2b3095cfb94cf8f6204d0f073674dd808b0f742a16216c2f06cf3b5afd50/analysis/1378700802/; classtype:trojan-activity; sid:27915; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-TOOLBARS Vittalia adware outbound connection - Eazel toolbar install"; flow:to_server,established; http_uri; content:"/utilsbar/EazelBar.exe"; http_header; content:"User-Agent|3A| NSIS_ToolkitOffers (Mozilla)",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/9cdb2b3095cfb94cf8f6204d0f073674dd808b0f742a16216c2f06cf3b5afd50/analysis/1378700802/; classtype:trojan-activity; sid:27916; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-TOOLBARS Vittalia adware outbound connection - offers"; flow:to_server,established; http_uri; content:"/listener.php"; http_header; content:"User-Agent|3A| NSIS_ToolkitOffers (Mozilla)",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/9cdb2b3095cfb94cf8f6204d0f073674dd808b0f742a16216c2f06cf3b5afd50/analysis/1378700802/; classtype:trojan-activity; sid:27917; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; content:".exe HTTP/1.0|0D 0A|Host:",fast_pattern,nocase; http_header; content:"Accept-Encoding: identity, *|3B|q=0|0D 0A|"; content:"|3B| MSIE "; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/8825abfca1a6d843ce5670858886cb63bb1317ddbb92f91ffd46cfdcaba9ac00/analysis/; classtype:trojan-activity; sid:27918; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zeus encrypted POST Data exfiltration"; flow:to_server,established; http_header; content:"Accept-Encoding|3A| identity, *|3B|q=0|0D 0A|",fast_pattern,nocase; content:"|3B| MSIE "; http_client_body; pcre:"/[^ -~\r\n]{4}/"; metadata:impact_flag red,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1020; reference:url,www.virustotal.com/en/file/8825abfca1a6d843ce5670858886cb63bb1317ddbb92f91ffd46cfdcaba9ac00/analysis/; classtype:trojan-activity; sid:27919; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.Gh0st variant outbound connection"; flow:to_server,established; content:"Gh0st",depth 5; content:"|00 00 00|",within 3,distance 1; content:"|00 00 78 9C|",within 4,distance 2; metadata:impact_flag red,ruleset community; reference:url,virustotal.com/en/file/a4fd37b8b9eabd0bfda7293acbb1b6c9f97f8cc3042f3f78ad2b11816e1f9a59/analysis/1425053730/; classtype:trojan-activity; sid:27964; rev:6; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Eupuds variant connection"; flow:to_client,established; file_data; content:"insert into avs (id, pc,data,ref,country , id_user, mostrar)values(",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/09f4611c05dcff55d4471b90d41b0fd3e6d3289f71321301751008dab75ded4d/analysis/; classtype:trojan-activity; sid:27965; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Backdoor.Chopper web shell connection"; flow:to_server,established; http_header; content:"X-Forwarded-For",nocase; http_client_body; content:"=Response",nocase; content:"FromBase64String",nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1100; reference:url,informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html; reference:url,www.virustotal.com/en/file/BE24561427D754C0C150272CAB5017D5A2DA64D41BEC74416B8AE363FB07FD77/analysis/; classtype:trojan-activity; sid:27966; rev:7; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Backdoor.Chopper web shell connection"; flow:to_server,established; http_header; content:"X-Forwarded-For",nocase; http_client_body; content:"caidao=",fast_pattern,nocase; pcre:"/caidao\s?=\s?(Response|Write|Execute)/im"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1100; reference:url,informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html; reference:url,www.virustotal.com/en/file/BE24561427D754C0C150272CAB5017D5A2DA64D41BEC74416B8AE363FB07FD77/analysis/; classtype:trojan-activity; sid:27967; rev:6; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Backdoor.Chopper web shell connection"; flow:to_server,established; http_header; content:"X-Forwarded-For",nocase; http_client_body; content:"=Execute",nocase; content:"On+Error+Resume+Next:",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1100; reference:url,informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html; reference:url,www.virustotal.com/en/file/BE24561427D754C0C150272CAB5017D5A2DA64D41BEC74416B8AE363FB07FD77/analysis/; classtype:trojan-activity; sid:27968; rev:7; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kuluoz outbound command"; flow:to_server,established,only_stream; http_uri; content:"/index.php?"; content:"-dsafe_mode",distance 0; content:"-ddisable_functions",distance 0; content:"-dallow_url_fopen",distance 0; content:"-dallow_url_include",distance 0; content:"-dauto_prepend_file",distance 0; pkt_data; content:"echo.txt"; detection_filter:track by_src,count 20,seconds 60; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/2d134b69c41fadc5d3a28c90e452323f1c54dd1aa20ac5f5e897feac8d86755a/analysis/; classtype:trojan-activity; sid:28005; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Win.Trojan.Kuluoz outbound download request"; flow:to_server,established; http_uri; content:"?message=",fast_pattern,nocase; pcre:"/(info|app)\x2ephp\x3fmessage\x3d/"; metadata:impact_flag red,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,malwaremustdie.blogspot.com/2013/09/302-redirector-new-cushion-attempt-to.html; classtype:trojan-activity; sid:28006; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC BLYPT installer startupkey outbound traffic"; flow:to_server,established; http_uri; content:"/index.aspx?info=startupkey_",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/blypt-a-new-backdoor-family-installed-via-java-exploit; classtype:trojan-activity; sid:28007; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC BLYPT installer reuse outbound traffic"; flow:to_server,established; http_uri; content:"/index.aspx?info=reuse",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/blypt-a-new-backdoor-family-installed-via-java-exploit; classtype:trojan-activity; sid:28008; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC BLYPT installer configkey outbound traffic"; flow:to_server,established; http_uri; content:"/index.aspx?info=configkey",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/blypt-a-new-backdoor-family-installed-via-java-exploit; classtype:trojan-activity; sid:28009; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC BLYPT installer tserror outbound traffic"; flow:to_server,established; http_uri; content:"/index.aspx?info=tserror_",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/blypt-a-new-backdoor-family-installed-via-java-exploit; classtype:trojan-activity; sid:28010; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC BLYPT installer createproc outbound traffic"; flow:to_server,established; http_uri; content:"/index.aspx?info=createproc_",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/blypt-a-new-backdoor-family-installed-via-java-exploit; classtype:trojan-activity; sid:28011; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; http_client_body; content:"from=%20Nome..:",depth 15; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/d8870137f7f761055a2ac83b03eb3f8fe26015fa0ba99f41551ca59374c6a3ec/analysis/1365436849/; classtype:trojan-activity; sid:28012; rev:2; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page"; flow:to_client,established; file_data; content:"</div><i></i><style>div{overflow|3A|hidden|3B|width|3A|1px|3B|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:28026; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit exploit download attempt"; flow:to_server,established; http_raw_uri; bufferlen:50<=>250; http_method; content:"GET"; http_header; content:" Java/1.",fast_pattern,nocase; http_uri; content:".php?"; pcre:"/\/(?:[^\/]+?\/[a-z]{2,24}[_-][a-z]{2,16}([_-][a-z]{2,16})*?|closest\/[a-z0-9]{15,25})\.php\?[\(\)\!\*\w-]+=[\(\)\!\*\w-]+&[\(\)\*\!\w-]+=[\(\)\!\*\w-]+&[\(\)\!\*\w-]+=[\(\)\!\*\w-]+&[\(\)\!\*\w-]+=[\(\)\!\*\w-]+&[\(\)\!\*\w-]+=[\(\)\!\*\w-]+$/"; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:28028; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Ransomware.Urausy variant outbound connection"; flow:to_server,established; http_uri; bufferlen:>95; pkt_data; content:"User-Agent|3A| Opera/10.80 |28|Windows NT 5.1|3B| U|3B| Edition Yx|3B| en|29| Presto/2.9.168 Version/11.52|0D 0A|",fast_pattern,nocase; http_uri; pcre:"/\x2f[a-z-_]{90,}\x2e(html|php)$/"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/e74e0b2f3efbe8edadeaeef501fe268e2ff7c8a8bc8550de7924f77f2a612941/analysis/1378636986/; classtype:trojan-activity; sid:28033; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Caphaw variant outbound connection"; flow:to_server,established; http_uri; content:"/ping.html?r=",fast_pattern,nocase; content:!"/utils/"; metadata:impact_flag red,ruleset community; service:http; reference:url,research.zscaler.com/2013/09/a-new-wave-of-win32caphaw-attacks.html; classtype:trojan-activity; sid:28042; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.CryptoLocker variant connection"; flow:to_server,established; http_uri; content:"/crypt_1_sell",fast_pattern,nocase; pcre:"/\/crypt_1_sell\d\d-\d\d.exe$/i"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/d4b16269c9849c33a7bb2fdc782173a00e99db12a585689618dde3f4c6fcb101/analysis; classtype:trojan-activity; sid:28044; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Napolar variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_client_body; content:"v="; content:"|26|u=",within 3,distance 3; content:"|26|c=",distance 0; content:"|26|s={",distance 0; content:"}|26|w=",within 4,distance 36; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/463d39dcbf19b5c4c9e314e5ce77bf8a51848b8c7d64e4f0a6656b9d28941e2e/analysis/; classtype:trojan-activity; sid:28079; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Napolar data theft"; flow:to_server,established; http_client_body; content:".exe&h=",fast_pattern,nocase; content:"p=",depth 2; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/12781be5908ecc3dbf4a459e4cbc7bedb654b50236f7a961e85f3af5e2275ddf/analysis/; classtype:trojan-activity; sid:28080; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Banload variant outbound connection"; flow:to_server,established; http_uri; content:"/v22/mutabixa/",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.nyxbone.com/malware/banload.html; classtype:trojan-activity; sid:28105; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Banload information upload"; flow:to_server,established; http_uri; content:"/v22/mutabixa/1nf3ct/"; content:"chave=",distance 0; content:"&url=",distance 0; metadata:impact_flag red,ruleset community; service:http; reference:url,www.nyxbone.com/malware/banload.html; classtype:trojan-activity; sid:28106; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Banload download"; flow:to_server,established; http_uri; content:".jpg"; content:"User-Agent|3A| runddll32.exe",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.nyxbone.com/malware/banload.html; classtype:trojan-activity; sid:28107; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /default.htm GET Encrypted Payload"; flow:to_server,established; http_raw_uri; bufferlen:12; http_method; content:"GET"; http_uri; content:"/default.htm",fast_pattern,nocase; http_header; content:!"Referer"; content:!"Accept"; http_client_body; pcre:"/[^\r -~\n]{4}/"; metadata:ruleset community; service:http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28114; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /file.htm GET Encrypted Payload"; flow:to_server,established; http_raw_uri; bufferlen:9; http_method; content:"GET"; http_uri; content:"/file.htm",fast_pattern,nocase; http_header; content:!"Referer"; content:!"Accept"; http_client_body; pcre:"/[^\r -~\n]{4}/"; metadata:ruleset community; service:http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28115; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /home.htm GET Encrypted Payload"; flow:to_server,established; http_raw_uri; bufferlen:9; http_method; content:"GET"; http_uri; content:"/home.htm",fast_pattern,nocase; http_header; content:!"Referer"; content:!"Accept"; http_client_body; pcre:"/[^\r -~\n]{4}/"; metadata:ruleset community; service:http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28116; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /install.htm GET Encrypted Payload"; flow:to_server,established; http_raw_uri; bufferlen:12; http_method; content:"GET"; http_uri; content:"/install.htm",fast_pattern,nocase; http_header; content:!"Referer"; content:!"Accept"; http_client_body; pcre:"/[^\r -~\n]{4}/"; metadata:ruleset community; service:http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28117; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /login.htm GET Encrypted Payload"; flow:to_server,established; http_raw_uri; bufferlen:10; http_method; content:"GET"; http_uri; content:"/login.htm",fast_pattern,nocase; http_header; content:!"Referer"; content:!"Accept"; http_client_body; pcre:"/[^\r -~\n]{4}/"; metadata:ruleset community; service:http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28118; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /search.htm GET Encrypted Payload"; flow:to_server,established; http_raw_uri; bufferlen:11; http_method; content:"GET"; http_uri; content:"/search.htm",fast_pattern,nocase; http_header; content:!"Referer"; content:!"Accept"; http_client_body; pcre:"/[^\r -~\n]{4}/"; metadata:ruleset community; service:http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28119; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /start.htm GET Encrypted Payload"; flow:to_server,established; http_raw_uri; bufferlen:10; http_method; content:"GET"; http_uri; content:"/start.htm",fast_pattern,nocase; http_header; content:!"Referer"; content:!"Accept"; http_client_body; pcre:"/[^\r -~\n]{4}/"; metadata:ruleset community; service:http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28120; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /welcome.htm GET Encrypted Payload"; flow:to_server,established; http_raw_uri; bufferlen:12; http_method; content:"GET"; http_uri; content:"/welcome.htm",fast_pattern,nocase; http_header; content:!"Referer"; content:!"Accept"; http_client_body; pcre:"/[^\r -~\n]{4}/"; metadata:ruleset community; service:http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28121; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /index.htm GET Encrypted Payload"; flow:to_server,established; http_raw_uri; bufferlen:10; http_method; content:"GET"; http_uri; content:"/index.htm",fast_pattern,nocase; http_header; content:!"Referer"; content:!"Accept"; http_client_body; pcre:"/[^\r -~\n]{4}/"; metadata:ruleset community; service:http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28122; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /setup.htm GET Encrypted Payload"; flow:to_server,established; http_raw_uri; bufferlen:10; http_method; content:"GET"; http_uri; content:"/setup.htm",fast_pattern,nocase; http_header; content:!"Referer"; content:!"Accept"; http_client_body; pcre:"/[^\r -~\n]{4}/"; metadata:ruleset community; service:http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28123; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:11; http_uri; content:"/search?q=",fast_pattern,nocase; http_header; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE "; content:": no-cache|0D 0A 0D 0A|"; content:!"Accept"; content:!"Referer"; http_uri; pcre:"/^\/search\?q=[0-9]$/im"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/57212e057db0d45d94d08cd47dec85f0d85a20a7f4d3824559c81a50999cc2a5/analysis/; classtype:trojan-activity; sid:28147; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Mevade variant outbound connection"; flow:to_server,established; http_header; content:"|0D 0A|uuid: ",fast_pattern,nocase; content:!"User-Agent:"; http_client_body; pcre:"/[^\n -~\r]{4}/"; http_header; content:"Content-Type|3A| binary/octet-stream|0D 0A|"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/526fe8eee74dc51a23e458115179dcda4027277b696b6a06889ed52751b39f54/analysis/; classtype:trojan-activity; sid:28148; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Foreign variant outbound connection - /html2/"; flow:to_server,established; http_raw_uri; bufferlen:7; http_method; content:"POST"; http_uri; content:"/html2/",fast_pattern,nocase; http_header; content:!"Accept-Language:"; http_client_body; pcre:"/[^\r -~\n]{4}/"; metadata:ruleset community; service:http; reference:url,www.virustotal.com/en/file/5a9cd53f13825e17107d6b9f81ebe4013f3abf23429d9735c7258d43c101b71f/analysis/; classtype:trojan-activity; sid:28153; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Foreign variant outbound connection - MSIE 7.1"; flow:to_server,established; http_method; content:"POST"; http_header; content:"|3B| MSIE 7.1|3B 20|",fast_pattern,nocase; content:!"Accept-Language:"; http_client_body; pcre:"/[^\r -~\n]{4}/"; metadata:ruleset community; service:http; reference:url,www.virustotal.com/en/file/5a9cd53f13825e17107d6b9f81ebe4013f3abf23429d9735c7258d43c101b71f/analysis/; classtype:trojan-activity; sid:28154; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Foreign variant outbound connection - MSIE 7.2"; flow:to_server,established; http_method; content:"POST"; http_header; content:"|3B| MSIE 7.2|3B 20|",fast_pattern,nocase; content:!"Accept-Language:"; http_client_body; pcre:"/[^\r -~\n]{4}/"; metadata:ruleset community; service:http; reference:url,www.virustotal.com/en/file/5a9cd53f13825e17107d6b9f81ebe4013f3abf23429d9735c7258d43c101b71f/analysis/; classtype:trojan-activity; sid:28155; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Linkury outbound time check"; flow:to_server,established; isdataat:71; isdataat:!72; http_raw_uri; bufferlen:8; pkt_data; content:"/utc/now HTTP/1.1|0D 0A|Host: www.timeapi.org|0D 0A|Connection: Keep-Alive|0D 0A 0D 0A|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/a2c4e162624ddb169542e12e148a3be6bfe79a1fed4adfb28ad1a308a0d1bade/analysis/1380219003/; classtype:trojan-activity; sid:28156; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kuluoz Potential Phishing URL"; flow:to_server,established; http_uri; content:"/info.php?message=",fast_pattern,nocase; http_header; content:!"Referer:"; metadata:impact_flag red,ruleset community; service:http; reference:url,urlquery.net/report.php?id=5117077; reference:url,www.soleranetworks.com/blogs/kuluoz-spam-uses-a-lot-of-stolen-web-servers/; classtype:trojan-activity; sid:28192; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP vBulletin upgrade.php exploit attempt"; flow:to_server,established; http_uri; content:"install/upgrade.php",fast_pattern,nocase; http_client_body; content:"firstrun=false"; content:"&customerid="; content:"username%5d="; content:"password%5d="; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,www.net-security.org/secworld.php?id=15743; classtype:attempted-admin; sid:28215; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit payload download attempt"; flow:to_server,established; http_raw_uri; bufferlen:50<=>150; http_header; content:" Java/1.",fast_pattern,nocase; http_uri; content:".php?"; pcre:"/\/(?:[^\/]+?\/[a-z]{2,24}|closest\/[a-z0-9]{15,25})\.php\?[ab10]+=[ab10]+&[ab10]+=[ab10]+$/"; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:28233; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.KanKan variant connection"; flow:to_server,established; http_uri; content:"/?u=",depth 4; content:"&u2="; content:"&u5=inststart"; http_header; content:"NSIS_Inetc (Mozilla)",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/db31bdf400dd0d28487a0d298bc383a4a2912566130ea512b25639b3f95e94c4/analysis/; classtype:trojan-activity; sid:28242; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kuluoz Potential phishing URL"; flow:to_server,established; http_uri; content:"/get.php?invite=",fast_pattern,nocase; http_header; content:"Accept-Encoding: gzip"; http_uri; pcre:"/^\/get.php\?invite=.*?=$/m"; http_header; content:!"Referer:"; metadata:impact_flag red,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1192; reference:url,urlquery.net/search.php?q=get.php%3Finvite%3D&type=string&start=2013-10-01&end=2013-10-16&max=50; reference:url,www.virustotal.com/en/file/93a40a83977ca24df6e12d7d6f19a9b9d92cb3ea3174ea9d4398ad2048205c42/analysis/; classtype:trojan-activity; sid:28255; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.hdog connectivity check-in version 2"; flow:to_server,established; http_uri; content:"/?gws_rd=cr",fast_pattern,nocase; pkt_data; content:"|0D 0A|Connection: Close|0D 0A 0D 0A|"; http_header; content:"|3B 20|MSIE|20|"; content:!"Accept-Encoding: "; metadata:ruleset community; service:http; reference:url,www.virustotal.com/en/file/ca1bc54e33064eb08163a17a56dcb1d0d811fc694c05af1d9ea768ef992cb489/analysis/1381870348/; reference:url,www.virustotal.com/en/file/d4b16269c9849c33a7bb2fdc782173a00e99db12a585689618dde3f4c6fcb101/analysis/; classtype:trojan-activity; sid:28285; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit exploit download attempt"; flow:to_server,established; http_raw_uri; bufferlen:50<=>150; http_header; content:" Java/1.",fast_pattern,nocase; http_uri; content:".php?"; pcre:"/\/(?:[^\/]+?\/[a-z]{2,24}|closest\/[a-z0-9]{15,25})\.php\?[ab10]+=[ab10]+&[ab10]+=[ab10]+&[ab10]+=[ab10]+&[ab10]+=[ab10]+&[ab10]+=[ab10]+$/"; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:28291; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Agent variant connection"; flow:to_server,established; http_uri; content:"/status/?&cmp=",fast_pattern; content:"&src=",distance 0; content:"&status=start",distance 0; content:!"User-Agent: "; content:!"Accept"; metadata:ruleset community; service:http; reference:url,www.virustotal.com/en/file/e21a7333f5e6fe6de87b0b4ef928202724680d46ee3524983ec6962b4061813c/analysis/1381409595/; classtype:trojan-activity; sid:28300; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Backdoor.Chopper web shell connection"; flow:to_server,established; http_header; content:"X-Forwarded-For",nocase; http_client_body; content:"FromBase64String"; content:"z",within 200,nocase; pcre:"/z\d{1,3}/i"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1100; reference:url,informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html; reference:url,www.virustotal.com/en/file/BE24561427D754C0C150272CAB5017D5A2DA64D41BEC74416B8AE363FB07FD77/analysis/; classtype:trojan-activity; sid:28323; rev:8; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE FakeAV runtime detection"; flow:to_server,established; http_uri; content:"&affid=",fast_pattern,nocase; content:"/api/",nocase; content:"?ts=",nocase; content:"&token=",nocase; content:"&group=",nocase; content:"&nid=",nocase; content:"&lid=",nocase; content:"&ver=",nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:28324; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"INDICATOR-OBFUSCATION large number of calls to chr function - possible sql injection obfuscation"; flow:to_server,established; http_method; content:"GET"; http_uri; content:"CHR(",nocase; content:"CHR(",distance 0,nocase; content:"CHR(",distance 0,nocase; content:"CHR(",distance 0,nocase; content:"CHR(",distance 0,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,attack.mitre.org/techniques/T1190; reference:url,isc.sans.org/diary.html?storyid=3823; classtype:web-application-attack; sid:28344; rev:4; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack"; flow:to_client,established; file_data; content:"ps=|22|split|22 3B|asd=function()",fast_pattern,nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:28345; rev:3; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack"; flow:to_client,established; file_data; content:"aq=|22|0x|22 3B|ff=String|3B|",fast_pattern,nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:28346; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kazy variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:>90; http_uri; content:"/p.ashx?prd=",fast_pattern; content:"&pixGuid=",distance 0; content:"&ver=",distance 0; content:"&rnd=",distance 0; http_header; content:!"Accept"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/a064a1d3d8b9d8ab649686b7fb01e0631e569412388084f5c391722c98660763/analysis/; classtype:trojan-activity; sid:28405; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kazy variant outbound connection"; flow:to_server,established; content:".exe HTTP/1.1|0D 0A|User-Agent: Mozilla/",fast_pattern,nocase; http_header; content:"|3B| MSIE "; content:!"Accept"; content:"|29 0D 0A|Host: ",distance 0; pkt_data; pcre:"/^GET\x20\x2f[a-z]{1,12}\.exe\x20HTTP\x2f1\.1\r\nUser\x2dAgent\x3a\x20Mozilla\x2f[\x20-\x7e]{10,100}\)\r\nHost\x3a\x20[a-z0-9\x2e\x2d]{6,32}\r\nConnection\x3a\x20Keep\x2dAlive\r\n\r\n$/"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/a064a1d3d8b9d8ab649686b7fb01e0631e569412388084f5c391722c98660763/analysis/; classtype:trojan-activity; sid:28406; rev:2; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION Javascript obfuscation - createElement - seen in IFRAMEr Tool attack"; flow:to_client,established; file_data; content:"|22|c|22|+|22|r|22 3A|2+|22|e|22|+|22|a|22|+|22|t|22|+|22|e|22|+|22|E|22|+|22|l|22|+|22|e|22|+|22|m|22|+((f)?|22|e|22|+|22|n|22|+|22|t|22 3A 22 22|",fast_pattern,nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:28420; rev:3; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION Javascript obfuscation - fromCharCode - seen in IFRAMEr Tool attack"; flow:to_client,established; file_data; content:"|22|fr|22|+|22|omCh|22|+|22|arCo|22|+|22|de|22|",fast_pattern,nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:28421; rev:3; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Glazunov exploit kit landing page"; flow:to_client,established; file_data; content:"= |22|applet|22 3B 20|"; content:"= |22|object|22 3B 20|",within 50; content:"=|27|param|27 3B 20|",within 50; content:".zip|27 3B| </script>",distance 0; pcre:"/\/\d+\/\d\.zip\x27\x3b/"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2013-2471; reference:url,nakedsecurity.sophos.com/2013/07/02/the-four-seasons-of-glazunov-digging-further-into-sibhost-and-flimkit/; classtype:trojan-activity; sid:28428; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Glazunov exploit kit outbound jnlp download attempt"; flow:to_server,established; http_raw_uri; bufferlen:15; http_uri; content:".jnlp",fast_pattern; http_header; content:" Java/1."; http_uri; pcre:"/\/[a-z0-9]{9}\.jnlp$/"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2013-2471; reference:url,nakedsecurity.sophos.com/2013/07/02/the-four-seasons-of-glazunov-digging-further-into-sibhost-and-flimkit/; classtype:trojan-activity; sid:28429; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Glazunov exploit kit zip file download"; flow:to_server,established; http_uri; content:".zip",fast_pattern; http_header; content:" Java/1."; http_uri; pcre:"/^\/\d+\/\d\.zip$/"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2013-2471; reference:url,nakedsecurity.sophos.com/2013/07/02/the-four-seasons-of-glazunov-digging-further-into-sibhost-and-flimkit/; classtype:trojan-activity; sid:28430; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 1039 ( msg:"MALWARE-CNC Win.Trojan.Symmi variant SQL check-in"; flow:to_server,established; content:"s|00|e|00|l|00|e|00|c|00|t|00| |00|v|00|e|00|r|00|i|00|f|00|i|00|c|00|a|00|n|00|d|00|o|00| |00|f|00|r|00|o|00|m|00| |00|v|00|e|00|r|00|i|00|f|00|i|00|c|00|a|00|n|00|d|00|o|00| |00|w|00|h|00|e|00|r|00|e|00| |00|i|00|d|00|_|00|p|00|c|00|=|00|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; reference:url,www.virustotal.com/en/file/47c71ff0eb61b371e967b93b6909bb05f2aab973e3214ea2d5ed246884dd045e/analysis/; classtype:trojan-activity; sid:28446; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Sakura exploit kit exploit payload retrieve attempt"; flow:to_server,established; http_raw_uri; bufferlen:<25; http_uri; content:".ld",fast_pattern,nocase; http_header; content:" Java/1."; http_uri; pcre:"/^\/\d+\.ld$/"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:28450; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC DeputyDog diskless method outbound connection"; flow:to_server,established; http_header; content:"User-Agent: lynx|0D 0A|",fast_pattern,nocase; http_method; content:"POST"; http_uri; pcre:"/^\x2f[0-9a-f]+$/i"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2013-3918; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-090; classtype:trojan-activity; sid:28493; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,443] ( msg:"MALWARE-CNC Win.Trojan.Asprox/Kuluoz variant connection"; flow:to_server,established; content:"User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B| rv:23.0) Gecko/20100101 Firefox/23.0"; content:"Content-Disposition: form-data|3B| name=|22|key|22 3B| filename=|22|key.bin|22|",fast_pattern,nocase; content:"Content-Disposition: form-data|3B| name=|22|data|22 3B| filename=|22|data.bin|22|"; content:"Content-Type: multipart/form-data|3B| boundary="; pcre:"/POST\s\/[A-F0-9]{42}\s/"; metadata:impact_flag red,ruleset community; service:http; reference:url,stopmalvertising.com/malware-reports/analysis-of-asprox-and-its-new-encryption-scheme.html; reference:url,www.virustotal.com/en/file/929b62b673db55f443a36fa2de184a2be03788bbe714fc586b82a19444727a54/analysis/; classtype:trojan-activity; sid:28538; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.ZeroAccess Download Headers"; flow:to_server,established; http_raw_uri; bufferlen:5<=>14; http_header; content:"|0D 0A|Accept: */*|0D 0A|Accept-Encoding: identity, *|3B|q=0|0D 0A|Connection: close|0D 0A|User-Agent: ",fast_pattern,nocase; pkt_data; content:".exe HTTP/1.0|0D 0A|Host: "; http_uri; pcre:"/^\x2f[a-z\d]{1,8}\.exe$/i"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/#/file/eeaeb1506d805271b5147ce911df9c264d63e4d229de4464ef879a83fb225a40/detection; classtype:trojan-activity; sid:28541; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 ( msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; isdataat:145; isdataat:!146; http_raw_uri; bufferlen:1; pkt_data; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: checkip.dyndns.org|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28542; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 ( msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; isdataat:138; isdataat:!139; http_raw_uri; bufferlen:1; pkt_data; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: www.ask.com|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28543; rev:3; )
alert udp $EXTERNAL_NET 2425 -> $HOME_NET 2425 ( msg:"INDICATOR-SCAN inbound probing for IPTUX messenger port "; flow:to_server; content:"iptux",depth 5,offset 2; content:"lws|3A|lws",within 7,distance 9; metadata:policy max-detect-ips drop,ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,github.com/iptux-src/iptux; classtype:misc-activity; sid:28552; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /main.htm GET Encrypted Payload"; flow:to_server,established; http_raw_uri; bufferlen:9; http_method; content:"GET"; http_uri; content:"/main.htm",fast_pattern,nocase; http_header; content:!"Referer"; content:!"Accept"; http_client_body; pcre:"/[^\r -~\n]{4}/"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28553; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /online.htm GET Encrypted Payload"; flow:to_server,established; http_raw_uri; bufferlen:11; http_method; content:"GET"; http_uri; content:"/online.htm",fast_pattern,nocase; http_header; content:!"Referer"; content:!"Accept"; http_client_body; pcre:"/[^\r -~\n]{4}/"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28554; rev:2; )
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 ( msg:"MALWARE-OTHER SQL Slammer worm propagation attempt inbound"; flow:to_server; content:"|04|",depth 1; content:"Qh.dll",fast_pattern,nocase; content:"sock"; content:"send"; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; classtype:trojan-activity; sid:28555; rev:2; )
alert udp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"PROTOCOL-DNS DNS query amplification attempt"; flow:to_server; content:"|00 01|",depth 2,offset 4; content:"|00 01|",within 2,distance 4; byte_test:1,!&,0xF8,2; content:"|00 00 FF 00 01 00 00 29|"; byte_test:2,>,0x7FFF,0,relative; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:dns; reference:url,www.us-cert.gov/ncas/alerts/TA13-088A; classtype:attempted-dos; sid:28556; rev:3; )
alert udp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"PROTOCOL-DNS Malformed DNS query with HTTP content"; flow:to_server; content:"|54 20|",fast_pattern,nocase; content:"GET |2F| HTTP"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:dns; reference:url,www.ietf.org/rfc/rfc2616.txt; classtype:misc-activity; sid:28557; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Nuclear exploit kit payload request"; flow:to_server,established; http_uri; bufferlen:24<=>26; content:"/f/",fast_pattern,nocase; pcre:"/^\/f\/1\d{9}\/\d{9,10}(\/\d)+$/"; flowbits:set,file.exploit_kit.pe; metadata:ruleset community; service:http; classtype:trojan-activity; sid:28596; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Goon/Infinity exploit kit payload download attempt"; flow:to_server,established; http_raw_uri; bufferlen:<30; http_uri; content:".mp3",fast_pattern,nocase; http_header; content:" Java/1."; http_uri; pcre:"/\/\d+\.mp3$/"; flowbits:set,file.exploit_kit.pe; metadata:policy max-detect-ips alert,ruleset community; service:http; reference:cve,2012-0507; reference:url,blog.talosintel.com/2013/11/im-calling-this-goon-exploit-kit-for-now.html; classtype:trojan-activity; sid:28795; rev:7; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 ( msg:"MALWARE-CNC Win.Trojan.Zeus outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:1; pkt_data; content:"GET / HTTP/1.1|0D 0A|Accept: */*|0D 0A|Accept-Language:",depth 45; content:"|0D 0A|Connection: Close|0D 0A 0D 0A|",fast_pattern; http_header; content:"google.com|0D 0A|"; content:"|3B 20|MSIE|20|"; content:!"Accept-Encoding: "; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/d4b16269c9849c33a7bb2fdc782173a00e99db12a585689618dde3f4c6fcb101/analysis/; classtype:trojan-activity; sid:28800; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Bancos outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:17<=>27; http_header; content:"ip-who-is.com|0D 0A|",fast_pattern,nocase; http_uri; content:"/locate-ip/",depth 11; http_header; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/26c60976776d212aefc9863efde914059dd2847291084c158ce51655fc1e48d0/analysis/1382620137/; classtype:trojan-activity; sid:28802; rev:4; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Injector inbound connection"; flow:to_client,established; file_data; content:"UPDATE|7C|",depth 7; pcre:"/^UPDATE\|[0-9]\.[0-9]\.[0-9]\|[A-F0-9]{48}\|{3}$/"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/253b2cb7f6eacaaaca5053f73445defce5df2cd4a5564ebc0721e0323a6c3557/analysis/1383139183/; classtype:trojan-activity; sid:28803; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Injector outbound connection"; flow:to_server,established; http_client_body; content:"|0D 0A 0D 0A|&nome=",fast_pattern,nocase; content:"conteudo=",depth 9; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/253b2cb7f6eacaaaca5053f73445defce5df2cd4a5564ebc0721e0323a6c3557/analysis/1383139183/; classtype:trojan-activity; sid:28804; rev:4; )
alert udp $HOME_NET any -> $EXTERNAL_NET 2090 ( msg:"MALWARE-CNC Win.Trojan.Palevo outbound connection"; flow:to_server; dsize:21; content:"|00 00|",depth 2,offset 19; metadata:impact_flag red,ruleset community; reference:url,palevotracker.abuse.ch/?ipaddress=209.222.14.3; reference:url,palevotracker.abuse.ch/?ipaddress=31.170.179.179; classtype:trojan-activity; sid:28805; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"INDICATOR-COMPROMISE potential malware download - single digit .exe file download"; flow:to_server,established; http_raw_uri; bufferlen:6; pkt_data; content:".exe",fast_pattern,nocase; http_uri; pcre:"/\/[a-z0-9]\.exe$/i"; metadata:impact_flag red,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,urlquery.net/search.php?q=%5C%2F%5Ba-zA-Z%5D%5C.%5BEe%5D%5BXx%5D%5BEe%5D%24&type=regexp&start=2013-09-07&end=2013-12-06&max=400; classtype:trojan-activity; sid:28806; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Injector variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:9; pkt_data; content:"/load.exe HTTP/1.1|0D 0A|User-Agent: Mozilla/",fast_pattern,nocase; http_header; content:"|3B 20|MSIE|20|"; content:")|0D 0A|Host: ",distance 0; content:!"Accept"; metadata:impact_flag red,ruleset community; service:http; reference:url,urlquery.net/search.php?q=%5C%2Fload%5C.exe%24&type=regexp&start=2013-08-24&end=2013-11-22&max=400; reference:url,www.virustotal.com/en/file/032572ea1f34a060ecac98a8e2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/; classtype:trojan-activity; sid:28807; rev:3; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Dofoil inbound connection"; flow:to_client,established; http_header; content:"|3B 20|filename=exe.exe|0D 0A|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/2325492f457a8b7d3df48a570210f65f3a094fe8925278451713768d938bec86/analysis/; classtype:trojan-activity; sid:28809; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection - MSIE7 No Referer No Cookie"; flow:to_server,established; http_raw_uri; bufferlen:1; http_uri; content:"|2F|"; http_header; pcre:"/\r\nHost\x3A\s+[^\r\n]*?[bcdfghjklmnpqrstvwxyz]{5,}[^\r\n]*?\x2Ebiz\r\n/i"; content:!"|0A|Referer|3A|"; content:!"|0A|Cookie|3A|"; content:"|3B 20|MSIE|20|7.0|3B 20|"; content:"|2E|biz|0D 0A|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,en.wikipedia.org/wiki/Zeus_(Trojan_horse); classtype:trojan-activity; sid:28810; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Gozi/Neverquest variant outbound connection"; flow:to_server,established; http_uri; content:"/post.aspx?forumID=",fast_pattern,nocase; http_client_body; content:"|0D 0A|URL: http",depth 11,offset 17; http_header; content:!"Accept"; http_client_body; pcre:"/^(?!\d{17}|[A-F]{17})[A-F0-9]{17}/"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/b78c5c53d3b54acbca2b344a779528f0408258b6ac12899c860d99bf563e883a/analysis/; classtype:trojan-activity; sid:28814; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Gozi/Neverquest variant outbound connection"; flow:to_server,established; http_uri; content:"forumdisplay.php?fid=",fast_pattern,nocase; http_client_body; content:"id=",depth 3; http_header; content:!"Accept"; http_client_body; pcre:"/^id\x3d[A-F\d]{32}(\x26info\x3d[A-F\d]{24})?$/"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/b78c5c53d3b54acbca2b344a779528f0408258b6ac12899c860d99bf563e883a/analysis/; classtype:trojan-activity; sid:28815; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Backdoor.Iniduoh variant outbound connection"; flow:to_server,established; http_uri; content:"/is-ready",fast_pattern,nocase; http_header; content:"User|2D|Agent|3A 20|"; content:"|3C 7C 3E|",within 3,distance 8; content:"|3C 7C 3E|",within 18; content:"|3C 7C 3E|Microsoft Windows",within 84; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/220b551d9381fb56b48511b622a0bbc15482378396b3e83f708379f460f3347a/analysis/; reference:url,www.virustotal.com/en/file/be442a5f8be3bf720236f71a613a534b8aa82b16b0daf8ff84a59bcb92e19e7d/analysis/; classtype:trojan-activity; sid:28817; rev:4; )
alert tcp any any -> any $HTTP_PORTS ( msg:"MALWARE-CNC User-Agent known malicious user-agent string - Linux.Trojan.Zollard"; flow:to_server,established; http_header; content:"User-Agent|3A| Zollard|0D 0A|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/d757aa51974806e5402fb8a5c930518bf9ba0b2fd62f74e0f4c33d85bce08ada/analysis/; classtype:trojan-activity; sid:28852; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC User-Agent known malicious user-agent z00sAgent - Win.Trojan.Zbot"; flow:to_server,established; http_header; content:"User-Agent|3A| z00sAgent",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/0220b1071c8a0093e673d836ae436cb468b8cd1bd5873dad08351309e13af9e5/analysis/1383673331/; classtype:trojan-activity; sid:28859; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 58455 ( msg:"MALWARE-BACKDOOR Zollard variant outbound connection attempt"; flow:to_server,established; content:".zollard/",fast_pattern,nocase; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; service:telnet; reference:url,www.deependresearch.org/2013/12/hey-zollard-leave-my-internet-of-things.html; classtype:trojan-activity; sid:28913; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 ( msg:"MALWARE-CNC Win.Trojan.Symmi variant network connectivity check"; flow:to_server,established; http_header; content:"Host: bit.ly|0D 0A|Accept: text/html, */*|0D 0A|Accept-Encoding: identity|0D 0A|User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/47c71ff0eb61b371e967b93b6909bb05f2aab973e3214ea2d5ed246884dd045e/analysis/; classtype:trojan-activity; sid:28918; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 ( msg:"MALWARE-CNC Win.Trojan.Symmi variant network connectivity check"; flow:to_server,established; http_header; content:"Host: bitly.com|0D 0A|Accept: text/html, */*|0D 0A|Accept-Encoding: identity|0D 0A|User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/084455c1de5d9440eb95edd2e6868aab1ce3dd674c2e3ba481254edc65b30b89/analysis/; classtype:trojan-activity; sid:28919; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Fakeav variant outbound data connection"; flow:to_server,established; http_raw_uri; bufferlen:>150; http_uri; content:"/?",depth 2; http_header; content:"Firefox/4.0b8pre|0D 0A|",fast_pattern,nocase; http_uri; pcre:"/^\/\?[a-z0-9]{2}\=[a-z1-9]{100}/is"; metadata:impact_flag red,ruleset community; service:http; classtype:trojan-activity; sid:28930; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Rovnix malicious download"; flow:to_server,established; http_uri; content:"/config.php?",fast_pattern,nocase; content:"version="; content:"user="; content:"server="; content:"id="; content:"crc="; content:"id="; metadata:impact_flag red,ruleset community; service:http; reference:url,isc.sans.edu/forums/diary/Suspected+Active+Rovnix+Botnet+Controller/17180; reference:url,www.welivesecurity.com/2012/02/22/rovnix-reloaded-new-step-of-evolution/; classtype:trojan-activity; sid:28940; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"INDICATOR-COMPROMISE exe.exe download"; flow:to_server,established; http_raw_uri; bufferlen:>7; http_uri; content:"/exe.exe",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,urlquery.net/search.php?q=%5C%2F%5BEe%5D%5BXx%5D%5BEe%5D%5C.%5BEe%5D%5BXx%5D%5BEe%5D%24&type=regexp&start=2013-11-21&end=2013-12-06&max=400; classtype:trojan-activity; sid:28945; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Alurewo outbound connection"; flow:to_server,established; http_uri; content:"/cmd?version=",fast_pattern,nocase; content:"&aid="; content:"&id=",distance 0; content:"&os=",within 4,distance 36; metadata:impact_flag red,ruleset community; service:http; reference:url,www.sophos.com/ja-jp/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-AFDE/detailed-analysis.aspx; reference:url,www.virustotal.com/en/file/9171bd76d3fa26a78225cb7c9d5112635fa84e8bdf3388577f22da9178871161/analysis/; classtype:trojan-activity; sid:28960; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT HiMan exploit kit outbound payload retreival - specific string"; flow:to_server,established; http_uri; content:"/tx.exe",fast_pattern,nocase; flowbits:set,file.exploit_kit.pe; metadata:ruleset community; service:http; classtype:trojan-activity; sid:28969; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Agent.DF - Data Exfiltration"; flow:to_server,established; http_client_body; content:"|3B| name=|22|arquivo|22 3B| filename=|22|C:|5C|",fast_pattern,nocase; content:"|0D 0A|TP="; content:"|0D 0A|LGSN=",distance 0; metadata:impact_flag red,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1020; reference:url,www.virustotal.com/en/file/b9587fc86f1459ccf7b096b6bf68b4fcc165946a86f3ed9ce84c61907aa99dae/analysis/1386599712/; classtype:trojan-activity; sid:28976; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Agent.DF - User-Agent Missing Bracket"; flow:to_server,established; http_header; content:"|3B 20|Windows NT 5.0|0D 0A|Host:",fast_pattern,nocase; pkt_data; content:" HTTP/1.1|0D 0A|Connection: Keep-Alive|0D 0A|Accept: */*|0D 0A|User-Agent: Mozilla/"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/b9587fc86f1459ccf7b096b6bf68b4fcc165946a86f3ed9ce84c61907aa99dae/analysis/1386599712/; classtype:trojan-activity; sid:28977; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"MALWARE-CNC Win.Worm.Steckt IRCbot requesting URL through IRC"; flow:to_client,established; content:"JOIN |3A|#"; content:"!dl http://",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:irc; reference:url,www.virustotal.com/en/file/411e93206a7750c8df25730349bf9756ddba52c1bc780eaac4bba2b3872bc037/analysis/; classtype:trojan-activity; sid:28982; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Steckt IRCbot executable download"; flow:to_server,established; http_header; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|29 0D 0A|",fast_pattern,nocase; http_uri; content:"/launch.php"; content:"?f="; content:"&s=",distance 0; content:"&is_direct=",distance 0; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/411e93206a7750c8df25730349bf9756ddba52c1bc780eaac4bba2b3872bc037/analysis/; classtype:trojan-activity; sid:28983; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Worm.Steckt IRCbot executable download"; flow:to_server,established; http_header; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|29 0D 0A|",fast_pattern,nocase; http_uri; content:"/direct.php"; content:"?f="; content:"&s="; pcre:"/\x2Fdirect\.php\x3Ff=[0-9]{8}\x26s=[a-z0-9]{3}\.[a-z]{1,4}/"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/411e93206a7750c8df25730349bf9756ddba52c1bc780eaac4bba2b3872bc037/analysis/; classtype:trojan-activity; sid:28984; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Worm.Steckt IRCbot executable download"; flow:to_server,established; http_uri; content:"/site2/"; http_header; content:!"Referer|3A| "; http_cookie; content:"60gp="; content:"60gpBAK="; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/411e93206a7750c8df25730349bf9756ddba52c1bc780eaac4bba2b3872bc037/analysis/; classtype:trojan-activity; sid:28985; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Worm.Neeris IRCbot variant outbound connection"; flow:to_server,established; content:"JOIN #biz abc|0D 0A|",depth 15; metadata:impact_flag red,ruleset community; service:irc; reference:url,www.virustotal.com/en/file/0a8f320fc7535f164bbd9d0e462fd459c55ff448cf5e84dc2115f2f4aa800e6b/analysis/1387176826/; classtype:trojan-activity; sid:28986; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Worm.Steckt IRCbot variant outbound connection"; flow:to_server,established; content:"JOIN #n jobs|0D 0A|",depth 14; metadata:impact_flag red,ruleset community; service:irc; reference:url,www.virustotal.com/en/file/480eb4aa76a55ad7b0db128138113615ca834f9e6c62f798f54c8ac0759657fe/analysis/1387177714/; reference:url,www.virustotal.com/en/file/5b1d04b7504a3ac1befe4408fd4f9cd877b92661db47a75f197924cb660551d3/analysis/1387178129/; classtype:trojan-activity; sid:28987; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Worm.Steckt IRCbot variant outbound connection"; flow:to_server,established; content:"JOIN #test1|20 7C 0D 0A|JOIN #test2|20 7C 0D 0A|JOIN #test3 (null)|0D 0A|",depth 50; metadata:impact_flag red,ruleset community; service:irc; reference:url,www.virustotal.com/en/file/480eb4aa76a55ad7b0db128138113615ca834f9e6c62f798f54c8ac0759657fe/analysis/1387177714/; reference:url,www.virustotal.com/en/file/5b1d04b7504a3ac1befe4408fd4f9cd877b92661db47a75f197924cb660551d3/analysis/1387178129/; classtype:trojan-activity; sid:28988; rev:3; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Banload variant inbound connection"; flow:to_client,established; http_header; content:"/avcheck.exe|0D 0A 0D 0A|",fast_pattern,nocase; content:"|0D 0A|Location: https://dl.dropboxusercontent.com/"; pcre:"/\r\nLocation\x3a\x20https\x3a\x2f{2}dl\.dropboxusercontent\.com\/[a-zA-Z\d\x2f]{5,32}\/avcheck\.exe\r\n\r\n$/"; metadata:impact_flag red,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1102; reference:url,www.virustotal.com/en/file/30032d2b7fd928392837eeb814cf1e2add0d80b0e17b8dbfec2e2c3be9164cf6/analysis/; classtype:trojan-activity; sid:29031; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; http_uri; bufferlen:13; content:"/webstat/?i=",depth 12,fast_pattern; http_header; content:"User-Agent: Mozilla/7"; content:"|3B 20|MSIE|20|",distance 0; content:!"Accept-Encoding:"; metadata:impact_flag red,ruleset community; service:http; classtype:trojan-activity; sid:29127; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT CritX exploit kit payload download attempt"; flow:to_server,established; http_uri; content:"/loadmsie.php?id=",fast_pattern,nocase; flowbits:set,file.exploit_kit.pe; metadata:ruleset community; service:http; classtype:trojan-activity; sid:29166; rev:6; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT CritX exploit kit payload download attempt"; flow:to_client,established; http_header; content:".exe|0D 0A|",fast_pattern,nocase; content:"filename="; content:".exe|0D 0A|",within 6,distance 24; pcre:"/filename=(?![a-f]{24}|\d{24})[a-f\d]{24}\.exe\r\n/"; flowbits:set,file.exploit_kit.pe; metadata:ruleset community; service:http; classtype:trojan-activity; sid:29167; rev:6; )
alert tcp any any -> any $HTTP_PORTS ( msg:"MALWARE-CNC User-Agent known malicious user-agent string fortis"; flow:to_server,established; http_header; content:"User-Agent: fortis|0D 0A|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/92614908e7842e0dfa72ecfee868b06017b5cc445f201874776583f754b137a3/analysis/; classtype:trojan-activity; sid:29174; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Magnitude exploit kit Microsoft Internet Explorer Payload request"; flow:to_server,established; http_raw_uri; bufferlen:34; http_uri; content:"/?",depth 2,fast_pattern; pcre:"/^\/\?[a-f0-9]{32}$/"; http_header; content:" MSIE "; content:!"Referer|3A|"; flowbits:set,file.exploit_kit.pe; metadata:ruleset community; service:http; classtype:trojan-activity; sid:29189; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Androm variant outbound connection"; flow:to_server,established; http_uri; content:"/se/gate.php"; pkt_data; content:"HTTP/1.1|0D 0A|Cache-Control: no-cache|0D 0A|Connection: close|0D 0A|Pragma: no-cache|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/4.0|0D 0A|Content-Length: ",fast_pattern,nocase; http_client_body; pcre:"/\x3d\x0a$/"; metadata:ruleset community; service:http; reference:url,www.virustotal.com/en/file/0baf3197bdb2c665fea0a84db91d3f65171cf6cf9a732fd394ff9f707ddaf682/analysis/; classtype:trojan-activity; sid:29216; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Strictor variant outbound connection"; flow:to_server,established; http_uri; bufferlen:19; content:"/mod/lookfashon.jpg",fast_pattern,nocase; http_header; content:!"Accept-Language:"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/0fe413704c85751b060546ebfd428d57726d8fd002ca95ec8deb76f5f37ed9c4/analysis/1389125202/; classtype:trojan-activity; sid:29220; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Graftor variant outbound connection"; flow:to_server,established; http_uri; content:"/chamjavanv.inf?aapf/login.jsp?=",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/a46c3fee842f1ded35b6a4e003c0e6ea62ee66d354d4b826b4c3e5aa9310b3ba/analysis/; classtype:trojan-activity; sid:29259; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Graftor variant outbound connection"; flow:to_server,established; http_uri; content:"/novredir_inf.php?apt/login.jsp?=",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/a46c3fee842f1ded35b6a4e003c0e6ea62ee66d354d4b826b4c3e5aa9310b3ba/analysis/; classtype:trojan-activity; sid:29260; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Dropper variant outbound connection"; flow:to_server,established; http_uri; bufferlen:19; content:"/FileToDownload.exe",fast_pattern,nocase; http_header; content:"Host: dl.dropbox.com|0D 0A|"; content:!"Accept"; content:!"User-Agent"; metadata:impact_flag red,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1102; reference:url,file-analyzer.net/analysis/1087/5386/0/html; reference:url,www.virustotal.com/en/file/913cc54750e8bb6b88d5ccbfc988e0107f80ad14ba4d052a3f3db11ccfd8ce4a/analysis/; classtype:trojan-activity; sid:29261; rev:3; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Graftor variant inbound connection"; flow:to_client,established; http_header; content:"|3B 20|filename=CostcoForm.zip|0D 0A|",fast_pattern,nocase; file_data; content:"CostcoForm.exe"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/b20fcfe7d851dfe1f835e60072e53b0a3c54e14d0fc94814ce841be4740f295c/analysis; classtype:trojan-activity; sid:29300; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zusy variant outbound connection"; flow:to_server,established; http_client_body; content:"rotina=UPDATE&tip=stat&nome=",depth 28,fast_pattern; content:"&tmp=",distance 0; content:"&stat=",distance 0; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/6fdd7c0630ea89a58cdc1f3fb74bf5a99732bd5649a39411868bf71e90cfdc84/analysis/1389362066/; classtype:trojan-activity; sid:29349; rev:2; )
alert tcp $EXTERNAL_NET [777,778] -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Dropper inbound encrypted traffic"; flow:to_client,established; isdataat:9; isdataat:!20; content:"|05 29 00 00 00 05 29 00 00 00|",fast_pattern,nocase; metadata:ruleset community; reference:url,www.virustotal.com/en/file/20b49af8b750a1899117827476402ccaf7095fb5b7aad2e96c8109290da453cb/analysis/; reference:url,www.virustotal.com/en/file/559e8dbe388c8c103996b208eb5532e295da717f84b4a7ddf5c9885de8115606/analysis/; classtype:trojan-activity; sid:29378; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET [777,778] ( msg:"MALWARE-CNC Win.Trojan.Dropper outbound encrypted traffic - potential exfiltration"; flow:to_server,established; isdataat:1440; content:"|03 2B 82 86 02 A0 05|",fast_pattern,nocase; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1020; reference:url,www.virustotal.com/en/file/20b49af8b750a1899117827476402ccaf7095fb5b7aad2e96c8109290da453cb/analysis/; reference:url,www.virustotal.com/en/file/559e8dbe388c8c103996b208eb5532e295da717f84b4a7ddf5c9885de8115606/analysis/; classtype:trojan-activity; sid:29379; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET [777,778] ( msg:"MALWARE-CNC Win.Trojan.Dropper outbound encrypted traffic"; flow:to_server,established; isdataat:4; isdataat:!5; content:"|05 29 00 00 00|",fast_pattern,nocase; metadata:ruleset community; reference:url,www.virustotal.com/en/file/20b49af8b750a1899117827476402ccaf7095fb5b7aad2e96c8109290da453cb/analysis/; reference:url,www.virustotal.com/en/file/559e8dbe388c8c103996b208eb5532e295da717f84b4a7ddf5c9885de8115606/analysis/; classtype:trojan-activity; sid:29380; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY Adobe AIR file download request"; flow:to_server,established; http_uri; content:".air",fast_pattern,nocase; pcre:"/\x2eair([\?\x5c\x2f]|$)/ims"; flowbits:set,file.zip; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:http; classtype:misc-activity; sid:29384; rev:14; )
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any ( msg:"FILE-IDENTIFY Adobe AIR file attachment detected"; flow:to_client,established; content:".air",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*\x2eair/i"; flowbits:set,file.zip; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:imap,pop3; classtype:misc-activity; sid:29385; rev:15; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 ( msg:"FILE-IDENTIFY Adobe AIR file attachment detected"; flow:to_server,established; content:".air",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*\x2eair/i"; flowbits:set,file.zip; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:29386; rev:15; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 ( msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:6; pkt_data; content:"/webhp HTTP/1.1|0D 0A|Accept: */*|0D 0A|Connection: Close|0D 0A|User-Agent: Mozilla/4.0 (",fast_pattern,nocase; http_header; content:"|3B| MSIE "; content:"google."; content:!"Accept-"; http_cookie; content:"NID=",depth 4; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/ef4e0ccc49decb41f213a20f61d92374c3b97497105d7c20e7284f65055d2ccb/analysis/; classtype:trojan-activity; sid:29395; rev:1; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"POLICY-SPAM Potential phishing attack - .zip receipt filename download with .exe name within .zip the same "; flow:to_client,established; http_header; content:"Receipt",fast_pattern,nocase; content:".zip"; pcre:"/\sfilename=[a-z0-9]{0,20}receipt[a-z0-9]{0,20}\.zip/i"; file_data; content:"PK",depth 2; content:".exe",within 50; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1192; classtype:trojan-activity; sid:29396; rev:4; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"POLICY-SPAM Potential phishing attack - .zip shipping filename download with .exe name within .zip the same "; flow:to_client,established; http_header; content:"Shipping",fast_pattern,nocase; content:".zip"; pcre:"/\sfilename=[a-z0-9]{0,20}shipping[a-z0-9]{0,20}\.zip/i"; file_data; content:"PK",depth 2; content:".exe",within 50; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1192; classtype:trojan-activity; sid:29397; rev:4; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"POLICY-SPAM Potential phishing attack - .zip voicemail filename download with .exe name within .zip the same "; flow:to_client,established; http_header; content:"voicemail",fast_pattern,nocase; content:".zip"; pcre:"/\sfilename=[a-z0-9]{0,20}voicemail[a-z0-9]{0,20}\.zip/i"; file_data; content:"PK",depth 2; content:".exe",within 50; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1192; classtype:trojan-activity; sid:29398; rev:4; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"POLICY-SPAM Potential phishing attack - .zip statement filename download with .exe name within .zip the same "; flow:to_client,established; http_header; content:"statement",fast_pattern,nocase; content:".zip"; pcre:"/\sfilename=[a-z0-9]{0,20}statement[a-z0-9]{0,20}\.zip/i"; file_data; content:"PK",depth 2; content:".exe",within 50; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1192; classtype:trojan-activity; sid:29399; rev:4; )
alert icmp $HOME_NET any -> $EXTERNAL_NET any ( msg:"PROTOCOL-ICMP Unusual L3retriever Ping detected"; icode:0; itype:8; dsize:>32; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI",depth 32; metadata:policy max-detect-ips drop,ruleset community; reference:url,krebsonsecurity.com/2014/01/a-closer-look-at-the-target-malware-part-ii/; reference:url,krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/; classtype:successful-recon-limited; sid:29454; rev:2; )
alert icmp $HOME_NET any -> $EXTERNAL_NET any ( msg:"PROTOCOL-ICMP Unusual Microsoft Windows Ping detected"; icode:0; itype:8; dsize:>32; content:"0123456789abcdefghijklmnopqrstuv",depth 32; metadata:policy max-detect-ips drop,ruleset community; reference:url,krebsonsecurity.com/2014/01/a-closer-look-at-the-target-malware-part-ii/; reference:url,krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/; classtype:successful-recon-limited; sid:29455; rev:2; )
alert icmp $HOME_NET any -> $EXTERNAL_NET any ( msg:"PROTOCOL-ICMP Unusual PING detected"; icode:0; itype:8; fragbits:!M; content:!"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI",depth 32; content:!"0123456789abcdefghijklmnopqrstuv",depth 32; content:!"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE",depth 36; content:!"WANG2"; content:!"cacti-monitoring-system",depth 65; content:!"SolarWinds",depth 72; metadata:policy max-detect-ips drop,ruleset community; reference:url,krebsonsecurity.com/2014/01/a-closer-look-at-the-target-malware-part-ii/; reference:url,krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/; classtype:successful-recon-limited; sid:29456; rev:3; )
alert icmp $HOME_NET any -> $EXTERNAL_NET any ( msg:"PROTOCOL-ICMP Unusual Microsoft Windows 7 Ping detected"; icode:0; itype:8; dsize:>32; content:"abcdefghijklmnopqrstuvwabcdefghi",depth 32; metadata:policy max-detect-ips drop,ruleset community; reference:url,krebsonsecurity.com/2014/01/a-closer-look-at-the-target-malware-part-ii/; reference:url,krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/; classtype:successful-recon-limited; sid:29457; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"MALWARE-CNC Win.Trojan.Fexel variant outbound connection"; flow:to_server,established; content:"|0A|Agtid|3A 20|"; content:"08x|0D 0A|",within 5,distance 8; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/b33ffbec01b43301edd9db42a59dcd33dd45f638733e2f92f0cb5bfe86714734/analysis/; classtype:trojan-activity; sid:29459; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Linux.Backdoor.Shellbot outbound connection"; flow:to_server,established; content:"JOIN|20|#vnc|0A|",depth 10; content:"PRIVMSG|20|#vnc|20 3A|",within 14; content:"status checking program online",within 30,distance 7,nocase; metadata:impact_flag red,ruleset community; service:irc; reference:url,www.virustotal.com/en/file/8eb6c4a844cbfe98db78aef08a634c460c7c9f7d576b62444114306effb4023d/analysis/1390763713/; classtype:trojan-activity; sid:29569; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.DomaIQ variant outbound connection"; flow:to_server,established; content:"/trace/Start HTTP/1.1|0D 0A|Host: ",fast_pattern,nocase; http_uri; content:"/debug/Version/",depth 15; http_header; content:!"Accept"; content:!"User-Agent:"; metadata:impact_flag red,ruleset community; service:http; reference:url,file-analyzer.net/analysis/1546/6325/0/html#network; reference:url,www.virustotal.com/en/file/59795540fc058979c6be02351507330fce8a8d3c6f10cbcd4ee21ab0144b9a7f/analysis/1390421409/; classtype:trojan-activity; sid:29664; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Graftor variant outbound connection"; flow:to_server,established; http_client_body; content:"&bolausado",fast_pattern,nocase; content:"rotina=",depth 7; content:"&casa=",distance 0; content:"&idcliente",distance 0; content:"&outro=",distance 0; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/9ce3d15cbb5bc8cd42570f44ab4eb8f6332c5d0f28291d295883bf2923c01d4b/analysis/; classtype:trojan-activity; sid:29665; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Linkup outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:20; http_method; content:"POST"; http_uri; content:"/uplink.php?logo.jpg",fast_pattern,nocase; http_header; content:"User-Agent: Mozilla/5.0"; http_client_body; content:"token=",depth 6; metadata:impact_flag red,ruleset community; service:http; reference:url,blog.emsisoft.com/2014/02/03/malware-analysis-ransomware-linkup-blocks-dns-and-mines-bitcoins/; classtype:trojan-activity; sid:29666; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC User-Agent known malicious user-agent string MSIE 4.01 - Win.Trojan.Careto"; flow:to_server,established; http_header; content:"Mozilla/4.0 |28|compatible|3B| MSIE 4.01|3B| Windows NT|29 0D 0A|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity; sid:29760; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Careto outbound connection"; flow:to_server,established; http_uri; content:"Group|3D|"; content:"Install|3D|"; content:"Ver|3D|"; content:"Ask|3D|"; content:"Bn|3D|"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity; sid:29788; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Careto plugin download"; flow:to_server,established; http_uri; content:"/ag/plugin.crx",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1176; reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity; sid:29789; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Careto plugin download"; flow:to_server,established; http_uri; content:"/l/af_l_addon.xpi",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1176; reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity; sid:29790; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Careto plugin download"; flow:to_server,established; http_uri; content:"/m/f_l_addon.xpi",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1176; reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity; sid:29791; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Jackpos outbound connection"; flow:to_server,established; http_uri; content:"/post"; http_header; content:"User-Agent: something",fast_pattern,nocase; http_client_body; content:"mac="; content:"&t1=",distance 0; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6fab8e15cd4cf590f1abdf1/analysis; classtype:trojan-activity; sid:29816; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Jackpos outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:10; http_uri; content:"/post/echo",fast_pattern,nocase; http_header; content:!"User-Agent:"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6fab8e15cd4cf590f1abdf1/analysis; classtype:trojan-activity; sid:29817; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC User-Agent known malicious user agent - TixDll - Win.Trojan.Adload.dyhq"; flow:to_server,established; http_header; content:"User-Agent: TixDll|0D 0A|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/f5fbdc74afc209f2648490e077a2fcddc402cbc57ababbc2f735aaecde95681b/analysis/; classtype:trojan-activity; sid:29824; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Adload.dyhq variant outbound connection"; flow:to_server,established; http_uri; content:"/get/?ver=",depth 10; content:"&aid=",distance 0; content:"&hid=",distance 0; content:"&rid=",distance 0; content:"&data=",distance 0; http_header; content:!"Referer:"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/f5fbdc74afc209f2648490e077a2fcddc402cbc57ababbc2f735aaecde95681b/analysis/; classtype:trojan-activity; sid:29828; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HNAP remote code execution attempt"; flow:to_server,established; http_raw_uri; bufferlen:6; http_uri; content:"/HNAP1",fast_pattern,nocase; http_header; content:"Authorization: Basic YWRtaW46"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,isc.sans.edu/diary/Linksys+Worm+%22TheMoon%22+Summary%3A+What+we+know+so+far/17633; classtype:attempted-admin; sid:29829; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Linksys E-series HNAP TheMoon remote code execution attempt"; flow:to_server,established; http_uri; content:"/tmUnblock.cgi",fast_pattern,nocase; http_client_body; content:"%74%74%63%70%5f%69%70"; pcre:"/%74%74%63%70%5f%69%70%3d.*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/im"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,isc.sans.edu/diary/Linksys+Worm+%28%22TheMoon%22%29+Captured/17630; classtype:attempted-admin; sid:29830; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Linksys E-series HNAP TheMoon remote code execution attempt"; flow:to_server,established; http_uri; content:"/tmUnblock.cgi",fast_pattern,nocase; http_client_body; content:"ttcp_ip"; pcre:"/ttcp_ip=.*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/im"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,isc.sans.edu/diary/Linksys+Worm+%28%22TheMoon%22%29+Captured/17630; classtype:attempted-admin; sid:29831; rev:3; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Pirminay variant outbout connection"; flow:to_client,established; http_header; content:"filename=|22|full__setup.zip|22 0D 0A|",fast_pattern,nocase; file_data; content:"full__setup.exe",depth 200; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/5e1a615ddf73b27390d7a3c87a28932761fc1c843e01cd68253e873270bef69d/analysis/1392222514/; classtype:trojan-activity; sid:29862; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Pirminay variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:33; http_uri; content:"/read/swf/searchProductResult.jsp",fast_pattern,nocase; http_cookie; content:"cache=cc2=",depth 10; content:"|3B| core=",distance 0; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/5e1a615ddf73b27390d7a3c87a28932761fc1c843e01cd68253e873270bef69d/analysis/1392222514/; classtype:trojan-activity; sid:29863; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Redkit exploit kit payload request"; flow:to_server,established; http_uri; content:"/download.asp?p=",nocase; http_header; content:" Java/1.",fast_pattern,nocase; http_uri; pcre:"/\/download\.asp\?p\=\d$/i"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.invincea.com/2014/02/ekia-citadel-a-k-a-the-malware-the-popped-fazio-mechanical/; classtype:trojan-activity; sid:29864; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"MALWARE-CNC Win.Trojan.Kuluoz outbound connection"; flow:to_server,established; content:" HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B| rv:25.0) Gecko/20100101 Firefox/25.0|0D 0A|Host: ",fast_pattern,nocase; content:"POST /",depth 6; content:" HTTP/1.1",within 9,distance 42; pcre:"/^POST\x20\x2f[A-F\d]{42}\x20HTTP/"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/8b53c46a7dfbe738c558e653f33fccf2004fc294848eee20903daa556bb3af09/analysis/; classtype:trojan-activity; sid:29865; rev:6; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Napolar phishing attack"; flow:to_client,established; content:"facebook.com.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1192; reference:url,www.virustotal.com/en/file/58762cf6aa8eea5744716986773a2c22ae7412eae634be7bed648c96465bc8ef/analysis/; classtype:trojan-activity; sid:29869; rev:4; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Pony HTTP response connection"; flow:to_client,established; http_header; content:"Content-Length: 16"; file_data; content:"STATUS-IMPORT-OK",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,file-analyzer.net/analysis/1830/6840/0/html; reference:url,www.virustotal.com/en/file/58762cf6aa8eea5744716986773a2c22ae7412eae634be7bed648c96465bc8ef/analysis/; classtype:trojan-activity; sid:29870; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.WEC variant outbound connection"; flow:to_server,established; isdataat:68; isdataat:!69; http_raw_uri; bufferlen:1; pkt_data; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0|0D 0A|Host: checkip.dyndns.org|0D 0A 0D 0A|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/164c792247b2822ab1dce8271a9498d3c9172ff21d36feccf83265ded1be8d0b/analysis/; classtype:trojan-activity; sid:29882; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/gate.php",fast_pattern,nocase; http_header; content:"|3B 20|MSIE|20|"; content:!"Accept-Language:"; content:!"Referer:"; content:!"Accept-Encoding:"; metadata:impact_flag red,ruleset community; service:http; classtype:trojan-activity; sid:29884; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC User-Agent known malicious user-agent string Updates downloader - Win.Trojan.Upatre"; flow:to_server,established; http_header; content:"User-Agent|3A| Updates downloader|0D 0A|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/F167C95A467F584890F39BA2162F1B96E7626F5C575EB151C8E4E00E68F97478/analysis/; classtype:trojan-activity; sid:29887; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Pushdo variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_header; content:!"Referer|3A 20|"; content:"Accept|3A| */*|0D 0A|Accept-Language|3A| en-us|0D 0A|Content-Type|3A| application/octet-stream|0D 0A|Content-Length|3A| ",depth 93; content:"Connection|3A| Keep-Alive|0D 0A|Cache-Control|3A| no-cache|0D 0A|",distance 0; metadata:impact_flag red,ruleset community; service:http; classtype:trojan-activity; sid:29891; rev:8; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"Content-Length: 166"; content:".php HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|Host: ",fast_pattern,nocase; http_client_body; content:"v=",depth 2; content:"&c=",within 7; pcre:"/\x3d\x3d$/"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:29895; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.ExplorerHijack variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:12; http_uri; content:"/prl/el.html",fast_pattern,nocase; pkt_data; content:"Accept: text/html, */*|0D 0A|User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/b6f44c7466338ea14d1e711491b1d8174ee71e00541759eb18a31f959da521a9/analysis/; reference:url,www.virustotal.com/en/file/de67654959d29ffc5b9ec854d1e9e240ec96090ce8b3f9c3c9b337b7f2a54f8a/analysis/; classtype:trojan-activity; sid:29897; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Tiny variant outbound connection"; flow:to_server,established; http_uri; content:"/ie-error.gif?action=utility",fast_pattern,nocase; content:"&os="; content:"&error=",distance 0; content:"&rnd=",distance 0; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/d446e176ba2141d0e7ae0799335fdd98f94d5e6b41c88083f4a3d3c04805a721/analysis/; classtype:trojan-activity; sid:29981; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Hello/LightsOut exploit kit payload download attempt"; flow:to_server,established; http_uri; content:".php?a=dw",fast_pattern,nocase; pcre:"/\?a=dw[a-z]$/"; http_header; content:" Java/1."; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2011-1255; reference:cve,2012-1723; reference:cve,2013-1489; reference:url,attack.mitre.org/techniques/T1189; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector/; reference:url,jsunpack.jeek.org/?report=2a298ffa14fd2772bd646bd559f610b0c3b51862; reference:url,jsunpack.jeek.org/?report=977b49ea5dc5ef85d8f50d1f1222befee8bf3581; classtype:trojan-activity; sid:30003; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Androm variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:14; http_method; content:"POST"; http_uri; content:"/and/image.php",fast_pattern,nocase; http_header; content:"User-Agent: Mozilla/4.0|0D 0A|"; http_client_body; pcre:"/^[a-z\d\x2f\+\x3d]{10,98}$/i"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/0baf3197bdb2c665fea0a84db91d3f65171cf6cf9a732fd394ff9f707ddaf682/analysis; classtype:trojan-activity; sid:30068; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER ANDR.Trojan.iBanking outbound connection attempt"; flow:to_server,established; http_raw_uri; bufferlen:21; http_uri; content:"/android/sms/sync.php",fast_pattern,nocase; http_header; content:"User-Agent|3A 20|Apache-HttpClient|2F|"; http_client_body; content:"bot_id="; content:"&imei=",distance 0; content:"&iscallhack=",distance 0; content:"&issmshack=",distance 0; content:"&isrecordhack=",distance 0; content:"&isadmin=",distance 0; content:"&control_number=",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=3166; reference:url,www.virustotal.com/en/file/38f6fccfc8a31306c0a03cad6908c148e8506fd70ce03165fd89e18113b68e02/analysis/; classtype:trojan-activity; sid:30070; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER ANDR.Trojan.iBanking outbound connection attempt"; flow:to_server,established; http_raw_uri; bufferlen:21; http_method; content:"POST"; http_uri; content:"/android/sms/ping.php",fast_pattern,nocase; http_header; content:"User-Agent|3A 20|Apache-HttpClient|2F|"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=3166; reference:url,www.virustotal.com/en/file/38f6fccfc8a31306c0a03cad6908c148e8506fd70ce03165fd89e18113b68e02/analysis/; classtype:trojan-activity; sid:30071; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER ANDR.Trojan.iBanking outbound connection attempt"; flow:to_server,established; http_raw_uri; bufferlen:22; http_uri; content:"/android/sms/index.php",fast_pattern,nocase; http_header; content:"User-Agent|3A 20|Apache-HttpClient|2F|"; http_client_body; content:"bot_id="; content:"&number=&iccid=&model=",distance 0; content:"&imei=",distance 0; content:"&os=",distance 0; content:"&control_number=",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=3166; reference:url,www.virustotal.com/en/file/38f6fccfc8a31306c0a03cad6908c148e8506fd70ce03165fd89e18113b68e02/analysis/; classtype:trojan-activity; sid:30072; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Gamut configuration download"; flow:to_server,established; http_uri; content:"|26|file=SenderClient.conf",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/dcb60900fcfd4ec83930177b7055fbdbba37f8e217409874be130f9c2e5b78fb/analysis/; classtype:trojan-activity; sid:30087; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Necurs variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:13; pkt_data; content:"/forum/db.php HTTP/1.1|0D 0A|Content-Type: application/octet-stream|0D 0A|Host: ",fast_pattern,nocase; http_header; content:!"User-Agent:"; content:!"Referer:"; content:!"Accept"; metadata:ruleset community; service:http; reference:url,file-analyzer.net/analysis/2306/8066/0/html#network; reference:url,www.virustotal.com/en/file/009f75196d1df18713d2572e3a797fb6a784a5c6c7dd7d253ba408ed7164c313/analysis/1393271978/; classtype:trojan-activity; sid:30091; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Uroburos usermode-centric client request"; flow:to_server,established; http_uri; content:"/1/6b-558694705129b01c0",fast_pattern,nocase; pkt_data; content:"Connection: Keep-Alive|0D 0A|",nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf; reference:url,public.gdatasoftware.com/Web/Content/INT/Blog/2014/02_2014/documents/GData_Uroburos_RedPaper_EN_v1.pdf; reference:url,www.virustotal.com/en/file/50edc955a6e8e431f5ecebb5b1d3617d3606b8296f838f0f986a929653d289ed/analysis/; classtype:trojan-activity; sid:30191; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Androm variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:14; http_uri; content:"/tmp/image.php",fast_pattern,nocase; http_header; content:"User-Agent: Mozilla/4.0|0D 0A|"; content:!"Accept"; http_client_body; pcre:"/^[a-z\d\x2b\x2f\x3d]{48,256}$/i"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/0fb9613582fd025b6fd14dcd003973c676db3798b733851a6b37ef6b0bc5f3be/analysis; classtype:trojan-activity; sid:30196; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; http_header; content:".xpg.com.br|0D 0A|Accept: text/html, */*|0D 0A|Accept-Encoding: identity|0D 0A|User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/d28a89d789d51b30730a43ef903bc0fbb58e7014e9d55fbb2e42fd640fee1eac/analysis/; classtype:trojan-activity; sid:30198; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Nuclear exploit kit outbound payload request"; flow:to_server,established; http_uri; content:"/f/",depth 3; pcre:"/^\/f(?:\/\d)?\/1[34]\d{8}(?:\/\d{9,10})?(?:\/\d)+[^a-zA-Z]{1,6}$/"; flowbits:set,file.exploit_kit.pe; metadata:ruleset community; service:http; classtype:trojan-activity; sid:30220; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Graftor variant outbound connection"; flow:to_server,established; content:"|0D 0A|User-Agent: Mozilla/5.0 (Windows|3B| U|3B| Windows NT 6.1|3B| pt-BR|3B| rv:1.9.2b5) Gecko/20091204 Firefox/3.6b5|0D 0A 0D 0A|",fast_pattern,nocase; http_header; content:"|0D 0A|Accept-Encoding: gzip,deflate, identity|0D 0A|"; pkt_data; content:" HTTP/1.1|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/9ce3d15cbb5bc8cd42570f44ab4eb8f6332c5d0f28291d295883bf2923c01d4b/analysis/; classtype:trojan-activity; sid:30234; rev:3; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Strictor HTTP Response - Brazil Geolocated Infected User"; flow:to_client,established; http_header; content:"Content-Length: 6|0D 0A|"; file_data; content:"BRASIL",depth 6,fast_pattern; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/4b6a4211191c8115a3bce64897159127dabcef0fbf6268007cb223dfa0870b60/analysis/; classtype:trojan-activity; sid:30255; rev:2; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Strictor HTTP Response - Non-Brazil Geolocated Infected User"; flow:to_client,established; http_header; content:"Content-Length: 13|0D 0A|"; file_data; content:"INTERNACIONAL",depth 13,fast_pattern; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/4b6a4211191c8115a3bce64897159127dabcef0fbf6268007cb223dfa0870b60/analysis/; classtype:trojan-activity; sid:30256; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.ExplorerHijack variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:12; pkt_data; content:"/eh.html HTTP/1.1|0D 0A|Content-Type: text/html|0D 0A|Host: ",fast_pattern,nocase; http_header; content:"|0D 0A|Accept: text/html, */*|0D 0A|User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/29c3af334ce712ff66985f3584ad0af53ab16c2968ca41f06b900d703a27064e/analysis/1393266939/; reference:url,www.virustotal.com/en/file/5c2689920192836b3788a15f856ba311b54976a0a75016cbf0ae9a85d5a21d76/analysis/; classtype:trojan-activity; sid:30257; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/forumdisplay.php?fid=",fast_pattern,nocase; http_client_body; content:"id=",depth 3; content:"&iv=",within 4,distance 36; http_header; content:!"Referer:"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/52906104fa7cf93bbaba9ac9c6c5ffb8c72799e14248045e467c6568926cb494/analysis/1386078525/; reference:url,www.virustotal.com/en/file/5a9cd53f13825e17107d6b9f81ebe4013f3abf23429d9735c7258d43c101b71f/analysis/; classtype:trojan-activity; sid:30258; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Strictor variant outbound connection"; flow:to_server,established; http_uri; content:"/20",depth 3; http_header; content:"|0D 0A|Accept: text/html, */*|0D 0A|Accept-Encoding: identity|0D 0A|User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|",fast_pattern,nocase; http_uri; content:".inf",nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/143756537dfb4964c04d874fd16366ef384bdb4f64a739db019fa9b947b821a1/analysis/1395684118/; classtype:trojan-activity; sid:30259; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Lucky Leap Adware outbound connection"; flow:to_server,established; http_uri; content:"/gcs?alpha=",fast_pattern,nocase; pkt_data; content:"|0D 0A|Cache-Control: no-store,no-cache|0D 0A|Pragma: no-cache|0D 0A|Connection: Keep-Alive|0D 0A 0D 0A|"; http_header; content:!"Accept"; content:!"User-Agent:"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/43c6fb02baf800b3ab3d8f35167c37dced8ef3244691e70499a7a9243068c016/analysis/1395425759/; classtype:trojan-activity; sid:30260; rev:8; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Lucky Leap Adware outbound connection"; flow:to_server,established; http_uri; content:"/gdi?alpha=",fast_pattern,nocase; pkt_data; content:"|0D 0A|Cache-Control: no-store,no-cache|0D 0A|Pragma: no-cache|0D 0A|Connection: Keep-Alive|0D 0A 0D 0A|"; http_header; content:!"Accept"; content:!"User-Agent:"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/43c6fb02baf800b3ab3d8f35167c37dced8ef3244691e70499a7a9243068c016/analysis/1395425759/; classtype:trojan-activity; sid:30261; rev:8; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; http_uri; content:"lista"; http_client_body; content:"|3B| name=|22|arquivo|22 3B| filename=|22|C:|5C|",fast_pattern,nocase; content:".log|22 0D 0A|",nocase; http_header; content:!"Accept-"; metadata:ruleset community; service:http; reference:url,www.virustotal.com/en/file/c70ca3914e44cf574f50019892916ed910d7454cdb64b4eab403961c953fe44e/analysis/1395407305/; classtype:trojan-activity; sid:30262; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: ( msg:"MALWARE-CNC Win.Trojan.Glupteba.M initial outbound connection"; flow:to_server,established; content:"/stat?"; content:"uptime="; content:"&downlink=",distance 0; content:"&uplink=",distance 0; content:"&id=",distance 0; content:"&statpass=bpass",distance 0,fast_pattern; content:"&version=",distance 0; content:"&features=",distance 0; content:"&guid=",distance 0; content:"&comment=",distance 0; content:"&p=",distance 0; content:"&s=",distance 0; metadata:ruleset community; service:http; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; classtype:trojan-activity; sid:30288; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Goon/Infinity exploit kit malicious portable executable file request"; flow:to_server,established; http_uri; content:".mp3?rnd=",fast_pattern,nocase; pcre:"/\/\d+\.mp3\?rnd=\d+$/"; flowbits:set,file.exploit_kit.pe; metadata:ruleset community; service:http; classtype:trojan-activity; sid:30319; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Linux.Trojan.Calfbot outbound connection"; flow:to_server,established; http_uri; content:"/b/index.php?id=",fast_pattern,nocase; content:"&sent="; content:"&notsent=",distance 0; content:"&stat=",distance 0; metadata:ruleset community; service:http; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; classtype:trojan-activity; sid:30336; rev:2; )
alert tcp $EXTERNAL_NET 1600:1604 -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Zbot/Bublik inbound connection"; flow:to_client,established; content:"E|00|N|00|D|00|S|00|E|00|R|00|V|00|E|00|R|00|B|00|U|00|F|00|F|00|E|00|R|00|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; reference:url,isc.sans.edu/forums/diary/Malicious+PDF+sent+in+massive+scam+to+Colombian+users+claiming+to+be+from+Credit+score+agency/17875; reference:url,www.virustotal.com/en/file/bbc1a8b0892785c75f0f44d9414e424ed03cefbf951ed20eaae50031670c8a96/analysis/; classtype:trojan-activity; sid:30482; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 1600:1604 ( msg:"MALWARE-CNC Win.Trojan.Zbot/Bublik outbound connection"; flow:to_server,established; content:"GET /123456789.functionss",fast_pattern,nocase; metadata:impact_flag red,ruleset community; reference:url,isc.sans.edu/forums/diary/Malicious+PDF+sent+in+massive+scam+to+Colombian+users+claiming+to+be+from+Credit+score+agency/17875; reference:url,www.virustotal.com/en/file/bbc1a8b0892785c75f0f44d9414e424ed03cefbf951ed20eaae50031670c8a96/analysis/; classtype:trojan-activity; sid:30483; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 1600:1604 ( msg:"MALWARE-CNC Win.Trojan.Zbot/Bublik outbound connection"; flow:to_server,established; isdataat:!19; content:"myversion|7C|",fast_pattern,nocase; pcre:"/myversion\x7c(\d\x2e){3}\d\x0d\x0a/"; metadata:impact_flag red,ruleset community; reference:url,isc.sans.edu/forums/diary/Malicious+PDF+sent+in+massive+scam+to+Colombian+users+claiming+to+be+from+Credit+score+agency/17875; reference:url,www.virustotal.com/en/file/bbc1a8b0892785c75f0f44d9414e424ed03cefbf951ed20eaae50031670c8a96/analysis/; classtype:trojan-activity; sid:30484; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET [21,25,443,465,636,992,993,995,2484] ( msg:"SERVER-OTHER OpenSSL SSLv3 heartbeat read overrun attempt"; flow:to_server,established,only_stream; content:"|18 03 00|",depth 3; detection_filter:track by_src,count 3,seconds 1; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30510; rev:8; )
alert tcp $EXTERNAL_NET any -> $HOME_NET [21,25,443,465,636,992,993,995,2484] ( msg:"SERVER-OTHER OpenSSL TLSv1 heartbeat read overrun attempt"; flow:to_server,established,only_stream; content:"|18 03 01|",depth 3; detection_filter:track by_src,count 3,seconds 1; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30511; rev:8; )
alert tcp $EXTERNAL_NET any -> $HOME_NET [21,25,443,465,636,992,993,995,2484] ( msg:"SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt"; flow:to_server,established,only_stream; content:"|18 03 02|",depth 3; detection_filter:track by_src,count 3,seconds 1; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30512; rev:8; )
alert tcp $EXTERNAL_NET any -> $HOME_NET [21,25,443,465,636,992,993,995,2484] ( msg:"SERVER-OTHER OpenSSL TLSv1.2 heartbeat read overrun attempt"; flow:to_server,established,only_stream; content:"|18 03 03|",depth 3; detection_filter:track by_src,count 3,seconds 1; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30513; rev:8; )
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any ( msg:"SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established,only_stream; content:"|18 03 00|",depth 3; byte_test:2,>,128,0,relative; content:"|02|",within 1,distance 2; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30514; rev:11; )
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any ( msg:"SERVER-OTHER OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established,only_stream; content:"|18 03 01|",depth 3; byte_test:2,>,128,0,relative; content:"|02|",within 1,distance 2; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30515; rev:11; )
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any ( msg:"SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established,only_stream; content:"|18 03 02|",depth 3; byte_test:2,>,128,0,relative; content:"|02|",within 1,distance 2; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30516; rev:11; )
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any ( msg:"SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established,only_stream; content:"|18 03 03|",depth 3; byte_test:2,>,128,0,relative; content:"|02|",within 1,distance 2; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30517; rev:11; )
alert tcp $HOME_NET any -> $EXTERNAL_NET [21,25,443,465,636,992,993,995,2484] ( msg:"SERVER-OTHER OpenSSL SSLv3 heartbeat read overrun attempt - vulnerable client response"; flow:to_server,established,only_stream; content:"|18 03 00|",depth 3; byte_test:2,>,128,3; detection_filter:track by_dst,count 2,seconds 5; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30520; rev:9; )
alert tcp $HOME_NET any -> $EXTERNAL_NET [21,25,443,465,636,992,993,995,2484] ( msg:"SERVER-OTHER OpenSSL TLSv1 heartbeat read overrun attempt - vulnerable client response"; flow:to_server,established,only_stream; content:"|18 03 01|",depth 3; byte_test:2,>,128,3; detection_filter:track by_dst,count 2,seconds 5; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30521; rev:9; )
alert tcp $HOME_NET any -> $EXTERNAL_NET [21,25,443,465,636,992,993,995,2484] ( msg:"SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt - vulnerable client response"; flow:to_server,established,only_stream; content:"|18 03 02|",depth 3; byte_test:2,>,128,3; detection_filter:track by_dst,count 2,seconds 5; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30522; rev:9; )
alert tcp $HOME_NET any -> $EXTERNAL_NET [21,25,443,465,636,992,993,995,2484] ( msg:"SERVER-OTHER OpenSSL TLSv1.2 heartbeat read overrun attempt - vulnerable client response"; flow:to_server,established,only_stream; content:"|18 03 03|",depth 3; byte_test:2,>,128,3; detection_filter:track by_dst,count 2,seconds 5; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30523; rev:9; )
alert tcp $EXTERNAL_NET any -> $HOME_NET [21,25,443,465,636,992,993,995,2484] ( msg:"SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt"; flow:to_server,established; content:"|18 03 02 00 03 01 40 00|",fast_pattern,nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30524; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET [21,25,443,465,636,992,993,995,2484] ( msg:"SERVER-OTHER OpenSSL TLSv1.2 heartbeat read overrun attempt"; flow:to_server,established; isdataat:68; isdataat:!69; content:"|18 03 03 00 40|",depth 5; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30525; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Ramdo variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:1; http_method; content:"POST"; http_header; content:".org|0D 0A|Content-Length|3A| 128|0D 0A|Cache-Control|3A| no-cache|0D 0A 0D 0A|",fast_pattern,nocase; content:!"User-Agent|3A|"; content:!"Accept|3A|"; pcre:"/^Host\x3a\s[a-z]{16}\.org\x0d/m"; metadata:impact_flag red,ruleset community; service:http; reference:url,blogs.technet.com/b/mmpc/archive/2014/04/08/msrt-april-2014-ramdo.aspx; classtype:trojan-activity; sid:30547; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:6; http_method; content:"POST"; http_uri; content:"/write"; http_header; content:"Host: default|0D 0A|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,blog.malwaremustdie.org/2014/03/a-post-to-sting-zeus-p2pgameover-crooks.html; reference:url,www.virustotal.com/en/file/7647eec6ae87c203085fe433f25c78f415baf31d01ee8aa31241241712b46a0d/analysis/; classtype:trojan-activity; sid:30548; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 ( msg:"SERVER-OTHER OpenSSL Heartbleed masscan access exploitation attempt"; flow:to_server,established; content:"[masscan/1.0]"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30549; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Malicious BitCoiner Miner download - Win.Trojan.Minerd"; flow:to_server,established; http_raw_uri; bufferlen:>10; http_uri; content:"/minerd.exe",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/583b585078f37f5d399a228f1b8021ca0a9e904a55792281048bae9cfe0e95c1/analysis/; classtype:trojan-activity; sid:30551; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Malicious BitCoiner Miner download - Win.Trojan.Systema"; flow:to_server,established; http_raw_uri; bufferlen:20; http_uri; content:"/aviatic/systema.exe",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/583b585078f37f5d399a228f1b8021ca0a9e904a55792281048bae9cfe0e95c1/analysis/; reference:url,www.virustotal.com/en/file/e8bd297b1f59b7ea11db7d90e81002469a8f054f79638a57332ac448d819fb5d/analysis/; classtype:trojan-activity; sid:30552; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 10991 ( msg:"MALWARE-CNC Linux.Trojan.Elknot outbound connection"; flow:to_server,established; isdataat:400; isdataat:!401; content:"Linux|20|",depth 6,offset 17; pcre:"/Linux\x20\d\.[0-9]{1,2}\.[0-9]{1,2}/"; metadata:impact_flag red,ruleset community; reference:url,www.virustotal.com/en/file/13f13f4e214c2755235ba36643e4ab08d4ea679da008397b7a540e0d45e70ab2/analysis/; classtype:trojan-activity; sid:30566; rev:4; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.Agent E-FAX phishing attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"pdf_efax_",fast_pattern,nocase; content:"PK",depth 2; content:".pif",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1192; reference:url,www.virustotal.com/en/file/4e102fd6fce767fa6c0d0a9871bb71ec5969ded694a9292c2c8a9749e5648ed4/analysis/; classtype:trojan-activity; sid:30567; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Win.Trojan.Agent E-FAX phishing attempt"; flow:to_server,established; http_uri; content:"/cache/pdf_efax_",fast_pattern,nocase; pcre:"/\/cache\/pdf\x5Fefax\x5F\d{8,15}\.zip$/i"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1192; reference:url,www.virustotal.com/en/file/4e102fd6fce767fa6c0d0a9871bb71ec5969ded694a9292c2c8a9749e5648ed4/analysis/; classtype:trojan-activity; sid:30568; rev:3; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.Agent Funeral ceremony phishing attempt"; flow:to_client,established; http_header; content:"filename=FuneralCeremony_",fast_pattern,nocase; content:".zip",nocase; file_data; content:"FuneralCeremony_"; content:".exe",distance 0,nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1192; reference:url,www.virustotal.com/en/file/285ec7e2f8cbaed5d8cebde56bb6d44a921eb4e8384981832822329d8ccfb125/analysis/1395241815/; classtype:trojan-activity; sid:30569; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 ( msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:6; pkt_data; content:"/webhp HTTP/1.1|0D 0A|Accept: */*|0D 0A|Connection: Close|0D 0A|User-Agent: Mozilla/4.0 (",fast_pattern,nocase; http_header; content:"|3B| MSIE "; content:"google."; content:!"Accept-"; http_cookie; content:"PREF=",depth 5; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/2f2e20d92f7551fccae73bba64d25dd1f18a4018fffd30bdb1f9fb6280182bd0/analysis/1396537812/; reference:url,www.virustotal.com/en/file/b268cba8515040055d866fb9e29d7fe2bc087f205711cdbad3e4b1bde7be2d75/analysis/; reference:url,www.virustotal.com/en/file/ef4e0ccc49decb41f213a20f61d92374c3b97497105d7c20e7284f65055d2ccb/analysis/; classtype:trojan-activity; sid:30570; rev:4; )
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any ( msg:"SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|16 03 00|"; byte_jump:2,0,relative; content:"|18 03 00|",within 3,fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30777; rev:4; )
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any ( msg:"SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|17 03 00|"; byte_jump:2,0,relative; content:"|18 03 00|",within 3,fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30778; rev:4; )
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any ( msg:"SERVER-OTHER OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|16 03 01|"; byte_jump:2,0,relative; content:"|18 03 01|",within 3,fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30779; rev:4; )
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any ( msg:"SERVER-OTHER OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|17 03 01|"; byte_jump:2,0,relative; content:"|18 03 01|",within 3,fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30780; rev:4; )
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any ( msg:"SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|16 03 02|"; byte_jump:2,0,relative; content:"|18 03 02|",within 3,fast_pattern; byte_test:2,>,128,0,relative; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30781; rev:5; )
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any ( msg:"SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|17 03 02|"; byte_jump:2,0,relative; content:"|18 03 02|",within 3,fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30782; rev:4; )
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any ( msg:"SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|16 03 03|"; byte_jump:2,0,relative; content:"|18 03 03|",within 3,fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30783; rev:4; )
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any ( msg:"SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|17 03 03|"; byte_jump:2,0,relative; content:"|18 03 03|",within 3,fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30784; rev:4; )
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any ( msg:"SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|18 03 00|"; byte_jump:2,0,relative; content:"|18 03 00|",within 3; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30785; rev:4; )
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any ( msg:"SERVER-OTHER OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|18 03 01|"; byte_jump:2,0,relative; content:"|18 03 01|",within 3; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30786; rev:4; )
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any ( msg:"SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|18 03 02|"; byte_jump:2,0,relative; content:"|18 03 02|",within 3; byte_test:2,>,128,0,relative; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30787; rev:5; )
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any ( msg:"SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|18 03 03|"; byte_jump:2,0,relative; content:"|18 03 03|",within 3; byte_test:2,>,128,0,relative; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30788; rev:5; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OTHER RARLAB WinRAR ZIP format filename spoof attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"|50 4B 03 04|",depth 4; content:"|00 00|",within 2,distance 24; content:".exe",within 64; flowbits:set,file.zip.winrar.spoof; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:ftp-data,http,imap,pop3; reference:bugtraq,66383; reference:url,an7isec.blogspot.co.il/2014/03/winrar-file-extension-spoofing-0day.html; classtype:attempted-user; sid:30906; rev:3; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OTHER RARLAB WinRAR ZIP format filename spoof attempt"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"|50 4B 03 04|",depth 4; content:"|00 00|",within 2,distance 24; content:".exe",within 64; flowbits:set,file.zip.winrar.spoof; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:smtp; reference:bugtraq,66383; reference:url,an7isec.blogspot.co.il/2014/03/winrar-file-extension-spoofing-0day.html; classtype:attempted-user; sid:30909; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.SpySmall variant outbound connection"; flow:to_server,established; http_header; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 10.0|3B| Windows NT 6.2|3B| Trident/4.0|0D 0A|",fast_pattern,nocase; pkt_data; content:!"Accept"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/df51eccf430ac391d09817d003977b4ea6af36117ce3aaee2fa0ebf04505c0d2/analysis/; classtype:trojan-activity; sid:30914; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.SpySmall variant outbound connection"; flow:to_server,established; http_client_body; content:"|3E 00|e|00|c|00|h|00|o|00 20 00|c|00|m|00|d|00 5F 00|b|00|e|00|g|00|i|00|n|00|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/df51eccf430ac391d09817d003977b4ea6af36117ce3aaee2fa0ebf04505c0d2/analysis/; classtype:trojan-activity; sid:30915; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC User-Agent known malicious user agent - User-Agent User-Agent Mozilla"; flow:to_server,established; http_header; content:"User-Agent: User-Agent: Mozilla/",fast_pattern,nocase; pkt_data; content:!"Accept"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/file/D67B6706559C5F7AB97CC788E668E27A29B7D2D39C9ACA93AF73778E53993339/analysis/; classtype:trojan-activity; sid:30918; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/js/prototype/order.php",fast_pattern,nocase; pkt_data; content:" HTTP/1.1|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/"; http_header; content:"|3B 20|MSIE|20|",distance 0; content:"|29 0D 0A|Host:",distance 0; content:!"Accept"; content:!"|0D 0A|Referer:"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:30919; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Multiple exploit kit redirection gate"; flow:to_server,established; http_raw_uri; bufferlen:72; http_method; content:"POST"; http_uri; content:".php?q=",fast_pattern,nocase; pcre:"/^\/[a-f0-9]{32}\.php\?q=[a-f0-9]{32}$/"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:30920; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR Win.Backdoor.Hikit outbound banner response"; flow:to_client,established; content:"|5D 00 20 00|h|00|i|00|k|00|i|00|t|00|>|00|",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http,ssl; reference:url,www.virustotal.com/en/file/aa4b2b448a5e246888304be51ef9a65a11a53bab7899bc1b56e4fc20e1b1fd9f/analysis/; classtype:trojan-activity; sid:30948; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT CritX exploit kit payload request"; flow:to_server,established; http_uri; content:"/load"; content:".php",distance 0; pcre:"/\/load(?:(?:db|rh|silver|msie|flash|fla[0-9]{4,5}))\.php/"; flowbits:set,file.exploit_kit.pe; metadata:ruleset community; service:http; reference:url,malware-traffic-analysis.net/2014/05/29/index.html; classtype:trojan-activity; sid:30973; rev:7; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-COMPROMISE Potential malware download - .doc.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".doc.exe",fast_pattern,nocase; http_header; content:"Content-Length:"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:30997; rev:2; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-COMPROMISE Potential malware download - .gif.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".gif.exe",fast_pattern,nocase; http_header; content:"Content-Length:"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:30998; rev:2; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-COMPROMISE Potential malware download - .jpeg.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".jpeg.exe",fast_pattern,nocase; http_header; content:"Content-Length:"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:30999; rev:2; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-COMPROMISE Potential malware download - .jpg.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".jpg.exe",fast_pattern,nocase; http_header; content:"Content-Length:"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:31000; rev:2; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-COMPROMISE Potential malware download - .pdf.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".pdf.exe",fast_pattern,nocase; http_header; content:"Content-Length:"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:31001; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/hunter/123/order.php",fast_pattern,nocase; http_header; content:!"Accept"; content:!"|0D 0A|Referer:"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:31020; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.SpyBanker variant outbound connection"; flow:to_server,established; http_method; content:"POST"; pkt_data; content:".php HTTP/1.0|0D 0A|Connection: keep-alive|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|Content-Length: 0|0D 0A|Host: "; content:"|0D 0A|Accept: text/html,application/xhtml+xml,application/xml|3B|q=0.9,*/*|3B|q=0.8|0D 0A|Accept-Encoding: identity|0D 0A|User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|",distance 0; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/726644e5f666b133159e6c2591cdd3bc628bcd335b381b74fcfd2e4db73689af/analysis/; reference:url,www.virustotal.com/en/file/af56f8f97c8872d043a4002daa6331f3b3be296427b0e5d0560fd174e9f59e78/analysis/; classtype:trojan-activity; sid:31036; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.MadnessPro outbound connection"; flow:to_server,established; http_uri; content:"/?"; content:"uid="; content:"&mk=",fast_pattern; content:"&os="; content:"&rs="; content:"&c="; content:"&rq="; metadata:impact_flag red,ruleset community; service:http; reference:url,blog.cylance.com/a-study-in-bots-madness-pro; classtype:trojan-activity; sid:31053; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Rootkit.Necurs outbound connection"; flow:to_server,established; http_method; content:"POST"; http_raw_uri; bufferlen:15; http_uri; content:"/docs/index.php",fast_pattern,nocase; http_header; content:"Content-Type|3A 20|application/octet-stream"; content:!"User-Agent|3A 20|"; content:!"Accept|3A 20|"; content:!"Referer|3A 20|"; metadata:impact_flag red,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.virustotal.com/en/file/b47a1bdf5e53f4a754413d2461f7db9a4c7d1e0845c1f676b5399061e3dc1a4b/analysis/; classtype:trojan-activity; sid:31070; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zbot variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_raw_uri; bufferlen:11; http_uri; content:"/srt/ge.php",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/750d533898f19c606ee9e96ff72c1aa3d830c469f2f564890ebbc38b169eb41b/analysis/1400275398/; classtype:trojan-activity; sid:31084; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC User-Agent known malicious user agent - User-Agent hello crazyk"; flow:to_server,established; http_header; content:"User-Agent: hello crazyk|0D 0A|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/file/e61acf1cf61938eaa9cfa40e9dcd357f271c17c20218ba895c1f4a/analysis/; classtype:trojan-activity; sid:31090; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Bancos password stealing attempt"; flow:to_server,established; http_client_body; content:"rotina=plogin&login=",fast_pattern,nocase; content:"&senha="; content:"&casa=",distance 0; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/61cbe9b94bca25503c884bb0c9363b95fac6203534e5b23c5887dde91fbd4951/analysis/1384873658; classtype:trojan-activity; sid:31112; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; http_client_body; content:")&dt=",fast_pattern,nocase; content:"pc=",depth 3; content:"&av=",distance 0; content:"&wd=",distance 0; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/61cbe9b94bca25503c884bb0c9363b95fac6203534e5b23c5887dde91fbd4951/analysis/1384873658; classtype:trojan-activity; sid:31113; rev:3; )
alert udp $EXTERNAL_NET any -> $HOME_NET [16464,16465,16470,16471] ( msg:"MALWARE-CNC Win.Trojan.ZeroAccess inbound connection"; flow:to_server; dsize:16; content:"|28 94 8D AB|",depth 4,offset 4; metadata:impact_flag red,ruleset community; reference:url,www.virustotal.com/file/50cdd9f6c5629630c8d8a3a4fe7d929d3c6463b2f9407d9a90703047e7db7ff9/analysis/; classtype:trojan-activity; sid:31136; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Banker variant outbound connection"; flow:to_server,established; http_method; content:"POST"; pkt_data; content:"/notify.php HTTP/1.0|0D 0A|",fast_pattern,nocase; http_header; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A|"; content:"Content-Length: 0|0D 0A|"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/bf40d710dda1a3ada127d68b34b837eca03a28699cd858cda7d4a3e36690628a/analysis/; classtype:trojan-activity; sid:31221; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Banker variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:17; http_uri; content:"/second/game1.inf",fast_pattern,nocase; http_header; content:"|3B 20|MSIE|20|"; content:!"Accept-Language:"; content:!"Referer:"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/bf40d710dda1a3ada127d68b34b837eca03a28699cd858cda7d4a3e36690628a/analysis/; classtype:trojan-activity; sid:31222; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Necurs variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:15; pkt_data; content:"/news/index.php HTTP/1.1|0D 0A|Content-Type: application/octet-stream|0D 0A|Host: ",fast_pattern,nocase; http_header; content:!"User-Agent:"; content:!"Referer:"; content:!"Accept"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/565496cb40fc868d233dabfb1e178e8b9042d964cb1e4f5f3386a6db4f1cf30e/analysis/1400509611/; classtype:trojan-activity; sid:31243; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,443] ( msg:"MALWARE-CNC Win.Trojan.Kuluoz outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:43; pkt_data; content:"POST /",depth 6; content:" HTTP/1.1",within 9,distance 42; content:"Firefox/",distance 0; content:!"|0D 0A|Accept-"; pcre:"/^POST\x20\x2f[A-F\d]{42}\x20HTTP/"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/93a40a83977ca24df6e12d7d6f19a9b9d92cb3ea3174ea9d4398ad2048205c42/analysis/; classtype:trojan-activity; sid:31244; rev:5; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Andromeda HTTP proxy response attempt"; flow:to_client,established; file_data; content:"function FindProxyForURL(url, host)",depth 35; content:"yx0=0|3B|yx1=1|3B|yx2=2|3B|yx3=3|3B|yx4=4|3B|yx5=5|3B|yx6=6|3B|yx7=7|3B|yx8=8|3B|yx9=9|3B|lit=|22 22|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.exposedbotnets.com/2013/06/localmworg-andromeda-http-botnet-hosted.html; classtype:trojan-activity; sid:31260; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Symmi outbound connection"; flow:to_server,established; content:".inf HTTP/1.1|0D 0A|Accept: */*|0D 0A|Accept-Encoding: gzip, deflate|0D 0A|User-Agent: Mozilla/",fast_pattern,nocase; http_header; content:"|3B 20|MSIE|20|"; pkt_data; pcre:"/\)\r\nHost\x3a\x20[\d\x2e]{7,15}\r\nConnection\x3a\x20Keep\x2dAlive\r\n\r\n$/"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/c77a679df3b74c622e39ab163fc876cc9d7719f2c2e8cf80beb36c813827d0c7/analysis/; classtype:trojan-activity; sid:31261; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Worm.VBNA variant outbound connection"; flow:to_server,established; http_uri; content:"/0.gif?",depth 7; pkt_data; content:" HTTP/1.1|0D 0A|Host: sstatic1.histats.com|0D 0A 0D 0A|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,malwr.com/analysis/NWI5M2QwY2QxZWIwNDU4NDliYjU5NWJmMzc0MzQ2MDE/; reference:url,www.virustotal.com/en/file/0a777870b65d3dc80b56baf77f6d9e342d25a1c7d670077eca14a0f4309f9e26/analysis/; reference:url,www.virustotal.com/en/file/b5a01ce5e2b074f40d86ecca802658a5c998b5bf452f164b1a76f8fa27f53b15/analysis/; classtype:trojan-activity; sid:31262; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Dyre publickey outbound connection"; flow:to_server,established; content:"/publickey/ HTTP/1.1|0D 0A|User-Agent: Wget/1.9|0D 0A|Host: ",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl; reference:url,www.virustotal.com/en/file/417c9cd7c8abbd7bbddfc313c9f153758fd11bda47f754b9c59bc308d808c486/analysis/; classtype:trojan-activity; sid:31293; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zusy variant outbound connection"; flow:to_server,established; http_uri; content:"/workers.php?mac=",fast_pattern,nocase; content:"&gpu="; http_header; content:!"|0D 0A|User-Agent:"; content:!"|0D 0A|Accept"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/0f3243a4645ab4acb88e1e0ee4fa0cb254a88709ce00a193ad6e20faec3243dc/analysis/; classtype:trojan-activity; sid:31295; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.MSIL variant outbound connection"; flow:to_server,established; content:"/srv2.php?param=1 HTTP/1.1|0D 0A|Host: ",fast_pattern,nocase; content:"Connection: Keep-Alive|0D 0A 0D 0A|"; http_header; content:!"User-Agent:"; metadata:impact_flag red,ruleset community; service:http; reference:url,malwr.com/analysis/ZDI5NTViMGI2MzZiNDU0MTlhMzNlZDhiZGUwNjFmOGY/; classtype:trojan-activity; sid:31315; rev:3; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-APACHE Apache Chunked-Encoding worm attempt"; flow:to_server,established; content:"Transfer-Encoding: Chunked",fast_pattern,nocase; content:"|0D 0A|",distance 0; byte_test:8,>,2147483647,0,relative,string,hex; content:"|20|",within 9; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,4474; reference:bugtraq,4485; reference:bugtraq,5033; reference:cve,2002-0071; reference:cve,2002-0079; reference:cve,2002-0392; reference:nessus,10932; classtype:web-application-attack; sid:31405; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Injector variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:4; http_uri; content:"/re/",fast_pattern,nocase; pkt_data; content:"User-Agent: Mozilla/5.0 (compatible|3B| MSIE 9.0|3B| Windows NT 6.1|3B| Trident/5.0)|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|Host: "; http_header; content:"|0D 0A|Connection: Close|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|",distance 0; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/56939273f68158dacc58d4e8d5bb5b0c4c04be89e279651c8f19fa6392f3d837/analysis/; reference:url,www.virustotal.com/en/file/ad40cabf66001087c2e9f548811b17341f63f19f528a3c04a1c9ab9f10b5eff9/analysis/; classtype:trojan-activity; sid:31442; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.CryptoWall downloader attempt"; flow:to_server,established; http_raw_uri; bufferlen:<20; http_header; content:"User-Agent|3A 20|macrotest|0D 0A|",fast_pattern,nocase; http_uri; pcre:"/\x2f(css|upload)\x2f[a-z]{2}[0-9]{3}\x2eccs/"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/e370c1fc6e7e289523fdf2f090edb7885f8d0de1b99be0164dafffeca9914b10/analysis/; classtype:trojan-activity; sid:31449; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.CryptoWall outbound connection"; flow:to_server,established; http_method; content:"POST"; http_raw_uri; bufferlen:<17; pkt_data; content:"HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|Connection: Close|0D 0A|Content-Length: 100|0D 0A|User-Agent: ",fast_pattern,nocase; http_client_body; content:"=",depth 1,offset 1; pcre:"/[a-z]=[a-f0-9]{98}/"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/a92ae8e80b0b70288a32c0455856453c5980021156132a540035e7ef5e0fa79e/analysis/; classtype:trojan-activity; sid:31450; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; http_uri; content:".php?chave=xchave&url|3D 20 3D 7C 3D 20|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/08e670fd1f7141f219f0bb7f48c179485146e439847a68cdf52b85328b66dd22/analysis/; classtype:trojan-activity; sid:31452; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.ChoHeap variant outbound connection"; flow:to_server,established; content:" HTTP/1.1|0D 0A|User-Agent: Mozilla/5.0|0D 0A|"; http_uri; content:"Service Pack ",fast_pattern,nocase; http_header; content:"Cache-Control: no-cache|0D 0A 0D 0A|"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/0423e10a674fb7e96557eac50b51207709a248df6e06aeeba401ded6157c1298/analysis/; classtype:trojan-activity; sid:31453; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.ChoHeap variant outbound connection"; flow:to_server,established; content:".rar HTTP/1.1|0D 0A|Accept: text/*, application/*|0D 0A|User-Agent: Mozilla/5.0|0D 0A|Host: ",fast_pattern,nocase; http_header; content:"|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/0423e10a674fb7e96557eac50b51207709a248df6e06aeeba401ded6157c1298/analysis/; classtype:trojan-activity; sid:31454; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Rig Exploit Kit Outbound DGA Request"; flow:to_server,established; http_raw_uri; bufferlen:25<=>32; http_uri; content:".html?0.",depth 11,offset 2; pcre:"/\/[a-z]{1,4}\x2ehtml\x3f0\x2e[0-9]{15,}$/"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,www.symantec.com/connect/blogs/rig-exploit-kit-used-recent-website-compromise; classtype:trojan-activity; sid:31455; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.SDBot variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:8; http_uri; content:"/install"; http_client_body; content:"argc=",depth 5; content:"&name=",distance 0; content:"&previous=",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/5682e096bad2d2e75fb09122af272572b23ca5defb70325ab7cdc4c534a68e7d/analysis; classtype:trojan-activity; sid:31458; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Androm Click Fraud Request"; flow:to_server,established; http_uri; content:"/query?version=",fast_pattern,nocase; content:"&sid="; content:"&builddate=",distance 0; content:"&q=",distance 0; content:"&ref=",distance 0; metadata:impact_flag red,ruleset community; service:http; reference:url,malwr.com/analysis/ZmE3ZWU2YTkyM2U0NGQ0MmI1NDcxMjUwZDE2NTM5MjQ/; classtype:trojan-activity; sid:31465; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Androm Click Fraud Request"; flow:to_server,established; http_header; content:"|0D 0A|builddate:",fast_pattern,nocase; content:"|0D 0A|aid: "; content:"|0D 0A|redirect: http://"; metadata:impact_flag red,ruleset community; service:http; reference:url,malwr.com/analysis/ZmE3ZWU2YTkyM2U0NGQ0MmI1NDcxMjUwZDE2NTM5MjQ/; classtype:trojan-activity; sid:31466; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Androm variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:9; http_uri; content:"/gate.php",fast_pattern,nocase; http_header; content:"User-Agent: Mozilla/4.0|0D 0A|"; metadata:impact_flag red,ruleset community; service:http; reference:url,malwr.com/analysis/ZmE3ZWU2YTkyM2U0NGQ0MmI1NDcxMjUwZDE2NTM5MjQ/; classtype:trojan-activity; sid:31467; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Papras variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/viewforum.php?f=",fast_pattern,nocase; content:"&sid="; http_header; content:!"Referer:"; content:!"Cookie:"; http_uri; pcre:"/sid=[0-9A-F]{32}/"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/9e548d9a37c46423680e324b31204197babc45ddc05835afa772fde8627e72b2/analysis/; classtype:trojan-activity; sid:31468; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 ( msg:"MALWARE-CNC Win.Trojan.HW32 variant spam attempt"; flow:to_server,established; content:"MAIL FROM: <Reademal.com>|0D 0A|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:smtp; reference:url,www.virustotal.com/en/file/e69b310dff09830641d4b9682375ce3df503674d23c429bd7847979ea9250b2b/analysis/; classtype:trojan-activity; sid:31507; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; http_uri; content:"/index.php?email=libpurple_XMPP",fast_pattern,nocase; content:"&method=post"; pkt_data; content:" HTTP/1.0|0D 0A|Accept: */*|0D 0A|Connection: close|0D 0A|Host: "; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/b2b7571ffc6ee27fc716f308d72a3268ffa5f32330ca6349aacc92e6cecb2582/analysis/1406043461/; classtype:trojan-activity; sid:31530; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"INDICATOR-COMPROMISE MinerDeploy monitor request attempt"; flow:to_server,established; http_uri; content:"/monitor.php?",fast_pattern; content:"myid=",distance 0; content:"&ip=",distance 0; content:"&cgminer=",distance 0; content:"&operatingsystem=",distance 0; http_header; content:!"Content-Length|3A 20|"; content:!"Content-Type|3A 20|"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/06033b08afd30b413cce3b9a169cb8396fe34865f3bacd436c652dbb469ced62/analysis/; classtype:trojan-activity; sid:31531; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Andr.Trojan.SMSSend outbound connection"; flow:to_server,established; http_uri; content:"sms"; content:".ashx?t=",fast_pattern,nocase; http_header; content:!"User-Agent|3A 20|"; content:!"Accept|3A 20|"; content:!"Content-Type|3A 20|"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/a70a62ac920e83bab5e3e38ac8853ca3f45b6022f4d4ca47c9ae5cb9049700bb/analysis/1406724303/; classtype:trojan-activity; sid:31593; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Glupteba C&C server HELLO request to client"; flow:to_client,established; isdataat:5; isdataat:!6; content:"HELLO|0A|"; metadata:impact_flag red,ruleset community; reference:url,www.virustotal.com/en/file/0bcc2bf3cf06952e18c3e1d9860698dbb3ff1644a0389a9756c1b82b66fb2b83/analysis/; classtype:trojan-activity; sid:31603; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Glupteba C&C server READD command to client"; flow:to_client,established; isdataat:5; isdataat:!6; content:"READD|0A|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; reference:url,www.virustotal.com/en/file/0bcc2bf3cf06952e18c3e1d9860698dbb3ff1644a0389a9756c1b82b66fb2b83/analysis/; classtype:trojan-activity; sid:31604; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Glupteba C&C server READY command to client"; flow:to_client,established; isdataat:5; isdataat:!6; content:"READY|0A|"; metadata:impact_flag red,ruleset community; reference:url,www.virustotal.com/en/file/0bcc2bf3cf06952e18c3e1d9860698dbb3ff1644a0389a9756c1b82b66fb2b83/analysis/; classtype:trojan-activity; sid:31605; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Glupteba payload download request"; flow:to_server,established; http_uri; content:"/software.php?",fast_pattern,nocase; http_header; content:"Accept|3A| */*"; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 7.0|3B| Windows NT 6.1|3B|"; http_uri; pcre:"/\/software\x2ephp\x3f[0-9]{15,}/i"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/0bcc2bf3cf06952e18c3e1d9860698dbb3ff1644a0389a9756c1b82b66fb2b83/analysis/; classtype:trojan-activity; sid:31606; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.Glupteba client response/authenticate to C&C server"; flow:to_server,established; isdataat:14; isdataat:!18; content:"|3A|bpass|0A|",fast_pattern,nocase; pcre:"/[0-9A-Z]{8}\x3abpass\x0a/"; metadata:impact_flag red,ruleset community; reference:url,www.virustotal.com/en/file/0bcc2bf3cf06952e18c3e1d9860698dbb3ff1644a0389a9756c1b82b66fb2b83/analysis/; classtype:trojan-activity; sid:31607; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Tinybanker variant outbound connection"; flow:to_server,established; http_header; content:"User-Agent: Mozilla/5.0 (compatible|3B| MSIE 9.0|3B| Windows NT 6.1|3B| Trident/5.0)|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|Host: ",fast_pattern,nocase; content:"|0D 0A|Content-Length: 13|0D 0A|Connection: Close|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; http_client_body; pcre:"/[^\x20-\x7e\r\n]{3}/"; metadata:impact_flag red,ruleset community; service:http; reference:url,blog.avast.com/2014/07/17/tinybanker-trojan-targets-banking-customers/; reference:url,www.virustotal.com/en/file/b88b978d00b9b3a011263f398fa6a21098aba714db14f7e71062ea4a6b2e974e/analysis/; classtype:trojan-activity; sid:31641; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Tinybanker variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:4; http_uri; content:"/de/",fast_pattern,nocase; http_header; content:"User-Agent: Mozilla/5.0 (compatible|3B| MSIE 9.0|3B| Windows NT 6.1|3B| Trident/5.0)|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|Host: "; content:"Content-Length: 13|0D 0A|Connection: Close|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|",distance 0; metadata:impact_flag red,ruleset community; service:http; reference:url,blog.avast.com/2014/07/17/tinybanker-trojan-targets-banking-customers/; reference:url,www.virustotal.com/en/file/b88b978d00b9b3a011263f398fa6a21098aba714db14f7e71062ea4a6b2e974e/analysis/; classtype:trojan-activity; sid:31642; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Andr.Trojan.Scarelocker outbound connection"; flow:to_server,established; http_uri; content:"/api.php",fast_pattern,nocase; http_header; content:"User-Agent|3A 20|Apache-HttpClient|2F|UNAVAILABLE"; http_client_body; content:"method="; content:"&app_key="; metadata:impact_flag red,ruleset community; service:http; reference:url,malware.dontneedcoffee.com/2014/08/scarepackageknstant.html; reference:url,www.virustotal.com/en/file/ebed6a20738f68787e19eaafc725bc8c76fba6b104e468ddcfb05a4d88a11811/analysis/; classtype:trojan-activity; sid:31644; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:16; http_uri; content:"/boydn/boye.html",fast_pattern,nocase; http_header; content:"User-Agent|3A 20|Mozilla/3.0 (compatible|3B| Indy Library)"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/61cbe9b94bca25503c884bb0c9363b95fac6203534e5b23c5887dde91fbd4951/analysis/1384873658/; classtype:trojan-activity; sid:31649; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Tirabot variant outbound connection"; flow:to_server,established; http_client_body; content:"&string=",fast_pattern,nocase; content:"key=",depth 4; http_header; content:"Content-Type: application/x-www-Form-urlencoded|0D 0A|"; http_uri; content:".php"; pkt_data; pcre:"/User\x2dAgent\x3a\x20([\x20-\x7e]{3,56})\r\n.*?\r\n\r\nkey\x3d\1\x26string\x3d/ms"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/7ea920d297e23cf58e9f00fa3d48e02994253cb4a673bdd6db9a02fa5ab9ffb8/analysis/1407432311/; classtype:trojan-activity; sid:31680; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Badur download attempt"; flow:to_server,established; http_raw_uri; bufferlen:12; http_uri; content:"/support.exe",fast_pattern,nocase; pkt_data; content:".exe HTTP/1.1|0D 0A|Accept: */*|0D 0A|Accept-Encoding: gzip,deflate,sdch|0D 0A|Host: "; http_header; content:") Chrome/",distance 0; content:!"Accept-Language:"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/adf5d662af390ad3a187a1991e0b463327fb8360fd55a27e6f9961c8a84a47c5/analysis/; classtype:trojan-activity; sid:31681; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Badur download attempt"; flow:to_server,established; http_raw_uri; bufferlen:9; http_uri; content:"/tmps.exe",fast_pattern,nocase; http_header; content:"Proxy-Authorization: Basic |0D 0A|"; http_cookie; content:"__cfduid=",depth 9; http_header; content:") Chrome/"; content:!"Accept-"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/840b3b76030696b1ce9eccd5ee6d55dd79c0120871094cb9266769c09f03029c/analysis/; classtype:trojan-activity; sid:31682; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Badur variant outbound connection"; flow:to_server,established; http_uri; content:"/get/?data=",depth 11; http_header; content:"User-Agent: win32|0D 0A|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/840b3b76030696b1ce9eccd5ee6d55dd79c0120871094cb9266769c09f03029c/analysis/; classtype:trojan-activity; sid:31683; rev:2; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IMAGE Microsoft Multiple Products JPEG parser heap overflow attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|00 10|JFIF",depth 6,offset 4; pcre:"/^.{0,100}\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/s"; metadata:policy max-detect-ips drop,ruleset community; service:smtp; reference:bugtraq,11173; reference:cve,2004-0200; reference:url,www.microsoft.com/security/bulletins/200409_jpeg.mspx; classtype:attempted-user; sid:31719; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Banker.Delf variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:11; http_method; content:"POST"; http_uri; content:"/notify.php"; http_header; content:"Content-Length: 0|0D 0A|"; pkt_data; content:" HTTP/1.0|0D 0A|"; http_header; content:"Content-Type: application/x-www-form-urlencoded|0D 0A|"; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| MyApp)|0D 0A 0D 0A|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/dce2799df1da1ad992d37c78ea586dfd0cf673642ecc56ac464fe7a81a6994ca/analysis/; classtype:trojan-activity; sid:31820; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Graftor variant outbound connection"; flow:to_server,established; http_client_body; content:"dados=",depth 6; content:"&ct=",distance 0; content:"/",within 1,distance 2; content:"/201",within 4,distance 2; content:"=",within 1,distance 1; content:"&windows=",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/53ac9c629cf0cc468cfaf77fe4b54f1da7576e0c0327650915b79f9340fa84ff/analysis/; classtype:trojan-activity; sid:31824; rev:3; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Delf variant HTTP Response"; flow:to_client,established; content:"Content-Length: 201|0D 0A|"; file_data; content:"<meta name=|22|token|22| content=|22 A4|",depth 29; content:"|A4 22|/>",within 4,distance 168; pcre:"/^\x3cmeta\x20name\x3d\x22token\x22\x20content\x3d\x22\xa4[A-F\d]{168}\xa4\x22\x2f\x3e$/"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/59e721000aa38a91ed42799e955f9337482c627e0675520aa54dcad068e6e004/analysis/1409846457/; classtype:trojan-activity; sid:31826; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Delf variant outbound connection"; flow:to_server,established; content:"/token/token.html HTTP/1.1|0D 0A|User-Agent: ",fast_pattern,nocase; http_header; content:!"Accept"; content:!"Referer:"; pkt_data; pcre:"/\)\r\nHost\x3a\x20[a-z\d\x2e\x2d]{6,32}\r\nCache\x2dControl\x3a\x20no\x2dcache\r\n\r\n$/"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/59e721000aa38a91ed42799e955f9337482c627e0675520aa54dcad068e6e004/analysis/1409846457/; classtype:trojan-activity; sid:31827; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORTS ( msg:"POLICY-OTHER QLogic Switch 5600/5800 default ftp login attempt"; flow:to_server,established; content:"PASS|20|images|0D 0A|"; flowbits:isset,qlogic_default_ftp; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ftp; reference:url,attack.mitre.org/techniques/T1078; reference:url,filedownloads.qlogic.com/files/Manual/81355/UserGuide_5800V_Series_QuickTools_v80_59264-02B.pdf; reference:url,filedownloads.qlogic.com/files/manual/67941/QuickTools_Guide_Sb5600_Series_v74_59235-03_%5BA%5D.pdf; classtype:default-login-attempt; sid:31830; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORTS ( msg:"POLICY-OTHER QLogic Switch 5600/5800 default ftp login attempt"; flow:to_server,established; content:"USER|20|images|0D 0A|"; flowbits:set,qlogic_default_ftp; flowbits:noalert; metadata:policy balanced-ips alert,policy security-ips alert,ruleset community; service:ftp; reference:url,attack.mitre.org/techniques/T1078; reference:url,filedownloads.qlogic.com/files/Manual/81355/UserGuide_5800V_Series_QuickTools_v80_59264-02B.pdf; reference:url,filedownloads.qlogic.com/files/manual/67941/QuickTools_Guide_Sb5600_Series_v74_59235-03_%5BA%5D.pdf; classtype:default-login-attempt; sid:31831; rev:9; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY JPEG file magic detection"; flow:to_server,established; file_data; content:"|FF D8 FF|",depth 3; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:31871; rev:11; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; http_uri; content:"/trdpr/trde.html",fast_pattern,nocase; http_header; content:"Accept: text/html, */*|0D 0A|User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/61cbe9b94bca25503c884bb0c9363b95fac6203534e5b23c5887dde91fbd4951/analysis/1384873658/; classtype:trojan-activity; sid:31916; rev:3; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Symmi variant HTTP response attempt"; flow:to_client,established; file_data; content:"%set_intercepts%",fast_pattern,nocase; content:"%ban_contact%"; content:"%ebaylive%"; content:"%dep_host%"; content:"%relay_soxid%"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/4c0549384574ae91b68d58d92da3deacfcf714b27fb8d762ce9de8c58990ffb1/analysis/; classtype:trojan-activity; sid:31923; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; http_uri; content:".php?method="; content:"&mode=sox&v=",fast_pattern,nocase; pkt_data; content:" HTTP/1.0|0D 0A|Accept: */*|0D 0A|Connection: close|0D 0A|Host: "; http_header; content:!"User-Agent:"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/4c0549384574ae91b68d58d92da3deacfcf714b27fb8d762ce9de8c58990ffb1/analysis/; classtype:trojan-activity; sid:31924; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Banker variant outbound connection"; flow:to_server,established; http_uri; content:"/notify.php",fast_pattern,nocase; http_header; content:"Accept: text/html, */*|0D 0A|Accept-Encoding: identity|0D 0A|User-Agent: "; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/bf40d710dda1a3ada127d68b34b837eca03a28699cd858cda7d4a3e36690628a/analysis/; classtype:trojan-activity; sid:31964; rev:2; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Astrum exploit kit landing page"; flow:to_client,established; file_data; content:"{(new Image).src=|22|/"; content:"%72%6f%72%72%65%6e%6f",distance 0,fast_pattern; flowbits:set,file.exploit_kit.flash&file.exploit_kit.jar&file.exploit_kit.pdf&file.exploit_kit.silverlight; metadata:ruleset community; service:http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31965; rev:4; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Astrum exploit kit payload delivery"; flow:to_client,established; flowbits:isset,file.exploit_kit.pe; file_data; content:"|D5 B1 F8 24 89 28 15 47|",fast_pattern,nocase; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31966; rev:3; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Astrum exploit kit payload delivery"; flow:to_client,established; flowbits:isset,file.exploit_kit.pe; file_data; content:"|F2 F7 94 75 16 7E 8E 15|",fast_pattern,nocase; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31967; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Astrum exploit kit redirection attempt"; flow:to_server,established; http_uri; bufferlen:>60; http_method; content:"POST"; http_uri; pcre:"/\x2f[\w\x2d]*\x2e+$/m"; http_header; content:"Referer|3A 20|"; content:"x-req|3A 20|",fast_pattern; content:"Connection|3A 20|Keep-Alive|0D 0A|"; content:"Pragma|3A 20|no-cache|0D 0A|"; flowbits:set,file.exploit_kit.flash&file.exploit_kit.jar&file.exploit_kit.pdf&file.exploit_kit.silverlight; metadata:ruleset community; service:http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31970; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Astrum exploit kit multiple exploit download request"; flow:to_server,established; http_uri; bufferlen:>60; pkt_data; content:"GET"; content:".. HTTP/1.",fast_pattern,nocase; http_uri; pcre:"/\x2f[\w\x2d]*\x2e\x2e$/m"; http_header; content:"Connection|3A 20|Keep-Alive|0D 0A|"; flowbits:set,file.exploit_kit.flash&file.exploit_kit.jar&file.exploit_kit.pdf&file.exploit_kit.silverlight; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31971; rev:9; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"EXPLOIT-KIT Astrum exploit kit payload delivery"; flow:to_client,established; flowbits:isset,file.exploit_kit.pe; file_data; content:"|DC C7 5E 47 A0 DB D2 51|",fast_pattern,nocase; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31972; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Chebri variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:10; pkt_data; content:"/index.php HTTP/1.0|0D 0A|Host: google.com|0D 0A|User-Agent: ",fast_pattern,nocase; http_client_body; content:"0=",depth 2; http_header; content:"Accept-Encoding: none|0D 0A 0D 0A|"; pcre:"/User\x2dAgent\x3a\x20[A-F\d]{32}\r\n/"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/db94644fc351fb4a9117b68ab625494daa2ebe36117a8333577d857a7c2d1ec6/analysis/1409853252/; classtype:trojan-activity; sid:31973; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:"%3D%28%29+%7B",fast_pattern,nocase; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:31975; rev:6; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; http_client_body; content:"() {",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; gid:1; sid:31976; rev:6; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; http_uri; content:"() {",fast_pattern,nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:31977; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; http_header; content:"() {",fast_pattern,nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:31978; rev:5; )
alert udp $HOME_NET 67 -> $HOME_NET 68 ( msg:"OS-OTHER Malicious DHCP server bash environment variable injection attempt"; flow:stateless; content:"() {",fast_pattern,nocase; content:"|02 01 06 00|",depth 4; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:31985; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC User-Agent known malicious user-agent string - Install - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: Install|0D 0A|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/ae7f419e0093fd2d4892ea6920aaa2c12c95cede9c97cb0a1f096496d4ff93ea/analysis/; classtype:trojan-activity; sid:31990; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC User-Agent known malicious user-agent string - Treck - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: Treck|0D 0A|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/e295922322324e048657a5b4c0c4c9717a1a127e39ba45a03dc5d4d4bb2e523f/analysis/; classtype:trojan-activity; sid:31991; rev:4; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Fake Delta Ticket HTTP Response phishing attack"; flow:to_client,established; file_data; content:"PK",depth 2; content:"DeltaTicket_ET-RM-",distance 0,nocase; content:".exe",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1192; reference:url,www.satinfo.es/blog/tag/deltaticket_et-rm-0hj423891156-exe; classtype:trojan-activity; sid:32008; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"MALWARE-CNC Linux.Backdoor.Flooder inbound connection attempt - command"; flow:to_client,established; isdataat:!14; content:"|21 2A 20|SCANNER ON",fast_pattern,nocase; metadata:ruleset community; reference:url,www.virustotal.com/en/file/73b0d95541c84965fa42c3e257bb349957b3be626dec9d55efcc6ebcba6fa489/analysis/; classtype:trojan-activity; sid:32009; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 23 ( msg:"MALWARE-CNC Linux.Backdoor.Flooder outbound telnet connection attempt"; flow:to_server,established; content:"/bin/busybox|3B|echo -e |27 5C|147|5C|141|5C|171|5C|146|5C|147|5C|164|27 0D 0A|",fast_pattern,nocase; metadata:ruleset community; service:telnet; reference:url,www.virustotal.com/en/file/73b0d95541c84965fa42c3e257bb349957b3be626dec9d55efcc6ebcba6fa489/analysis/; classtype:trojan-activity; sid:32010; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Linux.Backdoor.Flooder outbound connection"; flow:to_server,established; isdataat:9; isdataat:!10; content:"BUILD X86|0A|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; reference:url,www.virustotal.com/en/file/73b0d95541c84965fa42c3e257bb349957b3be626dec9d55efcc6ebcba6fa489/analysis/; classtype:trojan-activity; sid:32011; rev:5; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; content:"() {",fast_pattern,nocase; content:"MAIL",nocase; content:"FROM|3A|",distance 0,nocase; pcre:"/^\s*?MAIL\s+?FROM\x3a[^\r\n]*?\x28\x29\s\x7b/i"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:smtp; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32038; rev:3; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; content:"() {",fast_pattern,nocase; content:"RCPT",nocase; content:"TO|3A|",distance 0,nocase; pcre:"/^\s*?RCPT\s+?TO\x3a[^\r\n]*?\x28\x29\s\x7b/i"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:smtp; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32039; rev:3; )
alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS ( msg:"OS-OTHER Bash environment variable injection attempt"; flow:stateless; sip_header; content:"() {"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:sip; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32041; rev:4; )
alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS ( msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; sip_header; content:"() {"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:sip; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32042; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; content:"USER ",depth 5; content:"() {",fast_pattern,nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ftp; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32043; rev:3; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Asprox inbound connection"; flow:to_client,established; http_header; content:"Content-Length: 30"; file_data; content:"|3C|html|3E 3C|body|3E|hi!|3C 2F|body|3E 3C 2F|html|3E|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/8ba8292eaa47967618c2376afe524736f4fa7eec15ed9cca17abfca692d26fe4/analysis/; classtype:trojan-activity; sid:32065; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Asprox outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:20<=>23; http_uri; content:"/b/pkg/T202",depth 11,fast_pattern; http_header; content:"UA-CPU: "; pkt_data; content:"Connection: Keep-Alive|0D 0A 0D 0A|"; http_uri; pcre:"/\x2fb\x2fpkg\x2fT202[0-9a-z]{10}/"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/8ba8292eaa47967618c2376afe524736f4fa7eec15ed9cca17abfca692d26fe4/analysis/; classtype:trojan-activity; sid:32066; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Asprox outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:46<=>51; http_uri; content:"/x/",depth 3,fast_pattern; pkt_data; content:"UA-CPU: "; content:"Connection: Keep-Alive|0D 0A 0D 0A|"; http_uri; pcre:"/\x2fx\x2f[0-9a-z]{8,10}\x2f[0-9a-f]{32}\x2fAA\x2f0$/"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/8ba8292eaa47967618c2376afe524736f4fa7eec15ed9cca17abfca692d26fe4/analysis/; classtype:trojan-activity; sid:32067; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; content:"PASS ",depth 5; content:"() {",fast_pattern,nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ftp; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32069; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zemot configuration download attempt"; flow:to_server,established; http_uri; content:"/mod_"; content:"/soft"; content:".dll",fast_pattern,nocase; http_header; content:"Connection|3A 20|Close|0D 0A|"; content:"Cache-Control|3A 20|no-cache|0D 0A|"; content:!"Referer"; http_uri; pcre:"/\x2fsoft(64|32)\x2edll$/"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/8ba8292eaa47967618c2376afe524736f4fa7eec15ed9cca17abfca692d26fe4/analysis/; classtype:trojan-activity; sid:32072; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zemot outbound connection"; flow:to_server,established; http_uri; content:"/b/shoe/",fast_pattern,nocase; http_header; content:"Connection|3A 20|Close|0D 0A|"; content:"Cache-Control|3A 20|no-cache|0D 0A|"; content:!"Referer"; http_uri; pcre:"/\x2fb\x2fshoe\x2f[0-9]{3,5}$/"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/8ba8292eaa47967618c2376afe524736f4fa7eec15ed9cca17abfca692d26fe4/analysis/; classtype:trojan-activity; sid:32073; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zemot payload download attempt"; flow:to_server,established; http_uri; content:"/mod_articles-auth-",depth 19,fast_pattern; content:"/jquery/",within 8,distance 7; http_header; content:"Accept: */*|0D 0A|Connection|3A 20|Close|0D 0A|"; content:"Cache-Control|3A 20|no-cache|0D 0A|"; content:!"Referer"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/8ba8292eaa47967618c2376afe524736f4fa7eec15ed9cca17abfca692d26fe4/analysis/; classtype:trojan-activity; sid:32074; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; http_uri; content:"/beta/order.php",fast_pattern,nocase; pkt_data; content:" HTTP/1.1|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/"; http_header; content:"|3B 20|MSIE|20|",distance 0; content:"|29 0D 0A|Host:",distance 0; content:!"Accept"; content:!"|0D 0A|Referer:"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:32130; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET [53,80,443,5432] ( msg:"MALWARE-CNC WIN.Trojan.Plugx variant outbound connection"; flow:to_server,established; content:"HHV1:"; content:"HHV2:",within 20; content:"HHV3: 61456",within 20,fast_pattern; content:"HHV4:",within 20; metadata:impact_flag red,ruleset community; service:dns,http,ssl; reference:url,virustotal.com/en/file/4d464f9def2276dac15d19ccf049b7c68642290bc0e345e06d4b6e9103fde9e6/analysis/; classtype:trojan-activity; sid:32179; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"MALWARE-CNC Win.Backdoor.ZxShell connection incoming attempt"; flow:to_client,established; isdataat:15; isdataat:!16; content:"|85 19 00 00 25 04 00 00|",depth 8; metadata:impact_flag red,ruleset community; reference:url,virustotal.com/en/file/438ed90e1f69b5dcae2d30d241159aaed74f9d3125c60f1003915b2237978f7d/analysis/; classtype:trojan-activity; sid:32180; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Backdoor.ZxShell connection outgoing attempt"; flow:to_server,established; isdataat:15; isdataat:!16; content:"|86 19 00 00 04 01 00 00|",depth 8; metadata:impact_flag red,ruleset community; reference:url,virustotal.com/en/file/438ed90e1f69b5dcae2d30d241159aaed74f9d3125c60f1003915b2237978f7d/analysis/; classtype:trojan-activity; sid:32181; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.Zxshell variant outbound connection"; flow:to_server,established; content:"|20|OS|3A 20|"; content:"|20|CPU|3A|",distance 0; content:"Hz,RAM|3A|",distance 0; metadata:impact_flag red,ruleset community; reference:url,www.virustotal.com/en/file/547044cb73f1c18ccd92cd28afded37756f749a9338ed7c04306c1de46889d6b/analysis/; classtype:trojan-activity; sid:32192; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Graftor variant outbound connection"; flow:to_server,established; http_client_body; content:"form-data|3B| name=|22|PLUG|22 0D 0A|",fast_pattern,nocase; content:"form-data|3B| name=|22|PC|22 0D 0A|"; content:"form-data|3B| name=|22|SEG|22 0D 0A|",distance 0; http_header; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A|"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/f7215718184d5fa1a2057e5dd714d3cdbd00fe924334ecdd3cd5662c3c284d90/analysis/; classtype:trojan-activity; sid:32196; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Cryptowall variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:27; http_uri; content:"/blog-trabajos/n65dj17i1836",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/f75b9ed535c3b33ead4da28854f3e8d6e805135679a2352463184acb06ffcaf0/analysis/; classtype:trojan-activity; sid:32225; rev:3; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"BROWSER-FIREFOX Mozilla 1.0 Javascript arbitrary cookie access attempt"; flow:to_server,established; file_data; content:"javascript|3A|//",fast_pattern,nocase; content:"document.cookie",nocase; metadata:policy max-detect-ips drop,ruleset community; service:smtp; reference:bugtraq,5293; reference:cve,2002-2314; classtype:attempted-user; sid:32244; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Hydraq.variant outbound detected"; flow:to_server,established; http_uri; content:"/info.xml"; http_header; content:"Host:"; content:"update-adobe.com",within 30; metadata:ruleset community; service:http; classtype:trojan-activity; sid:32250; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"MALWARE-OTHER Sinkhole reply - irc-sinkhole.cert.pl"; flow:to_client,established; content:"|3A|irc|2D|sinkhole|2E|cert|2E|pl",fast_pattern,nocase; content:"|3A|End of MOTD command|2E|"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; classtype:trojan-activity; sid:32260; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:" () {",depth 50; http_uri; bufferlen:>0; pkt_data; content:!"HTTP/"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32335; rev:2; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; content:"() {"; content:"}",within 25; pcre:"/^[\w\x2d\x5f]+?\x3a\s*?\x28\x29\s\x7b/im"; metadata:policy max-detect-ips drop,ruleset community; service:smtp; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32366; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.GameOverZeus variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:<10; http_uri; content:"/update"; http_method; content:"POST"; http_header; content:"|0D 0A|Accept-Encoding:|0D 0A|Connection: close|0D 0A|Content-Length: ",fast_pattern,nocase; content:!"User-Agent:"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/d866214d1f921028f9001ae399e9f8dec32ec8998c84d20d60a992164888a6fc/analysis; classtype:trojan-activity; sid:32367; rev:3; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-OTHER AOL Instant Messenger goaway message buffer overflow attempt"; flow:to_server,established; file_data; content:"aim|3A|goaway?message=",nocase; isdataat:500,relative; pcre:"/\x22aim\x3Agoaway\x3Fmessage\x3D[^\x22]{500}|\x27aim\x3Agoaway\x3Fmessage\x3D[^\x27]{500}|aim\x3Agoaway\x3Fmessage\x3D[^\s]{500}/i"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:smtp; reference:bugtraq,10889; reference:cve,2004-0636; classtype:misc-attack; sid:32370; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Androm variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:13; http_method; content:"POST"; http_uri; content:"/and/gate.php",fast_pattern,nocase; http_header; content:"User-Agent: Mozilla/4.0|0D 0A|"; metadata:impact_flag red,ruleset community; service:http; reference:url,malwr.com/analysis/ZmE3ZWU2YTkyM2U0NGQ0MmI1NDcxMjUwZDE2NTM5MjQ/; classtype:trojan-activity; sid:32374; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 ( msg:"FILE-IDENTIFY bmp file attachment detected"; flow:to_server,established; content:".bmp",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*\x2ebmp/i"; flowbits:set,file.bmp; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; reference:url,en.wikipedia.org/wiki/BMP_file_format; classtype:misc-activity; sid:32378; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 ( msg:"FILE-IDENTIFY dib file attachment detected"; flow:to_server,established; content:".dib",fast_pattern,nocase; content:"Content-Disposition: attachment|3B|"; content:"filename=",nocase; pcre:"/filename=[^\n]*\x2edib/i"; flowbits:set,file.bmp; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; reference:url,en.wikipedia.org/wiki/BMP_file_format; classtype:misc-activity; sid:32380; rev:12; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"EXPLOIT-KIT Nuclear exploit kit outbound structure"; flow:to_server,established; http_uri; content:"/f/",depth 3; pcre:"/^\/f(\/[^\x2f]+)?\/14\d{8}(\/\d{9,10})?(\/\d)+(\/x[a-f0-9]+(\x3b\d)+?)?$/"; flowbits:set,file.exploit_kit.pe; metadata:ruleset community; service:http; classtype:trojan-activity; sid:32386; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:16; http_uri; content:"/cbrry/cbre.html",fast_pattern,nocase; http_header; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/7c110c2d125a4100322bd9c4328d0a01259cb00a4e3709815711b8b364a58bdd/analysis/1415285838/; classtype:trojan-activity; sid:32583; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; http_client_body; content:"plug=NAO",fast_pattern,nocase; pkt_data; content:".php HTTP/1.0|0D 0A|"; http_header; content:"Content-Length: 8"; metadata:impact_flag red,ruleset community; service:http; reference:url,malwr.com/analysis/NDUwYTczYzQ0YWMwNGM2Yjk5MDc5YmU4Yjg5MzY5OWY/; reference:url,www.virustotal.com/en/file/d34644047c451081e9332e18600dba25aed42ff76f96fc51cb3eada95ba57e59/analysis/; classtype:trojan-activity; sid:32584; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Geodo variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:1; http_header; content:"User-Agent: Mozilla/4.0 (compatible|3B|MSIE 7.0|3B|Windows NT 6.0)|0D 0A|",fast_pattern,nocase; content:!"Accept-Language:"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/330b408173d45365dd6372bc659ebdd54b9eb18b323079da9552c4e3d8e62d1e/analysis/; classtype:trojan-activity; sid:32604; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Worm.Jenxcus variant outbound connection"; flow:to_server,established; http_uri; content:"/seo.php?username=MAREYOLE&format=ptp",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/8538cbb2271f90c57f57150d714ec92e59869f52c7060bb2ab1f57ef6757321d/analysis/; classtype:trojan-activity; sid:32605; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Sodebral variant outbound connection"; flow:to_server,established; http_uri; content:"/verifica/index.php?id=",fast_pattern,nocase; http_header; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32606; rev:3; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; isdataat:!193; content:"INTERNACIONAL",depth 13; http_header; content:!"Content-Length"; content:"Transfer-Encoding: chunked"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32607; rev:3; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; isdataat:!193; content:"BRASIL",depth 6; http_header; content:!"Content-Length"; content:"Transfer-Encoding: chunked"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32608; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC User-Agent known malicious user-agent string RUpdate"; flow:to_server,established; content:"User-Agent: RUpdate|0D 0A|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/0d68f1d3855543a4732e551e9e4375a2cd85d9ab11a86334f67ad99c5f6990a0/analysis/; classtype:trojan-activity; sid:32645; rev:3; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"INDICATOR-COMPROMISE Potential malware download - _pdf.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"_pdf.exe",fast_pattern,nocase; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/0d68f1d3855543a4732e551e9e4375a2cd85d9ab11a86334f67ad99c5f6990a0/analysis/; classtype:trojan-activity; sid:32646; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Chopstick variant outbound request"; flow:to_server,established; http_uri; content:"/search?btnG="; content:"utm=",distance 0; content:"ai=",distance 0; http_client_body; content:!".",depth 20; content:!"|22|",depth 20; content:!"|3A|",depth 20; isdataat:500,relative; metadata:impact_flag red,ruleset community; service:http; reference:url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aae459dca98dc8216965/analysis/; classtype:trojan-activity; sid:32665; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Chopstick variant outbound request"; flow:to_server,established; http_uri; content:"/webhp?rel="; content:"hl=",distance 0; content:"ai=",distance 0; http_client_body; content:!".",depth 20; content:!"|22|",depth 20; content:!"|3A|",depth 20; isdataat:500,relative; metadata:impact_flag red,ruleset community; service:http; reference:url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aae459dca98dc8216965/analysis/; classtype:trojan-activity; sid:32667; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Dropper.Ch variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/tasks.php",fast_pattern,nocase; http_header; content:"Content-length:"; content:"Content-type:"; content:!"Accept"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/3d8f05f45f8335198e5488716be2a9c5cebead7d0321bc371fa475d689ffe658/analysis/; classtype:trojan-activity; sid:32670; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET [8000,8080] ( msg:"MALWARE-CNC Win.Trojan.Wiper variant outbound connection"; flow:to_server,established; isdataat:41; isdataat:!42; content:"(|00|",depth 2; content:"|04 00 00 00|",within 4,distance 36; metadata:impact_flag red,ruleset community; reference:url,virustotal.com/en/file/e2ecec43da974db02f624ecadc94baf1d21fd1a5c4990c15863bb9929f781a0a/analysis/; classtype:trojan-activity; sid:32674; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC FIN4 VBA Macro credentials upload attempt"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/report.php?msg=",fast_pattern,nocase; content:"&uname="; content:"&pword="; http_header; content:"Content-Length|3A 20|0|0D 0A|"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/url/536ed7236769b9a5f09b2a31ab138fbad7331108cb65e1f4c77d129df7fb7764/analysis/; classtype:trojan-activity; sid:32776; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Darkhotel outbound connection"; flow:to_server,established; http_uri; content:"/images/view.php",fast_pattern,nocase; http_header; content:"User-Agent|3A 20|"; content:"Media Center PC 6.0",within 175; content:!"Accept|3A 20|"; content:!"Referer|3A 20|"; metadata:impact_flag red,ruleset community; service:http; reference:url,securelist.com/files/2014/11/darkhotel_kl_07.11.pdf; reference:url,securelist.com/files/2014/11/darkhotelappendixindicators_kl.pdf; classtype:trojan-activity; sid:32823; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Darkhotel variant outbound connection"; flow:to_server,established; http_uri; content:"/txt/read.php",fast_pattern,nocase; http_header; content:"User-Agent|3A 20|"; content:"Media Center PC 6.0",within 175; content:!"Accept|3A 20|"; content:!"Referer|3A 20|"; metadata:impact_flag red,ruleset community; service:http; reference:url,securelist.com/files/2014/11/darkhotel_kl_07.11.pdf; reference:url,securelist.com/files/2014/11/darkhotelappendixindicators_kl.pdf; classtype:trojan-activity; sid:32824; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Darkhotel outbound connection"; flow:to_server,established; http_uri; content:"/bin/read_i.php?"; content:"a1="; content:"&a2=step2-down",fast_pattern,nocase; content:"&a3="; content:"&a4="; metadata:impact_flag red,ruleset community; service:http; reference:url,securelist.com/files/2014/11/darkhotel_kl_07.11.pdf; reference:url,securelist.com/files/2014/11/darkhotelappendixindicators_kl.pdf; classtype:trojan-activity; sid:32825; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Darkhotel data upload attempt"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/html/docu.php"; http_header; content:"User-Agent|3A 20|"; content:"Media Center PC 6.0",within 175; metadata:impact_flag red,ruleset community; service:http; reference:url,securelist.com/files/2014/11/darkhotel_kl_07.11.pdf; reference:url,securelist.com/files/2014/11/darkhotelappendixindicators_kl.pdf; classtype:trojan-activity; sid:32826; rev:2; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Darkhotel response connection attempt"; flow:to_client,established; file_data; content:"DEXT87"; pcre:"/DEXT87(no|up|\d+\x2e\d+\x2e\d+\x2e\d+)/i"; metadata:impact_flag red,ruleset community; service:http; reference:url,securelist.com/files/2014/11/darkhotel_kl_07.11.pdf; reference:url,securelist.com/files/2014/11/darkhotelappendixindicators_kl.pdf; classtype:trojan-activity; sid:32827; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"APP-DETECT Absolute Software Computrace outbound connection - 209.53.113.223"; flow:to_server,established; http_header; content:"Host|3A| 209.53.113.223|0D 0A|",fast_pattern,nocase; content:"TagId: "; metadata:ruleset community; service:http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; gid:1; sid:32845; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"APP-DETECT Absolute Software Computrace outbound connection - absolute.com"; flow:to_server,established; http_header; content:".absolute.com|0D 0A|",fast_pattern,nocase; content:"TagId: "; pcre:"/^m\d+\.absolute\.com$/i"; metadata:ruleset community; service:http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; gid:1; sid:32846; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"APP-DETECT Absolute Software Computrace outbound connection - bh.namequery.com"; flow:to_server,established; http_header; content:"Host|3A| bh.namequery.com|0D 0A|",fast_pattern,nocase; content:"TagId: "; metadata:ruleset community; service:http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; gid:1; sid:32847; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"APP-DETECT Absolute Software Computrace outbound connection - namequery.nettrace.co.za"; flow:to_server,established; http_header; content:"Host|3A| namequery.nettrace.co.za|0D 0A|",fast_pattern,nocase; content:"TagId: "; metadata:ruleset community; service:http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; gid:1; sid:32848; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com"; flow:to_server,established; http_header; content:"Host|3A| search.us.namequery.com|0D 0A|",fast_pattern,nocase; content:"TagId: "; metadata:ruleset community; service:http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; gid:1; sid:32849; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com"; flow:to_server,established; http_header; content:"Host|3A| search2.namequery.com|0D 0A|",fast_pattern,nocase; content:"TagId: "; metadata:ruleset community; service:http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; gid:1; sid:32850; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com"; flow:to_server,established; http_header; content:"Host|3A| search64.namequery.com|0D 0A|",fast_pattern,nocase; content:"TagId: "; metadata:ruleset community; service:http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; gid:1; sid:32851; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Poolfiend variant outbound connection"; flow:to_server,established; http_uri; content:"/11/form.php",fast_pattern,nocase; http_method; content:"POST"; http_header; content:!"Accept"; http_client_body; pcre:"/[a-z\d\x2f\x2b\x3d]{100}/AGi"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/12a803cd2f67d2dbdc3fb1a6940b9a11b61f6d8455f139e6e90893d9a4eb455a/analysis/; classtype:trojan-activity; sid:32852; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Poolfiend variant outbound connection"; flow:to_server,established; http_uri; content:"/11/feed.php",fast_pattern,nocase; http_method; content:"POST"; http_header; content:!"Accept"; http_client_body; pcre:"/[a-z\d\x2f\x2b\x3d]{100}/AGi"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/12a803cd2f67d2dbdc3fb1a6940b9a11b61f6d8455f139e6e90893d9a4eb455a/analysis/; classtype:trojan-activity; sid:32853; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"INDICATOR-COMPROMISE Potential Redirect from Compromised WordPress site to Fedex - Spammed Malware Download attempt"; flow:to_server,established; http_raw_uri; bufferlen:1; http_method; content:"GET"; http_header; content:"/wp-admin/",fast_pattern,nocase; content:"Host: www.fedex.com|0D 0A|"; pcre:"/Referer\x3a\x20[\x20-\x7E]*?\/wp\x2dadmin\/[a-z\d\x2d]+?\.php\r\n/i"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.hybrid-analysis.com/sample/a531bc62b0460eba5b0003b535a2e9cceae0b623aecfdc6f0331743fbee77e56/; classtype:trojan-activity; sid:32888; rev:2; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IMAGE Microsoft and libpng multiple products PNG large image width overflow attempt"; flow:to_server,established; flowbits:isset,file.png; file_data; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR",within 8; byte_test:4,>,32767,0,relative; metadata:policy max-detect-ips drop,ruleset community; service:smtp; reference:bugtraq,11523; reference:cve,2004-0990; reference:cve,2004-1244; reference:cve,2007-5503; reference:url,sourceforge.net/p/png-mng/mailman/message/33173462/; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-009; classtype:attempted-user; sid:32889; rev:2; )
alert tcp $EXTERNAL_NET 488 -> $HOME_NET any ( msg:"MALWARE-BACKDOOR Win.Trojan.Wiper inbound communication attempt"; flow:to_client,established; content:"|60 DB 37 37 37 37 37 37|",fast_pattern,nocase; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32911; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 488 ( msg:"MALWARE-BACKDOOR Win.Trojan.Wiper outbound communication attempt"; flow:to_server,established; content:"|60 DB 37 37 37 37 37 37|",fast_pattern,nocase; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32912; rev:2; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-BACKDOOR Win.Trojan.Wiper download attempt"; flow:to_client,established; file_data; content:"|4C 4C|",depth 2,offset 16; content:"|75 14 2A 2A|",within 4,distance 4; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32913; rev:2; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-BACKDOOR Win.Trojan.Wiper download attempt"; flow:to_client,established; file_data; content:"|8A 10 80 C2 67 80 F2 24 88 10|",fast_pattern,nocase; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32914; rev:2; )
alert tcp $EXTERNAL_NET 488 -> $HOME_NET any ( msg:"MALWARE-BACKDOOR Win.Trojan.Wiper inbound communication attempt"; flow:to_client,established; content:"|65 DB 37 37 37 37 37 37|",fast_pattern,nocase; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32915; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 488 ( msg:"MALWARE-BACKDOOR Win.Trojan.Wiper outbound communication attempt"; flow:to_server,established; content:"|65 DB 37 37 37 37 37 37|",fast_pattern,nocase; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32916; rev:2; )
alert tcp $EXTERNAL_NET [547,8080,133,117,189,159] -> $HOME_NET any ( msg:"MALWARE-BACKDOOR Win.Trojan.Wiper inbound communication attempt"; flow:to_client,established; content:"|7B 08 2A 2A|",offset 17; content:"|08 2A 2A 01 00|",distance 0; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32917; rev:2; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-BACKDOOR Win.Trojan.Wiper download attempt"; flow:to_client,established; file_data; content:"Sleepy!@#qaz13402scvsde890",fast_pattern,nocase; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32918; rev:2; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.Wiper download attempt"; flow:to_client,established; file_data; content:"|C9 06 D9 96 FC 37 23 5A FE F9 40 BA 4C 94 14 98|",depth 16; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32919; rev:2; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.Wiper download attempt"; flow:to_client,established; file_data; content:"|AA 64 BA F2 56|",depth 50; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32920; rev:2; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.Wiper download attempt"; flow:to_client,established; file_data; content:"|AA 74 BA F2 B9 75|",depth 74; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32921; rev:2; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|0C 1F 1F 1F 4D 5A 4C 4F 50 51 4C 5A 3F 2D 2F 2F 3F 50 54 3E 3E 3E|",depth 22; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32922; rev:2; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|D3 C4 D2 D1 CE CF D2 C4 A1 B3 B1 B1 A1 CE CA A0 A0 A0|",depth 18; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32923; rev:2; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|17 08 14 13 67 0F 13 13 17 67 15 02 16 12 02 14 13 78 47 47|",depth 24; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32924; rev:2; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|4F 50 4C 4B 3F 57 4B 4B 4F 3F 4D 5A 4E 4A 5A 4C 4B 20 1F|",depth 23; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32925; rev:2; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|15 02 14 17 08 09 14 02 67 75 77 77 67 08 0C 66 66 66|",depth 22; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32926; rev:2; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|09 22 33 30 28 35 2C|",fast_pattern,nocase; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32927; rev:2; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|13 2F 22 35 22 67 26 35 22 29 27 33 67 28 37 22 29 67 37 28 35 33 34 69|",fast_pattern,nocase; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32928; rev:2; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|43 47 47 47 45 67 47 47 43 47 47 47 44 67 47 47|",fast_pattern,nocase; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32929; rev:2; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|43 47 47 47 42 67 47 47 43 47 47 47 4F 67 47 47 43 47 47 47 43 67 47 47 43 47 47 47 4E 67 47 47|",fast_pattern,nocase; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32930; rev:2; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|D1 CE D2 D5 A1 C9 D5 D5 D1 A1 D3 C4 D0 D4 C4 D2 D5 BE|",depth 18; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32931; rev:2; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|17 08 14 13 67 0F 13 13 17 67 15 02 16 12 02 14 13 78|",depth 18; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32932; rev:2; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|0C 1F 1F 1F 4F 50 4C 4B 3F 57 4B 4B 4F 3F 4D 5A 4E 4A 5A 4C 4B 20|",fast_pattern,nocase; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32933; rev:2; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.Wiper download attempt"; flow:to_client,established; file_data; content:"|8A 10 80 EA 62 80 F2 B4 88 10|",fast_pattern,nocase; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32934; rev:2; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Win.Trojan.Wiper download attempt"; flow:to_client,established; file_data; content:"|8A 10 80 C2 4E 80 F2 79 88 10|",fast_pattern,nocase; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32935; rev:2; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-TOOLS Win.Trojan.Wiper proxy tools download attempt"; flow:to_client,established; file_data; content:"|8A 10 80 C2 3A 80 F2 73 88 10|",fast_pattern,nocase; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32936; rev:2; )
alert tcp any any -> any any ( msg:"MALWARE-TOOLS Win.Trojan.Wiper proxy communication attempt"; flow:established; content:!"HTTP/1"; content:"|E2 1D 49 49|",depth 4,fast_pattern; content:"|49 49 49 49|",within 4,distance 4; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32937; rev:2; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-TOOLS Win.Trojan.Wiper proxy tool download attempt"; flow:to_client,established; file_data; content:"|82 F4 DE D4 D3 C2 CA F5 C8 C8 D3 82 FB F4 DE D4 D3 C2 CA 94 95 FB D4 D1 C4 CF C8 D4 D3 89 C2 DF C2 87 8A CC 87 00|",fast_pattern,nocase; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32938; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Android.CoolReaper.Trojan outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/dmp/api/",fast_pattern,nocase; http_header; content:"User-Agent|3A 20|UAC/1.0.0 (Android "; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/94b3d27488d10ec2dd73f39513a6d7845ab50b395d6b3adb614b94f8a8609f0e/analysis/; classtype:trojan-activity; sid:32956; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.TinyZBot outbound SOAP connection attempt"; flow:to_server,established; http_method; content:"POST"; http_raw_uri; bufferlen:17; http_uri; content:"/checkupdate.asmx",fast_pattern,nocase; http_header; content:"SOAPAction|3A 20|"; pkt_data; content:"User-Agent|3A 20|Mozilla/4.0|20 28|compatible|3B 20|MSIE 6.0|3B 20|MS Web Services Client Protocol"; pcre:"/SOAPAction\x3a[^\r\n]*Get(ServerTime|FileList|File)\x22/i"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/0d1f479842cd5bde4f18ab8c85a099da39e13a4051a7c21334e33d55b6f18d76/analysis/; classtype:trojan-activity; sid:32957; rev:2; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.TinyZBot response connection attempt"; flow:to_client,established; file_data; content:"<?xml"; content:"<soap:Body><GetFileListResponse xmlns=|22|http|3A 2F 2F|",within 70,distance 200; content:"<GetFileListResult><string>[ALL]__",within 75,fast_pattern; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/0d1f479842cd5bde4f18ab8c85a099da39e13a4051a7c21334e33d55b6f18d76/analysis/; classtype:trojan-activity; sid:32958; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kuluos variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/w1/feed.php",fast_pattern,nocase; http_raw_uri; bufferlen:12; http_header; content:!"Connection|3A 20|"; content:!"Accept"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/48936d3242ccd9decedf1057b08eacf5f952efeb1b7bb2f354bb02028a361ac2/analysis/; classtype:trojan-activity; sid:32976; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kuluos variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/w1/form.php",fast_pattern,nocase; http_raw_uri; bufferlen:12; http_header; content:!"Connection|3A 20|"; content:!"Accept"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/48936d3242ccd9decedf1057b08eacf5f952efeb1b7bb2f354bb02028a361ac2/analysis/; classtype:trojan-activity; sid:32977; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC User-Agent known malicious user-agent string - realupdate - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: realupdate|0D 0A|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; classtype:trojan-activity; sid:33047; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"MALWARE-CNC Win.Backdoor.Medusa variant inbound connection"; flow:to_client,established; isdataat:!509; content:"|00|U|00|n|00|d|00|e|00|r|00 20 00|C|00|o|00|n|00|s|00|t|00|r|00|u|00|c|00|t|00|i|00|o|00|n|00|<|00|/"; content:"|00 22 00 3E 00|w|00|w|00|w|00|.|00|m|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00 2E 00|c|00|o|00|m|00 3C|",distance 0; metadata:impact_flag red,ruleset community; service:http; classtype:trojan-activity; sid:33058; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Backdoor.Medusa variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/bbc_mirror/"; content:"search?id=",distance 0; metadata:impact_flag red,ruleset community; service:http; classtype:trojan-activity; sid:33059; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Backdoor.Medusa variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"CNN_Mirror/EN"; content:"search?id=",distance 0; metadata:impact_flag red,ruleset community; service:http; classtype:trojan-activity; sid:33060; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Heur variant outbound connection"; flow:to_server,established; http_method; content:"GET"; http_raw_uri; bufferlen:17; http_uri; content:"/01/WindowsUpdate",fast_pattern,nocase; http_header; content:!"User-Agent:"; content:!"Accept"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/2fb5c3859df3b46cc7e2e2176654cb7e5f739f2bc9faf3e813736b37c6d3b6bc/analysis/; classtype:trojan-activity; sid:33153; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC User-Agent known malicious user-agent string - Mazilla/5.0 - Win.Backdoor.Upatre"; flow:to_server,established; content:"User-Agent: Mazilla/5.0|0D 0A|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; classtype:trojan-activity; sid:33207; rev:4; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"PUA-ADWARE SoftPulse variant HTTP response attempt"; flow:to_client,established; file_data; content:",|22|installerBehavior|22|:{|22|hideOnInstall|22|:",fast_pattern,nocase; content:"{|22|time|22|:"; content:"|22|country|22|",within 30; content:",|22|countryId|22|:",within 20; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:url,www.virustotal.com/en/file/7aa774bffa2eb38c691774c1cc59e0adf6186da62afc417baa6333670e1e3011/analysis/1421687954/; classtype:trojan-activity; sid:33212; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Gamarue variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:9; http_method; content:"POST"; http_uri; content:"/2ldr.php",fast_pattern,nocase; http_header; content:"User-Agent: Mozilla/4.0|0D 0A|"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/eefe5370b09a32a7b295c136073a8560958c4a58822a7da5b501a10543266c6e/analysis/1421697833/; classtype:trojan-activity; sid:33219; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] ( msg:"MALWARE-CNC Win.Trojan.HawkEye keylogger exfiltration attempt"; flow:to_server,established; content:"HawkEye Keylogger",fast_pattern,nocase; content:"Subject: =?utf-8?B"; metadata:impact_flag red,ruleset community; service:smtp; reference:url,attack.mitre.org/techniques/T1020; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/f4499928a6fee5d37fb711ed6d68708bf116cfc7f284d3295dd30ded7ecf64b2/analysis/; classtype:trojan-activity; sid:33220; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] ( msg:"MALWARE-CNC Win.Trojan.HawkEye Keylogger exfiltration attempt - clipboard and screenshot"; flow:to_server,established; content:"Subject|3A 20|=?utf-8?B?",fast_pattern; content:"=?=|0D 0A|",within 150; flowbits:set,hawk.lgr; flowbits:noalert; metadata:ruleset community; service:smtp; reference:url,attack.mitre.org/techniques/T1020; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/f4499928a6fee5d37fb711ed6d68708bf116cfc7f284d3295dd30ded7ecf64b2/analysis/; classtype:trojan-activity; sid:33221; rev:8; )
alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] ( msg:"MALWARE-CNC Win.Trojan.HawkEye Keylogger exfiltration attempt - clipboard and screenshot"; flow:to_server,established; flowbits:isset,hawk.lgr; content:"=0D=0AClipboard",fast_pattern,nocase; content:"=0D=0AKeyboard",nocase; metadata:impact_flag red,ruleset community; service:smtp; reference:url,attack.mitre.org/techniques/T1020; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/f4499928a6fee5d37fb711ed6d68708bf116cfc7f284d3295dd30ded7ecf64b2/analysis/; classtype:trojan-activity; sid:33222; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] ( msg:"MALWARE-CNC Win.Trojan.HawkEye Keylogger exfiltration attempt - clipboard and screenshot"; flow:to_server,established; flowbits:isset,hawk.lgr; content:"name=screenshot",fast_pattern,nocase; pcre:"/name\x3dscreenshot\d+\x2e/i"; metadata:impact_flag red,ruleset community; service:smtp; reference:url,attack.mitre.org/techniques/T1020; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/f4499928a6fee5d37fb711ed6d68708bf116cfc7f284d3295dd30ded7ecf64b2/analysis/; classtype:trojan-activity; sid:33223; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"INDICATOR-COMPROMISE Win.Trojan.Blocker variant outbound connection attempt"; flow:to_server,established; http_header; content:"User-Agent: Mozilla/5.0 (Windows NT 6.3|3B| WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36|0D 0A|Host: checkip.dyndns.org|0D 0A|",fast_pattern,nocase; content:!"Accept"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/79b75a8564e2e446789e1890f52c025792de919b63719e02630a70d6ae9a3ca4/analysis/1421439683/; classtype:misc-activity; sid:33224; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Agent.BHHK variant outbound connection"; flow:to_server,established; isdataat:135; isdataat:!136; http_raw_uri; bufferlen:1; pkt_data; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 6.0)|0D 0A|Host: windowsupdate.microsoft.com|0D 0A|Connection: Close|0D 0A 0D 0A|",fast_pattern,nocase; http_header; content:!"Accept"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/cab1fffe7a34b5bb7dab2cacd406cf15628d835ab63502d28df78c2faeaad366/analysis/1421677054/; classtype:trojan-activity; sid:33227; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kovter variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/form2.php",fast_pattern,nocase; http_header; content:!"Accept"; http_client_body; pcre:"/[a-z\d\x2f\x2b\x3d]{100,300}/i"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/599dc4c4dae2d12f8c8ea00114c1cbddecbc171c552e7fbe5aba516ef11b08f0/analysis/; classtype:trojan-activity; sid:33228; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Upatre variant outbound connection"; flow:to_server,established; http_uri; content:"/js/jquery-",fast_pattern; content:".js?",within 15,distance 1; pcre:"/\x2ejs\x3f[a-zA-Z0-9]{9,20}=Mozilla\x2f/Gi"; http_header; content:"Referer|3A 20|"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/7a06565bb9d49aa92084b5bc32cf59d04dc1d60d63827099ca7c14063f54967a/analysis/1421616162/; classtype:trojan-activity; sid:33282; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; http_uri; content:"/r1xpr/r1xe.html",fast_pattern,nocase; http_header; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A|"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/4ca26daa7cfb81c8ee05c955f19ef527a9452f2dad3c63674afa7f6796d96f02/analysis/; classtype:trojan-activity; sid:33443; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.SpyBanker variant outbound connection"; flow:to_server,established; http_uri; content:"/m343ff4ufbnmm4uu4nf34m443frr/",fast_pattern,nocase; http_header; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A|"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/66e69ff2c4881a1c95eccd287af3b8db692fd5c9df3caee464f8b4125d46c1a4/analysis/; classtype:trojan-activity; sid:33444; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.FileEncoder IP geolocation checkin attempt"; flow:to_server,established; isdataat:213; isdataat:!214; http_raw_uri; bufferlen:1; pkt_data; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B| SV1|3B| .NET4.0C|3B| .NET4.0E|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.0.4506.2152|3B| .NET CLR 3.5.30729)|0D 0A|Host: ip-addr.es|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/17edf82c40df6c7268191def7cbff6e60e78d7388018408800d42581567f78cf/analysis/; classtype:trojan-activity; sid:33449; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.FileEncoder variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_client_body; content:"=",depth 2; http_header; content:"Content-Length: 128|0D 0A|",fast_pattern,nocase; content:"Content-Type: application/x-www-form-urlencoded|0D 0A|"; content:"|3B 20|MSIE|20|"; content:!"Accept-Language:"; http_client_body; pcre:"/[a-z]\x3d[a-f\d]{126}/"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/17edf82c40df6c7268191def7cbff6e60e78d7388018408800d42581567f78cf/analysis/; classtype:trojan-activity; sid:33450; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-TOOLBARS Win.Toolbar.Crossrider variant outbound connection"; flow:to_server,established; http_uri; content:".gif?action="; content:"&browser=",distance 0; content:"&osbuild=",distance 0; content:"&osprod=",distance 0; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/06f3bd3df0326b5c3c5b03070d9d870507b868ee4e1acff62f0d301c43492709/analysis/; classtype:trojan-activity; sid:33452; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kovter variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:13; http_method; content:"POST"; http_uri; content:"/12/index.php",fast_pattern,nocase; http_header; content:"User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|"; content:!"Accept"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/db8952943708f4eefa72ad04ff01bdf9acb33fdd89a5ad98b0ec2649fb116a52/analysis/1422981882/; classtype:trojan-activity; sid:33453; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; http_method; content:"GET"; http_header; content:"User-Agent: http://www.pershop.com.br/",fast_pattern,nocase; http_uri; content:".php"; http_header; content:!"Referer:"; content:!"Accept-"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/609c2c8ab60a30822689a3955fb84f06b5c3962e0d2b894f4794ac8ee5eee2eb/analysis/; classtype:trojan-activity; sid:33457; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC User-Agent known malicious user agent - ALIZER"; flow:to_server,established; http_header; content:"User-Agent|3A 20|ALIZER|0D 0A|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/958c004400ca2a736473c68d842cbea9038bde940d1e44fb08cf08c4352c5f55/analysis/; classtype:trojan-activity; sid:33519; rev:3; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Zusy inbound CNC response"; flow:to_client,established; file_data; content:"|0A|Array|0A 28 0A 20 20 20 20 5B|",fast_pattern; content:"] => ",within 20; pcre:"/\x0aArray\x0a\x28\x0a\x20{4}\x5b[a-z\d]{11}\x5d\x20\x3d\x3e\x20\d{16}\x0a\x29/i"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/958c004400ca2a736473c68d842cbea9038bde940d1e44fb08cf08c4352c5f55/analysis/; classtype:trojan-activity; sid:33520; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zusy variant outbound connection"; flow:to_server,established; http_client_body; content:"&pcname=",fast_pattern,nocase; content:"hwid=",depth 5; content:"&mode=",within 50; content:"&system=",within 32; content:"&version=",within 60; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/958c004400ca2a736473c68d842cbea9038bde940d1e44fb08cf08c4352c5f55/analysis/; classtype:trojan-activity; sid:33521; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC User-Agent known malicious user-agent - DNS Changer"; flow:to_server,established; http_header; content:"User-Agent|3A 20|DNS Check|0D 0A|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/2b16bd74ed6cf86938a7108b6a6fa9343ac4f890f0228b964a98c45428cb4e3c/analysis/; reference:url,www.virustotal.com/en/file/e5cbca1c1cca4ce5ef8beddca38869bdb18e089b969171e5ba337aa756371c36/analysis/; classtype:trojan-activity; sid:33522; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.DNSChanger variant outbound connection"; flow:to_server,established; http_header; content:"User-Agent|3A 20|NSIS_Inetc (Mozilla)|0D 0A|",fast_pattern,nocase; http_uri; content:"/postinstall.php?"; content:"src=",within 5; content:"&medium=",within 15; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/2b16bd74ed6cf86938a7108b6a6fa9343ac4f890f0228b964a98c45428cb4e3c/analysis/; reference:url,www.virustotal.com/en/file/e5cbca1c1cca4ce5ef8beddca38869bdb18e089b969171e5ba337aa756371c36/analysis/; classtype:trojan-activity; sid:33523; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.DNSChanger variant outbound connection"; flow:to_server,established; http_uri; content:"/updateb.xml?",fast_pattern,nocase; content:"rnd="; content:"&spfail=",within 20; content:"&guid=",within 15; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/2b16bd74ed6cf86938a7108b6a6fa9343ac4f890f0228b964a98c45428cb4e3c/analysis/; reference:url,www.virustotal.com/en/file/e5cbca1c1cca4ce5ef8beddca38869bdb18e089b969171e5ba337aa756371c36/analysis/; classtype:trojan-activity; sid:33524; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Turla outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"?uid="; content:"&context=",distance 0; content:"&mode=text",distance 0,fast_pattern; content:"&data=",distance 0; metadata:impact_flag red,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1065; reference:url,www.virustotal.com/en/file/1a488c6824bd39f3568346b2aaf3f6666f41b1d4961a2d77360c7c65c7978b5e/analysis/; classtype:trojan-activity; sid:33547; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Linux.Trojan.XORDDoS outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:<64; http_uri; content:"/check.action?iid="; content:"&kernel=",within 8,distance 32; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/e8cb63cc050c952c1168965f597105a128b56114835eb7d40bdec964a0e243dc/analysis/; classtype:trojan-activity; sid:33646; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Linux.Trojan.XORDDoS outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:>100; http_method; content:"POST"; http_uri; content:"/submit.action?username="; content:"&password=",within 30; content:".tgz",distance 0; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/e8cb63cc050c952c1168965f597105a128b56114835eb7d40bdec964a0e243dc/analysis/; classtype:trojan-activity; sid:33647; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Linux.Trojan.XORDDoS outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:>100; http_uri; content:"/compiler.action?iid="; content:"&username=",within 10,distance 32; content:"&password=",within 30,distance 1; content:"&kernel=",distance 0; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/e8cb63cc050c952c1168965f597105a128b56114835eb7d40bdec964a0e243dc/analysis/; classtype:trojan-activity; sid:33648; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC User-Agent known malicious user agent - Google Omaha - Win.Trojan.ExtenBro"; flow:to_server,established; http_header; content:"User-Agent: Google Omaha|0D 0A|",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,www.virustotal.com/en/file/34a3667846bbdea8dc92150e6766e3bac129a2b5fd4856c6f1512e794b90f23d/analysis/; classtype:trojan-activity; sid:33649; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Tinba outbound connection"; flow:to_server,established; http_method; content:"POST"; http_raw_uri; bufferlen:9; http_uri; content:"/preview/"; http_header; content:"Content-Length: 157|0D 0A|"; content:!"User-Agent|3A 20|"; http_client_body; content:"|00 80 00 00 00|",depth 5,offset 24; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/8eb2c85abe7acee219e344ae0592a2b1c159bdafa037be39ac062bdaeeb1f621/analysis/; classtype:trojan-activity; sid:33650; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Babar outbound connection"; flow:to_server,established; http_uri; content:"/bb/index.php"; http_header; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| MSI 6.0|3B|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/c72a055b677cd9e5e2b2dcbba520425d023d906e6ee609b79c643d9034938ebf/analysis/; classtype:trojan-activity; sid:33677; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.FannyWorm outbound connection"; flow:to_server,established; http_header; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B|)|0D 0A|",fast_pattern,nocase; http_uri; content:"/ads/QueryRecord"; content:".html",within 25; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/003315b0aea2fcb9f77d29223dd8947d0e6792b3a0227e054be8eb2a11f443d9/analysis/; classtype:trojan-activity; sid:33678; rev:3; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IMAGE Microsoft emf file download request"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:" EMF",depth 4,offset 40; metadata:policy max-detect-ips drop,ruleset community; service:smtp; reference:bugtraq,10120; reference:bugtraq,28819; reference:bugtraq,9707; reference:cve,2003-0906; reference:cve,2007-5746; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-032; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-053; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-001; classtype:misc-activity; sid:33740; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Adware Goobzo/CrossRider variant outbound connection"; flow:to_server,established; http_uri; content:"/install.ashx?id=",fast_pattern,nocase; http_header; content:"User-Agent|3A 20|NSIS_Inetc (Mozilla)|0D 0A|"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/bace69ffe133e7693b3b77994a3c81e990288ca4b642cffe12938d705c7019df/analysis/; classtype:misc-activity; sid:33815; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Adware Goobzo/CrossRider variant outbound connection"; flow:to_server,established; http_uri; content:"/ping.ashx?action=",fast_pattern,nocase; content:"&usid="; content:"&aff=",distance 0; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/bace69ffe133e7693b3b77994a3c81e990288ca4b642cffe12938d705c7019df/analysis/; classtype:misc-activity; sid:33816; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Egamipload variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/service/related?sector=",fast_pattern,nocase; http_header; content:"Mozilla|2F|4.0 (compatible|3B| MSIE 8.0|3B| Windows NT 5.1|3B| Trident/4.0)"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/50d7dab7095d5b84a6ccb11769d82cc105b519d84ab7aef4d540ed3703ae3e45/analysis/; classtype:trojan-activity; sid:33822; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] ( msg:"OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt"; flow:to_server,established; content:"|FF|SMB|73 00 00 00 00|",depth 9,offset 4; content:"|00 00|",within 2,distance 13; content:"|FF|",within 1,distance 9; content:"NTLMSSP|00 03 00 00 00|",within 100; content:"|00 00 00 00 40 00 00 00|",within 8,distance 24; flowbits:set,smb.null_session; flowbits:noalert; metadata:policy max-detect-ips alert,policy security-ips alert,ruleset community; service:netbios-ssn; reference:bugtraq,1163; reference:cve,2000-0347; classtype:attempted-recon; sid:33825; rev:7; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE User-Agent adware OutBrowse/Amonitize"; flow:to_server,established; http_header; content:"User-Agent|3A 20|Mozilla"; content:" Loader|0D 0A|",within 150,fast_pattern; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:33833; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE User-Agent adware OutBrowse/Amonitize"; flow:to_server,established; http_header; content:"User-Agent|3A 20|"; content:" Pi/3.1415926|0D 0A|",within 150,fast_pattern; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:33834; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE User-Agent adware OutBrowse/Amonitize"; flow:to_server,established; http_header; content:"User-Agent|3A 20|"; content:" in my heart of heart.|0D 0A|",within 150,fast_pattern; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:33835; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Poseidon outbound connection"; flow:to_server,established; http_header; content:"Mozilla/4.0 (compatible|3B| MSIE 8.0|3B| Windows NT 6.1|3B| Trident/4.0|3B| SLCC2|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.5.30729|3B| .NET CLR 3.0.30729|3B| Media Center PC 6.0)",fast_pattern,nocase; http_client_body; content:"uid=",depth 4; content:"&uinfo=",within 26; content:"&win=",distance 0; content:"&bits=",within 6,distance 3; content:"&build=",within 20,distance 8; metadata:impact_flag red,ruleset community; service:http; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:33851; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Poseidon outbound connection"; flow:to_server,established; http_header; content:"Mozilla/4.0 (compatible|3B| MSIE 8.0|3B| Windows NT 6.1|3B| Trident/4.0|3B| SLCC2|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.5.30729|3B| .NET CLR 3.0.30729|3B| Media Center PC 6.0)"; http_client_body; content:"oprat=",depth 6; content:"&uinfo=",within 10,distance 23; content:"&win=",distance 0; content:"&vers=",within 6,distance 3; metadata:impact_flag red,ruleset community; service:http; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:33852; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.Gh0st variant outbound connection"; flow:to_server,established; content:"KrisR",depth 5; content:"|00 00 00|",within 3,distance 1; content:"|00 00 78 9C|",within 4,distance 2; metadata:impact_flag red,ruleset community; reference:url,virustotal.com/en/file/a4fd37b8b9eabd0bfda7293acbb1b6c9f97f8cc3042f3f78ad2b11816e1f9a59/analysis/1425053730/; classtype:trojan-activity; sid:33885; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.VBPasswordStealer variant outbound connection"; flow:to_server,established; http_uri; content:"/index.php?"; content:"action=add",fast_pattern; content:"&username=",distance 0; content:"&password=",distance 0; content:"&app=",distance 0; content:"&pcname=",distance 0; content:"&sitename=",distance 0; http_header; content:!"Accept"; content:!"Connection"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/4f0988ac590d52b97b1a162f5ee098c38f6e640be783a511049d8e5006cac011/analysis/; classtype:trojan-activity; sid:34047; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE InstallMetrix precheck stage outbound connection"; flow:to_server,established; http_uri; content:"/installer_gate_client.php?",fast_pattern,nocase; content:"download_id="; content:"&mode=prechecking",distance 0; http_header; content:!"Accept"; content:!"Connection"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/d99db4f7f047cbf672eb19ea2e492a45d948338c0f10ef4761db3b9e372ba90e/analysis/1426449298/; classtype:misc-activity; sid:34119; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE InstallMetrix fetch offers stage outbound connection"; flow:to_server,established; http_uri; content:"/installer_gate_client.php?",fast_pattern,nocase; content:"download_id="; content:"&mode=getcombo",distance 0; content:"&offers=",distance 0; http_header; content:!"Accept"; content:!"Connection"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/d99db4f7f047cbf672eb19ea2e492a45d948338c0f10ef4761db3b9e372ba90e/analysis/1426449298/; classtype:misc-activity; sid:34120; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE InstallMetrix reporting binary installation stage status"; flow:to_server,established; http_method; content:"POST"; http_header; content:"User-Agent|3A 20|NSIS_Inetc (Mozilla)|0D 0A|",fast_pattern,nocase; http_client_body; content:"|22|event_type|22|",offset 1; content:"|22|environment|22|",distance 0; content:"|22|machine_ID|22|",distance 0; content:"|22|result|22|",distance 0; content:"|22|failure_reason|22|",distance 0; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/d99db4f7f047cbf672eb19ea2e492a45d948338c0f10ef4761db3b9e372ba90e/analysis/1426449298/; classtype:misc-activity; sid:34121; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE InstallMetrix reporting fetch offers stage status"; flow:to_server,established; http_uri; content:"/report.php?"; content:"download_id=",distance 0; content:"&mode=",distance 0; content:"&combo_id=",distance 0; content:"&os_name=",distance 0; content:"&os_add=",distance 0; content:"&os_build=",distance 0; content:"&proj_id=",distance 0; content:"&offer_id=",distance 0; http_header; content:!"Connection"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/d99db4f7f047cbf672eb19ea2e492a45d948338c0f10ef4761db3b9e372ba90e/analysis/1426449298/; classtype:misc-activity; sid:34122; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE User-Agent Vitruvian"; flow:to_server,established; http_header; content:"User-Agent|3A 20|Vitruvian",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/a59f0e717dc530814dea3fdf65597faaad90ed8bfe3c8b8f6cea0e708049a784/analysis/1426449345/; classtype:misc-activity; sid:34125; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Vitruvian outbound connection"; flow:to_server,established; http_uri; content:"/inst?"; content:"hid="; content:"&sid=",distance 0; content:"&tr=",distance 0; content:"&a=",distance 0; content:"&adm=",distance 0; content:"&os=",distance 0; http_header; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest.",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/a59f0e717dc530814dea3fdf65597faaad90ed8bfe3c8b8f6cea0e708049a784/analysis/1426449345/; classtype:misc-activity; sid:34126; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Vitruvian outbound connection"; flow:to_server,established; http_uri; content:"/inst?"; content:"sid="; content:"&st=",distance 0; http_header; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest.",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/a59f0e717dc530814dea3fdf65597faaad90ed8bfe3c8b8f6cea0e708049a784/analysis/1426449345/; classtype:misc-activity; sid:34127; rev:2; )
alert tcp $EXTERNAL_NET 1433 -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Banload variant MSSQL response"; flow:to_client,established; content:"|0B|m|00|a|00|c|00|a|00|v|00|e|00|r|00|d|00|e|00|m|00|2|00 06|m|00|a|00|s|00|t|00|e|00|r|00|",fast_pattern,nocase; content:"|08|D|00|B|00|S|00|Q|00|0|00|0|00|1|00|7|00|"; metadata:ruleset community; reference:url,www.virustotal.com/en/file/22ccd94c7e99a17753218708cea1abe162d289b7a0105c3be9620bf224f36f3f/analysis/; classtype:trojan-activity; sid:34136; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE SearchProtect user-agent detection"; flow:to_server,established; http_header; content:"User-Agent|3A 20|SearchProtect|3B|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/cbddccb934d302497ac60f924088034a1852c378cc51df20c2e53b401ffc4651/analysis/; classtype:misc-activity; sid:34137; rev:3; )
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Dyre publickey outbound connection"; flow:to_client,established; content:"|00 DE C5 45 99 14 1E F5 7E 56 78 DF 23 CE 8A 12|",fast_pattern,nocase; content:"LvtfOWStYYHNbdiE15aNsOyg"; metadata:impact_flag red,ruleset community; service:http; reference:url,phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl; reference:url,www.virustotal.com/en/file/417c9cd7c8abbd7bbddfc313c9f153758fd11bda47f754b9c59bc308d808c486/analysis/; classtype:trojan-activity; sid:34140; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE SuperOptimizer installation status"; flow:to_server,established; http_header; content:"User-Agent|3A 20|NSIS_Inetc (Mozilla)|0D 0A|",fast_pattern,nocase; http_client_body; content:"|22|event_type|22|",depth 15,offset 1; content:"|22|installation_session_id|22|",within 100; content:"|22|environment|22|",distance 0; content:"|22|command_line|22|",distance 0; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/1df4d1f316bd526e56b5fa0f84704bac365484c049e6a7c76145cb45e5e32049/analysis/1426449377/; classtype:misc-activity; sid:34144; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE SuperOptimizer encrypted data transmission"; flow:to_server,established; http_header; content:"User-Agent|3A 20|NSIS_Inetc (Mozilla)|0D 0A|",fast_pattern,nocase; http_client_body; content:"|22|encryptedKey|22|",depth 20,offset 1; content:"|22|encryptedData|22|",distance 0; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/1df4d1f316bd526e56b5fa0f84704bac365484c049e6a7c76145cb45e5e32049/analysis/1426449377/; classtype:misc-activity; sid:34145; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE SuperOptimizer geolocation request"; flow:to_server,established; http_uri; content:"/ip/?client=sp",fast_pattern,nocase; http_header; content:"User-Agent|3A 20|NSIS_Inetc (Mozilla)|0D 0A|"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/1df4d1f316bd526e56b5fa0f84704bac365484c049e6a7c76145cb45e5e32049/analysis/1426449377/; classtype:misc-activity; sid:34146; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Eorezo outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:30<=>65; http_uri; content:"/atJs/v",fast_pattern; content:"/Client/",within 8,distance 1; http_header; content:!"Accept"; content:!"User-Agent"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/a31d47e5d6885c32cad2fb5799033982e7f9d070ed350cd2025dd8594d067651/analysis/1426449407/; classtype:misc-activity; sid:34236; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Eorezo get advertisement"; flow:to_server,established; http_uri; content:"/cgi-bin/advert/getads.cgi?"; content:"did=",distance 0; http_header; content:"User-Agent|3A 20|mpck_",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/a31d47e5d6885c32cad2fb5799033982e7f9d070ed350cd2025dd8594d067651/analysis/1426449407/; classtype:misc-activity; sid:34237; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Linux.Trojan.XORDDoS outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:<64; http_uri; content:"/check?iid="; content:"&kernel=",within 8,distance 32; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/92a260d856e00056469fb26f5305a37f6ab443d735d1476281b053b10b3c4f86/analysis/; classtype:trojan-activity; sid:34261; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Linux.Trojan.XORDDoS outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:>100; http_uri; content:"/compiler?iid="; content:"&username=",within 10,distance 32; content:"&password=",within 30,distance 1; content:"&kernel=",distance 0; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/92a260d856e00056469fb26f5305a37f6ab443d735d1476281b053b10b3c4f86/analysis/; classtype:trojan-activity; sid:34262; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Linux.Trojan.XORDDoS outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:<64; http_uri; content:"/upload/module"; content:"build.tgz",within 9,distance 32; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/92a260d856e00056469fb26f5305a37f6ab443d735d1476281b053b10b3c4f86/analysis/; classtype:trojan-activity; sid:34263; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP vBulletin XSS redirect attempt"; flow:to_server,established; http_uri; content:"/misc.php?v="; content:"&js=js",within 12; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/url/6a7664105f1f144930f51e71dd0fec728607b4c9e33037d376cd7bf8351273a9/analysis/1430224991/; classtype:web-application-attack; sid:34287; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kraken outbound connection"; flow:to_server,established; http_uri; content:"/idcontact.php?"; content:"&steam=",within 35; content:"&origin=",within 10; content:"&webnavig=",within 12; metadata:impact_flag red,ruleset community; service:http; reference:url,itsjack.cc/blog/2015/02/krakenhttp-not-sinking-my-ship-part-1; reference:url,www.virustotal.com/en/file/27fa65a3166def75feb75f8feb25dd9784b8f2518c73defcc4ed3e9f46868e76/analysis/; classtype:trojan-activity; sid:34292; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection"; flow:to_server,established; http_uri; content:"/get_status.php?name=",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/015fbc0b216d197136df8692b354bf2fc7bd6eb243e73283d861a4dbbb81a751/analysis/; classtype:trojan-activity; sid:34307; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/products/fupdates.php?"; content:"account=",distance 0; content:"&name=",distance 0; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/015fbc0b216d197136df8692b354bf2fc7bd6eb243e73283d861a4dbbb81a751/analysis/; classtype:trojan-activity; sid:34308; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection"; flow:to_server,established; http_uri; content:"/products/file_order"; content:".php?",within 8; content:"name=",distance 0; content:"&path=",distance 0; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/015fbc0b216d197136df8692b354bf2fc7bd6eb243e73283d861a4dbbb81a751/analysis/; classtype:trojan-activity; sid:34309; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection"; flow:to_server,established; http_uri; content:"/add_user.php?name="; content:"&user=",distance 0; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/015fbc0b216d197136df8692b354bf2fc7bd6eb243e73283d861a4dbbb81a751/analysis/; classtype:trojan-activity; sid:34310; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection"; flow:to_server,established; http_uri; content:"/new/"; content:"_flash",within 12; content:".php?",within 15; content:"name=",distance 0; content:"&serial=",distance 0; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/015fbc0b216d197136df8692b354bf2fc7bd6eb243e73283d861a4dbbb81a751/analysis/; classtype:trojan-activity; sid:34311; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection"; flow:to_server,established; http_uri; content:"/new/get_tree.php?"; content:"name=",distance 0; content:"&date=",distance 0; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/015fbc0b216d197136df8692b354bf2fc7bd6eb243e73283d861a4dbbb81a751/analysis/; classtype:trojan-activity; sid:34312; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection"; flow:to_server,established; http_uri; content:"/new/add_tree.php?"; content:"name=",distance 0; content:"&date=",distance 0; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/015fbc0b216d197136df8692b354bf2fc7bd6eb243e73283d861a4dbbb81a751/analysis/; classtype:trojan-activity; sid:34313; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection"; flow:to_server,established; http_uri; content:"/new/all_file_info1.php?"; content:"name=",distance 0; content:"&user=",distance 0; content:"&file=",distance 0; content:"&type=",distance 0; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/015fbc0b216d197136df8692b354bf2fc7bd6eb243e73283d861a4dbbb81a751/analysis/; classtype:trojan-activity; sid:34314; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection"; flow:to_server,established; http_uri; content:"/flupdate/"; content:".html",within 7; pcre:"/\/flupdate\/\d\.html/i"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/015fbc0b216d197136df8692b354bf2fc7bd6eb243e73283d861a4dbbb81a751/analysis/; classtype:trojan-activity; sid:34315; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection"; flow:to_server,established; http_uri; content:"/gget_rtemp.php?n=",fast_pattern,nocase; http_header; content:"User-Agent|3A 20|SK",nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/015fbc0b216d197136df8692b354bf2fc7bd6eb243e73283d861a4dbbb81a751/analysis/; classtype:trojan-activity; sid:34316; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection"; flow:to_server,established; http_uri; content:"/aadd_rtemp.php?n=",fast_pattern,nocase; http_header; content:"User-Agent|3A 20|SK",nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/015fbc0b216d197136df8692b354bf2fc7bd6eb243e73283d861a4dbbb81a751/analysis/; classtype:trojan-activity; sid:34317; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.CryptoWall variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:<130; http_uri; content:".php?",nocase; content:"|3D|",within 1,distance 1; http_header; content:"Cache-Control: no-cache|0D 0A 0D 0A|",nocase; content:!"|0D 0A|Accept-"; content:"Content-Type: application/x-www-form-urlencoded|0D 0A|",fast_pattern,nocase; http_client_body; content:"|3D|",depth 2,offset 1; pcre:"/^[a-z]\x3d[a-f\d]{80,140}$/i"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/d14f1d1e07bd116ed0faf5896438177f36a05adacf5af4f32910e313e9c1fd93/analysis/; classtype:trojan-activity; sid:34318; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Magento remote code execution attempt"; flow:to_server,established; http_uri; content:"/Adminhtml_"; content:"forwarded=",distance 0; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2015-1398; classtype:attempted-admin; sid:34365; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"MALWARE-CNC Win.Trojan.Beebone outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| SV1)|0D 0A|",fast_pattern,nocase; content:"GET"; pcre:"/GET \/[a-z]{8,12}\?[a-z] HTTP\/1.1/i"; metadata:impact_flag red,ruleset community; reference:url,www.virustotal.com/en/file/b06c6ac1174a6992f423d935ccba6f34f107b6591768a743d44d66423312d33a/analysis/; classtype:trojan-activity; sid:34366; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Banload variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:16; http_uri; content:"/arquivo/vrs.txt",fast_pattern,nocase; http_header; content:"Accept: text/html, */*|0D 0A|Accept-Encoding: identity|0D 0A|"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/fc2cc624c2357bad23eaff951c4eac3a1f1c1c3ec5133665c7e101f4f4e3bbba/analysis/1430145774/; classtype:trojan-activity; sid:34367; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Banload variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:19; http_uri; content:"/arquivo/cookie.txt",fast_pattern,nocase; http_header; content:"Accept: text/html, */*|0D 0A|Accept-Encoding: identity|0D 0A|"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/fc2cc624c2357bad23eaff951c4eac3a1f1c1c3ec5133665c7e101f4f4e3bbba/analysis/1430145774/; classtype:trojan-activity; sid:34368; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; http_uri; content:"/poppxr/popi.html",fast_pattern,nocase; http_header; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/6ca7047c377ad26b9db86c4028b59aa2f6600bfbdb74f1af3519ebf10314b3a6/analysis/; classtype:trojan-activity; sid:34452; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; http_client_body; content:"sname=",depth 6; pkt_data; content:".php HTTP/1.0|0D 0A|"; http_header; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/6ca7047c377ad26b9db86c4028b59aa2f6600bfbdb74f1af3519ebf10314b3a6/analysis/; classtype:trojan-activity; sid:34453; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET [25] ( msg:"MALWARE-CNC Linux.Trojan.Mumblehard variant outbound connection"; flow:to_server,established; content:"POST / HTTP/1.0|0D 0A|Host: ",depth 28; content:"Content-type: application/x-www-form-urlencoded|0D 0A|Content-Length: ",within 100; content:"|0D 0A 0D 0A 0F 0F 09|",within 25,fast_pattern; content:!"User-Agent: ",nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,virustotal.com/file/9512cd72e901d7df95ddbcdfc42cdb16141ff155e0cb0f8321069212e0cd67a8/analysis/1430996623; classtype:trojan-activity; sid:34461; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Linux.Downloader.Mumblehard variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:1; http_header; content:"User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| rv:7.0.1) Gecko/20100101 Firefox/7.0.1|0D 0A|",fast_pattern,nocase; content:"Accept: text/html,application/xhtml+xml,application/xml|3B|q=0.8,*/*|3B|q=0.9|0D 0A|"; content:"Accept-Language: en-us,en|3B|q=0.5|0D 0A|",distance 0; content:"Accept-Encoding: gzip, deflate|0D 0A|",distance 0; content:"Accept-Charset: ISO-8859-1,utf-8|3B|q=0.7,*|3B|q=0.7|0D 0A|",distance 0; content:"Connection: close|0D 0A 0D 0A|",distance 0; metadata:impact_flag red,ruleset community; service:http; reference:url,virustotal.com/file/84dfe2ac489ba41dfb25166a983ee2d664022bbcc01058c56a1b1de82f785a43/analysis/1430849540/; classtype:trojan-activity; sid:34462; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR Win.Backdoor.Wekby Torn variant outbound connection"; flow:to_server,established; isdataat:15; isdataat:!16; content:"|00 00 00 11 C8 00 00 00 00 00 00 00 00 00 00 00|",depth 16,fast_pattern,fast_pattern_offset 0,fast_pattern_length 12; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:url,www.virustotal.com/en/file/1D6BCF409C85887861D587C8AABFC8C8393EA692FE93C0A6836BE507A7F75985/analysis/; classtype:trojan-activity; sid:34500; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Backdoor.Wekby Torn variant outbound connection"; flow:to_server,established; isdataat:15; isdataat:!16; content:"|00 00 00 11 D0 00 00 00|",depth 8; metadata:impact_flag red,ruleset community; reference:url,www.virustotal.com/en/file/1D6BCF409C85887861D587C8AABFC8C8393EA692FE93C0A6836BE507A7F75985/analysis/; classtype:trojan-activity; sid:34501; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; http_uri; content:"/popkx3/popi.html",fast_pattern,nocase; http_header; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/d6beeae945d570d98784bdea68310ddef17f4a03534632dec48c691677c67402/analysis/; classtype:trojan-activity; sid:34622; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC User-Agent known malicious user agent - EMERY - Win.Trojan.W97M"; flow:to_server,established; http_header; content:"User-Agent|3A 20|EMERY|0D 0A|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/d0f0a446162c6dafc58e4034f4879275d3766f20336b6998cb5a5779d995a243/analysis/; classtype:trojan-activity; sid:34843; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-COMPROMISE Metasploit Meterpreter reverse HTTPS certificate"; flow:to_client,established; content:"|16 03 03|"; content:"|0B|",within 1,distance 2; content:"|30 82|",within 2,distance 9; content:"|30 82|",within 2,distance 2; content:"|A0 03 02 01 02 02|",within 6,distance 2; content:"|30 0D 06 09 2A 86 48 86 F7 0D 01 01|",within 22; content:"|31|",within 1,distance 5; content:"|30|",within 1,distance 1; content:"|06 03 55 04 03 0C|",within 6,distance 1; content:"|30|",within 10,distance 3; content:"|17 0D|",within 2,distance 1; content:"Z|17 0D|",within 3,distance 12; content:"Z|30|",within 2,distance 12; content:"|31|",within 1,distance 1; content:"|30|",within 1,distance 1; content:"|06 03 55 04 03 0C|",within 6,distance 1; content:"|30 82|",within 9,distance 2; content:"|30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82|",within 17,distance 2; content:"|30 82|",within 2,distance 3; content:"|02 82|",within 2,distance 2; content:"|02 03 01 00 01 A3 0D 30 0B 30 09 06 03 55 1D 13 04 02 30 00 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:ssl; reference:url,blog.didierstevens.com; classtype:misc-activity; sid:34864; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Rovnix variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/vbulletin/post.php?qu=",fast_pattern,nocase; http_header; content:!"User-Agent:"; content:!"Accept"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/a184775757cf30f9593977ee0344cd6c54deb4b14a012a7af8e3a2cdbb85a749/analysis/; classtype:trojan-activity; sid:34868; rev:2; )
alert tcp $EXTERNAL_NET 21 -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Critroni certificate exchange"; flow:to_client,established; content:"|00 D3 62 47 DA 62 4A A1 34|"; content:"|3B 02 49 86 4B DF D7 D7 6C E2 2F 36 81 01 24 3F|",within 400; metadata:impact_flag red,ruleset community; service:ssl; reference:url,www.virustotal.com/en/file/af7a9f581653394955bec5cf10a7dbafbf64f42d09918807274b5d25849a1251/analysis/; classtype:trojan-activity; sid:34917; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; http_client_body; content:"ID_MAQUINA=",fast_pattern,nocase; content:"&VERSAO=",nocase; content:"&WIN=",within 50,nocase; content:"&NAVEGADOR=",within 200,nocase; content:"&PLUGIN=",within 50,nocase; content:"&AV=",within 50,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/7816d2b6507950177cf1af596744abe523cad492f4d78e230962602b1b269044/analysis/; classtype:trojan-activity; sid:34931; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Prok variant outbound connection"; flow:to_server,established; http_uri; content:"/prok/"; http_header; content:"Content-Type: multipart/form-data, boundary=7DF051D",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/ada4a63abae42266f9d472f1d4ebd0bd22702270f8b38ad7a824a16ce449ea2b/analysis/; classtype:trojan-activity; sid:34950; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Androm variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:16; http_method; content:"POST"; http_uri; content:"/forum/image.php",fast_pattern,nocase; http_header; content:"|0D 0A|User-Agent: Mozilla/4.0|0D 0A|"; content:"|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/38c7d403660c98ceb0246192d7d89cd66e126c6721008f6b347d4d53b4dc063b/analysis/; classtype:trojan-activity; sid:34958; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.SpyBanker variant outbound connection"; flow:to_server,established; http_client_body; content:"texto=%0D%0A",depth 12; http_uri; content:"/consulta"; http_header; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/33b598e185ba483c5c1571651a03b90359fb1f56b55e902c7038baf315c5dad9/analysis/; classtype:trojan-activity; sid:34959; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Win.Adware.Sendori user-agent detection"; flow:to_server,established; http_header; content:"User-Agent|3A 20|Sendori-Client-Win32",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/26ee215c531b6c50d28ef9b9a48db05b08139e460b997167de1813484beb7a9e/analysis/; classtype:misc-activity; sid:34964; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Banbra variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:43; http_uri; content:"/imagens/nacional/new/1/2/3/br/contador.php",fast_pattern,nocase; http_header; content:"User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B| rv:12.0) Gecko/20100101 Firefox/12.0"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/078f4f7bbd0a7fc3f1934a4988997e9f3b69ca8b9dc1bfd37a6c85b44fb50b48/analysis/; classtype:trojan-activity; sid:34994; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Banbra HTTP Header Structure"; flow:to_server,established; http_header; content:"|0D 0A|Accept: text/html, */*|0D 0A|Accept-Encoding: identity|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B| rv:12.0) Gecko/20100101 Firefox/12.0|0D 0A 0D 0A|",fast_pattern,nocase; pkt_data; content:".php HTTP/1.1|0D 0A|Content-Type: text/html|0D 0A|Host: "; http_uri; content:".php"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/078f4f7bbd0a7fc3f1934a4988997e9f3b69ca8b9dc1bfd37a6c85b44fb50b48/analysis/; classtype:trojan-activity; sid:34995; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Agent-ALPW variant outbound connection"; flow:to_server,established; http_header; content:"|0D 0A|Accept: text/html, */*|0D 0A|Accept-Encoding: identity|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B| rv:12.0) Gecko/20100101 Firefox/12.0|0D 0A 0D 0A|",fast_pattern,nocase; http_client_body; content:"A=",depth 2; http_uri; content:".php"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/6452bea82dbef796eaed8d2403ffa7141e4379bb052fdb7b63a21400c04b0334/analysis/; classtype:trojan-activity; sid:34996; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Graftor variant HTTP Response"; flow:to_client,established; isdataat:!53; content:"HTTP/1.1 200 OK|0D 0A|Content-Length: "; content:"|0D 0A 0D 0A|session:",within 15,fast_pattern; pcre:"/\r\n\r\nsession\x3a\d{1,7}$/"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/1ed49a78ee46c4a0d2eeb3b9ab707b40d3c87448c6f399d7fceefc0c16c66d38/analysis/; classtype:trojan-activity; sid:34997; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:9; http_uri; content:"/diff.php",fast_pattern,nocase; http_header; content:"|0D 0A|User-Agent: Mozilla/4.0|0D 0A|"; content:"|0D 0A|Content-Type: application/octet-stream|0D 0A|"; http_client_body; content:"|A0 CD 37 A4 5B|",depth 5; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/a7009a6ed3ff0191e3c8e7f8b27b9b16afe2a82d1eb131ecd27d8f8a5b17e819/analysis/1433243075/; classtype:trojan-activity; sid:35030; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Zusy variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:21; http_method; content:"POST"; http_uri; content:"/siganofi/rounder.php",fast_pattern,nocase; http_header; content:"Cache-Control: no-cache"; content:"Pragma|3A| no-cache|0D 0A|"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.www.virustotal.com/en/file/857ae380e297f840b88146ec042286ef459a1c4dc53680b117a9677b189e6c68/analysis/; classtype:trojan-activity; sid:35076; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Ursnif outbound connection"; flow:to_server,established; http_uri; content:"/photoLibrary/?user="; content:"&ver="; content:"&os2=",fast_pattern,nocase; content:"&type="; metadata:impact_flag red,ruleset community; service:http; reference:url,malware.dontneedcoffee.com/2015/07/a-fileless-ursnif-doing-some-pos.html; classtype:trojan-activity; sid:35312; rev:4; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Cryptowall click fraud response"; flow:to_client,established; file_data; content:"2|7C|http://",depth 9; content:"/search.php|7C|http://",within 60; content:"|7C|Mozilla/4.0 ",within 100; content:"/r.php?key=",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/3b78dd891a81c18cffa5031e52f9c2329e2986ba83c5c75a67dc4ae3d1f0bec3/analysis/; classtype:trojan-activity; sid:35344; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Elise.B variant outbound connection"; flow:to_server,established; http_header; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| MSIE 8.0)",fast_pattern,nocase; http_raw_uri; bufferlen:28; http_uri; content:"/page_",depth 6,offset 9,nocase; content:".html",within 5,distance 8,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/9a226eeae1fc51a2bc2e72b098d5654238d0cc8eae29c0cdaacb49ae9d997d04/analysis/; classtype:trojan-activity; sid:35353; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Bedep initial outbound connection"; flow:to_server,established; http_client_body; content:"protocolVersion|22|",offset 2; content:"|22|rev|22|",within 10; content:"|22|buildId|22|",within 15; content:"|22|tags|22 3A|",distance 0; content:"|22|type|22 3A 22|",within 10; metadata:impact_flag red,ruleset community; service:http; reference:url,malware.dontneedcoffee.com/2015/07/a-fileless-ursnif-doing-some-pos.html; classtype:trojan-activity; sid:35386; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Andromeda initial outbound connection"; flow:to_server,established; http_uri; content:"/forum.php",depth 10; http_header; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|",fast_pattern,nocase; content:!"Accept"; content:!"Referer"; metadata:impact_flag red,ruleset community; service:http; reference:url,malware.dontneedcoffee.com/2015/07/a-fileless-ursnif-doing-some-pos.html; classtype:trojan-activity; sid:35387; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Andromeda download request"; flow:to_server,established; http_uri; content:".mod"; pcre:"/[a-z]{2}_[a-z0-9]{8}\.mod/i"; http_header; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|",fast_pattern,nocase; content:!"Accept"; content:!"Referer"; metadata:impact_flag red,ruleset community; service:http; reference:url,malware.dontneedcoffee.com/2015/07/a-fileless-ursnif-doing-some-pos.html; classtype:trojan-activity; sid:35388; rev:2; )
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.TorrentLocker/Teerac self-signed certificate"; flow:to_client,established; ssl_state:server_hello; content:"|16 03 01 00 51 02|"; content:"|55 04 06 13 02|XX",fast_pattern,nocase; content:"|55 04 07 0C 0C|Default City"; content:"|55 04 0A 0C 13|Default Company Ltd",distance 6; metadata:impact_flag red,ruleset community; service:ssl; reference:url,www.virustotal.com/en/file/4072beeaf09fe6fef48365f1c14fd800e21b32cfa2af561f515bc45372dd590d/analysis/; classtype:trojan-activity; sid:35393; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.TorrentLocker/Teerac payment page request"; flow:to_server,established; http_uri; content:".php?user_code="; content:"&user_pass=",fast_pattern,nocase; http_header; content:"Referer|3A|"; content:"tor",within 30,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/4072beeaf09fe6fef48365f1c14fd800e21b32cfa2af561f515bc45372dd590d/analysis/; classtype:trojan-activity; sid:35394; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:10; http_uri; content:"/order.php"; http_header; content:"|0D 0A|User-Agent: Mozilla/4.0|0D 0A|"; content:"|0D 0A|Content-Type: application/octet-stream|0D 0A|"; http_client_body; content:"|A0 CD 37 A4 5B|",depth 5,fast_pattern; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/a7009a6ed3ff0191e3c8e7f8b27b9b16afe2a82d1eb131ecd27d8f8a5b17e819/analysis/1433243075/; classtype:trojan-activity; sid:35549; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Potao outbound connection"; flow:to_server,established; http_client_body; content:"|3C|methodName|3E|10a7d030-1a61-11e3-beea-001c42e2a08b|3C 2F|methodName|3E|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/c66955f667e9045ea5591ebf9b59246ad86227f174ea817d1398815a292b8c88/analysis/; classtype:trojan-activity; sid:35733; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Netgear WNDR4700 and R6200 admin interface authentication bypass attempt"; flow:to_server,established; http_uri; content:"/BRS_03B_haveBackupFile_fileRestore.html",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,59406; reference:cve,2013-3071; classtype:attempted-admin; sid:35734; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"INDICATOR-COMPROMISE Wild Neutron potential exploit attempt"; flow:to_server,established; http_raw_uri; bufferlen:>25; http_uri; content:".swf?"; content:"styleid=",distance 0; content:"&langid=",distance 0; content:"&sid=",distance 0; content:"&d=",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/; classtype:trojan-activity; sid:35745; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:11; http_uri; content:"/atomic.php",fast_pattern,nocase; http_header; content:"|0D 0A|User-Agent: Mozilla/4.0|0D 0A|"; http_client_body; content:"|A0 CD 37 A4 5B|",depth 5; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/a7009a6ed3ff0191e3c8e7f8b27b9b16afe2a82d1eb131ecd27d8f8a5b17e819/analysis/; classtype:trojan-activity; sid:35746; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Backdoor.IsSpace outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/SNews.asp?HostID=",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,publicintelligence.net/fbi-hack-tools-opm/; classtype:trojan-activity; sid:35749; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Backdoor.IsSpace initial outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/STTip.asp",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,publicintelligence.net/fbi-hack-tools-opm/; classtype:trojan-activity; sid:35750; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"FILE-IDENTIFY JPEG file upload detected"; flow:to_server,established; file_data; content:"|FF D8 FF E1|",depth 4; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:http; classtype:misc-activity; sid:35852; rev:9; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"FILE-IDENTIFY OLE Document upload detected"; flow:to_server,established; file_data; content:"Content-Disposition|3A|",nocase; content:"Form-data|3B|",within 20,nocase; content:"|D0 CF 11 E0 A1 B1 1A E1|",within 200,fast_pattern; flowbits:set,file.ole; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:http; classtype:misc-activity; sid:36058; rev:10; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Bagsu variant outbound connection"; flow:to_server,established; http_uri; content:"/rp?v=",fast_pattern,nocase; http_header; content:!"User-Agent:"; http_uri; content:"&u="; content:"&c=",within 3,distance 32; content:"&f=",distance 0; content:"&a=",distance 0; content:"&d=",distance 0; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/049bc9beeba4acd2a558dc695f65ad284b0ae1ff89f69a38f743510d6ab640c0/analysis; classtype:trojan-activity; sid:36064; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Bagsu variant outbound connection"; flow:to_server,established; http_uri; content:"/offers_new?v=",fast_pattern,nocase; http_header; content:!"User-Agent"; http_uri; content:"&a="; content:"&i=",distance 0; content:"&f=",distance 0; content:"&u=",distance 0; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/049bc9beeba4acd2a558dc695f65ad284b0ae1ff89f69a38f743510d6ab640c0/analysis; classtype:trojan-activity; sid:36065; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Bagsu variant outbound connection"; flow:to_server,established; http_header; content:"User-Agent: Mozilla/4.0 (compatible|3B| MyApp)|0D 0A 0D 0A|",fast_pattern,nocase; http_client_body; content:"windows=",depth 8; content:"&av=",within 50; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/1fbe27602da7de2ce95254ffd409f70635179371354b4914997de273f6be9422/analysis/; classtype:trojan-activity; sid:36066; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.FakeAV variant outbound connection"; flow:to_server,established; http_uri; content:"/purchase.php?a=",fast_pattern,nocase; content:"&v="; content:"&u=",distance 0; content:"&bgload=",within 8,distance 32; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/f4c10d33b8c46cc7922a6eebc9f14858a01b2f573ee99dd1dc02a4534b537e18/analysis; classtype:trojan-activity; sid:36107; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Nimisi variant outbound connection"; flow:to_server,established; http_header; content:!"User-Agent"; http_uri; content:"/logs.php?&prog=",fast_pattern,nocase; content:"&url="; content:"&user=",distance 0; content:"&pass=",distance 0; content:"&comp=",distance 0; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/a1f8f8b509001e5bca811a168455a89517000a2534d271018c0c87c6210bd69f/analysis/; classtype:trojan-activity; sid:36108; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Yakes variant dropper"; flow:to_server,established; http_uri; content:"/document.php?rnd=",fast_pattern,nocase; content:"&id=",depth 4,offset 22; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/ff0ae81f0dece17baf8480d866c9462c9f3d49be9adde8b16f105e244eb31d67/analysis/; classtype:trojan-activity; sid:36202; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-COMPROMISE Metasploit Meterpreter reverse HTTPS certificate"; flow:to_client,established; content:"|16 03 01|"; content:"|0B|",within 1,distance 2; content:"|30 82|",within 2,distance 9; content:"|30 82|",within 2,distance 2; content:"|A0 03 02 01 02 02|",within 6,distance 2; content:"|30 0D 06 09 2A 86 48 86 F7 0D 01 01|",within 22; content:"|31|",within 1,distance 5; content:"|30|",within 1,distance 1; content:"|06 03 55 04 03 0C|",within 6,distance 1; byte_extract:1,0,string_size,relative; content:"|30|",within 1,distance string_size; content:"|17 0D|",within 2,distance 1; content:"Z|17 0D|",within 3,distance 12; content:"Z|30|",within 2,distance 12; content:"|31|",within 1,distance 1; content:"|30|",within 1,distance 1; content:"|06 03 55 04 03 0C|",within 6,distance 1; byte_extract:1,0,string_size,relative; content:"|30 82|",within 2,distance string_size; content:"|30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82|",within 17,distance 2; content:"|30 82|",within 2,distance 3; content:"|02 82|",within 2,distance 2; content:"|02 03 01 00 01 A3 0D 30 0B 30 09 06 03 55 1D 13 04 02 30 00 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:ssl; reference:url,blog.didierstevens.com; classtype:misc-activity; sid:36611; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-COMPROMISE Metasploit Meterpreter reverse HTTPS certificate"; flow:to_client,established; content:"|16 03 02|"; content:"|0B|",within 1,distance 2; content:"|30 82|",within 2,distance 9; content:"|30 82|",within 2,distance 2; content:"|A0 03 02 01 02 02|",within 6,distance 2; content:"|30 0D 06 09 2A 86 48 86 F7 0D 01 01|",within 22; content:"|31|",within 1,distance 5; content:"|30|",within 1,distance 1; content:"|06 03 55 04 03 0C|",within 6,distance 1; content:"|30|",within 10,distance 3; content:"|17 0D|",within 2,distance 1; content:"Z|17 0D|",within 3,distance 12; content:"Z|30|",within 2,distance 12; content:"|31|",within 1,distance 1; content:"|30|",within 1,distance 1; content:"|06 03 55 04 03 0C|",within 6,distance 1; content:"|30 82|",within 9,distance 2; content:"|30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82|",within 17,distance 2; content:"|30 82|",within 2,distance 3; content:"|02 82|",within 2,distance 2; content:"|02 03 01 00 01 A3 0D 30 0B 30 09 06 03 55 1D 13 04 02 30 00 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:ssl; reference:url,blog.didierstevens.com; classtype:misc-activity; sid:36612; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Potential hostile executable served from compromised or malicious WordPress site"; flow:to_server,established; http_uri; content:"/wp-admin/"; pkt_data; content:".exe|20|HTTP/1.",fast_pattern,nocase; http_uri; pcre:"/\.exe$/"; metadata:ruleset community; service:http; classtype:trojan-activity; sid:36914; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kovter outbound connection"; flow:to_server,established; http_uri; content:"/counter/?",fast_pattern,nocase; http_header; content:"UA-CPU"; content:"MSIE 7.0|3B|"; content:!"Referer"; metadata:impact_flag red,ruleset community; service:http; reference:url,virustotal.com/en/file/e3da9c7f20e7f24891e0dec594dad6d9deebee145153611a5c05c69593284a27/analysis/; reference:url,www.virustotal.com/en/file/9d6b1bd74848dd0549ad3883b7292d3ba0a4fa06d0aaf562032b0bf6dc198249/analysis/; classtype:trojan-activity; sid:37045; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Backdoor.Chopper web shell connection"; flow:to_server,established; http_client_body; content:"=@eval(base64_decode($_POST",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1001; reference:url,attack.mitre.org/techniques/T1100; reference:url,attack.mitre.org/techniques/T1132; reference:url,informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html; reference:url,www.virustotal.com/en/file/BE24561427D754C0C150272CAB5017D5A2DA64D41BEC74416B8AE363FB07FD77/analysis/; classtype:trojan-activity; sid:37245; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Vawtrak variant outbound connection"; flow:to_server,established; http_uri; content:"/rss/feed/stream",fast_pattern,nocase; http_client_body; content:"|3F|",depth 1,offset 2; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/6ADFAFFEA064A9F89064FBA300CDFCD7634CFD06802BF250FA1B070CABFBEBF5/analysis/; classtype:trojan-activity; sid:37467; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.iSpySoft variant outbound connection"; flow:to_server,established; http_uri; content:"/Recoveries/Browser.txt",fast_pattern,nocase; http_header; content:!"User-Agent"; content:!"Accept"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/84409422426933e6f1ea227f042ff56d1f6686873454959d2e3308b9f5daac61/analysis/; classtype:trojan-activity; sid:37521; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.iSpySoft variant outbound connection"; flow:to_server,established; http_uri; content:"/Recoveries/Mail.txt",fast_pattern,nocase; http_header; content:!"User-Agent"; content:!"Accept"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/84409422426933e6f1ea227f042ff56d1f6686873454959d2e3308b9f5daac61/analysis/; classtype:trojan-activity; sid:37522; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.iSpySoft variant outbound connection"; flow:to_server,established; http_uri; content:"/Recoveries/OSKey.txt",fast_pattern,nocase; http_header; content:!"User-Agent"; content:!"Accept"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/84409422426933e6f1ea227f042ff56d1f6686873454959d2e3308b9f5daac61/analysis/; classtype:trojan-activity; sid:37523; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Engr variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:7<=>8; http_uri; content:".php"; http_header; content:"boundary=Xu02=$",fast_pattern,nocase; content:!"User-Agent"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/54f6600db99fdab31453f3e23e8fb080438cd1ec36b6fc2868ff86cf88f14bb0/analysis/; classtype:trojan-activity; sid:37552; rev:2; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Symmi variant dropper download connection"; flow:to_client,established; file_data; content:"|A6 4D AA E1 65 52 A5 E1 E3 58 76 E1 81 4D A5 E1 CE 48 9C E1 BB 4D A5 E1 CE 48 A9 E1 A1 4D A5 E1|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/881bb1538b4d077976cd9b27523cd5af9bd86c0ae3bce4edf453e74bba9f4c1b/analysis/; classtype:trojan-activity; sid:37646; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; http_uri; content:"/vip.jpg",fast_pattern,nocase; http_raw_uri; bufferlen:8; http_header; content:"User-Agent: Mozilla/4.0 (compatible)|0D 0A|"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/881bb1538b4d077976cd9b27523cd5af9bd86c0ae3bce4edf453e74bba9f4c1b/analysis/; classtype:trojan-activity; sid:37647; rev:2; )
alert udp any 53 -> $HOME_NET any ( msg:"PROTOCOL-DNS glibc getaddrinfo A record stack buffer overflow attempt"; flow:to_client; dsize:>2000; byte_test:1,&,2,2; byte_test:1,&,0x80,2; byte_test:1,!&,0x78,2; content:"|00 01|",depth 2,offset 4; content:"|00 00 01 00 01|",fast_pattern,nocase; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:dns; reference:cve,2015-7547; reference:url,googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html; classtype:attempted-user; sid:37730; rev:5; )
alert udp any 53 -> $HOME_NET any ( msg:"PROTOCOL-DNS glibc getaddrinfo AAAA record stack buffer overflow attempt"; flow:to_client; dsize:>2000; byte_test:1,&,2,2; byte_test:1,&,0x80,2; byte_test:1,!&,0x78,2; content:"|00 01|",depth 2,offset 4; content:"|00 00 1C 00 01|",fast_pattern,nocase; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:dns; reference:cve,2015-7547; reference:url,googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html; classtype:attempted-user; sid:37731; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Dridex dropper variant outbound connection"; flow:to_server,established; http_uri; content:"/gt.jpg?",fast_pattern; content:"=",within 1,distance 15; http_header; content:"bytes=6433-"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/8a80760f60f42ce5574a8020c08123a6a8fc2a12d28e8802f3d5101f72c2ad0c/analysis/; classtype:trojan-activity; sid:37733; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 ( msg:"POLICY-OTHER Polycom Botnet inbound connection attempt"; flow:to_server,established; content:"|03 00|",depth 2; content:"|08|",distance 2; content:"|05|",distance 4; content:"MERA RTU",within 100,fast_pattern; metadata:ruleset community; reference:url,support.polycom.com/global/documents/support/documentation/H_3_2_3_Botnet_Bulletin_v_1_2.pdf; classtype:trojan-activity; sid:37814; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 ( msg:"POLICY-OTHER Polycom Botnet inbound connection attempt"; flow:to_server,established; content:"|03 00|",depth 2; content:"|08 02|",within 2,distance 2; content:"EE|A8 C6|3",within 80; content:"ooh323",distance 6,fast_pattern; metadata:ruleset community; reference:url,support.polycom.com/global/documents/support/documentation/H_3_2_3_Botnet_Bulletin_v_1_2.pdf; classtype:trojan-activity; sid:37815; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kazy variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:10; http_client_body; content:"post=",depth 5,fast_pattern; http_uri; content:"/index.php"; http_header; content:!"User-Agent"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/522e5d4ea0771f5c0bc300c2d66a0445a66ae85bd4b50c21a502365db0a638d9/analysis/; classtype:trojan-activity; sid:37816; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Locky variant outbound connection"; flow:to_server,established; http_uri; content:"/lockycrypt.rar",fast_pattern,nocase; http_header; content:!"User-Agent"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/ee6abe4a9530b78e997d9c28394356216778eaf2d46aa3503999e7d6bfbefe90/analysis/; classtype:trojan-activity; sid:37834; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Locky variant outbound connection"; flow:to_server,established; http_uri; content:"/34gf5y/r34f3345g",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/ee6abe4a9530b78e997d9c28394356216778eaf2d46aa3503999e7d6bfbefe90/analysis/; classtype:trojan-activity; sid:37835; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"INDICATOR-COMPROMISE malicious file download attempt"; flow:to_server,established; http_uri; content:"|2F 70 6F 63|"; pcre:"/\x2f\x70\x6f\x63(\d*|\x5f[\x61-\x7a]+)\x2e(\x68\x74\x6d\x6c|\x78(\x6c\x73|\x73\x6c|\x6d\x6c)|\x6a(\x73|\x61\x76a)|\x61\x73\x70|\x70(\x64f|\x70\x74|\x48\x70|\x73\x64)|\x66\x6c\x76|\x73\x77\x66|\x64\x6fc|\x74\x74\x66|\x62\x6d\x70|\x6d(\x70\x33|\x33\x75))/i"; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:misc-activity; sid:37963; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win-Linux.Trojan.Derusbi variant outbound connection"; flow:to_server,established; http_header; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|",fast_pattern,nocase; content:"Pragma|3A 20|no-cache"; content:"Proxy-Connection|3A 20|Keep-Alive|0D 0A|"; http_method; content:"POST"; http_uri; content:"/photos/photo.asp"; http_header; content:!"Referer"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.fidelissecurity.com/sites/default/files/TA_Fidelis_Turbo_1602%283%29.pdf; classtype:trojan-activity; sid:38255; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win-Linux.Trojan.Derusbi variant outbound connection"; flow:to_server,established; http_method; content:"CONNECT"; http_header; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|",fast_pattern,nocase; content:"Pragma|3A 20|no-cache"; content:"Proxy-Connection|3A 20|Keep-Alive|0D 0A|"; content:"Accept: */*"; content:"Accept-Encoding|3A| identity"; content:!"Referer"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.fidelissecurity.com/sites/default/files/TA_Fidelis_Turbo_1602%283%29.pdf; classtype:trojan-activity; sid:38256; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win-Linux.Trojan.Derusbi variant outbound connection"; flow:to_server,established; http_header; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1)|0D 0A|",fast_pattern,nocase; content:"Pragma|3A 20|no-cache"; content:"Cache-Control|3A 20|no-cache"; http_method; content:"GET"; http_uri; content:"/Query.asp?loginid="; metadata:impact_flag red,ruleset community; service:http; reference:url,www.fidelissecurity.com/sites/default/files/TA_Fidelis_Turbo_1602%283%29.pdf; classtype:trojan-activity; sid:38257; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win/Linux.Trojan.Derusbi variant outbound connection"; flow:to_server,established; http_header; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1)|0D 0A|",fast_pattern,nocase; content:"Pragma|3A 20|no-cache"; content:"Cache-Control|3A 20|no-cache"; http_method; content:"POST"; http_uri; content:"/login1.asp"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.fidelissecurity.com/sites/default/files/TA_Fidelis_Turbo_1602%283%29.pdf; classtype:trojan-activity; sid:38258; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Locky variant outbound connection"; flow:to_server,established; http_method; content:"POST"; http_uri; content:"/main.php",fast_pattern,nocase; bufferlen:9; http_header; content:!"|0D 0A|Accept|2D|Language|3A|"; content:!"|0D 0A|Referer|3A|"; content:!"|0D 0A|Cookie|3A|"; http_raw_header; content:"Content-Length|3A 20|"; byte_test:10,>,95,0,relative,string,dec; byte_test:10,<,115,0,relative,string,dec; pkt_data; content:"Connection|3A 20|Keep-Alive|0D 0A|Cache-Control|3A 20|no-cache"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/33ab0605b83356e065459559bb81ec5e7464be563059fce607760517fedaf603/analysis/; classtype:trojan-activity; sid:38331; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Linux.Trojan.Bifrose outbound connection"; flow:to_server; content:"|9B 4F B0 75 E2 76 96 04 5A F1 F9 43 D4 A2 6B|",depth 15,offset 4; content:"|76 13 85 45 17 1B|",within 6,distance 1; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/0a0d7bed3c8aa0e0e87e484a37e62b0bd0e97981b0bea55f6f3607316831ba5d/analysis/; classtype:trojan-activity; sid:38333; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.NetWiredRC variant connection setup"; flow:to_server,established; content:"|43 00 00 00 05|",depth 5; isdataat:!79; metadata:impact_flag red,ruleset community; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:38353; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.NetWiredRC variant failed read logs"; flow:to_server,established; content:"|01 00 00 00 3C|",depth 5; isdataat:4; isdataat:!5; metadata:impact_flag red,ruleset community; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:38354; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive"; flow:to_server,established; content:"|01 00 00 00 01|",depth 5; isdataat:4; isdataat:!5; metadata:impact_flag red,ruleset community; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:38355; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.NetWiredRC variant send credentials"; flow:to_server,established; content:"|01 00 00 00 3D|",depth 5; isdataat:4; isdataat:!5; metadata:impact_flag red,ruleset community; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:38357; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.NetWiredRC variant send mail credentials"; flow:to_server,established; content:"|01 00 00 00 41|",depth 5; isdataat:!9; metadata:impact_flag red,ruleset community; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:38359; rev:3; )
alert tcp $EXTERNAL_NET 4043 -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Dridex certificate exchange"; flow:to_client,established; content:"|16 03|"; content:"|0B|",distance 3; content:"|55 04 07 0C 06|Lisbon"; content:"|55 04 0A 0C 10|Souppi Otiop SEM",distance 6; content:"|55 04 03 0C 0E|wthcethesmw.ph"; metadata:impact_flag red,ruleset community; service:ssl; reference:url,www.virustotal.com/en/file/f4bf52759270fa4fc4e5745d51dd8d73b49feae9de5bedfd8f4e0a865e8047c4/analysis/1459264179/; classtype:trojan-activity; sid:38378; rev:2; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Dridex file download attempt"; flow:to_client,established; file_data; content:"FeintedEscalator",fast_pattern,nocase; content:"InkingGrange"; metadata:impact_flag red,ruleset community; service:ftp-data,http,imap,pop3; reference:url,www.virustotal.com/en/file/f4bf52759270fa4fc4e5745d51dd8d73b49feae9de5bedfd8f4e0a865e8047c4/analysis/1459264179/; classtype:trojan-activity; sid:38379; rev:2; )
alert tcp $HOME_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-CNC Win.Trojan.Dridex file download attempt"; flow:to_server,established; file_data; content:"FeintedEscalator",fast_pattern,nocase; content:"InkingGrange"; metadata:impact_flag red,ruleset community; service:smtp; reference:url,www.virustotal.com/en/file/f4bf52759270fa4fc4e5745d51dd8d73b49feae9de5bedfd8f4e0a865e8047c4/analysis/1459264179/; classtype:trojan-activity; sid:38380; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 ( msg:"MALWARE-CNC Win.Trojan.FTPKeyLogger outbound connection"; flow:to_server,established; content:"USER obitex@benfoods.tk|0D 0A|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:ftp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/44f956d41f5aea97884f88f60c1e28dc246b4b7318a87b332367e7f0476ca8fc/analysis/1459279340/; classtype:trojan-activity; sid:38385; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 ( msg:"MALWARE-CNC Win.Trojan.FTPKeyLogger outbound connection"; flow:to_server,established; content:"PASS Goodman1986|0D 0A|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:ftp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/44f956d41f5aea97884f88f60c1e28dc246b4b7318a87b332367e7f0476ca8fc/analysis/1459279340/; classtype:trojan-activity; sid:38386; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 ( msg:"MALWARE-CNC Win.Trojan.FTPKeyLogger outbound connection"; flow:to_server,established; content:"STOR Screenshot from|3A 20|",fast_pattern; content:"|29|.png",within 80; metadata:impact_flag red,ruleset community; service:ftp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/44f956d41f5aea97884f88f60c1e28dc246b4b7318a87b332367e7f0476ca8fc/analysis/1459279340/; classtype:trojan-activity; sid:38387; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.FTPKeyLogger geolocation check"; flow:to_server,established; http_raw_uri; bufferlen:16; http_uri; content:"/geoip/geoip.php",fast_pattern,nocase; http_header; content:!"Accept"; content:!"User-Agent"; content:!"Referer"; metadata:impact_flag red,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/44f956d41f5aea97884f88f60c1e28dc246b4b7318a87b332367e7f0476ca8fc/analysis/1459279340/; classtype:trojan-activity; sid:38388; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Boaxxe variant outbound connection"; flow:to_server,established; content:"|7C 7C|CM01|7C|CM02|7C|CM03|7C|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/efd9036e675507da76cd0946408aedb814aff9da62d23de4f0680a4e7186a75c/analysis/1460471360/; classtype:trojan-activity; sid:38509; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.iSpySoft variant exfiltration attempt"; flow:to_server,established; http_raw_uri; bufferlen:11; http_method; content:"POST"; http_uri; content:"/api?upload",fast_pattern,nocase; http_header; content:"Expect|3A 20|"; content:!"User-Agent"; content:!"Accept"; content:!"Referer"; metadata:impact_flag red,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1020; reference:url,www.virustotal.com/en/file/146889acc9c4a5dbda2de339320159560567b14f846653df727284076f092e63/analysis/1460466642/; classtype:trojan-activity; sid:38510; rev:3; )
alert udp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.Sweeper outbound connection"; flow:to_server,no_stream; dsize:9; content:"hi00",fast_pattern,nocase; pcre:"/hi00[0-9]{5}/"; detection_filter:track by_src,count 1000,seconds 1; metadata:impact_flag red,ruleset community; reference:url,www.virustotal.com/en/file/38221267218184b17a78d8814d1bd06b12143be859488ae15ca0d754f32d60fc/analysis/1460472611/; classtype:trojan-activity; sid:38514; rev:4; )
alert udp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.Sweeper outbound connection"; flow:to_server,no_stream; dsize:24; content:"|39 64 30 33 66 65 66 35 30 30 62 39 30 30 34 36 32 37 31 31 30 33 32 35|",fast_pattern,nocase; detection_filter:track by_src,count 1000,seconds 1; metadata:impact_flag red,ruleset community; reference:url,www.virustotal.com/en/file/38221267218184b17a78d8814d1bd06b12143be859488ae15ca0d754f32d60fc/analysis/1460472611/; classtype:trojan-activity; sid:38515; rev:4; )
alert udp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.Sweeper outbound connection"; flow:to_server,no_stream; dsize:24; content:"|61 63 36 62 66 34 64 30 66 35 36 30 30 30 34 36 32 37 31 31 30 33 39 39|",fast_pattern,nocase; detection_filter:track by_src,count 1000,seconds 1; metadata:impact_flag red,ruleset community; reference:url,www.virustotal.com/en/file/38221267218184b17a78d8814d1bd06b12143be859488ae15ca0d754f32d60fc/analysis/1460472611/; classtype:trojan-activity; sid:38516; rev:4; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC binary download while video expected"; flow:to_client,established; http_header; content:"Content-Type|3A 20|video/quicktime|0D 0A 0D 0A|"; file_data; content:"MZ",within 2; byte_jump:4,58,relative,little; content:"PE|00 00|",within 4,distance -64; metadata:impact_flag red,ruleset community; service:ftp-data,http,imap,pop3; reference:url,www.virustotal.com/en/file/38221267218184b17a78d8814d1bd06b12143be859488ae15ca0d754f32d60fc/analysis/1460472611/; classtype:trojan-activity; sid:38517; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.GateKeylogger outbound connection"; flow:to_server,established; http_uri; content:"/News/gate.php",fast_pattern,nocase; http_header; content:"Connection|3A 20|Keep-Alive"; content:!"Accept"; content:!"Content-Type"; content:"User-Agent|3A 20|"; pcre:"/User-Agent\x3a\x20[A-F0-9]{32}\x0d\x0a/"; metadata:impact_flag red,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38557; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.GateKeylogger outbound connection"; flow:to_server,established; http_uri; content:"/News/gate.php",fast_pattern,nocase; http_client_body; content:"=",depth 4; http_header; content:"User-Agent|3A 20|"; pcre:"/User-Agent\x3a\x20[A-F0-9]{32}\x0d\x0a/"; metadata:impact_flag red,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38558; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.GateKeylogger outbound connection - keystorkes"; flow:to_server,established; http_uri; content:"/News/gate.php?",fast_pattern,nocase; http_client_body; content:"<br><br><b><big>"; http_uri; pcre:"/\/News\/gate\.php\x3f[a-f0-9]{32}\x3d\d/i"; metadata:impact_flag red,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38559; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.GateKeylogger outbound connection - screenshot"; flow:to_server,established; http_uri; content:"/News/gate.php?",fast_pattern,nocase; http_client_body; content:"JFIF"; http_uri; pcre:"/\/News\/gate\.php\x3f[a-f0-9]{32}\x3d\d/i"; metadata:impact_flag red,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38560; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.GateKeylogger plugins download attempt"; flow:to_server,established; content:".p HTTP/1.1",fast_pattern,nocase; http_uri; content:"/plugins/"; pcre:"/\/plugins\/[a-z]{3,10}\.p/i"; metadata:impact_flag red,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1056; reference:url,attack.mitre.org/techniques/T1176; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38561; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.GateKeylogger initial exfiltration attempt"; flow:to_server,established; content:"/gate.php",fast_pattern,nocase; http_client_body; content:"pc=",nocase; content:"&admin=",distance 0,nocase; content:"&os=",distance 0,nocase; content:"&hid=",distance 0,nocase; content:"&arc=",distance 0,nocase; http_header; content:"User-Agent|3A 20|"; pcre:"/User-Agent\x3a\x20[A-F0-9]{32}\x0d\x0a/"; metadata:impact_flag red,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1020; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38562; rev:4; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response"; flow:to_client,established; http_stat_code; content:"200"; http_stat_msg; content:"OK"; pkt_data; content:">404 Not Found<",fast_pattern,nocase; content:" requested URL / was not found "; metadata:impact_flag red,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38563; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.GateKeylogger keylog exfiltration attempt"; flow:to_server,established; http_uri; content:"/post.php?",fast_pattern,nocase; content:"pl="; content:"&education=",distance 0; metadata:impact_flag red,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1020; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38564; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Sweeper variant dropper initial download attempt"; flow:to_server,established; http_method; content:"HEAD"; pkt_data; content:".bin",fast_pattern,nocase; http_header; content:"User-Agent|3A 20|Microsoft BITS"; pkt_data; content:"Accept-Encoding|3A 20|identity|0D 0A|"; http_header; content:!"Content-Length"; http_uri; pcre:"/\/[a-f0-9]{32}\/\w+\.bin/"; metadata:impact_flag red,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1197; reference:url,www.virustotal.com/en/file/70e6df66c76700afef596e2dd7c956f4f476acca5b935b3f067084241638d182/analysis/1460636221/; classtype:trojan-activity; sid:38565; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Sweeper variant dropper download attempt"; flow:to_server,established; content:".bin",fast_pattern,nocase; http_header; content:"User-Agent|3A 20|Microsoft BITS"; pkt_data; content:"Accept-Encoding|3A 20|identity|0D 0A|"; http_header; content:"If-Unmodified-Since"; content:"Range"; http_uri; pcre:"/\/[a-f0-9]{32}\/\w+\.bin/"; metadata:impact_flag red,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1197; reference:url,www.virustotal.com/en/file/70e6df66c76700afef596e2dd7c956f4f476acca5b935b3f067084241638d182/analysis/1460636221/; classtype:trojan-activity; sid:38566; rev:3; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE RFT document malformed header"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|7B 5C|rtvpn",depth 7; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:cve,2015-1641; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033; classtype:attempted-user; sid:38580; rev:2; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE RFT document malformed header"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|7B 5C|rtvpn",depth 7; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:smtp; reference:cve,2015-1641; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033; classtype:attempted-user; sid:38581; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Backdoor.DFSCook variant JS dropper outbound connection"; flow:to_server,established; content:"/img/script.php?",fast_pattern,nocase; http_header; content:"Accept|3A 20|*/*|0D 0A|"; content:"UA-CPU|3A 20|"; content:!"Referer"; content:!"Accept-Language"; http_uri; pcre:"/\/img\/script\.php\x3f.*\.mov$/i"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/7a32e9d01e66f68461e410a29e38e147fb8a3d3695f1e55f4cf0d2ad789d5b2d/analysis/1460564508/; classtype:trojan-activity; sid:38584; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Backdoor.DFSCook variant outbound connection"; flow:to_server,established; http_uri; bufferlen:139<=>200; pkt_data; content:"/wp-includes.php?d=",fast_pattern,nocase; http_header; content:"Accept|3A 20|*/*|0D 0A|"; pkt_data; content:"Connection|3A 20|close|0D 0A|"; http_header; content:!"User-Agent"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/7a32e9d01e66f68461e410a29e38e147fb8a3d3695f1e55f4cf0d2ad789d5b2d/analysis/1460564508/; classtype:trojan-activity; sid:38585; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Backdoor.DFSCook variant outbound connection"; flow:to_server,established; http_uri; bufferlen:>180; content:"/api.php?d=",fast_pattern,nocase; http_header; content:"Accept|3A 20|*/*|0D 0A|"; content:"Connection|3A 20|close|0D 0A|"; content:!"User-Agent"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/7a32e9d01e66f68461e410a29e38e147fb8a3d3695f1e55f4cf0d2ad789d5b2d/analysis/1460564508/; classtype:trojan-activity; sid:38586; rev:3; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Backdoor.DFSCook variant temporary redirect attempt"; flow:to_client,established; http_stat_code; content:"307"; http_stat_msg; content:"Temporary Redirect"; pkt_data; content:"Set-Cookie|3A 20|DFSCOOK=",fast_pattern,nocase; content:"Location: "; content:"/api.php?d=",distance 0; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/7a32e9d01e66f68461e410a29e38e147fb8a3d3695f1e55f4cf0d2ad789d5b2d/analysis/1460564508/; classtype:trojan-activity; sid:38587; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Backdoor.DFSCook variant outbound connection"; flow:to_server,established; http_uri; bufferlen:>185; content:".php?d=",fast_pattern,nocase; http_header; content:"Accept|3A 20|*/*"; content:!"User-Agent"; pkt_data; content:!"Referer"; http_uri; pcre:"/\.php\x3fd=[A-F0-9]{174}/"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/7a32e9d01e66f68461e410a29e38e147fb8a3d3695f1e55f4cf0d2ad789d5b2d/analysis/1460564508/; classtype:trojan-activity; sid:38588; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"APP-DETECT Bloomberg web crawler outbound connection"; flow:to_server,established; http_header; content:"User-Agent: BLP_bbot",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,irwebreport.com/20110223/bloomberg-bot-strikes-again-transocean-earnings-leaked; classtype:misc-activity; gid:1; sid:38594; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.UP007 variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:10; http_uri; content:"/index.asp",fast_pattern,nocase; http_header; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B|)"; content:"Accept-Language|3A 20|en-us|0D 0A|"; http_client_body; content:"UP007"; metadata:impact_flag red,ruleset community; service:http; reference:url,citizenlab.org/2016/04/between-hong-kong-and-burma/; classtype:trojan-activity; sid:38603; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Qakbot variant network speed test"; flow:to_server,established; http_uri; content:"/random750x750.jpg?x=",fast_pattern,nocase; content:"&y="; http_header; content:"Accept|3A 20|application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*|0D 0A|"; content:"Cache-Control|3A 20|no-cache|0D 0A|"; content:!"Accept-"; content:!"Referer"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/1826dba769dad9898acd95d6bd026a0b55d0a093a267b481695494f3ab547088/analysis/1461598351/; classtype:trojan-activity; sid:38606; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Qakbot variant outbound connection"; flow:to_server,established; http_uri; bufferlen:30<=>35; http_cookie; content:"btst="; content:"snkz="; http_header; content:"Accept|3A 20|application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*|0D 0A|",fast_pattern,nocase; content:"Cache-Control|3A 20|no-cache|0D 0A|"; content:!"Connection"; content:!"Referer"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/1826dba769dad9898acd95d6bd026a0b55d0a093a267b481695494f3ab547088/analysis/1461598351/; classtype:trojan-activity; sid:38607; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.RockLoader variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:5; http_uri; content:"/api/",fast_pattern,nocase; http_header; content:"Content-Type|3A 20|octet-stream"; content:"Cache-Control|3A 20|no-cache|0D 0A|"; content:!"User-Agent"; content:!"Referer"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/d3cd3630b5709535f9bfa59c4ec75c8061262985919a43a175ec9d7e15c9419a/analysis/1461598531/; classtype:trojan-activity; sid:38608; rev:2; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Godzilla downloader successful base64 binary download"; flow:to_client,established; content:"GODZILLA=",fast_pattern,nocase; http_cookie; content:"GODZILLA="; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/f597634ff5e2623baff35d99bfdb2aac1725c9f49805b4903c13093c43172cb7/analysis/1461593386; classtype:trojan-activity; sid:38610; rev:2; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-COMPROMISE Content-Type text/plain containing Portable Executable data"; flow:to_client,established; http_header; content:"Content-Type|3A 20|text/plain"; file_data; content:"MZ",depth 2; byte_jump:4,58,relative,little; content:"PE|00 00|",within 4,distance -64; metadata:policy max-detect-ips drop,policy security-ips alert,ruleset community; service:ftp-data,http,imap,pop3; reference:url,www.virustotal.com/en/file/fc25709c4e05dbfbcc6ae0cf8a7c06e80156ae05179203021838259aeda9801a/analysis/1461600547/; classtype:trojan-activity; sid:38619; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Dridex certificate exchange"; flow:to_client,established; content:"|16 03|"; content:"|0B|",distance 3; content:"|55 04 07 0C 0B|Ouagadougou"; content:"|55 04 0A 0C 16|Tiongon Wledb A.M.B.A.",distance 6; content:"|55 04 03 0C 10|ina.themanyag.zm",distance 6; metadata:impact_flag red,ruleset community; service:ssl; reference:url,www.virustotal.com/en/file/fc25709c4e05dbfbcc6ae0cf8a7c06e80156ae05179203021838259aeda9801a/analysis/1461600547/; classtype:trojan-activity; sid:38620; rev:2; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Dridex certificate exchange"; flow:to_client,established; content:"|16 03|"; content:"|0B|",distance 3; content:"|55 04 07 0C 09|Bujumbura"; content:"|55 04 0A 0C 10|Wiqur Hitin ehf.",distance 6; content:"|55 04 03 0C 11|puppeitursilth.cz",distance 6; metadata:impact_flag red,ruleset community; service:ssl; reference:url,www.virustotal.com/en/file/fc25709c4e05dbfbcc6ae0cf8a7c06e80156ae05179203021838259aeda9801a/analysis/1461600547/; classtype:trojan-activity; sid:38621; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.Bayrob variant outbound connection"; flow:to_server,established; isdataat:7; isdataat:!8; content:"|4C 48 42 80 71 C2 A5 DF|",depth 8; metadata:impact_flag red,ruleset community; reference:url,www.virustotal.com/en/file/6b6b91cd104f4a6d32b5187131d9053911607672076e6ed26ed51369e5329cad/analysis/1462889491/; classtype:trojan-activity; sid:38886; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Locky JS dropper outbound connection"; flow:to_server,established; http_uri; content:"/log.php?",fast_pattern,nocase; http_header; content:"UA-CPU"; content:"Accept|3A 20|*/*"; content:!"Referer"; http_uri; pcre:"/\/log\.php\x3f[a-z]\x3d\d{3}/i"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/11180a0ff4576e0dbbe48d77ed717e72678520516ff13f523cad832d1b9fa9ac/analysis/1462906326/; classtype:trojan-activity; sid:38887; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Locky variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:13; pkt_data; content:"/userinfo.php",fast_pattern,nocase; http_header; content:"Cache-Control|3A 20|no-cache|0D 0A|"; content:"Content-Type|3A 20|application/x-www-form-urlencoded|0D 0A|"; content:!"Accept"; content:!"Referer"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/2d766d57bc549b3ac7b87b604e2103318eaf41b526086ffe0201d5778521c1b6/analysis/1462906540/; classtype:trojan-activity; sid:38888; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kirts exfiltration attempt"; flow:to_server,established; http_uri; content:".php?fname=Hawkeye_Keylogger",fast_pattern,nocase; content:"&data="; http_header; content:!"User-Agent"; content:!"Accept"; metadata:impact_flag red,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1020; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/f81128f3b9c0347f4ee5946ecf9a95a3d556e8e3a4742d01e5605f862e1d116d/analysis/1462888129/; classtype:trojan-activity; sid:38890; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] ( msg:"MALWARE-CNC Win.Trojan.Kirts initial registration"; flow:to_server,established; content:"Subject|3A 20|=?utf-8?B?SGF3a0V5ZSBMb2dnZXIg",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:smtp; reference:url,www.virustotal.com/en/file/f81128f3b9c0347f4ee5946ecf9a95a3d556e8e3a4742d01e5605f862e1d116d/analysis/1462888129/; classtype:trojan-activity; sid:38891; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.PassStealer passwords exfiltration attempt"; flow:to_server; file_data; content:"Passwords Recorded On ",fast_pattern; content:"Time of Recording:",within 20,distance 22; content:"IP Address",within 12,distance 15; metadata:impact_flag red,ruleset community; service:ftp; reference:url,attack.mitre.org/techniques/T1020; reference:url,virustotal.com/en/file/5780e8408c8d5c84d1fbe5c53eeb77832a6af54fd41fab7f720c89fc10989340/analysis/1463495191/; classtype:trojan-activity; sid:38950; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Win.Adware.OpenSoftwareUpdater variant outbound connection attempt"; flow:to_server,established; http_uri; content:"/installer.php?"; pkt_data; content:"CODE=",fast_pattern,nocase; http_uri; content:"UID="; content:"action="; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/829918eb3edb26deccd2d80c7ac8bc8ad58b4fb76a370c11731884b408a21a73/analysis/1463575824/; classtype:trojan-activity; sid:38951; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Win.Adware.OpenSoftwareUpdater variant outbound connection attempt"; flow:to_server,established; http_uri; content:"/optin.php?",fast_pattern,nocase; pkt_data; content:"f="; http_uri; content:"quant="; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/829918eb3edb26deccd2d80c7ac8bc8ad58b4fb76a370c11731884b408a21a73/analysis/1463575824/; classtype:trojan-activity; sid:38952; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Win.Adware.OpenSoftwareUpdater variant outbound connection attempt"; flow:to_server,established; http_uri; content:"/info.php?"; pkt_data; content:"quant=",fast_pattern,nocase; http_uri; content:"f="; content:"h="; content:"size="; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/829918eb3edb26deccd2d80c7ac8bc8ad58b4fb76a370c11731884b408a21a73/analysis/1463575824/; classtype:trojan-activity; sid:38953; rev:2; )
alert tcp any any -> any $HTTP_PORTS ( msg:"SQL use of sleep function in HTTP header - likely SQL injection attempt"; flow:to_server,established; http_header; content:"User-Agent|3A| "; content:"sleep(",fast_pattern,nocase; pcre:"/User-Agent\x3A\x20[^\r\n]*sleep\x28/i"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,blog.cloudflare.com/the-sleepy-user-agent/; classtype:web-application-attack; sid:38993; rev:9; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Sinrin initial JS dropper outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:<31; http_header; content:"Accept|3A 20|*/*|0D 0A|UA-CPU|3A 20|",fast_pattern,nocase; content:"Connection|3A 20|Keep-Alive|0D 0A|"; content:"Accept-Encoding|3A 20|gzip, deflate|0D 0A|"; content:!"Referer"; http_uri; pcre:"/\/[a-z0-9]{8,10}\x3f[A-Za-z]{7,10}\x3d[A-Za-z]{6,10}/"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/e0f8b6fd78c724b688f6467baf37f08c5ed198ea1b4224f31f50c8acbad49742/analysis/; classtype:trojan-activity; sid:39064; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.NetWiredRC variant connection setup"; flow:to_server,established; content:"|3B 00 00 00 05|",depth 5; isdataat:!64; metadata:impact_flag red,ruleset community; reference:url,www.virustotal.com/en/file/5db3b9ce06e334cb61279dd936a40be75df6732228bb692a7a84b1299eb09071/analysis/1464362377/; classtype:trojan-activity; sid:39080; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.LuminosityLink RAT variant outbound connection"; flow:to_server,established; content:"=P4CK3T=",depth 32; content:"8_=_8"; metadata:impact_flag red,ruleset community; reference:url,virustotal.com/en/file/0a6ee066b27f5f8dfeedb8e5f19659e47b70296a49a627e2ce9d3d9456287051/analysis/; classtype:trojan-activity; sid:39106; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.LuminosityLink RAT variant inbound connection"; flow:to_client,established; content:"=P4CK3T=",depth 32; content:"8_=_8"; metadata:impact_flag red,ruleset community; reference:url,virustotal.com/en/file/0a6ee066b27f5f8dfeedb8e5f19659e47b70296a49a627e2ce9d3d9456287051/analysis/; classtype:trojan-activity; sid:39107; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"MALWARE-CNC Win.Backdoor.JRat inbound self-signed SSL certificate"; flow:to_client,established; content:"|16 03 01|"; content:"|02|",distance 2; content:"|03 01|",distance 3; content:"|55 04 06 13 02|FR"; content:"|55 04 0A 13 0C|assylias.Inc",distance 6; content:"|55 04 03 13 08|assylias",distance 6; metadata:impact_flag red,ruleset community; service:ssl; reference:url,www.virustotal.com/en/file/45e8df88b177cec3972f36284290eab652fb21806ef7e9575be853fb30528f28/analysis/; classtype:trojan-activity; sid:39159; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"MALWARE-CNC Win.Backdoor.JRat inbound self-signed SSL certificate"; flow:to_client,established; content:"|16 03 01|"; content:"|02|",distance 2; content:"|03 01|",distance 3; content:"|55 04 06 13 02|US"; content:"|55 04 08 13 0A|California",distance 6; content:"|55 04 07 13 0E|Redwood Shores",distance 6; content:"|55 04 0A 13 14|Oracle America, Inc.",distance 6; content:"|55 04 0B 13 13|Code Signing Bureau",distance 6; content:"|55 04 03 13 14|Oracle America, Inc.",distance 6; metadata:impact_flag red,ruleset community; service:ssl; reference:url,www.virustotal.com/en/file/9d54565f8fb7cf50df11bf9745f7efd04a49abb03e85a3aafbf9a5b5fcd065c9/analysis/; classtype:trojan-activity; sid:39160; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Dridex self-signed certificate exchange"; flow:to_client,established; content:"|16 03|"; content:"|59|",distance 3; content:"|55 04 06 13 02|BN"; content:"|55 04 07 0C 13|Bandar Seri Begawan",distance 6; content:"|55 04 0A 0C 12|Cowchi Aromep LTD.",distance 6; content:"|55 04 03 0C 17|tsre131.eollaieefi.jprs",distance 6; metadata:impact_flag red,ruleset community; service:ssl; reference:url,www.virustotal.com/en/file/6467418eea0564f77c66844e30a17c8561089f2b8301a7d306a71a34e4fef693/analysis/; classtype:trojan-activity; sid:39163; rev:2; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Dridex self-signed certificate exchange"; flow:to_client,established; content:"|16 03|"; content:"|59|",distance 3; content:"|55 04 06 13 02|PW"; content:"|55 04 07 0C 08|Melekeok",distance 6; content:"|55 04 0A 0C 0E|Merwh Whena NL",distance 6; content:"|55 04 03 0C 16|pepa634.omeewengreq.mz",distance 6; metadata:impact_flag red,ruleset community; service:ssl; reference:url,www.virustotal.com/en/file/6467418eea0564f77c66844e30a17c8561089f2b8301a7d306a71a34e4fef693/analysis/; classtype:trojan-activity; sid:39164; rev:2; )
alert tcp $HOME_NET any -> $SMTP_SERVERS [25,587] ( msg:"MALWARE-CNC Win.Trojan.iSpy variant initial outbound connection"; flow:to_server,established; content:"=0D=0A=0D=0A",fast_pattern,nocase; content:"iSpy Keylogger"; content:"Computer Information"; content:"Username:",within 30; content:"Installed",within 50; metadata:impact_flag red,ruleset community; service:smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/f4e902c1c2647e79167262bf948fe41368bab4d3876255eb3d9edb5ae02097b7/analysis/; classtype:trojan-activity; sid:39409; rev:3; )
alert tcp $HOME_NET any -> $SMTP_SERVERS [25,587] ( msg:"MALWARE-CNC Win.Trojan.iSpy variant exfiltration outbound connection"; flow:to_server,established; content:"=0D=0A",fast_pattern,nocase; content:"iSpy Keylogger"; content:"=0D=0ABrowser"; content:"=0D=0AWebsite",within 70; content:"=0D=0AUsername",within 70; content:"=0D=0APassword",within 70; metadata:impact_flag red,ruleset community; service:smtp; reference:url,attack.mitre.org/techniques/T1020; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/f4e902c1c2647e79167262bf948fe41368bab4d3876255eb3d9edb5ae02097b7/analysis/; classtype:trojan-activity; sid:39410; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Qbot variant outbound connection"; flow:to_server,established; http_uri; content:"zwlviewforumogaf.php",fast_pattern,nocase; http_header; content:"Host|3A| a.topgunnphoto.com"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/020356457e95f7607c1941e03294b4c16e23daa402d7e79cfd2ba91b23969480/analysis/1463667519/; classtype:trojan-activity; sid:39411; rev:2; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE RTF document incorrect file magic attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|7B 5C|rt|0D 3C|",depth 6; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:cve,2015-1641; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033; classtype:attempted-user; sid:39526; rev:2; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE RTF document incorrect file magic attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|7B 5C|rt|0D 3C|",depth 6; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:smtp; reference:cve,2015-1641; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033; classtype:attempted-user; sid:39527; rev:2; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-OFFICE Microsoft Office RTF WRAssembly ASLR bypass download attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"WRAssembly",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:cve,2015-1641; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033; classtype:attempted-user; sid:39528; rev:4; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-OFFICE Microsoft Office RTF WRAssembly ASLR bypass download attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"WRAssembly",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:smtp; reference:cve,2015-1641; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033; classtype:attempted-user; sid:39529; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection"; flow:to_server,established; isdataat:11; isdataat:!12; content:"|08 00 00 00 27 C7 CC 6B C2 FD 13 0E|",depth 12; metadata:impact_flag red,ruleset community; reference:url,www.virustotal.com/en/file/d74fcf6b8f2f1c3a1ed742feb3f323f7826e9fc79a3d642082cee46770a4697a/analysis/1461003042/; classtype:trojan-activity; sid:39573; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection"; flow:to_server,established; isdataat:11; isdataat:!12; content:"|08 00 00 00 D7 75 FF F7 C7 62 B9 82|",depth 12; metadata:impact_flag red,ruleset community; reference:url,www.virustotal.com/en/file/d74fcf6b8f2f1c3a1ed742feb3f323f7826e9fc79a3d642082cee46770a4697a/analysis/1461003042/; classtype:trojan-activity; sid:39574; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET [9000:] ( msg:"MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection"; flow:to_server,established; isdataat:67; isdataat:!68; content:"|40 00 00 00|",depth 4; byte_test:1,>,2,0,relative; content:!"|0A|",within 1,distance 1; metadata:impact_flag red,ruleset community; reference:url,www.virustotal.com/en/file/d74fcf6b8f2f1c3a1ed742feb3f323f7826e9fc79a3d642082cee46770a4697a/analysis/1461003042/; classtype:trojan-activity; sid:39575; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET [9000:] ( msg:"MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection"; flow:to_server,established; isdataat:35; isdataat:!36; content:"|20 00 00 00 AD|",depth 5; metadata:impact_flag red,ruleset community; reference:url,www.virustotal.com/en/file/d74fcf6b8f2f1c3a1ed742feb3f323f7826e9fc79a3d642082cee46770a4697a/analysis/1461003042/; classtype:trojan-activity; sid:39576; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection"; flow:to_server,established; isdataat:11; isdataat:!12; content:"|08 00 00 00 86 CC 02 89 8F F7 A6 67|",depth 12; metadata:impact_flag red,ruleset community; reference:url,www.virustotal.com/en/file/0a19499dec07ca2ade3aefdf910e13231d63d7a2e238776272b4fffd0ff3a527/analysis/1467727738/; classtype:trojan-activity; sid:39577; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"MALWARE-CNC Win.Backdoor.NanoBot variant inbound connection"; flow:to_client,established; isdataat:35; isdataat:!36; content:"|20 00 00 00 FE A5 0D 55 BB 10 A4 09 7A D9 86 FF 6C 81 E6 97 7C 91 BC DA EE 89 08 2A|",depth 28; metadata:impact_flag red,ruleset community; reference:url,www.virustotal.com/en/file/0a19499dec07ca2ade3aefdf910e13231d63d7a2e238776272b4fffd0ff3a527/analysis/1467727738/; classtype:trojan-activity; sid:39578; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection"; flow:to_server,established; isdataat:59; isdataat:!60; content:"|38 00 00 00 FE A5 0D 55 BB 10 A4 09 7A D9 86 FF 6C 81 E6 97 7C 91 BC DA EE 89 08 2A|",depth 28; metadata:impact_flag red,ruleset community; reference:url,www.virustotal.com/en/file/0a19499dec07ca2ade3aefdf910e13231d63d7a2e238776272b4fffd0ff3a527/analysis/1467727738/; classtype:trojan-activity; sid:39579; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection"; flow:to_server,established; isdataat:67; isdataat:!68; content:"|40 00 00 00 FE A5 0D 55 BB 10 A4 09 7A D9 86 FF 6C 81 E6 97 7C 91 BC DA EE 89 08 2A|",depth 28; metadata:impact_flag red,ruleset community; reference:url,www.virustotal.com/en/file/0a19499dec07ca2ade3aefdf910e13231d63d7a2e238776272b4fffd0ff3a527/analysis/1467727738/; classtype:trojan-activity; sid:39580; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.NanoBot/Perseus initial outbound connection"; flow:to_server,established; isdataat:59; isdataat:!60; content:"|38 00 00 00 F5 13 89 53|",depth 8; metadata:impact_flag red,ruleset community; reference:url,www.virustotal.com/en/file/4b16d1e205f198222bd2b2bb8dbd55886a9e2b79de484eec0d8cce5db376d3c8/analysis/; classtype:trojan-activity; sid:39581; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.NanoBot/Perseus server heartbeat request attempt"; flow:to_client,established; isdataat:35; isdataat:!36; content:"|20 00 00 00 2B FF 4B F4|",depth 8; metadata:impact_flag red,ruleset community; reference:url,www.virustotal.com/en/file/4b16d1e205f198222bd2b2bb8dbd55886a9e2b79de484eec0d8cce5db376d3c8/analysis/; classtype:trojan-activity; sid:39582; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.NanoBot/Perseus client heartbeat response attempt"; flow:to_server,established; isdataat:51; isdataat:!52; content:"|30 00 00 00 2B FF 4B F4|",depth 8; metadata:impact_flag red,ruleset community; reference:url,www.virustotal.com/en/file/4b16d1e205f198222bd2b2bb8dbd55886a9e2b79de484eec0d8cce5db376d3c8/analysis/; classtype:trojan-activity; sid:39583; rev:3; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Zeus variant inbound connection"; flow:to_client,established; http_header; content:"attachment|3B|"; content:"filename="; content:"/us.xml",within 20,fast_pattern; content:"Content-Type|3A 20|application/octet-stream|0D 0A|"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/292c12a4c9cf8724c7bfa9ec73e1b703bd51720ea18cd4528e9be516d05b5628/analysis/1468961317/; classtype:trojan-activity; sid:39705; rev:4; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-COMPROMISE Content-Type image containing Portable Executable data"; flow:to_client,established; http_header; content:"Content-Type|3A 20|image/",fast_pattern,nocase; file_data; content:"MZ",depth 2; byte_jump:4,58,relative,little; content:"PE|00 00|",within 4,distance -64; metadata:policy max-detect-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:url,www.virustotal.com/en/file/2dc752d12baa8c8441b82dd52abfd51c25abd28ba42344b22869ba7ae5a9a877/analysis/1469197722/; classtype:trojan-activity; sid:39729; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP HttpOxy CGI application vulnerability potential man-in-the-middle attempt"; flow:to_server,established; http_header; content:"|0A|Proxy|3A|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2016-5385; reference:cve,2016-5386; reference:cve,2016-5387; reference:cve,2016-5388; reference:url,httpoxy.org; classtype:web-application-attack; sid:39737; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Trans variant outbound connection"; flow:to_server,established; http_uri; content:"/site/images/banners/casecor21.gif",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/a4c1234bb748f9bcabeb9ab990614fd4c1035135c5f5068fd42bace4b75fff0e/analysis/; classtype:trojan-activity; sid:39738; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Hancitor variant outbound connection"; flow:to_server,established; http_uri; content:"/gate.php",fast_pattern,nocase; http_client_body; content:"GUID=",depth 122; content:"BUILD=",depth 122; content:"INFO=",depth 122; content:"IP=",depth 122; content:"TYPE=",depth 122; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/5ec4ba1a97500e664af6896f4c02846ca6777e671bb600103dc8d49224e38f48/analysis/1469201551/; classtype:trojan-activity; sid:39800; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 900 ( msg:"MALWARE-CNC Win.Trojan.Spyrat variant outbound connection"; flow:to_server,established; content:"myversion|7C|2.5.2.",depth 19; metadata:impact_flag red,ruleset community; reference:url,www.virustotal.com/en/file/e64f536556739d50a673a952da7f110f1156fad0f7360d401794e5a8d65ce63a/analysis/; classtype:trojan-activity; sid:39801; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 ( msg:"FILE-OFFICE Microsoft Windows RTF file with embedded object package SMTP upload attempt"; flow:to_server,established; file_data; content:"{|5C|rt",nocase; content:"{|5C|object|5C|objemb{|5C|*|5C|objclass Package}",distance 0,nocase; flowbits:set,file.rtf.embed; metadata:policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; reference:url,en.wikipedia.org/wiki/Rich_Text_Format; classtype:misc-activity; sid:39903; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] ( msg:"MALWARE-CNC Win.Trojan.HawkEye keylogger exfiltration attempt"; flow:to_server,established; content:"Subject: HawkEye Keylogger |7C|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:smtp; reference:url,attack.mitre.org/techniques/T1020; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/f4499928a6fee5d37fb711ed6d68708bf116cfc7f284d3295dd30ded7ecf64b2/analysis/; classtype:trojan-activity; sid:39911; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Locky variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:14; http_uri; content:"/data/info.php",fast_pattern,nocase; http_header; content:"x-requested-with: XMLHttpRequest"; content:"Referer|3A| http|3A|"; content:"/data",within 25; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/f29ce76169727ff5a43ef7baa5c4e04f7d3302189e3d2a31cfc9dec39e84ad03/analysis/; classtype:trojan-activity; sid:40011; rev:3; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox about field spoofing attempt"; flow:to_client,established; file_data; content:"about:",fast_pattern,nocase; content:"?",within 15; content:"<",within 100; content:"location",nocase; pcre:"/\babout:[a-z]+?\?[^\n]+?\</i"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2016-5268; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=1253673; reference:url,www.mozilla.org/en-US/security/advisories/mfsa2016-83/; classtype:attempted-user; sid:40015; rev:2; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY XLSB file magic detected"; flow:to_client,established; file_data; content:"PK|03 04|",depth 4; flowbits:set,file.zip; flowbits:set,file.xlsb; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:ftp-data,http,imap,pop3; classtype:misc-activity; sid:40035; rev:10; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY XLSB file magic detected"; flow:to_server,established; file_data; content:"PK|03 04|",depth 4; flowbits:set,file.zip; flowbits:set,file.xlsb; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:40036; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"OS-LINUX Linux Kernel Challenge ACK provocation attempt"; flow:to_server,no_stream; flags:R; detection_filter:track by_src,count 200,seconds 1; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,91704; reference:cve,2016-5696; reference:cve,2017-7285; classtype:attempted-admin; sid:40063; rev:5; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"EXPLOIT-KIT Phoenix Exploit Kit inbound geoip.php bdr exploit attempt"; flow:to_server,established; http_uri; content:"/geoip.php?bdr=",fast_pattern,nocase; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/phoenix_exec.rb; classtype:web-application-activity; sid:40184; rev:2; )
alert udp $HOME_NET [500,848,4500,4848] -> $EXTERNAL_NET any ( msg:"SERVER-OTHER Cisco IOS Group-Prime memory disclosure exfiltration attempt"; flow:to_client; dsize:>2000; content:"|0B 10 05 00|",depth 8,offset 16; byte_test:4,>,2000,4,relative; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:cve,2016-6415; reference:url,attack.mitre.org/techniques/T1020; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1; classtype:attempted-recon; sid:40220; rev:6; )
alert udp $EXTERNAL_NET any -> $HOME_NET [500,848,4500,4848] ( msg:"SERVER-OTHER Cisco IOS Group-Prime MD5 memory disclosure attempt"; flow:to_server; dsize:>2000; content:"|00 00 00 00 00 00 00 00|",depth 8,offset 8; content:"|00 00 00 01 00 00 00 01|",depth 8,offset 32; content:"|01 01 04 01|",within 4,distance 4; content:"|80 02 00 01 80 04 00 01 00 06|",distance 0,fast_pattern; byte_test:2,>,2000,0,relative; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:cve,2016-6415; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1; classtype:attempted-recon; sid:40221; rev:5; )
alert udp $EXTERNAL_NET any -> $HOME_NET [500,848,4500,4848] ( msg:"SERVER-OTHER Cisco IOS Group-Prime SHA memory disclosure attempt"; flow:to_server; dsize:>2000; content:"|00 00 00 00 00 00 00 00|",depth 8,offset 8; content:"|00 00 00 01 00 00 00 01|",depth 8,offset 32; content:"|01 01 04 01|",within 4,distance 4; content:"|80 02 00 02 80 04 00 01 00 06|",distance 0,fast_pattern; byte_test:2,>,2000,0,relative; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:cve,2016-6415; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1; classtype:attempted-recon; sid:40222; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Perseus"; flow:to_server,established; http_header; content:"User-Agent|3A| bUQ8QmvUpI57udWFxQHPkuyKDfc3T8u5",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/e88709501e6c8923c7c9bf112f7a824f241f86b001dd824eb12a4284778c8137/analysis/; classtype:trojan-activity; sid:40251; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Perseus variant outbound connection"; flow:to_server,established; http_client_body; content:"mashine=",fast_pattern,nocase; content:"publickey="; content:"user="; content:"os="; content:"processor="; content:"mac="; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/e88709501e6c8923c7c9bf112f7a824f241f86b001dd824eb12a4284778c8137/analysis/; classtype:trojan-activity; sid:40252; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Osx.Trojan.Keydnap variant initial backdoor download attempt"; flow:to_server,established; http_uri; content:"/icloudsyncd",fast_pattern,nocase; http_header; content:"Accept|3A 20|*/*"; content:!"User-Agent|3A 20|"; metadata:impact_flag red,ruleset community; service:http; reference:url,blog.malwarebytes.com/cybercrime/2016/07/mac-malware-osx-keydnap-steals-keychain/; reference:url,www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/; classtype:trojan-activity; sid:40260; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Satana ransomware outbound connection"; flow:to_server,established; http_uri; content:"/add.php",fast_pattern,nocase; http_client_body; content:"id="; content:"code="; content:"sdata="; content:"name="; content:"md5="; content:"dlen="; http_header; content:!"Connection"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96/analysis/1477327210/; classtype:trojan-activity; sid:40541; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.CryPy ransomware variant outbound connection"; flow:to_server,established; http_uri; content:"/victim.php?info=",fast_pattern,nocase; content:"&ip="; content:"info="; http_header; content:"User-Agent|3A 20|Python-urllib/"; content:!"Accept"; content:!"Connection"; content:!"Referer"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/de6da70478e7f84cd06ace1a0934cc9d5732f35aa20e960dc121fd8cf2388d6e/analysis/1477329470/; classtype:trojan-activity; sid:40549; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Dexter Banker variant second stage download attempt"; flow:to_server,established; http_uri; content:"/images/",fast_pattern,nocase; content:".rar"; http_header; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| Synapse)|0D 0A|"; content:!"Accept"; content:!"Referer"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/25657a5b4e65add11d42c59aa854834977ddb3fe969f10efa2fa637b0329b3bb/analysis/1477407128/; classtype:trojan-activity; sid:40550; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Dexter Banker variant successful installation report attempt"; flow:to_server,established; http_uri; content:"/LetsGo.php?A=",fast_pattern,nocase; content:"Sytem="; content:"qual="; http_header; content:!"Accept"; content:!"referer"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/25657a5b4e65add11d42c59aa854834977ddb3fe969f10efa2fa637b0329b3bb/analysis/1477407128/; classtype:trojan-activity; sid:40551; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.iSpy variant outbound connection"; flow:to_server,established; http_uri; content:"iSpyKelogger",fast_pattern,nocase; http_client_body; content:"gate="; content:"token=",distance 0; content:"name=",distance 0; http_header; content:!"User-Agent"; content:!"Connection"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/11e611585bfb6ff1f823e3c035ef6cfae39dfe2209e15ed01a8db8b3f9526519/analysis/1477417828/; classtype:trojan-activity; sid:40559; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"MALWARE-CNC Android.Trojan.SpyNote RAT variant inbound connection"; flow:to_client,established; content:"Server Prent <please>|0D 0A|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; reference:url,www.virustotal.com/en/file/14eb51b26fa4932fc660daf7e803600bf29a8a46fe3f1d652194bc48e9617bd9/analysis/1478720273/; classtype:trojan-activity; sid:40762; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Android.Trojan.SpyNote RAT variant getSMS command response"; flow:to_server,established; content:"|7C|ge|7C|t|7C|SM|7C|S|7C|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; reference:url,www.virustotal.com/en/file/14eb51b26fa4932fc660daf7e803600bf29a8a46fe3f1d652194bc48e9617bd9/analysis/1478720273/; classtype:trojan-activity; sid:40763; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Android.Trojan.SpyNote RAT variant getContacts command response"; flow:to_server,established; content:"send|7C|G|7C 7C|Cont|7C|acts|7C|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; reference:url,www.virustotal.com/en/file/14eb51b26fa4932fc660daf7e803600bf29a8a46fe3f1d652194bc48e9617bd9/analysis/1478720273/; classtype:trojan-activity; sid:40764; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Locky variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:12; http_uri; content:"/message.php",fast_pattern,nocase; http_header; content:"x-requested-with|3A 20|XMLHttpRequest|0D 0A|"; content:"Referer|3A 20|"; content:"Accept|3A 20|*/*|0D 0A|Accept-Language|3A 20|en-us|0D 0A|"; content:"Cache-Control|3A 20|no-cache|0D 0A|"; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/ab082d6047fb73b9de7ebc59fb12fa1f8c2d547949d4add3b7a573d48172889b/analysis/1479147777/; classtype:trojan-activity; sid:40816; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE MindSpark framework installer attempt"; flow:to_server,established; http_header; content:"User-Agent|3A 20|Mindspark MIP ",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/9f2cc1688bee96849ced91ade04d4d51e6fd18fa47ab1dc2c12a029aa672f7ce/analysis/; classtype:trojan-activity; sid:40827; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Backdoor.Houdini variant initial outbound connection"; flow:to_server,established; content:"new_houdini|0D 0A|",depth 13,offset 4; metadata:impact_flag red,ruleset community; classtype:trojan-activity; sid:40831; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"MALWARE-CNC Win.Backdoor.Houdini variant keylogger inbound init command attempt"; flow:to_client,established; isdataat:22; isdataat:!23; content:"silence_keylogger|0D 0A|",depth 19,offset 4; metadata:impact_flag red,ruleset community; reference:url,attack.mitre.org/techniques/T1056; classtype:trojan-activity; sid:40832; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"MALWARE-CNC Win.Backdoor.Houdini variant screenshot inbound init command attempt"; flow:to_client; content:"screenshot_init|0D 0A|",depth 17,offset 4; metadata:impact_flag red,ruleset community; classtype:trojan-activity; sid:40833; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"MALWARE-CNC Win.Backdoor.Houdini variant screenshot inbound silence command attempt"; flow:to_client; isdataat:23; isdataat:!24; content:"silence_screenshot|0D 0A|",depth 20,offset 4; metadata:impact_flag red,ruleset community; classtype:trojan-activity; sid:40834; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"MALWARE-CNC Win.Backdoor.Houdini variant screen_thumb inbound init command attempt"; flow:to_client,established; content:"screen_thumb|0D 0A|",depth 14,offset 4; metadata:impact_flag red,ruleset community; classtype:trojan-activity; sid:40835; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"MALWARE-CNC Win.Backdoor.Houdini variant file enumeration inbound init/root/faf command attempt"; flow:to_client,established; isdataat:22; isdataat:!23; content:"file_manager_",depth 13,offset 4; pcre:"/file_manager_(init|root|faf)\x0d\x0a/"; metadata:impact_flag red,ruleset community; classtype:trojan-activity; sid:40836; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Sokuxuan outbound connection attempt"; flow:to_server,established; http_uri; content:"/UpgSvr/",fast_pattern,nocase; content:".xml"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/f35b65743142090ecf031731cb0bd77b15055e36dcdaa7a4ab09c5b2add13d15/analysis/1479759162/; classtype:trojan-activity; sid:40839; rev:2; )
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: ( msg:"PUA-OTHER Bitcoin Mining subscribe Stratum protocol client request attempt"; flow:to_server,established; content:"|7B 22|id|22 3A|"; content:"|22|method|22 3A 22|mining.subscribe|22|"; content:"|22|params|22 3A|",distance 1; metadata:policy max-detect-ips drop,ruleset community; reference:url,www.virustotal.com/en/file/f35b65743142090ecf031731cb0bd77b15055e36dcdaa7a4ab09c5b2add13d15/analysis/1479759162/; classtype:policy-violation; sid:40840; rev:2; )
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: ( msg:"PUA-OTHER Bitcoin Mining authorize Stratum protocol client request attempt"; flow:to_server,established; content:"|7B 22|id|22 3A|"; content:"|22|method|22 3A 22|mining.authorize|22|"; content:"|22|params|22 3A|",distance 1; metadata:policy max-detect-ips drop,ruleset community; reference:url,www.virustotal.com/en/file/f35b65743142090ecf031731cb0bd77b15055e36dcdaa7a4ab09c5b2add13d15/analysis/1479759162/; classtype:policy-violation; sid:40841; rev:2; )
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: ( msg:"PUA-OTHER Bitcoin Mining extranonce Stratum protocol subscribe client request attempt"; flow:to_server,established; content:"|7B 22|id|22 3A|"; content:"|22|method|22 3A 22|mining.extranonce.subscribe|22|"; content:"|22|params|22 3A|",distance 1; metadata:policy max-detect-ips drop,ruleset community; reference:url,www.virustotal.com/en/file/f35b65743142090ecf031731cb0bd77b15055e36dcdaa7a4ab09c5b2add13d15/analysis/1479759162/; classtype:policy-violation; sid:40842; rev:2; )
alert udp $EXTERNAL_NET any -> $HOME_NET 1040 ( msg:"PROTOCOL-OTHER TP-Link TDDP SET_CONFIG type buffer overflow attempt"; flow:to_server; dsize:>336; content:"|01 01 00|",depth 3; byte_test:4,>=,0x0264,4,big; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:url,www.coresecurity.com/advisories/tp-link-tddp-multiple-vulnerabilities; classtype:attempted-user; sid:40866; rev:3; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox ESR NotifyTimeChange use after free attempt"; flow:to_client,established; file_data; content:".createElementNS"; content:"svg",within 10; content:".setAttribute"; content:"begin",within 15; content:".setAttribute",distance 0; content:"end",within 10; content:".end",within 20; content:".setAttribute",distance 0; content:"end",within 10; content:".end",within 20; content:".pauseAnimations",fast_pattern,nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2016-9079; reference:url,www.mozilla.org/en-US/security/advisories/mfsa2016-92/; classtype:attempted-user; sid:40888; rev:3; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"BROWSER-FIREFOX Mozilla Firefox ESR NotifyTimeChange use after free attempt"; flow:to_client,established; file_data; content:".pauseAnimations",fast_pattern,nocase; content:"svg",nocase; content:"animate",nocase; content:"begin",within 50,nocase; content:"end",within 50,nocase; content:".end",within 30,nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2016-9079; reference:url,www.mozilla.org/en-US/security/advisories/mfsa2016-92/; classtype:attempted-user; sid:40896; rev:3; )
alert udp $EXTERNAL_NET any -> $HOME_NET 1040 ( msg:"PROTOCOL-OTHER TP-Link TDDP Get_config configuration leak attempt"; flow:to_server; content:"|01 02 00|",depth 3; content:"|00 00|",within 2,distance 7; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:url,www.coresecurity.com/advisories/tp-link-tddp-multiple-vulnerabilities; classtype:attempted-recon; sid:40907; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Rootkit.Sednit variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:11; http_uri; content:"/search.php",fast_pattern,nocase; http_client_body; content:"as_ft="; content:"as_q="; metadata:impact_flag red,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1014; reference:url,virustotal.com/en/file/471fbdc52b501dfe6275a32f89a8a6b02a2aa9a0e70937f5de610b4185334668/analysis/1480953133/; classtype:trojan-activity; sid:40911; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 31337 ( msg:"MALWARE-CNC Linux.DDoS.D93 outbound connection"; flow:to_server; content:"|4E 0F 42 07 27|",depth 5; isdataat:24; isdataat:!25; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/2c017c94d9f40cba9a20e92c7c636e98de15c599bf004fa06508d701ab9e3068/analysis/; classtype:trojan-activity; sid:40991; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Netgear WNR2000 authentication bypass attempt"; flow:to_server,established; http_uri; content:"/apply_noauth.cgi",depth 17,nocase; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2016-10176; reference:url,seclists.org/fulldisclosure/2016/Dec/72; classtype:attempted-admin; sid:41095; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Netgear WNR2000 hidden_lang_avi stack buffer overflow attempt"; flow:to_server,established; http_uri; content:"/lang_check",nocase; http_client_body; content:"hidden_lang_avi=",nocase; isdataat:36,relative; content:!"&",within 36; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2016-10174; reference:url,seclists.org/fulldisclosure/2016/Dec/72; classtype:attempted-admin; sid:41096; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Locky variant outbound connection"; flow:to_server,established; http_uri; content:"/admin.php?f=",fast_pattern,nocase; http_header; content:"UA-CPU|3A 20|"; content:"MSIE 7.0|3B|"; content:"Accept|3A 20|*/*"; content:!"Accept-Language"; content:!"Referer"; metadata:impact_flag red,ruleset community; service:http; reference:url,virustotal.com/en/file/b9cf176ddb51fa60c7512cdbafc5a598929ac3d0b3d0443a80a7f33259aa70f2/analysis/1484673198/; classtype:trojan-activity; sid:41334; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Locky variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:12; http_uri; content:"/checkupdate",fast_pattern,nocase; http_header; content:"x-requested-with|3A 20|"; content:"Referer"; http_client_body; content:"=",depth 15; content:"%",within 2; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,virustotal.com/en/file/b9cf176ddb51fa60c7512cdbafc5a598929ac3d0b3d0443a80a7f33259aa70f2/analysis/1484673198/; classtype:trojan-activity; sid:41335; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Andr.Trojan.Sysch variant outbound connection"; flow:to_server,established; http_header; content:"time|3A 20|",fast_pattern,nocase; content:"User-Agent|3A 20|HttpEngine"; http_uri; content:".do"; pcre:"/\.(do|jar)$/im"; metadata:impact_flag red,ruleset community; service:http; reference:url,virustotal.com/en/file/5a0bb7bba9153801fa88ef1bedfad564d95d2d61a23de8cb87af8b589207277f/analysis/1484684079/; reference:url,virustotal.com/en/file/82da35ab3b0a47fe8de8b0cc24d53711e17960f5887a16769e76650d9556b399/analysis/1484684069/; classtype:trojan-activity; sid:41336; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Andr.Trojan.Sysch variant outbound connection"; flow:to_server,established; http_header; content:"GZIPOK|3A 20|",fast_pattern,nocase; content:"CompGZ|3A 20|"; content:"ReqType|3A 20|"; http_uri; content:".do"; http_header; content:!"Accept"; content:!"Referer"; metadata:impact_flag red,ruleset community; service:http; reference:url,virustotal.com/en/file/5a0bb7bba9153801fa88ef1bedfad564d95d2d61a23de8cb87af8b589207277f/analysis/1484684079/; reference:url,virustotal.com/en/file/82da35ab3b0a47fe8de8b0cc24d53711e17960f5887a16769e76650d9556b399/analysis/1484684069/; classtype:trojan-activity; sid:41337; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Western Digital MyCloud command injection attempt"; flow:to_server,established; http_uri; content:"/web/google_analytics.php",fast_pattern,nocase; content:"cmd=set",nocase; content:"arg=",nocase; http_cookie; content:"isAdmin=1",nocase; content:"username=admin",nocase; content:"local_login=1",nocase; http_uri; pcre:"/[?&]arg=[^&]*?([\x60\x3b\x7c]|\x24\x28)/i"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2016-10108; classtype:web-application-attack; sid:41346; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Western Digital MyCloud command injection attempt"; flow:to_server,established; http_uri; content:"/web/google_analytics.php",fast_pattern,nocase; http_raw_uri; content:"cmd=set",nocase; content:"arg=",nocase; content:"%26",distance 0; http_cookie; content:"isAdmin=1",nocase; content:"username=admin",nocase; content:"local_login=1",nocase; http_raw_uri; pcre:"/[?&]arg=[^&]*?%26/i"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2016-10108; classtype:web-application-attack; sid:41347; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Western Digital MyCloud command injection attempt"; flow:to_server,established; http_uri; content:"/web/google_analytics.php",fast_pattern,nocase; http_client_body; content:"cmd=set",nocase; content:"arg=",nocase; http_cookie; content:"isAdmin=1",nocase; content:"username=admin",nocase; content:"local_login=1",nocase; http_client_body; pcre:"/(^|&)arg=[^&]*?([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%26|%24%28)/im"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2016-10108; classtype:web-application-attack; sid:41348; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Western Digital MyCloud command injection attempt"; flow:to_server,established; http_uri; content:"/web/google_analytics.php",fast_pattern,nocase; http_client_body; content:"cmd=set",nocase; content:"arg",nocase; content:"Content-Disposition",nocase; http_cookie; content:"isAdmin=1",nocase; content:"username=admin",nocase; content:"local_login=1",nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?arg((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|\x24\x28)/ims"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2016-10108; classtype:web-application-attack; sid:41349; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.NetWiredRC variant registration message"; flow:to_server,established; content:"|41 00 00 00 83|",depth 5; isdataat:!79; metadata:impact_flag red,ruleset community; reference:url,virustotal.com/en/file/6f179a4dc1c0393b6f2dac5aaa9c20b120ced4e82ba257bb45e693472c56a88b/analysis/1484683135/; classtype:trojan-activity; sid:41374; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.NetWiredRC variant check logs"; flow:to_server,established; content:"|38 00 00 00 85|",depth 5; isdataat:!79; metadata:impact_flag red,ruleset community; reference:url,virustotal.com/en/file/6f179a4dc1c0393b6f2dac5aaa9c20b120ced4e82ba257bb45e693472c56a88b/analysis/1484683135/; classtype:trojan-activity; sid:41375; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive"; flow:to_server,established; content:"|01 00 00 00 81|",depth 5; isdataat:4; isdataat:!5; metadata:impact_flag red,ruleset community; reference:url,virustotal.com/en/file/6f179a4dc1c0393b6f2dac5aaa9c20b120ced4e82ba257bb45e693472c56a88b/analysis/1484683135/; classtype:trojan-activity; sid:41376; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"POLICY-OTHER Cisco Webex explicit use of web plugin detected"; flow:to_server,established; http_uri; content:"cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,2017-3823; reference:cve,2017-6753; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170717-webex; classtype:policy-violation; sid:41409; rev:7; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"MALWARE-CNC User-Agent known malicious user-agent string - X-Mas"; flow:to_server,established; content:"User-Agent|3A 20|Useragents",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,virustotal.com/en/file/2aa91ed4e591da10499708bde44b1f9d0000eaee9a81018cb0f36bd44844df7a/analysis/1484847335/; reference:url,virustotal.com/en/file/83a2b429b969fc5cd38b6c5072391c3513b3b914f54ea80e245b243dbd5377be/analysis/1484847306/; classtype:trojan-activity; sid:41441; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"MALWARE-CNC Win.Ransomware.X-Mas outbound connection"; flow:to_server,established; content:"WebKitFormBoundary"; content:"|20|form-data|3B 20|name=|22|uid|22|",fast_pattern; content:"|20|form-data|3B 20|name=|22|uname|22|",distance 0; content:"|20|form-data|3B 20|name=|22|cname|22|",distance 0; content:"|20|form-data|3B 20|name=|22|ltime|22|",distance 0; content:"|20|form-data|3B 20|name=|22|uright|22|",distance 0; content:"|20|form-data|3B 20|name=|22|sysinfo|22|",distance 0; metadata:impact_flag red,ruleset community; service:http; reference:url,virustotal.com/en/file/2aa91ed4e591da10499708bde44b1f9d0000eaee9a81018cb0f36bd44844df7a/analysis/1484847335/; reference:url,virustotal.com/en/file/83a2b429b969fc5cd38b6c5072391c3513b3b914f54ea80e245b243dbd5377be/analysis/1484847306/; classtype:trojan-activity; sid:41442; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Ransomware.X-Mas variant keylogger outbound connection"; flow:to_server,established; http_uri; content:"/gate.php",fast_pattern,nocase; http_client_body; content:"163="; content:"&x=",distance 0; content:"&z=",distance 0; metadata:impact_flag red,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1056; reference:url,virustotal.com/en/file/b49d2b3c6978584408f3c668863cc88e892bd333a9db9c3de14964d59fc3298f/analysis/1484847208/; classtype:trojan-activity; sid:41443; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Ransomware.X-Mas variant keylogger outbound connection"; flow:to_server,established; http_uri; content:"/gate.php?",fast_pattern,nocase; http_client_body; content:"|3C|br|3E 3C|br|3E 3C|b|3E 3C|big|3E 3C|font color=|22|"; content:"|22 3E 20 5B|",within 12; http_header; content:!"Accept-"; content:!"Referer"; metadata:impact_flag red,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1056; reference:url,virustotal.com/en/file/b49d2b3c6978584408f3c668863cc88e892bd333a9db9c3de14964d59fc3298f/analysis/1484847208/; classtype:trojan-activity; sid:41444; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER QNAP remote buffer overflow attempt"; flow:to_server,established; http_uri; content:"/cgi-bin/cgi.cgi",fast_pattern,nocase; content:"u="; content:"p="; isdataat:263,relative; content:!"&",within 263; content:!"|0D 0A|",within 263; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,seclists.org/bugtraq/2017/Jan/5; classtype:attempted-admin; sid:41445; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP WordPress get_post authentication bypass attempt"; flow:to_server,established; http_uri; content:"/wp-json/",fast_pattern,nocase; content:"id=",nocase; pcre:"/[?&]id=[^&]*?[^\d&]/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,wordpress.org/news/2017/01/wordpress-4-7-2-security-release/; classtype:web-application-attack; sid:41495; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP WordPress get_post authentication bypass attempt"; flow:to_server,established; http_uri; content:"/wp-json/",fast_pattern,nocase; http_client_body; content:"id=",nocase; pcre:"/[?&]id=[^&]*?[^\d&]/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,wordpress.org/news/2017/01/wordpress-4-7-2-security-release/; classtype:web-application-attack; sid:41496; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP WordPress get_post authentication bypass attempt"; flow:to_server,established; http_uri; content:"/wp-json/",fast_pattern,nocase; http_client_body; content:"|22|id|22|",nocase; pcre:"/\x22id\x22\s*\x3A\s*\x22[^\x22]*?[^\d\x22]/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,wordpress.org/news/2017/01/wordpress-4-7-2-security-release/; classtype:web-application-attack; sid:41497; rev:2; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Ransomware.CryptoLocker binary download response attempt"; flow:to_client,established; content:"Set-Cookie|3A 20|mediaplanBAK|3D|",fast_pattern,nocase; content:"Set-Cookie|3A 20|mediaplan|3D|"; http_header; content:"Content-Type|3A 20|text/plain"; file_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|",within 4,distance -64; metadata:impact_flag red,ruleset community; service:http; reference:url,virustotal.com/en/file/571a7014d1ee4e359e7eb5d2c7b3e6c527f4fcef322781f1c56a1b5bf28c8eb2/analysis/1485884599/; classtype:trojan-activity; sid:41498; rev:2; )
alert tcp $EXTERNAL_NET [139,445] -> $HOME_NET any ( msg:"SERVER-SAMBA Microsoft Windows SMBv2/SMBv3 Buffer Overflow attempt"; flow:to_client,established; content:"|FE|SMB|40 00|",depth 6,offset 4; content:"|03 00|",within 2,distance 6; byte_test:3,>,200,1; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:cve,2017-0016; classtype:attempted-dos; sid:41499; rev:6; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Netgear passwordrecovered.cgi insecure admin password disclosure attempt"; flow:to_server,established; http_uri; content:"/passwordrecovered.cgi",fast_pattern,nocase; http_param:"id",nocase; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:bugtraq,95457; reference:cve,2017-5521; reference:url,kb.netgear.com/30632/Web-GUI-Password-Recovery-and-Exposure-Security-Vulnerability; classtype:attempted-recon; gid:1; sid:41504; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Osx.Downloader.MacDownloader variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:14; http_uri; content:"/Servermac.php",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,virustotal.com/en/file/7a9cdb9d608b88bd7afce001cb285c2bb2ae76f5027977e8635aa04bd064ffb7/analysis/; classtype:trojan-activity; sid:41663; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Netgear DGN2200 ping.cgi command injection attempt"; flow:to_server,established; http_uri; content:"/ping.cgi",nocase; http_client_body; content:"ping_IPAddr=",fast_pattern,nocase; pcre:"/(^|&)ping_IPAddr=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/im"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2017-6077; reference:url,seclists.org/fulldisclosure/2017/Feb/50; classtype:web-application-attack; sid:41698; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Netgear DGN2200 ping.cgi command injection attempt"; flow:to_server,established; http_uri; content:"/ping.cgi",nocase; content:"ping_IPAddr=",fast_pattern,nocase; http_raw_uri; content:"%26"; pcre:"/[?&]ping_IPAddr=[^&]*?%26/i"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2017-6077; reference:url,seclists.org/fulldisclosure/2017/Feb/50; classtype:web-application-attack; sid:41699; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Netgear DGN2200 ping.cgi command injection attempt"; flow:to_server,established; http_uri; content:"/ping.cgi",nocase; content:"ping_IPAddr=",fast_pattern,nocase; pcre:"/[?&]ping_IPAddr=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/i"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2017-6077; reference:url,seclists.org/fulldisclosure/2017/Feb/50; classtype:web-application-attack; sid:41700; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"INDICATOR-COMPROMISE Binary file download request from internationalized domain name using Microsoft BITS"; flow:to_server,established; http_header; content:"User-Agent|3A| Microsoft BITS"; content:"Host|3A 20|xn--",fast_pattern,nocase; http_uri; pcre:"/(\x2ebat|\x2eexe)$/ims"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:41710; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.Houdini variant initial outbound connection"; flow:to_server,established; content:"new_slave|0D 0A|",depth 11,offset 4; metadata:impact_flag red,ruleset community; reference:url,virustotal.com/en/file/8d75e47c04bb2cc0f4c2e973475d4ff1fc8f32039794e3ea5ca2494c66d80d3f/analysis/; classtype:trojan-activity; sid:41711; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Houdini backdoor file download request"; flow:to_server,established; http_uri; content:"/ChromeSetup.bat",fast_pattern,nocase; pkt_data; content:"User-Agent|3A| Microsoft BITS"; metadata:impact_flag red,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1197; reference:url,virustotal.com/en/file/8d75e47c04bb2cc0f4c2e973475d4ff1fc8f32039794e3ea5ca2494c66d80d3f/analysis/; classtype:trojan-activity; sid:41712; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP DotNetNuke installation attempt detected"; flow:to_server,established; http_uri; content:"/Install/InstallWizard.aspx",fast_pattern,nocase; content:"executeinstall"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2015-2794; reference:url,www.exploit-db.com/exploits/39777; classtype:attempted-admin; sid:41713; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 4786 ( msg:"SERVER-OTHER Cisco IOS Smart Install protocol backup config command attempt"; flow:to_server,established; content:"|00 00 00 01 00 00 00 01 00 00 00 08|",depth 12; content:"://"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:url,tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi; classtype:attempted-admin; sid:41722; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 4786 ( msg:"SERVER-OTHER Cisco IOS Smart Install protocol download config command attempt"; flow:to_server,established; content:"|00 00 00 01 00 00 00 01 00 00 00 03|",depth 12; content:"tftp://",nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:url,tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi; classtype:attempted-admin; sid:41723; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 4786 ( msg:"SERVER-OTHER Cisco IOS Smart Install protocol download image command attempt"; flow:to_server,established; content:"|00 00 00 01 00 00 00 01 00 00 00 02|",depth 12; content:"tftp://",nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:url,tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi; classtype:attempted-admin; sid:41724; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 4786 ( msg:"SERVER-OTHER Cisco IOS Smart Install protocol version command attempt"; flow:to_server,established; content:"|00 00 00 02 00 00 00 01 00 00 00 05|",depth 12; content:"tftp://",nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:cve,2018-0156; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi; reference:url,tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi; classtype:attempted-admin; sid:41725; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Netgear DGN2200 dnslookup.cgi command injection attempt"; flow:to_server,established; http_uri; content:"/dnslookup.cgi",fast_pattern,nocase; http_client_body; content:"host_name",nocase; content:"Content-Disposition",nocase; pcre:"/name\s*=\s*[\x22\x27]?host_name((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/ims"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2017-6334; classtype:web-application-attack; sid:41748; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Netgear DGN2200 dnslookup.cgi command injection attempt"; flow:to_server,established; http_uri; content:"/dnslookup.cgi",fast_pattern,nocase; http_client_body; content:"host_name=",nocase; pcre:"/(^|&)host_name=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/im"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2017-6334; classtype:web-application-attack; sid:41749; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Netgear DGN2200 dnslookup.cgi command injection attempt"; flow:to_server,established; http_uri; content:"/dnslookup.cgi",fast_pattern,nocase; content:"host_name=",nocase; http_raw_uri; content:"%26"; pcre:"/[?&]host_name=[^&]*?%26/i"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2017-6334; classtype:web-application-attack; sid:41750; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Netgear DGN2200 dnslookup.cgi command injection attempt"; flow:to_server,established; http_uri; content:"/dnslookup.cgi",fast_pattern,nocase; content:"host_name=",nocase; pcre:"/[?&]host_name=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/i"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2017-6334; classtype:web-application-attack; sid:41751; rev:3; )
alert tcp any any -> $HOME_NET 445 ( msg:"OS-WINDOWS Microsoft Windows SMB remote code execution attempt"; flow:to_server,established; content:"|FF|SMB3|00 00 00 00|",depth 9,offset 4; byte_extract:2,26,TotalDataCount,relative,little; byte_test:2,>,TotalDataCount,20,relative,little; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:netbios-ssn; reference:cve,2017-0144; reference:cve,2017-0146; reference:url,blog.talosintelligence.com/2017/05/wannacry.html; reference:url,isc.sans.edu/forums/diary/ETERNALBLUE+Possible+Window+SMB+Buffer+Overflow+0Day/22304/; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-010; classtype:attempted-admin; sid:41978; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC User-Agent known malicious user-agent string - Andr.Trojan.Agent"; flow:to_server,established; http_header; content:"User-Agent|3A| Ray-Downer|0D 0A|",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:42019; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Andr.Trojan.Agent variant outbound connection"; flow:to_server,established; http_uri; content:"/wroot/v3",fast_pattern,nocase; content:".do"; pkt_data; content:"uuid="; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:42021; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Ransomware.Sage variant outbound connection"; flow:to_server,established; http_header; content:"Host: mbfce24rgn65bx3g.",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/c1c31129a39441607c060a7da57855d3969cf47ce4119cda9beaf65b63faca60/analysis/; classtype:trojan-activity; sid:42059; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Ismdoor variant outbound connection"; flow:to_server,established; http_header; content:"User-Agent|3A| WinHttpClient",fast_pattern,nocase; http_raw_uri; content:"//Home/"; metadata:impact_flag red,ruleset community; service:http; reference:url,blog.vectranetworks.com/blog/an-analysis-of-the-shamoon-2-malware-attack; classtype:trojan-activity; sid:42128; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Ismdoor variant outbound connection"; flow:to_server,established; http_uri; content:"commandId=",fast_pattern,nocase; content:"/Home/",depth 6; metadata:impact_flag red,ruleset community; service:http; reference:url,blog.vectranetworks.com/blog/an-analysis-of-the-shamoon-2-malware-attack; classtype:trojan-activity; sid:42129; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET [995,80,53,443] ( msg:"MALWARE-CNC Win.Trojan.RedLeaves outbound connection"; flow:to_server,established; isdataat:11; isdataat:!12; content:"|7A 8D 9B DC|",depth 4,offset 4; metadata:impact_flag red,ruleset community; reference:url,github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Red%20Leaves/Red%20Leaves%20technical%20note%20v1.0.pdf; classtype:trojan-activity; sid:42225; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 ( msg:"OS-WINDOWS Microsoft Windows empty RDP cookie negotiation attempt"; flow:to_server,established; content:"|08 E0 00 00 00 00|",depth 6,offset 4; content:"|0D 0A|",within 2,distance 1; isdataat:!1,relative; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:rdp; reference:cve,2017-0176; reference:cve,2017-9073; reference:url,www.securitytracker.com/id/1038264; classtype:policy-violation; sid:42255; rev:4; )
alert tcp any any -> $HOME_NET 445 ( msg:"OS-WINDOWS Microsoft Windows SMB anonymous user session setup request detected"; flow:to_server,established; content:"|FF|SMB|73 00 00 00 00|",depth 13,offset 4; content:"|01 00 00 00 00 00 00 00|",within 8,distance 38; content:"|00 00 00 00 00|",within 5,distance 6; flowbits:set,smb.null_session; flowbits:noalert; metadata:policy max-detect-ips alert,policy security-ips alert,ruleset community; service:netbios-ssn; reference:url,msdn.microsoft.com/en-us/library/ee441638.aspx; classtype:policy-violation; sid:42256; rev:7; )
alert tcp any any -> $HOME_NET 445 ( msg:"MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command"; flow:to_server,established; content:"|FF|SMB|32 00 00 00 00|",depth 9,offset 4; content:"|42 00|",within 2,distance 21; content:"|0E 00|",within 2,distance 29; content:!"|00 00|",within 2; flowbits:set,smb.trans2.mid66; metadata:impact_flag red,ruleset community; service:netbios-ssn; reference:url,attack.mitre.org/techniques/T1055; reference:url,countercept.com/our-thinking/analyzing-the-doublepulsar-kernel-dll-injection-technique/; reference:url,www.virustotal.com/file/15ffbb8d382cd2ff7b0bd4c87a7c0bffd1541c2fe86865af445123bc0b770d13/analysis/; classtype:trojan-activity; sid:42331; rev:5; )
alert tcp any any -> $HOME_NET 445 ( msg:"MALWARE-CNC Win.Trojan.Doublepulsar variant ping command"; flow:to_server,established; content:"|FF|SMB|32 00 00 00 00|",depth 9,offset 4; content:"|41 00|",within 2,distance 21; content:"|0E 00 0D 00 00 00 00 00 00 00 00 00 00 00 00 00 00|",within 17,distance 29,fast_pattern,fast_pattern_offset 0,fast_pattern_length 10; flowbits:set,smb.trans2.mid65; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:netbios-ssn; reference:url,countercept.com/our-thinking/analyzing-the-doublepulsar-kernel-dll-injection-technique/; reference:url,www.virustotal.com/file/15ffbb8d382cd2ff7b0bd4c87a7c0bffd1541c2fe86865af445123bc0b770d13/analysis/; classtype:trojan-activity; sid:42332; rev:8; )
alert tcp any any -> $HOME_NET 445 ( msg:"OS-WINDOWS Microsoft Windows SMB large NT RENAME transaction request memory leak attempt"; flow:to_server,established; content:"|FF|SMB|A0|",depth 5,offset 4; content:"|05 00|",within 2,distance 64; byte_test:2,>,1024,0,relative,little; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:netbios-ssn; reference:url,msdn.microsoft.com/en-us/library/ee441910.aspx; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-010; classtype:attempted-recon; sid:42338; rev:3; )
alert tcp $HOME_NET 445 -> any any ( msg:"OS-WINDOWS Microsoft Windows SMB possible leak of kernel heap memory"; flow:to_client,established; content:"Frag",fast_pattern; content:"Free"; content:"|FA FF FF|"; content:"|F8 FF FF|",within 3,distance 5; content:"|F8 FF FF|",within 3,distance 5; metadata:policy balanced-ips alert,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:netbios-ssn; reference:cve,2017-0147; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-010; classtype:attempted-recon; sid:42339; rev:3; )
alert tcp any any -> $HOME_NET 445 ( msg:"OS-WINDOWS Microsoft Windows SMB anonymous session IPC share access attempt"; flow:to_server,established; flowbits:isset,smb.null_session; content:"|FF|SMB|75 00 00 00 00|",depth 9,offset 4; content:"|00 5C 00|I|00|P|00|C|00|$|00 00 00|",fast_pattern,nocase; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:netbios-ssn; reference:url,attack.mitre.org/techniques/T1077; reference:url,msdn.microsoft.com/en-us/library/ee441910.aspx; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-010; classtype:attempted-recon; sid:42340; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET [995,80,53,443] ( msg:"MALWARE-CNC Win.Trojan.RedLeaves outbound connection"; flow:to_server,established; content:"856",depth 3,offset 1; content:"856|9A F3 EC 89|",within 7,distance 1; metadata:impact_flag red,ruleset community; reference:url,github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Red%20Leaves/Red%20Leaves%20technical%20note%20v1.0.pdf; classtype:trojan-activity; sid:42398; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Backdoor.Chopper web shell connection"; flow:to_server,established; http_header; content:"X-Forwarded-For",nocase; http_client_body; content:"z9=base64%5fdecode",fast_pattern,nocase; content:"=%40eval"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1100; reference:url,www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html; classtype:trojan-activity; sid:42834; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Backdoor.Chopper web shell connection"; flow:to_server,established; http_header; content:"X-Forwarded-For",nocase; http_client_body; content:"=edoced_46esab",fast_pattern,nocase; content:"z0="; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1100; reference:url,www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html; classtype:trojan-activity; sid:42835; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Backdoor.Chopper web shell connection"; flow:to_server,established; http_client_body; content:"=@eval(get_magic_quotes_gpc()?stripslashes($_POST[",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1100; reference:url,www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html; classtype:trojan-activity; sid:42836; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP MVPower DVR Shell arbitrary command execution attempt"; flow:to_server,established; http_uri; bufferlen:>13; content:"/shell?",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,www.pentestpartners.com/blog/pwning-cctv-cameras/; classtype:attempted-admin; gid:1; sid:42857; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Deputy Dog implant outbound connection"; flow:to_server,established; http_uri; content:"Connect.php?id=",fast_pattern,nocase; pkt_data; content:"SessionID:"; metadata:impact_flag red,ruleset community; service:http; classtype:trojan-activity; sid:42880; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Deputy Dog implant outbound connection"; flow:to_server,established; http_uri; content:"/JP-ja/js?",fast_pattern,nocase; pkt_data; content:"SessionID:"; metadata:impact_flag red,ruleset community; service:http; classtype:trojan-activity; sid:42881; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC ZoxPNG initial outbound connection"; flow:to_server,established; http_uri; content:"/search?q=Google&go=&qs=n&form=",fast_pattern,nocase; content:"pq=google&sc=8-1&sp=-1&sk="; http_header; content:"Cookie|3A 20|SESSIONID=",nocase; metadata:impact_flag red,ruleset community; service:http; classtype:trojan-activity; sid:42882; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.MadMax implant outbound connection attempt"; flow:to_server,established; http_uri; content:"/mm.jpg",depth 7,fast_pattern; http_header; content:"User-Agent|3A 20|Mozilla/5.0 (compatible"; metadata:impact_flag red,ruleset community; service:http; classtype:trojan-activity; sid:42883; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.MadMax implant outbound connection"; flow:to_server,established; http_uri; content:"/logon.aspx?Id=",fast_pattern,nocase; http_header; content:"Cookie|3A 20|SessionData="; metadata:impact_flag red,ruleset community; service:http; classtype:trojan-activity; sid:42884; rev:3; )
alert tcp $HOME_NET any <> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC WashingTon ssl certificate negotiation attempt"; flow:to_server,established; content:"WashingTon",fast_pattern,nocase; content:"WebMaster@Microsoft.com"; metadata:impact_flag red,ruleset community; service:http; classtype:trojan-activity; sid:42885; rev:2; )
alert http ( msg:"MALWARE-CNC HttpBrowser User-Agent outbound communication attmept"; flow:to_server,established; http_header:field user-agent; content:"HttpBrowser/1.0",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; classtype:trojan-activity; gid:1; sid:42886; rev:4; )
alert tcp any any -> $HOME_NET 445 ( msg:"OS-WINDOWS Microsoft Windows SMB remote code execution attempt"; flow:to_server,established; content:"|FF|SMB|A0 00 00 00 00|",depth 9,offset 4; content:"|01 00 00 00 00|",within 5,distance 59; byte_test:4,>,0x8150,-33,relative,little; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:netbios-ssn; reference:cve,2017-0144; reference:cve,2017-0146; reference:url,isc.sans.edu/forums/diary/ETERNALBLUE+Possible+Window+SMB+Buffer+Overflow+0Day/22304/; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-010; classtype:attempted-admin; sid:42944; rev:2; )
alert tcp any any -> $HOME_NET 445 ( msg:"PROTOCOL-OTHER NETBIOS SMB IPC share access attempt"; flow:to_server,established; content:"|FF|SMB|75 00 00 00 00|",depth 9,offset 4; content:"IPC$|00|",fast_pattern,nocase; flowbits:set,smb.tree.connect.ipc; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:netbios-ssn; reference:url,attack.mitre.org/techniques/T1077; classtype:misc-activity; sid:43002; rev:8; )
alert tcp any any -> $HOME_NET 445 ( msg:"PROTOCOL-OTHER NETBIOS SMB IPC share access attempt"; flow:to_server,established; content:"|FF|SMB|75 00 00 00 00|",depth 9,offset 4; content:"I|00|P|00|C|00|$|00 00 00|",fast_pattern,nocase; flowbits:set,smb.tree.connect.ipc; flowbits:noalert; metadata:policy balanced-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:netbios-ssn; reference:url,attack.mitre.org/techniques/T1077; classtype:misc-activity; sid:43003; rev:8; )
alert tcp any any -> $HOME_NET 445 ( msg:"SERVER-SAMBA Samba is_known_pipe arbitrary module load code execution attempt"; flow:to_server,established; flowbits:isset,smb.tree.connect.ipc; content:"|FF|SMB|A2 00 00 00 00|",depth 9,offset 4; byte_test:2,=,0,1,relative,little,bitmask 0x8000; byte_extract:2,72,len,relative,little; content:"/",within 1; content:"/",within len,distance 1; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:netbios-ssn; reference:cve,2017-7494; reference:url,www.samba.org/samba/security/CVE-2017-7494.html; classtype:attempted-user; sid:43004; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kabob outbound connection"; flow:to_server,established; http_client_body; content:"@|E9 03 00 00 00 00 00 00 00 00 64|",fast_pattern,nocase; http_uri; pcre:"/\/\d{8}\/\w{4}\/[A-F0-9]{4}\/[A-F0-9]{4}\/[A-Z0-9\-_~]{12}\.[aj]sp/i"; metadata:impact_flag red,ruleset community; service:http; classtype:trojan-activity; sid:43063; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.HiddenCobra variant outbound connection"; flow:to_server,established; content:"|18 17 E9 E9 E9 E9|",fast_pattern,nocase; isdataat:!7; metadata:impact_flag red,ruleset community; reference:url,www.us-cert.gov/ncas/alerts/TA17-164A; classtype:trojan-activity; sid:43193; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.HiddenCobra variant outbound connection"; flow:to_server,established; content:"|1B 17 E9 E9 E9 E9|",depth 6; metadata:impact_flag red,ruleset community; reference:url,www.us-cert.gov/ncas/alerts/TA17-164A; classtype:trojan-activity; sid:43194; rev:2; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP /.svn/entries file access attempt"; flow:to_server,established; http_uri; content:"/.svn/entries",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:attempted-recon; sid:43285; rev:2; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP /cgi-bin/sh file access attempt"; flow:to_server,established; http_uri; content:"/cgi-bin/sh",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:attempted-recon; sid:43286; rev:2; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP /etc/inetd.conf file access attempt"; flow:to_server,established; http_uri; content:"/etc/inetd.conf",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1087; classtype:attempted-recon; sid:43287; rev:3; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP /etc/motd file access attempt"; flow:to_server,established; http_uri; content:"/etc/motd",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1087; classtype:attempted-recon; sid:43288; rev:3; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP /etc/shadow file access attempt"; flow:to_server,established; http_uri; content:"/etc/shadow",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1087; classtype:attempted-recon; sid:43289; rev:3; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP /ws_ftp.log file access attempt"; flow:to_server,established; http_uri; content:"/ws_ftp.log",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:attempted-recon; sid:43290; rev:2; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Oracle Application Server 9i unauthenticated application deployment attempt"; flow:to_server,established; http_uri; content:"/soap/soaplet/soaprouter",fast_pattern,nocase; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2001-1371; classtype:attempted-recon; sid:43291; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"POLICY-OTHER Teleopti WFM database information request detected"; flow:to_server,established; http_uri; content:"/TeleoptiWFM/Administration/GetOneTenant",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,seclists.org/fulldisclosure/2017/Feb/13; classtype:attempted-recon; sid:43562; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"POLICY-OTHER Teleopti WFM administrative user credentials request detected"; flow:to_server,established; http_uri; content:"/TeleoptiWFM/Administration/Users",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,seclists.org/fulldisclosure/2017/Feb/13; classtype:attempted-recon; sid:43563; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"POLICY-OTHER Teleopti WFM administrative user creation detected"; flow:to_server,established; http_uri; content:"/TeleoptiWFM/Administration/AddFirstUser",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,seclists.org/fulldisclosure/2017/Feb/13; classtype:attempted-admin; sid:43564; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"SERVER-OTHER WSFTP IpSwitch custom SITE command execution attempt"; flow:to_server,established; content:"SITE SETC",nocase; metadata:policy max-detect-ips drop,ruleset community; service:ftp; reference:cve,2004-1885; classtype:attempted-admin; sid:43663; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 9080 ( msg:"SERVER-WEBAPP Kaspersky Linux File Server WMC cross site request forgery attempt"; flow:to_server,established; http_uri; content:"/cgi-bin/cgictl?action=setTaskSettings",fast_pattern,nocase; http_client_body; content:"settings={|22|",nocase; content:"taskId="; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:bugtraq,99330; reference:cve,2017-9810; reference:url,coresecurity.com/advisories/Kaspersky-Anti-Virus-File-Server-Multiple-Vulnerabilities; classtype:web-application-attack; sid:43809; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 9080 ( msg:"SERVER-WEBAPP Kaspersky Linux File Server WMC directory traversal attempt"; flow:to_server,established; http_uri; content:"/cgi-bin/cgictl",fast_pattern,nocase; content:"reportId=",nocase; content:"../"; pcre:"/[?&]reportId=[^&]*?\x2e\x2e\x2f/i"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:bugtraq,99330; reference:cve,2017-9812; reference:url,coresecurity.com/advisories/Kaspersky-Anti-Virus-File-Server-Multiple-Vulnerabilities; classtype:web-application-attack; sid:43810; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Kaspersky Linux File Server WMC directory traversal attempt"; flow:to_server,established; http_uri; content:"/cgi-bin/cgictl",fast_pattern,nocase; http_client_body; content:"reportId=",nocase; pcre:"/(^|&)reportId=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/im"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:bugtraq,99330; reference:cve,2017-9812; reference:url,coresecurity.com/advisories/Kaspersky-Anti-Virus-File-Server-Multiple-Vulnerabilities; classtype:web-application-attack; sid:43811; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Kaspersky Linux File Server WMC directory traversal attempt"; flow:to_server,established; http_uri; content:"/cgi-bin/cgictl",fast_pattern,nocase; http_client_body; content:"reportId",nocase; content:"Content-Disposition",nocase; pcre:"/name\s*=\s*[\x22\x27]?reportId((?!^--).)*?\x2e\x2e[\x2f\x5c]/ims"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:bugtraq,99330; reference:cve,2017-9812; reference:url,coresecurity.com/advisories/Kaspersky-Anti-Virus-File-Server-Multiple-Vulnerabilities; classtype:web-application-attack; sid:43812; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Kaspersky Linux File Server WMC cross site scripting attempt"; flow:to_server,established; http_uri; content:"/cgi-bin/cgictl",fast_pattern,nocase; content:"scriptName=",nocase; pcre:"/[?&]scriptName=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,99330; reference:cve,2017-9813; reference:url,coresecurity.com/advisories/Kaspersky-Anti-Virus-File-Server-Multiple-Vulnerabilities; classtype:attempted-user; sid:43813; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Osx.Trojan.XAgent outbound connection"; flow:to_server,established; http_header; content:"(unknown version)"; content:"Darwin/",within 30; content:"Accept|3A 20|*/*|0D 0A|"; http_uri; pcre:"/\/(search|find|results|open|search|close|watch)\/\x3f[a-zA-Z0-9]{2,8}\x3d/i"; http_header; content:!"Referer"; metadata:impact_flag red,ruleset community; service:http; reference:url,contagiodump.blogspot.com/2017/02/russian-apt-apt28-collection-of-samples.html; reference:url,download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf; classtype:trojan-activity; sid:43825; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Ubiquiti Networks UniFi Cloud Key Firm v0.6.1 Host Remote Command Execution attempt"; flow:to_server,established; http_uri; bufferlen:11; content:"/api/status",fast_pattern,nocase; http_header; pcre:"/^Host\x3A[^\x0a]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/im"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,cxsecurity.com/issue/WLB-2017080038; classtype:web-application-attack; sid:43957; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection"; flow:to_server,established; http_uri; content:"/gate.php",fast_pattern,nocase; http_header; content:"WebKitFormBoundary"; pkt_data; content:"name=|22|getconfig|22|"; http_header; content:"Referer|3A 20|"; content:"Connection|3A 20|close|0D 0A|"; metadata:impact_flag red,ruleset community; service:http; reference:url,virustotal.com/#/file/01092ea6b5eb749254cf61a58c7c8fe5f6700197643271202fe420ac7cc68d1f/detection; classtype:trojan-activity; sid:43972; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Andr.Trojan.Femas variant outbound connection"; flow:to_server,established; http_client_body; content:"did="; http_uri; content:"/update/upfolder/updatefun.php",fast_pattern,nocase; http_header; content:"Dalvik/"; content:"Android",within 25; metadata:impact_flag red,ruleset community; service:http; reference:url,blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:43981; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Andr.Trojan.Femas variant outbound connection"; flow:to_server,established; http_client_body; content:"did="; http_uri; content:"/pockemon/squirtle/functions.php",fast_pattern,nocase; http_header; content:"Dalvik/"; content:"Android",within 25; metadata:impact_flag red,ruleset community; service:http; reference:url,blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:43982; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"POLICY-OTHER Cisco DDR2200 ASDL gateway file download detected"; flow:to_server,established; http_uri; content:"download.conf",fast_pattern,nocase; content:"filename=",nocase; metadata:ruleset community; service:http; reference:cve,2017-11587; reference:url,seclists.org/fulldisclosure/2017/Jul/26; classtype:web-application-attack; sid:44004; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt"; flow:to_server,established; http_uri; content:"waitPingqry",fast_pattern,nocase; content:"pingAddr=",nocase; pcre:"/[?&]pingAddr=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/i"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2017-11588; reference:url,seclists.org/fulldisclosure/2017/Jul/26; classtype:web-application-attack; sid:44005; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt"; flow:to_server,established; http_uri; content:"waitPingqry",fast_pattern,nocase; content:"pingAddr=",nocase; http_raw_uri; content:"%26"; pcre:"/[?&]pingAddr=[^&]*?%26/i"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2017-11588; reference:url,seclists.org/fulldisclosure/2017/Jul/26; classtype:web-application-attack; sid:44006; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt"; flow:to_server,established; http_uri; content:"waitPingqry",fast_pattern,nocase; http_client_body; content:"pingAddr=",nocase; pcre:"/(^|&)pingAddr=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/im"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2017-11588; reference:url,seclists.org/fulldisclosure/2017/Jul/26; classtype:web-application-attack; sid:44007; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt"; flow:to_server,established; http_uri; content:"waitPingqry",fast_pattern,nocase; http_client_body; content:"pingAddr",nocase; content:"Content-Disposition",nocase; pcre:"/name\s*=\s*[\x22\x27]?pingAddr((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/ims"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,seclists.org/fulldisclosure/2017/Jul/26; classtype:web-application-attack; sid:44008; rev:2; )
alert tcp $EXTERNAL_NET [443,447,449] -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Trickbot self-signed certificate exchange"; flow:to_client,established; content:"|16 03|"; content:"|30 82|",distance 13; content:"3t2t3rgeg"; content:"fg2eq34df",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:ssl; reference:url,virustotal.com/#/file/604bd405cf8edd910b25c52b63ab7e4b6c2242bc6eaf6eca4cccb718e1d291e2; classtype:trojan-activity; sid:44399; rev:2; )
alert tcp $EXTERNAL_NET [443,447,449] -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Trickbot self-signed certificate exchange"; flow:to_client,established; content:"|16 03|"; content:"|30 82|",distance 13; content:"f2tee4"; content:"rvgvtfdf",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:ssl; reference:url,virustotal.com/#/file/604bd405cf8edd910b25c52b63ab7e4b6c2242bc6eaf6eca4cccb718e1d291e2; classtype:trojan-activity; sid:44400; rev:2; )
alert tcp $EXTERNAL_NET [443,447,449] -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Trickbot self-signed certificate exchange"; flow:to_client,established; content:"|16 03|"; content:"|30 82|",distance 13; content:"|00 92 93 45 3A 42 8B 15 4C|",fast_pattern,nocase; content:"London"; content:"example.com"; metadata:impact_flag red,ruleset community; service:ssl; reference:url,malware-traffic-analysis.net/2017/08/12/index.html; classtype:trojan-activity; sid:44401; rev:2; )
alert tcp $EXTERNAL_NET [443,447,449] -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Trickbot self-signed certificate exchange"; flow:to_client,established; content:"|16 03|"; content:"|30 82|",distance 13; content:"|00 DC 5E AE E6 3E EC 78 EC|"; content:"Alaska"; content:"John_Alaska@gmail.com",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:ssl; reference:url,virustotal.com/en/file/70041c335a374d84f64c6c31d59ff09bd8473fd049cfcb46fe085d1eb92ac0b8/analysis/1502073944/; classtype:trojan-activity; sid:44402; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Potential hostile executable served from compromised or malicious WordPress site attempt"; flow:to_server,established; http_uri; content:"/wp-admin",fast_pattern,nocase; pcre:"/(exe|dll|scr|rar|ps1|bat)$/i"; metadata:impact_flag red,ruleset community; service:http; reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-sirefef-malware; classtype:trojan-activity; sid:44469; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Potential hostile executable served from compromised or malicious WordPress site attempt"; flow:to_server,established; http_uri; content:"/wp-includes",fast_pattern,nocase; pcre:"/(exe|dll|scr|rar|ps1|bat)$/i"; metadata:impact_flag red,ruleset community; service:http; reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-sirefef-malware; classtype:trojan-activity; sid:44470; rev:2; )
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.PandaZeus malicious certificate exchange"; flow:to_client,established; content:"|16 03|"; content:"|30 82|",within 2,distance 13; content:"Let's Encrypt"; content:"gloverkentok.us",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:ssl; reference:url,virustotal.com/#/file/220a2b2d7353a697496abcabf1b4c1990b8c9b7143e6dada17782ddd9ee2c232; classtype:trojan-activity; sid:44591; rev:2; )
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.PandaZeus self-signed certificate exchange"; flow:to_client,established; content:"|16 03|"; content:"|30 82|",within 2,distance 13; content:"My Company Name LTD."; content:"domain.com",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:ssl; reference:url,virustotal.com/#/file/00fa65c8fced0abfab3f544801014a349f7d960819d8d79c47abe090bd75ccfc; classtype:trojan-activity; sid:44592; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 8291 ( msg:"SERVER-OTHER Mikrotik RouterOS denial of service attempt"; flow:to_server,established; content:"|12 02|",depth 2; content:"|FF ED 00 00 00 00|",distance 0; metadata:policy max-detect-ips drop,ruleset community; reference:cve,2012-6050; classtype:denial-of-service; sid:44643; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Zusy variant outbound connection"; flow:to_server,established; http_uri; content:"/QualityCheck/ni6.php",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/5dea4247e021eeeb1347ff269a357dee77e8ac1837383b0ef37fb123339639a1/analysis/; classtype:trojan-activity; sid:44652; rev:2; )
alert http ( msg:"POLICY-OTHER NetSupport Manager RAT outbound connection detected"; flow:to_server,established; http_header; content:"User-Agent|3A| NetSupport Manager/",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,blogs.vmware.com/security/2023/11/netsupport-rat-the-rat-king-returns.html; reference:url,www.virustotal.com/#/file/b87ef28981defd135496e25233cc7a47a376a75ddea97fcd4c0927995dd22e47/detection; classtype:trojan-activity; gid:1; sid:44678; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Netgear DGN1000 series routers authentication bypass attempt"; flow:to_server,established; http_uri; content:"/setup.cgi",nocase; content:"currentsetting.htm",fast_pattern,nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:bugtraq,60281; reference:url,www.exploit-db.com/exploits/25978/; classtype:attempted-admin; sid:44687; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Netgear DGN1000 series routers arbitrary command execution attempt"; flow:to_server,established; http_uri; content:"/setup.cgi",nocase; pkt_data; content:"todo=syscmd",fast_pattern,nocase; content:"cmd=",nocase; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:bugtraq,60281; reference:url,www.exploit-db.com/exploits/25978/; classtype:attempted-admin; sid:44688; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Gen variant outbound connection"; flow:to_server,established; http_uri; content:"/aspnet_client/system_web/4_0_30319/update/",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,us-cert.gov/ncas/alerts/TA17-293A; classtype:trojan-activity; sid:44689; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Internal field separator use in HTTP URI attempt"; flow:to_server,established; http_uri; content:"$IFS"; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:web-application-attack; sid:44698; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Internal field separator use in HTTP URI attempt"; flow:to_server,established; http_uri; content:"${IFS}"; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:web-application-attack; sid:44699; rev:3; )
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 ( msg:"SERVER-OTHER libupnp command buffer overflow attempt"; flow:to_server; content:"NOTIFY ",depth 7; content:"|3A|device|3A|"; isdataat:180,relative; content:!"|3A|",within 180; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ssdp; reference:cve,2012-5958; reference:cve,2012-5962; classtype:attempted-admin; sid:44743; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.KopiLuwak variant outbound request detected"; flow:to_server,established; http_header; content:"User-Agent|3A|"; content:"Mozilla/5.0 (Windows NT 6.1|3B| Win64|3B| x64)|3B| ",distance 0,fast_pattern; pcre:"/Win64\x3B\sx64\x29\x3B\s[0-9]{16}\w{16}\x0D\x0A/i"; metadata:impact_flag red,ruleset community; service:http; reference:url,securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/; classtype:trojan-activity; sid:44762; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.KopiLuwak variant outbound request detected"; flow:to_server,established; http_client_body; content:"%D0%8BTl%DC",depth 11; metadata:impact_flag red,ruleset community; service:http; reference:url,www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack; classtype:trojan-activity; sid:44763; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP MikroTik RouterOS cross site request forgery attempt"; flow:to_server,established; http_uri; content:"/cfg",fast_pattern,nocase; content:"process=password",nocase; content:"password1=",nocase; content:"password2=",nocase; content:"button=",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,73013; reference:cve,2015-2350; classtype:policy-violation; sid:44790; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 9251 ( msg:"SERVER-OTHER QNAP transcode server command injection attempt"; flow:to_server,established; content:"|01 00 00 00|",depth 4; content:"|7C|",distance 0; content:"|09|",within 50; metadata:policy max-detect-ips drop,ruleset community; reference:url,www.qnap.com/en-us/; classtype:attempted-admin; sid:44971; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Netgear WNR2000 information leak attempt"; flow:to_server,established; http_uri; content:"/BRS_netgear_success.html",fast_pattern,nocase; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2016-10175; reference:url,seclists.org/fulldisclosure/2016/Dec/72; classtype:attempted-recon; sid:45001; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected"; flow:to_server,established; http_uri; content:"/ews/exchange/",fast_pattern,nocase; http_client_body; content:"cadata="; metadata:impact_flag red,ruleset community; service:http; reference:url,www.ncsc.gov.uk/alerts/turla-group-malware; classtype:trojan-activity; sid:45062; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected"; flow:to_server,established; http_uri; content:"/ews/exchange/",fast_pattern,nocase; http_client_body; content:"cadata="; metadata:impact_flag red,ruleset community; service:http; reference:url,www.ncsc.gov.uk/alerts/turla-group-malware; classtype:trojan-activity; sid:45063; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected"; flow:to_server,established; http_uri; content:"/W3SVC",fast_pattern,nocase; http_client_body; content:"cadata="; metadata:impact_flag red,ruleset community; service:http; reference:url,www.ncsc.gov.uk/alerts/turla-group-malware; classtype:trojan-activity; sid:45064; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected"; flow:to_server,established; http_uri; content:"/W3SVC",fast_pattern,nocase; http_client_body; content:"cadata="; metadata:impact_flag red,ruleset community; service:http; reference:url,www.ncsc.gov.uk/alerts/turla-group-malware; classtype:trojan-activity; sid:45065; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Backdoor.StoneDrill server selection outbound connection"; flow:to_server,established; http_uri; content:"public/Check_Exist.php",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf; classtype:trojan-activity; sid:45090; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Backdoor.StoneDrill login outbound connection"; flow:to_server,established; http_client_body; content:"username=MD5Sum",fast_pattern,nocase; content:"password=MD5Sum"; content:"button=Login"; metadata:impact_flag red,ruleset community; service:http; reference:url,securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf; classtype:trojan-activity; sid:45091; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Backdoor.StoneDrill get commands outbound connection"; flow:to_server,established; http_uri; content:"/insert/index?",fast_pattern,nocase; content:"id="; content:"hst="; content:"ttype="; content:"state="; metadata:impact_flag red,ruleset community; service:http; reference:url,securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf; classtype:trojan-activity; sid:45092; rev:2; )
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 ( msg:"SERVER-OTHER SSDP M-SEARCH ssdp-all potential amplified distributed denial-of-service attempt"; flow:to_server,no_stream; content:"M-SEARCH",depth 9; content:"ssdp:all",fast_pattern,nocase; detection_filter:track by_src,count 50,seconds 1; metadata:policy max-detect-ips drop,ruleset community; service:ssdp; reference:cve,2013-5211; reference:url,www.us-cert.gov/ncas/alerts/TA14-017A; classtype:attempted-dos; sid:45157; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Osx.Adware.SurfBuyer adware outbound connection detected"; flow:to_server,established; http_uri; content:"/report/?application=",fast_pattern,nocase; content:"guid="; content:"details="; content:"action="; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,virustotal.com/en/file/baed00c6e6b157f3a53c76a200de84927f5c9d448cf76438c55d62c18033ba1b/analysis/; classtype:trojan-activity; sid:45397; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Osx.Adware.SurfBuyer adware outbound connection detected"; flow:to_server,established; http_raw_uri; bufferlen:>1000; http_uri; content:"/click?h=",fast_pattern,nocase; content:"subid="; content:"data_fb="; content:"data_rtt="; content:"data_proto="; content:"data_ic="; content:"data_ss="; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,virustotal.com/en/file/baed00c6e6b157f3a53c76a200de84927f5c9d448cf76438c55d62c18033ba1b/analysis/; classtype:trojan-activity; sid:45398; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Osx.Trojan.OceanLotus outbound connection attempt"; flow:to_server,established; content:"/sigstore.db?",fast_pattern,nocase; http_uri; content:"k="; content:"?q=",distance 0; metadata:impact_flag red,ruleset community; service:http; reference:url,www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update; classtype:trojan-activity; sid:45400; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"POLICY-OTHER TrendMicro ServerProtect server configuration file download detected"; flow:to_server,established; http_uri; content:"/activeupdate/ini_xml.zip",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,2017-9035; reference:url,www.coresecurity.com/advisories/trend-micro-serverprotect-multiple-vulnerabilities; classtype:attempted-recon; sid:45411; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Asus RT-AC88U deleteOfflineClients memory corruption attempt"; flow:to_server,established; http_raw_uri; bufferlen:>64; http_uri; content:"/deleteOfflineClient.cgi",fast_pattern,nocase; content:"delete_offline_client="; pcre:"/[?&]delete_offline_client=[^&]{14}/i"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2017-12754; classtype:attempted-admin; sid:45412; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Osx.Trojan.SHLayer variant outbound connection"; flow:to_server,established; http_uri; content:"/screens/",nocase; content:"/",within 1,distance 8; content:"==",within 2,distance 6; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,objective-see.com/blog/blog_0x20.html; reference:url,www.virustotal.com/gui/file/f5d76324cb8fcae7f00b6825e4c110ddfd6b32db452f1eca0f4cff958316869c/detection; classtype:trojan-activity; sid:45545; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP MikroTik RouterOS jsproxy readPostData memory corruption attempt"; flow:to_server,established; http_uri; content:"/jsproxy",depth 8,fast_pattern,nocase; pkt_data; content:"|0D 0A|Content-Length: ",nocase; byte_test:10,>,0x20000,0,relative,string,dec; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,forum.mikrotik.com/viewtopic.php?t=119308; classtype:attempted-admin; sid:45555; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Unix.Trojan.Vpnfilter variant outbound connection attempt"; flow:to_server,established; http_header; content:"User-Agent: Mozilla/6.1 (compatible|3B| MSIE 9.0|3B| Windows NT 5.3|3B| Trident/5.0)|0D 0A|",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,blog.talosintelligence.com/2018/05/VPNFilter.html; classtype:trojan-activity; sid:45563; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Unix.Trojan.Vpnfilter variant outbound connection attempt"; flow:to_server,established; http_header; content:"User-Agent: Mozilla/5.0|0D 0A|Host: ",fast_pattern,nocase; content:"Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A 0D 0A|"; content:!"Cookie:"; content:!"Referer:"; metadata:impact_flag red,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,blog.talosintelligence.com/2018/05/VPNFilter.html; classtype:trojan-activity; sid:45564; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Rokrat variant outbound connection detected"; flow:to_server,established; http_uri; content:".php?id="; content:"fp_vs=",fast_pattern,nocase; content:"os_vs="; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/#/file/3004196da6055c6f062c94a9aae8dc357fa19b953b071049083e69e840083cf9/detection; classtype:trojan-activity; sid:45607; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 1025: ( msg:"MALWARE-CNC Vbs.Trojan.Agent outbound connection"; flow:to_server,established; content:"Content-Length: 0",fast_pattern,nocase; content:"User-Agent"; content:"|2D 7C 2D|",within 10; metadata:impact_flag red,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:url,blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html; reference:url,virustotal.com/en/file/15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b/analysis/; classtype:trojan-activity; sid:45642; rev:3; )
alert tcp $EXTERNAL_NET 1025: -> $HOME_NET any ( msg:"MALWARE-CNC Vbs.Trojan.Agent inbound payload download"; flow:to_client,established; content:"s0|2D 7C 2D|",fast_pattern,nocase; content:"Content-Length"; content:"s0|2D 7C 2D|",within 200; metadata:impact_flag red,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:url,blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html; reference:url,virustotal.com/en/file/15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b/analysis/; classtype:trojan-activity; sid:45643; rev:4; )
alert tcp $EXTERNAL_NET 1025: -> $HOME_NET any ( msg:"MALWARE-CNC Vbs.Trojan.Agent inbound payload download"; flow:to_client,established; content:"s1|2D 7C 2D|",fast_pattern,nocase; content:"Content-Length"; content:"s1|2D 7C 2D|",within 200; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:url,blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html; reference:url,virustotal.com/en/file/15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b/analysis/; classtype:trojan-activity; sid:45644; rev:3; )
alert tcp $EXTERNAL_NET 1025: -> $HOME_NET any ( msg:"MALWARE-CNC Vbs.Trojan.Agent inbound payload download"; flow:to_client,established; content:"s2|2D 7C 2D|",fast_pattern,nocase; content:"Content-Length"; content:"s3|2D 7C 2D|",within 200; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:url,blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html; reference:url,virustotal.com/en/file/15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b/analysis/; classtype:trojan-activity; sid:45645; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 1025: ( msg:"MALWARE-CNC Vbs.Trojan.Agent outbound system information disclosure"; flow:to_server,established; content:"POST /is-return ",depth 16,fast_pattern; content:"User-Agent"; content:"|2D 7C 2D|",within 10; metadata:impact_flag red,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:url,blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html; reference:url,virustotal.com/en/file/15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b/analysis/; classtype:trojan-activity; sid:45646; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.Silverstar outbound connection"; flow:to_server,established; http_uri; content:"response=fallback",fast_pattern,nocase; content:"/api.php?",depth 9; content:"gpu=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/#/file/3f751799a501532f43ca5f12fe80aa0bad78f9f5d57e76bf49b401bb99f355df/detection; classtype:trojan-activity; sid:45960; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.Revenge RAT initial outbound connection"; flow:to_server,established; content:"Information",depth 11; content:"false|2A 2D 5D|NK|5B 2D 2A|",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:url,www.virustotal.com/en/file/518f7803ad1b8e630f50719d7cb3638ea5d67fa4d4387a55f44ddca4ef55a3ee/analysis/; reference:url,www.virustotal.com/en/file/79bdbf9ec639d5ccf3992e9c9fe9eeba21d191dc168194a80b50f3aa8068892a/analysis/; reference:url,www.virustotal.com/en/file/edb115dd5ca7c7f9dd069746daa0a4ee6298bf94de62510d3f8bebfa5f5a8bcd/analysis/; classtype:trojan-activity; sid:45961; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Revenge RAT inbound heartbeat check"; flow:to_client,established; content:"PNC|2A 2D 5D|NK|5B 2D 2A|",depth 11; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:url,www.virustotal.com/en/file/518f7803ad1b8e630f50719d7cb3638ea5d67fa4d4387a55f44ddca4ef55a3ee/analysis/; reference:url,www.virustotal.com/en/file/79bdbf9ec639d5ccf3992e9c9fe9eeba21d191dc168194a80b50f3aa8068892a/analysis/; reference:url,www.virustotal.com/en/file/edb115dd5ca7c7f9dd069746daa0a4ee6298bf94de62510d3f8bebfa5f5a8bcd/analysis/; classtype:trojan-activity; sid:45962; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.UDPOS outbound command and control IP address check"; flow:to_server,established; http_uri; content:"/index.php?udpool=",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection; classtype:trojan-activity; sid:45963; rev:1; )
alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"MALWARE-CNC Win.Trojan.UDPOS outbound system information disclousre"; flow:to_server; isdataat:150; content:"|0F|"; content:"|03|bin",within 4,distance 15,fast_pattern; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:dns; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection; classtype:trojan-activity; sid:45964; rev:1; )
alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"MALWARE-CNC Win.Trojan.UDPOS outbound heartbeat"; flow:to_server; isdataat:150; content:"|0F|"; content:"|04|ping",within 5,distance 15,fast_pattern; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:dns; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection; classtype:trojan-activity; sid:45966; rev:1; )
alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"MALWARE-CNC Win.Trojan.UDPOS outbound data exfiltration"; flow:to_server; isdataat:150; content:"|0F|"; content:"|03|trp",within 4,distance 15,fast_pattern; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:dns; reference:url,attack.mitre.org/techniques/T1020; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection; classtype:trojan-activity; sid:45967; rev:2; )
alert udp $HOME_NET any -> $EXTERNAL_NET 53 ( msg:"MALWARE-CNC Win.Trojan.UDPOS outbound data exfiltration"; flow:to_server; isdataat:150; content:"|0F|"; content:"|04|note",within 5,distance 15,fast_pattern; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:dns; reference:url,attack.mitre.org/techniques/T1020; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection; classtype:trojan-activity; sid:45968; rev:2; )
alert tcp $HOME_NET 445 -> any any ( msg:"OS-WINDOWS Microsoft Windows SMB kernel heap memory leak attempt"; flow:to_client,established; content:"|FF|SMB|A0|",depth 5,offset 4; isdataat:127; content:"|FF FF FF FF|",within 4,distance 123; byte_extract:4,28,ids; byte_test:4,=,ids,174,relative; byte_extract:2,0,uid,relative; byte_test:2,=,uid,172,relative; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:netbios-ssn; reference:cve,2017-0143; reference:cve,2017-0146; reference:cve,2017-0147; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-010; classtype:attempted-recon; sid:45977; rev:2; )
alert tcp $HOME_NET 445 -> any any ( msg:"OS-WINDOWS Microsoft Windows SMB kernel heap memory leak attempt"; flow:to_client,established; content:"|FF|SMB|A0|",depth 5,offset 4; isdataat:111; content:"|FA FF FF|",within 3,distance 108; content:"|FA FF FF|",distance 0; byte_extract:4,28,ids; byte_test:4,=,ids,242,relative; byte_extract:2,0,uid,relative; byte_test:2,=,uid,240,relative; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:netbios-ssn; reference:cve,2017-0143; reference:cve,2017-0146; reference:cve,2017-0147; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-010; classtype:attempted-recon; sid:45978; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC MultiOS.Trojan.OSCelestial variant outbound connection"; flow:to_server,established; content:"|72 00 17|com.net.LoginDataPacket",fast_pattern,nocase; content:"|74 00 13|Lcom/net/LoginData",nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:url,www.virustotal.com/en/file/9b4843ff0181af15a6c8478ca00aafd4296592a2985a480575810f4f64442742/analysis/; classtype:trojan-activity; sid:45979; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"MALWARE-CNC MultiOS.Trojan.OSCelestial variant inbound connection"; flow:to_client,established; content:"|74 00 29|net.oscp.client.keylogger.KeystrokeLogger",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/9b4843ff0181af15a6c8478ca00aafd4296592a2985a480575810f4f64442742/analysis/; classtype:trojan-activity; sid:45980; rev:2; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"POLICY-OTHER Sandvine PacketLogic http redirection attempt"; flow:to_client,established; content:"Temporary Redirect",fast_pattern,nocase; id:13330; fragbits:!DMR; flags:AF; http_stat_code; content:"307",depth 3; http_stat_msg; content:"Temporary Redirect",nocase; metadata:ruleset community; service:http; reference:url,citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria; reference:url,github.com/citizenlab/badtraffic; classtype:misc-activity; sid:45983; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Gen variant outbound communication"; flow:to_server,established; http_raw_uri; bufferlen:6; http_uri; content:"/A56WY",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,us-cert.gov/ncas/alerts/TA17-293A; classtype:trojan-activity; gid:1; sid:46048; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.CrossRAT outbound connection attempt"; flow:to_server,established; content:"[^8]&&&",fast_pattern,nocase; content:"[^8]&&&"; isdataat:!0,relative; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:url,www.virustotal.com/#/file/da81aec00b563123d2fbd14fb6a76619c90f81e83c5bd8aa0676922cae96b9ad/detection; classtype:trojan-activity; sid:46050; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.Bandook/Anbacas outbound connection attempt"; flow:to_server,established; content:"QDAwMD",depth 6,fast_pattern; content:"&&&",within 200; isdataat:!0,relative; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:url,info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf; reference:url,www.virustotal.com/#/file/bf600e7b27bdd9e396e5c396aba7f079c244bfb92ee45c721c2294aa36586206/detection; classtype:trojan-activity; sid:46051; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC User-Agent known malicious user-agent string Uploador - Win.Trojan.CrossRAT"; flow:to_server,established; http_header; content:"User-Agent|3A| Uploador|0D 0A|",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/#/file/da81aec00b563123d2fbd14fb6a76619c90f81e83c5bd8aa0676922cae96b9ad/detection; classtype:trojan-activity; sid:46052; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.yty second stage downloader initial outbound connection"; flow:to_server,established; http_uri; content:"/football/goal",fast_pattern,nocase; http_client_body; content:"ball="; content:"score="; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/; classtype:trojan-activity; sid:46066; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.yty plugin downloader initial outbound connection"; flow:to_server,established; http_header; content:"Expect: 100-continue",fast_pattern,nocase; http_client_body; content:"pc="; content:"pc_data="; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1176; reference:url,www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/; classtype:trojan-activity; sid:46067; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.yty module download request"; flow:to_server,established; http_uri; content:"/football/download/",depth 19; http_header; content:!"User-Agent|3A|",nocase; content:!"Accept|3A|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/; classtype:trojan-activity; sid:46068; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.yty module request"; flow:to_server,established; http_header; content:"Expect: 100-continue",fast_pattern,nocase; http_uri; content:"cnumber="; content:"orname="; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/; classtype:trojan-activity; sid:46069; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.yty file exfiltration outbound request"; flow:to_server,established; http_header; content:"Expect: 100-continue",fast_pattern,nocase; http_client_body; content:"id=",depth 3; content:"&pc="; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1020; reference:url,www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/; classtype:trojan-activity; sid:46070; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] ( msg:"NETBIOS MikroTik RouterOS buffer overflow attempt"; flow:to_server,established; content:"|81 00|",depth 2; byte_test:2,>,75,0,relative; byte_extract:2,0,len,relative; isdataat:!len,relative; isdataat:len; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:netbios-ssn; reference:bugtraq,103427; reference:cve,2018-7445; classtype:attempted-user; sid:46076; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Linksys E-Series apply.cgi cross site scripting attempt"; flow:to_server,established; http_uri; content:"apply.cgi"; content:"action=",distance 0; pcre:"/[?&](wait_time|ping_ip|ping_size|submit_type|traceroute_ip)=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,s3cur1ty.de/m1adv2013-004; classtype:attempted-user; sid:46080; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Linksys E-Series apply.cgi cross site scripting attempt"; flow:to_server,established; http_uri; content:"apply.cgi",fast_pattern,nocase; http_client_body; content:"action="; pcre:"/(^|&)(wait_time|ping_ip|ping_size|submit_type|traceroute_ip)=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/im"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,s3cur1ty.de/m1adv2013-004; classtype:attempted-user; sid:46081; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt"; flow:to_server,established; http_uri; content:"apply.cgi",fast_pattern,nocase; http_client_body; content:"ping",nocase; pcre:"/(^|&)ping(\x5f|%5f)(ip|size|times)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/im"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2013-3307; classtype:web-application-attack; sid:46082; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Linksys E-Series apply.cgi directory traversal attempt"; flow:to_server,established; http_uri; content:"apply.cgi",fast_pattern,nocase; http_client_body; content:"next_page=",nocase; pcre:"/(^|&)next_page=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/im"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,s3cur1ty.de/m1adv2013-004; classtype:web-application-attack; sid:46083; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Linksys E-Series apply.cgi directory traversal attempt"; flow:to_server,established; http_uri; content:"apply.cgi",fast_pattern,nocase; content:"next_page=",nocase; content:"../"; pcre:"/[?&]next_page=[^&]*?\x2e\x2e\x2f/i"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,s3cur1ty.de/m1adv2013-004; classtype:web-application-attack; sid:46084; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt"; flow:to_server,established; http_uri; content:"apply.cgi",fast_pattern,nocase; content:"ping_",nocase; pcre:"/[?&]ping_(ip|size|times)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/i"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2013-3307; classtype:web-application-attack; sid:46085; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt"; flow:to_server,established; http_uri; content:"apply.cgi",fast_pattern,nocase; content:"ping_",nocase; http_raw_uri; content:"%26"; pcre:"/[?&]ping(\x5f|%5f)(ip|size|times)=[^&]*?%26/i"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2013-3307; classtype:web-application-attack; sid:46086; rev:3; )
alert tcp $EXTERNAL_NET 32764 -> $HOME_NET any ( msg:"PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected"; flow:to_client,established; isdataat:6; content:"MMcS",depth 4; metadata:policy max-detect-ips drop,ruleset community; reference:cve,2014-0659; classtype:misc-activity; sid:46121; rev:3; )
alert tcp $EXTERNAL_NET 32764 -> $HOME_NET any ( msg:"PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected"; flow:to_client,established; isdataat:6; content:"ScMM",depth 4; metadata:policy max-detect-ips drop,ruleset community; reference:cve,2014-0659; classtype:misc-activity; sid:46122; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 32764 ( msg:"PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected"; flow:to_server,established; isdataat:6; content:"MMcS",depth 4; metadata:policy max-detect-ips drop,ruleset community; reference:cve,2014-0659; classtype:misc-activity; sid:46123; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 32764 ( msg:"PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected"; flow:to_server,established; isdataat:6; content:"ScMM",depth 4; metadata:policy max-detect-ips drop,ruleset community; reference:cve,2014-0659; classtype:misc-activity; sid:46124; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.HW32 variant outbound connection"; flow:to_server,established; http_client_body; content:"Cpa=+EXEC+",depth 10; content:"%27%2C%27"; metadata:impact_flag red,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/0b2e8a9413d3b34d532d553922bd402830c1784302fc8ecaeeee17e826798d46/analysis/; classtype:trojan-activity; sid:46129; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Banbra variant outbound connection"; flow:to_server,established; http_header; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)"; http_client_body; content:"remetente=",depth 10,fast_pattern; content:"&destinatario",distance 0; metadata:impact_flag red,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:46136; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"MALWARE-CNC Win.Trojan.Cidox variant outbound connection attempt"; flow:to_server,established; content:"POST /b/req/",depth 12; content:" HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/octet-stream|0D 0A|Connection: Close|0D 0A|User-Agent: Mozilla/",within 103,distance 24; content:")|0D 0A|Host: ",distance 0; metadata:impact_flag red,policy max-detect-ips drop,policy security-ips drop,ruleset community; classtype:trojan-activity; sid:46137; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Linksys E series denial of service attempt"; flow:to_server,established; http_uri; content:"mfgtst.cgi",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:denial-of-service; sid:46287; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP QNAP VioStor NVR and QNAP NAS command injection attempt"; flow:to_server,established; http_uri; content:"/cgi-bin/pingping.cgi",fast_pattern,nocase; content:"ping_ip=",nocase; pcre:"/[?&]ping_ip=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/i"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2013-0143; classtype:web-application-attack; sid:46297; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP QNAP VioStor NVR and QNAP NAS command injection attempt"; flow:to_server,established; http_uri; content:"/cgi-bin/pingping.cgi",fast_pattern,nocase; content:"ping_ip=",nocase; http_raw_uri; content:"%26"; pcre:"/[?&]ping(\x5f|%5f)ip=[^&]*?%26/i"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2013-0143; classtype:web-application-attack; sid:46298; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP QNAP VioStor NVR and QNAP NAS command injection attempt"; flow:to_server,established; http_uri; content:"/cgi-bin/pingping.cgi",fast_pattern,nocase; http_client_body; content:"ping",nocase; pcre:"/(^|&)ping(\x5f|%5f)ip=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/im"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2013-0143; classtype:web-application-attack; sid:46299; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP QNAP VioStor NVR and QNAP NAS command injection attempt"; flow:to_server,established; http_uri; content:"/cgi-bin/pingping.cgi",fast_pattern,nocase; http_client_body; content:"ping_ip",nocase; content:"Content-Disposition",nocase; pcre:"/name\s*=\s*[\x22\x27]?ping_ip((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/ims"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2013-0143; classtype:web-application-attack; sid:46300; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER QNAP QTS X-Forwarded-For buffer overflow"; flow:to_server,established; http_uri; content:"/cgi-bin/filemanager/wfm2Login.cgi",fast_pattern,nocase; http_raw_header; content:"X-Forwarded-For",nocase; isdataat:90,relative; http_header; pcre:"/X-Forwarded-For:[^\n\r]{90}/ims"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.qnap.com/en/security-advisory/nas-201712-15; classtype:web-application-attack; sid:46301; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt"; flow:to_server,established; http_uri; content:"/cgi-bin/wizReq.cgi",fast_pattern,nocase; content:"SMB_",nocase; pcre:"/[?&]SMB_(LOCATION|USERNAME)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/i"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; classtype:web-application-attack; sid:46305; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt"; flow:to_server,established; http_uri; content:"/cgi-bin/wizReq.cgi",fast_pattern,nocase; content:"SMB_",nocase; http_raw_uri; content:"%26"; pcre:"/[?&]SMB(\x5f|%5f)(LOCATION|USERNAME)=[^&]*?%26/i"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; classtype:web-application-attack; sid:46306; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt"; flow:to_server,established; http_uri; content:"/cgi-bin/wizReq.cgi",fast_pattern,nocase; http_client_body; content:"SMB",nocase; pcre:"/(^|&)SMB(\x5f|%5f)(LOCATION|USERNAME)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/im"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; classtype:web-application-attack; sid:46307; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt"; flow:to_server,established; http_uri; content:"/cgi-bin/wizReq.cgi",fast_pattern,nocase; http_client_body; content:"SMB_",nocase; content:"Content-Disposition",nocase; pcre:"/name\s*=\s*[\x22\x27]?SMB_(LOCATION|USERNAME)((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/ims"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; classtype:web-application-attack; sid:46308; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER QNAP NVR/NAS Heap/Stack Overflow attempt"; flow:to_server,established; http_uri; content:"/cgi-bin/cgi.cgi",fast_pattern,nocase; content:"u=",nocase; content:"p=",nocase; isdataat:260,relative; pkt_data; pcre:"/[?&]p=[^&\s]{260}/ims"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; classtype:attempted-admin; sid:46309; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER QNAP NVR/NAS Heap/Stack Overflow attempt"; flow:to_server,established; http_uri; content:"/cgi-bin/cgi.cgi",fast_pattern,nocase; content:"u=",nocase; isdataat:35,relative; pkt_data; pcre:"/[?&]u=[^&\s]{35}/ims"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; classtype:attempted-admin; sid:46310; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Netgear WNR2000 information disclosure attempt"; flow:to_server,established; http_uri; content:"/cgi-bin/NETGEAR_WNR2000.cfg",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,www.netgear.com/home/products/networking/wifi-routers/WNR2000.aspx; classtype:attempted-recon; sid:46312; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Netgear WNR2000 information disclosure attempt"; flow:to_server,established; http_uri; content:"/cgi-bin/upg_restore.cgi",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,www.netgear.com/home/products/networking/wifi-routers/WNR2000.aspx; classtype:attempted-recon; sid:46313; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Netgear WNR2000 information disclosure attempt"; flow:to_server,established; http_uri; content:"/router-info.htm",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,www.netgear.com/home/products/networking/wifi-routers/WNR2000.aspx; classtype:attempted-recon; sid:46314; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Joomla restore.php PHP object injection attempt"; flow:to_server,established; http_uri; content:"/administrator/components/com_joomlaupdate/restore.php",fast_pattern,nocase; content:"factory=",nocase; pkt_data; content:"OjI2OiJraWNrc3RhcnQuc2V0dXAuc291cmNlZmlsZSI7"; content:"aHR0cDovL"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2014-7228; classtype:web-application-attack; sid:46315; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Drupal 8 remote code execution attempt"; flow:to_server,established; http_uri; content:"element_parents=",fast_pattern,nocase; content:"#value"; http_client_body; pcre:"/(%23|#)(submit|validate|access_callback|pre_render|post_render|lazy_builder|%6c%61%7a%79%5f%62%75%69%6c%64%65%72)/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2018-7600; reference:url,www.drupal.org/sa-core-2018-002; classtype:attempted-admin; sid:46316; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 ( msg:"SERVER-OTHER NETGEAR TelnetEnable attempt"; flow:to_server,established; content:"|C0 F3 AC 2A 40 79 49 0C A3 6E 89 64 73 66 0F 0B|"; content:"|5D FC 67 3A 16 DC 00 56 A3 6E 89 64 73 66 0F 0B|"; metadata:policy max-detect-ips drop,ruleset community; classtype:attempted-admin; sid:46317; rev:3; )
alert udp $EXTERNAL_NET any -> $HOME_NET 23 ( msg:"SERVER-OTHER NETGEAR TelnetEnable attempt"; flow:to_server; content:"|59 0D B1 E7 67 23 51 BA 5B 5D 52 33 91 0D 09 7F|"; content:"|09 44 80 0E DE B6 FA 3B 5B 5D 52 33 91 0D 09 7F|"; metadata:policy max-detect-ips drop,ruleset community; classtype:attempted-admin; sid:46318; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Netgear DGN2200B stored cross-site scripting attempt"; flow:to_server,established; http_uri; content:"/wlg_sec_profile_main.cgi",fast_pattern,nocase; http_client_body; content:"ssid=",nocase; pcre:"/ssid=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.netgear.com/home/products/networking/dsl-modems-routers/dgn2200.aspx; classtype:attempted-user; sid:46322; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Netgear DGN2200B stored cross-site scripting attempt"; flow:to_server,established; http_uri; content:"/fw_serv_add.cgi",fast_pattern,nocase; http_client_body; content:"userdefined=",nocase; pcre:"/userdefined=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/i"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.netgear.com/home/products/networking/dsl-modems-routers/dgn2200.aspx; classtype:attempted-user; sid:46323; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORTS ( msg:"SERVER-OTHER QNAP QTS hard coded credential access attempt"; flow:to_server,established; content:"PASS joxu06wj/|0D 0A|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:ftp; reference:cve,2015-7261; classtype:default-login-attempt; sid:46335; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Ransomware.Matrix outbound connection"; flow:to_server,established; http_uri; content:"add.php?apikey="; content:"&compuser="; content:"&sid="; content:"&phase="; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/#/file/996ea85f12a17e8267dcc32eae9ad20cff44115182e707153006162711fbe3c9/detection; classtype:trojan-activity; sid:46339; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Akeeba Kickstart restoration.php reconnaissance attempt"; flow:to_server,established; http_uri; content:"administrator/components/com_joomlaupdate/restoration.php",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2014-7229; classtype:web-application-attack; sid:46340; rev:3; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"SERVER-WEBAPP Akeeba Kickstart cross site request forgery attempt"; flow:to_client,established; file_data; content:"administrator/index.php",fast_pattern,nocase; content:"option=com_joomlaupdate",nocase; content:"task=update.install",nocase; metadata:policy max-detect-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:cve,2014-7229; classtype:web-application-attack; sid:46341; rev:3; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"SERVER-OTHER QNAP QTS cross site request forgery attempt"; flow:to_client,established; file_data; content:"cgi-bin/create_user.cgi",fast_pattern,nocase; content:"function=",nocase; content:"subfun=",nocase; content:"NAME=",nocase; content:"PASSWD=",nocase; content:"VERIFY=",nocase; metadata:policy max-detect-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:cve,2013-0144; classtype:attempted-admin; sid:46342; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER libgd heap-overflow attempt"; flow:to_server,established; content:"gd2|00 00 02|",fast_pattern; content:"|02|",within 1,distance 7; byte_test:1,>,128,16,relative; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2016-3074; classtype:web-application-attack; sid:46376; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER libgd heap-overflow attempt"; flow:to_server,established; content:"gd2|00 00 02|",fast_pattern; content:"|02|",within 1,distance 7; byte_test:1,>,128,8,relative; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2016-3074; classtype:web-application-attack; sid:46377; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $FILE_DATA_PORTS ( msg:"MALWARE-CNC Win.Trojan.Dropper variant outbound connection"; flow:to_server,established; http_client_body; content:"IHkoeWRrcnkpIikqNy95ZCB5LSl5ZCB5",depth 40,fast_pattern; http_header; content:!"Referer|3A|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/#/file/fd08f6bc823cbfa495f0568ba4284e02f1cad57e56bd04ef0a0b948ea9dddee4/details; classtype:trojan-activity; sid:46378; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Spyware.Autoit outbound connection"; flow:to_server,established; http_client_body; content:"win32=FFD8FFE000104A464946",fast_pattern,nocase; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/8ac4e164b463c313af059760ce1f830c19b0d5a280ec80554e8f77939143e24e; classtype:trojan-activity; sid:46416; rev:2; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Kraens delivery attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"{|22|i|22|:|22|%s|22|,|22|l|22|:[",fast_pattern,nocase; content:"RES_OK"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:url,www.virustotal.com/#/file/426d7bb2f4b362c6ff6b982565aa2bdb47e70320da0f60ba6c9bf04049e08829; classtype:trojan-activity; sid:46421; rev:1; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-CNC Win.Trojan.Kraens delivery attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"{|22|i|22|:|22|%s|22|,|22|l|22|:[",fast_pattern,nocase; content:"RES_OK"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:smtp; reference:url,www.virustotal.com/#/file/426d7bb2f4b362c6ff6b982565aa2bdb47e70320da0f60ba6c9bf04049e08829; classtype:trojan-activity; sid:46422; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Kraens initial outbound request"; flow:to_server,established; http_uri; content:"/up_d.php",fast_pattern,nocase; http_client_body; content:"{|22|i|22|:",depth 5; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/en/file/426d7bb2f4b362c6ff6b982565aa2bdb47e70320da0f60ba6c9bf04049e08829; classtype:trojan-activity; sid:46423; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Adware.Doyo initial connection"; flow:to_server,established; http_client_body; content:"data=85702b2fccafcb2f",depth 21; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/#/file/0692bfe17754036b12b862cd5618051d8b2def85aca2a910188a12baa1ed0060; classtype:trojan-activity; sid:46433; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Adware.Doyo client outbound connection"; flow:to_server,established; content:"|01 00 00 00 01 01 00 00 01 00 00 00 00 00 04 00 03 00 00 00 00 00 00 00 00 00 00 00|",depth 28; metadata:impact_flag red,ruleset community; service:http; reference:url,www.virustotal.com/#/file/0692bfe17754036b12b862cd5618051d8b2def85aca2a910188a12baa1ed0060; classtype:trojan-activity; sid:46434; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Vbs.Downloader.Kryptik known malicious user-agent string "; flow:to_server,established; http_header; content:"User-Agent|3A| USR-KL",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/7975cbaa5657d89b45126bf739fd84acd5bbe724f372a20360bd4fc038b67541; classtype:trojan-activity; sid:46435; rev:2; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Vbs.Downloader.Agent inbound connection"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"3832D640-CF90-11CF-8E43-00A0C911005A",fast_pattern,nocase; content:"Workbook_Open",nocase; content:"Document_Open",nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:url,www.virustotal.com/#/file/7975cbaa5657d89b45126bf739fd84acd5bbe724f372a20360bd4fc038b67541; classtype:trojan-activity; sid:46436; rev:1; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-CNC Vbs.Downloader.Agent inbound connection"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"3832D640-CF90-11CF-8E43-00A0C911005A",fast_pattern,nocase; content:"Workbook_Open",nocase; content:"Document_Open",nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:smtp; reference:url,www.virustotal.com/#/file/7975cbaa5657d89b45126bf739fd84acd5bbe724f372a20360bd4fc038b67541; classtype:trojan-activity; sid:46437; rev:1; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Vbs.Downloader.Agent inbound connection"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"Shell",nocase; content:"vbHide",within 100,fast_pattern; content:"Chr",nocase; content:"Asc",within 100,nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:url,www.virustotal.com/#/file/7975cbaa5657d89b45126bf739fd84acd5bbe724f372a20360bd4fc038b67541; classtype:trojan-activity; sid:46438; rev:1; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-CNC Vbs.Downloader.Agent inbound delivery attempt"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"Shell",nocase; content:"vbHide",within 100,fast_pattern; content:"Chr",nocase; content:"Asc",within 100,nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:smtp; reference:url,www.virustotal.com/#/file/7975cbaa5657d89b45126bf739fd84acd5bbe724f372a20360bd4fc038b67541; classtype:trojan-activity; sid:46439; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration"; flow:to_server,established,only_stream; content:"GET /v1 HTTP/1.1",depth 16,fast_pattern; http_header; content:"Connection: "; content:"User-Agent: "; content:"Accept-Encoding: "; content:"Accept-Language: "; content:"Host: "; detection_filter:track by_src,count 3,seconds 6; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,attack.mitre.org/techniques/T1020; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/664e0a048f61a76145b55d1f1a5714606953d69edccec5228017eb546049dc8c/analysis/; classtype:trojan-activity; sid:46482; rev:6; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP TwonkyMedia server directory listing attempt"; flow:to_server,established; http_uri; content:"/rpc/dir",fast_pattern,nocase; content:"path=",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2018-7171; classtype:web-application-attack; sid:46485; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"MALWARE-CNC Win.Trojan.Ammy heartbeat"; flow:to_server,established; content:"id=",depth 3,offset 5; content:"&os=",within 4,distance 8; content:"&priv=",distance 0; content:"&cred=",distance 0; content:"&pcname=",distance 0; content:"&build_time=",distance 0,fast_pattern; content:"&card=",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:46487; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Ammy download attempt"; flow:to_server,established; http_uri; content:"/q2/index.php?",fast_pattern,nocase; content:"id="; content:"&c="; content:"&mk="; content:"&il="; content:"&vr="; content:"&bt="; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:46488; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Agent outbound request"; flow:to_server,established; http_uri; content:".php?&1001=",fast_pattern,nocase; content:"99="; content:"f1="; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/123275cc76ef377986715c98abb0fec50cbd53f01dc3976080009dc7cdafbe86/analysis/; classtype:trojan-activity; sid:46501; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Agent outbound request"; flow:to_server,established; http_uri; content:".php?&1001=",fast_pattern,nocase; http_client_body; content:"1="; content:"2="; pcre:"/(^|&)\d{1,2}=[^&]*?\d{4}/m"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/123275cc76ef377986715c98abb0fec50cbd53f01dc3976080009dc7cdafbe86/analysis/; classtype:trojan-activity; sid:46502; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt"; flow:to_server,established; http_uri; content:"/twonky_cmd.cgi",fast_pattern,nocase; content:"path=",nocase; pcre:"/[?&]path=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/i"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2018-1143; classtype:web-application-attack; sid:46510; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt"; flow:to_server,established; http_uri; content:"/twonky_cmd.cgi",fast_pattern,nocase; content:"path=",nocase; http_raw_uri; content:"%26"; pcre:"/[?&]path=[^&]*?%26/i"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2018-1143; classtype:web-application-attack; sid:46511; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt"; flow:to_server,established; http_uri; content:"/twonky_cmd.cgi",fast_pattern,nocase; http_client_body; content:"path=",nocase; pcre:"/(^|&)path=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/im"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2018-1143; classtype:web-application-attack; sid:46512; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt"; flow:to_server,established; http_uri; content:"/twonky_cmd.cgi",fast_pattern,nocase; http_client_body; content:"path",nocase; content:"Content-Disposition",nocase; pcre:"/name\s*=\s*[\x22\x27]?path((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/ims"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2018-1143; classtype:web-application-attack; sid:46513; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt"; flow:to_server,established; http_uri; content:"/proxy.cgi",fast_pattern,nocase; content:"url=",nocase; pcre:"/[?&]url=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/i"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2018-1144; classtype:web-application-attack; sid:46514; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt"; flow:to_server,established; http_uri; content:"/proxy.cgi",fast_pattern,nocase; content:"url=",nocase; http_raw_uri; content:"%26"; pcre:"/[?&]url=[^&]*?%26/i"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2018-1144; classtype:web-application-attack; sid:46515; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt"; flow:to_server,established; http_uri; content:"/proxy.cgi",fast_pattern,nocase; http_client_body; content:"url=",nocase; pcre:"/(^|&)url=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/im"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2018-1144; classtype:web-application-attack; sid:46516; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt"; flow:to_server,established; http_uri; content:"/proxy.cgi",fast_pattern,nocase; http_client_body; content:"url",nocase; content:"Content-Disposition",nocase; pcre:"/name\s*=\s*[\x22\x27]?url((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/ims"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2018-1144; classtype:web-application-attack; sid:46517; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Belkin N750 F9K1103 wireless router remote telnet enable attempt"; flow:to_server,established; http_uri; content:"/set.cgi",fast_pattern,nocase; content:"n=TLNET_EN",nocase; content:"v=1",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2018-1146; classtype:policy-violation; sid:46518; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Belkin N750 F9K1103 wireless router remote telnet enable attempt"; flow:to_server,established; http_uri; content:"/set.cgi",fast_pattern,nocase; http_client_body; content:"n=TLNET_EN",nocase; content:"v=1",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2018-1146; classtype:policy-violation; sid:46519; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Banload second stage download request"; flow:to_server,established; isdataat:!100; http_header; content:!"Referer|3A|"; content:!"Accept"; content:!"User-Agent|3A 20|http"; pkt_data; content:".zip HTTP/1.1|0D 0A|Host|3A 20|",fast_pattern,nocase; pcre:"/GET \/\w*.zip HTTP\/1.1\r\nHost\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\r\n/i"; metadata:impact_flag red,ruleset community; service:http; classtype:trojan-activity; sid:46611; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Unruy outbound callout"; flow:to_server,established; http_uri; content:".php?q=",fast_pattern,nocase; http_header; content:"Accept-Language: en-us"; content:"Accept-Encoding: gzip, deflate"; content:"Connection: Keep-Alive"; content:"Referer: http://www.google.com"; http_uri; pcre:"/.php\?q=\d{1,4}\.\d{2,4}\.\d{1,3}\.\d{1,3}\.\d{1,3}\.[0-9a-f]{64}\.1.\d{4,6}/"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:46612; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Digital Guardian Management Console arbitrary file upload attempt"; flow:to_server,established; http_uri; content:"/DigitalGuardian/Management/ServerSettingsPDFTemplates.aspx",fast_pattern,nocase; http_client_body; content:"inputFilePath",nocase; content:".asp",distance 0,nocase; content:"Content-Disposition",nocase; pcre:"/name\s*=\s*[\x22\x27]inputFilePath[\x22\x27]\x3b((?!^--).)*?filename\s*=\s*[\x22\x27]\S+?\x2easpx?[\x22\x27][\r\n]{2,}/ims"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2018-10173; classtype:web-application-attack; sid:46665; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Digital Guardian Management Console arbitrary file upload attempt"; flow:to_server,established; http_uri; content:"/DigitalGuardian/Policies/PromptSkin.aspx",fast_pattern,nocase; http_client_body; content:"skinFile",nocase; content:".asp",distance 0,nocase; content:"Content-Disposition",nocase; pcre:"/name\s*=\s*[\x22\x27]skinFile[\x22\x27]\x3b((?!^--).)*?filename\s*=\s*[\x22\x27]\S+?\x2easpx?[\x22\x27][\r\n]{2,}/ims"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2018-10173; classtype:web-application-attack; sid:46666; rev:1; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Dropper malicious script download attempt"; flow:to_client,established; file_data; content:"<script",nocase; content:"ActiveXObject",nocase; content:"WScript.Shell",fast_pattern,nocase; content:"p o w e r s h e l l",nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:url,virustotal.com/#/file/76afa767b0374bde95d9a93074aceaec88228ba234caa13dd01313076baf02ee/detection; classtype:trojan-activity; sid:46742; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $FILE_DATA_PORTS ( msg:"MALWARE-CNC Win.Trojan.Dropper initial outbound connection attempt"; flow:to_server,established; http_uri; content:".php?utma",fast_pattern,nocase; http_header; content:!"Referer:",nocase; http_uri; pcre:"/(stem|slick)\.php\?utma/i"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:url,virustotal.com/#/file/76afa767b0374bde95d9a93074aceaec88228ba234caa13dd01313076baf02ee/detection; classtype:trojan-activity; sid:46743; rev:1; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Dropper malicious executable download attempt"; flow:to_client,established; http_header; content:"Content-Type:",nocase; content:"application/java-vm",within 50,fast_pattern; file_data; content:"MZ",depth 2; metadata:impact_flag red,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:url,virustotal.com/#/file/76afa767b0374bde95d9a93074aceaec88228ba234caa13dd01313076baf02ee/detection; classtype:trojan-activity; sid:46744; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.Qarallax outbound connection"; flow:to_server,established; content:"|00 07|nemesis",depth 10; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:url,www.virustotal.com/en/file/658f67dbf509fc017ace6db7ed38b3591fe72b9ba950a59054869cd718b4da2b/analysis; classtype:trojan-activity; sid:46747; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.Qarallax outbound connection"; flow:to_server,established; content:"|00 05|child|01 00 16|",depth 11; content:"|22|magic|22|",within 100; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:url,www.virustotal.com/en/file/658f67dbf509fc017ace6db7ed38b3591fe72b9ba950a59054869cd718b4da2b/analysis; classtype:trojan-activity; sid:46748; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Nagios XI SQL injection attempt"; flow:to_server,established; http_uri; content:"/nagiosql/admin/helpedit.php",fast_pattern,nocase; content:"selInfoKey1=",nocase; pcre:"/[?&]selInfoKey1=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/i"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2018-8734; classtype:web-application-attack; sid:46773; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP NagiosXI SQL injection attempt"; flow:to_server,established; http_uri; content:"/nagiosql/admin/helpedit.php",fast_pattern,nocase; http_client_body; content:"selInfoKey1=",nocase; pcre:"/(^|&)selInfoKey1=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/im"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2018-8734; classtype:web-application-attack; sid:46774; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Nagios XI command injection attempt"; flow:to_server,established; http_uri; content:"/nagiosxi/backend/index.php",fast_pattern,nocase; content:"command_data=",nocase; pcre:"/[?&]command_data=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/i"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2018-8734; classtype:web-application-attack; sid:46775; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Nagios XI command injection attempt"; flow:to_server,established; http_uri; content:"/nagiosxi/backend/index.php",fast_pattern,nocase; content:"command_data=",nocase; http_raw_uri; content:"%26"; pcre:"/[?&]command(\x5f|%5f)data=[^&]*?%26/i"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2018-8734; classtype:web-application-attack; sid:46776; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Nagios XI command injection attempt"; flow:to_server,established; http_uri; content:"/nagiosxi/backend/index.php",fast_pattern,nocase; http_client_body; content:"command",nocase; pcre:"/(^|&)command(\x5f|%5f)data=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/im"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2018-8734; classtype:web-application-attack; sid:46777; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Nagios XI command injection attempt"; flow:to_server,established; http_uri; content:"/nagiosxi/backend/index.php",fast_pattern,nocase; http_client_body; content:"command_data",nocase; content:"Content-Disposition",nocase; pcre:"/name\s*=\s*[\x22\x27]?command_data((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/ims"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2018-8734; classtype:web-application-attack; sid:46778; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Nagios XI database settings modification attempt"; flow:to_server,established; http_uri; content:"/nagiosql/admin/settings.php",fast_pattern,nocase; pkt_data; content:"txtDBname=nagiosql",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:cve,2018-8734; classtype:web-application-attack; sid:46779; rev:2; )
alert tcp $EXTERNAL_NET [443,8443] -> $HOME_NET any ( msg:"MALWARE-CNC Unix.Trojan.Vpnfilter variant SSL connection attempt"; flow:to_client,established; content:"|09 4D 69 63 72 6F 73 6F 66 74 31 10 30 0E 06 03 55 04 0B 13 07 53 75 70 70 6F 72 74 31 0B 30 09 06 03 55 04 03 13 02 63 61|",fast_pattern,nocase; metadata:impact_flag red,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,blog.talosintelligence.com/2018/05/VPNFilter.html; classtype:trojan-activity; sid:46782; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET [443,8443] ( msg:"MALWARE-CNC Unix.Trojan.Vpnfilter variant SSL connection attempt"; flow:to_server,established; content:"|09 4D 69 63 72 6F 73 6F 66 74 31 10 30 0E 06 03 55 04 0B 13 07 53 75 70 70 6F 72 74 31 0B 30 09 06 03 55 04 03 13 02 63 61|",fast_pattern,nocase; metadata:impact_flag red,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,blog.talosintelligence.com/2018/05/VPNFilter.html; classtype:trojan-activity; sid:46783; rev:6; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Downloader.Zebrocy known malicious user-agent string"; flow:to_server,established; http_header; content:"User-Agent|3A| Mozilla v5.1",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/#/file/5fab4d08348b4ef080ba91bdb0d769d31797f5092bff3b24b3c23d091fccc8a7; classtype:trojan-activity; sid:46785; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Downloader.Zebrocy initial outbound request"; flow:to_server,established; http_uri; content:"?fort=",fast_pattern,nocase; http_client_body; content:"pol=",depth 4; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/#/file/5fab4d08348b4ef080ba91bdb0d769d31797f5092bff3b24b3c23d091fccc8a7; classtype:trojan-activity; sid:46786; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Andr.Trojan.ZooPark outbound connection attempt"; flow:to_server,established; http_uri; content:"/telg/sv/sv.php",fast_pattern,nocase; http_client_body; content:"id"; content:"data"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/76fa36d35e0e16b0ea416726b0da2a66dfe7d7b35504cf6c475eac4cfa95fe3a/analysis; classtype:trojan-activity; sid:46787; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Andr.Trojan.ZooPark outbound connection attempt"; flow:to_server,established; http_uri; content:"/telg/index.php?set=show",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/76fa36d35e0e16b0ea416726b0da2a66dfe7d7b35504cf6c475eac4cfa95fe3a/analysis; classtype:trojan-activity; sid:46788; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Andr.Trojan.ZooPark outbound connection attempt"; flow:to_server,established; http_uri; content:"/get/index.php"; content:"id=Z29nbw==",fast_pattern,nocase; content:"user="; content:"pass="; content:"data="; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/76fa36d35e0e16b0ea416726b0da2a66dfe7d7b35504cf6c475eac4cfa95fe3a/analysis; classtype:trojan-activity; sid:46789; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Andr.Trojan.ZooPark outbound connection attempt"; flow:to_server,established; http_uri; content:"/spyMobile/upload.php",fast_pattern,nocase; content:"iemi="; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/76fa36d35e0e16b0ea416726b0da2a66dfe7d7b35504cf6c475eac4cfa95fe3a/analysis; classtype:trojan-activity; sid:46790; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Anti-Web directory traversal attempt"; flow:to_server,established; http_uri; content:"/cgi-bin/write.cgi",fast_pattern,nocase; http_client_body; content:"template=",nocase; pcre:"/(^|&)template=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/im"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2017-9097; classtype:web-application-attack; sid:46802; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Anti-Web directory traversal attempt"; flow:to_server,established; http_uri; content:"/cgi-bin/write.cgi",fast_pattern,nocase; content:"template=",nocase; content:"../"; pcre:"/[?&]template=[^&]*?\x2e\x2e\x2f/i"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2017-9097; classtype:web-application-attack; sid:46803; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Anti-Web directory traversal attempt"; flow:to_server,established; http_uri; content:"/cgi-bin/write.cgi",fast_pattern,nocase; http_client_body; content:"template",nocase; content:"Content-Disposition",nocase; pcre:"/name\s*=\s*[\x22\x27]?template((?!^--).)*?\x2e\x2e[\x2f\x5c]/ims"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2017-9097; classtype:web-application-attack; sid:46804; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP BA Systems BAS Web information disclosure attempt"; flow:to_server,established; http_uri; content:"/isc/get_sid.aspx",fast_pattern,nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2017-17974; classtype:attempted-user; sid:46805; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP BA Systems BAS Web information disclosure attempt"; flow:to_server,established; http_uri; content:"/isc/get_sid_js.aspx",fast_pattern,nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2017-17974; classtype:attempted-user; sid:46806; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP FLIR Breakstream 2300 unauthenticated information disclosure attempt"; flow:to_server,established; http_uri; content:"/getConfigExportFile.cgi",fast_pattern,nocase; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2018-3813; classtype:attempted-user; sid:46817; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Ransomware.Satan outbound connection"; flow:to_server,established; http_uri; content:"/data/token.php",fast_pattern,nocase; content:"status=",nocase; content:"code=",nocase; http_header; content:"Winnet Client",nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/b686cba1894f8ab5cec0ce5db195022def00204f6cd143a325608ec93e8b74ee/analysis/; classtype:trojan-activity; sid:46818; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Win.Ransomware.Satan payload download"; flow:to_server,established; http_uri; content:"/cab/sts.exe",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/b686cba1894f8ab5cec0ce5db195022def00204f6cd143a325608ec93e8b74ee/analysis/; classtype:trojan-activity; sid:46819; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP DotNetNuke DreamSlider arbitrary file download attempt"; flow:to_server,established; http_uri; content:"/DesktopModules/DreamSlider/DownloadProvider.aspx",fast_pattern,nocase; content:"file=",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; classtype:web-application-attack; sid:46824; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.Dunihi outbound connection"; flow:to_server,established; content:"|00 00 A2 30 81 9F 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 81 8D 00 30 81 89 02 81 81 00|",depth 32; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:url,www.virustotal.com/en/file/be442a5f8be3bf720236f71a613a534b8aa82b16b0daf8ff84a59bcb92e19e7d/analysis/; classtype:trojan-activity; sid:46827; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.RedLeaves variant outbound connection"; flow:to_server,established; http_header; content:".NET CLR 3.0.30729|3B| .NET4.0C|3B| .NET4.0E)|0D 0A|Content-Length",fast_pattern,nocase; http_raw_uri; bufferlen:<20; http_uri; content:"/index.php"; http_method; content:"POST"; http_header; content:"Connection: Keep-Alive|0D 0A|Accept: */*|0D 0A|"; content:!"Content-Type"; content:!"Referer"; content:!"Accept-"; metadata:impact_flag red,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/f6449e255bc1a9d4a02391be35d0dd37def19b7e20cfcc274427a0b39cb21b7b/analysis/; classtype:trojan-activity; sid:46839; rev:1; )
alert udp any 67 -> $HOME_NET 68 ( msg:"OS-LINUX Red Hat NetworkManager DHCP client command injection attempt"; content:"|63 82 53 63 35|"; content:"|FC|",within 50; pcre:"/([\xfc]).{0,50}([\x27])([\x20\x26\x3b\x7c]|[\x3c\x3e\x24]\x28)+/i"; metadata:policy max-detect-ips drop,ruleset community; service:dhcp; reference:cve,2018-1111; reference:url,access.redhat.com/security/cve/cve-2018-1111; classtype:attempted-user; sid:46847; rev:1; )
alert tcp $EXTERNAL_NET 20480 -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.CowerSnail command and control response detected"; flow:to_client,established; content:"pk",depth 2; content:"R|00|e|00|q|00|u|00|e|00|s|00|t|00|",fast_pattern,nocase; content:"|00|a|00|r|00|g|00|"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:irc; reference:url,www.virustotal.com/#/file/3fb8a4d2ed4f662a4cb4270bb5f488b79c8758aa6fc5c8b119c78fba38d6b7d1/detection; classtype:trojan-activity; sid:46872; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 20480 ( msg:"MALWARE-CNC Win.Trojan.CowerSnail initial outbound connection attempt"; flow:to_server,established; content:"+CHANNEL|0B|",fast_pattern,nocase; content:"line-client"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:irc; reference:url,www.virustotal.com/#/file/3fb8a4d2ed4f662a4cb4270bb5f488b79c8758aa6fc5c8b119c78fba38d6b7d1/detection; classtype:trojan-activity; sid:46873; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 ( msg:"MALWARE-CNC Win.Trojan.Joanap variant outbound connection"; flow:to_server,established; content:"TO: Joana <xiake722@gmail.com>",fast_pattern,nocase; content:"SUBJECT: |5B|T|5D|"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:smtp; reference:url,www.virustotal.com/#/file/077d9e0e12357d27f7f0c336239e961a7049971446f7a3f10268d9439ef67885/detection; reference:url,www.virustotal.com/#/file/4c5b8c3e0369eb738686c8a111dfe460e26eb3700837c941ea2e9afd3255981e/detection; classtype:trojan-activity; sid:46885; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Nocturnal outbound connection"; flow:to_server,established; http_uri; content:"/server/gate.php",fast_pattern,nocase; http_client_body; content:"name=|22|hwid|22|"; content:"name=|22|platform|22|"; content:"name=|22|pcount|22|"; content:"name=|22|cccount|22|"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/ae7e5a7b34dc216e9da384fcf9868ab2c1a1d731f583f893b2d2d4009da15a4e/analysis/; classtype:trojan-activity; sid:46895; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection"; flow:to_server,established; http_uri; content:"/panel/logout.php",depth 17; http_header; content:!"Accept"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,virustotal.com/en/file/6de535e8d4b82e5554a138ec1d6c6b530943ff08d5e04308d695f473e74f9600/analysis/; classtype:trojan-activity; sid:46922; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Dropper outbound connection"; flow:to_server,established; http_header; content:"User-Agent: HTTPREAD|0D 0A|",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/782cc4188618cf0c4815f85ea7873a004464095f5ed459b8d1579fa27ce5810e/analysis/; classtype:trojan-activity; sid:46936; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Danabot outbound connection"; flow:to_server,established; http_uri; content:"/index.php?m=S&",fast_pattern,nocase; content:"&a="; content:"&b="; content:"&d="; content:"&e="; http_header; content:!"Referer"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/f60c6c45ff27d1733d8ab03393ab88e3a2d7c75c7d9fce3169417e8c9fd3df12/analysis; classtype:trojan-activity; sid:46966; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Danabot outbound connection"; flow:to_server,established; http_uri; content:"/index.php?m=F&",fast_pattern,nocase; content:"&a="; content:"&b="; content:"&d="; content:"&e="; http_header; content:!"Referer"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/f60c6c45ff27d1733d8ab03393ab88e3a2d7c75c7d9fce3169417e8c9fd3df12/analysis; classtype:trojan-activity; sid:46967; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Danabot outbound connection"; flow:to_server,established; http_uri; content:"/index.php?m=T&",fast_pattern,nocase; content:"&a="; content:"&b="; content:"&d="; content:"&e="; http_header; content:!"Referer"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/f60c6c45ff27d1733d8ab03393ab88e3a2d7c75c7d9fce3169417e8c9fd3df12/analysis; classtype:trojan-activity; sid:46968; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Autophyte dropper variant outbound connection"; flow:to_server,established; http_raw_uri; bufferlen:10; http_uri; content:"/mainls.cs",fast_pattern,nocase; http_header; content:"Content-Type: application/octet-stream",nocase; content:!"User-Agent",nocase; metadata:impact_flag red,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/#/file/086a50476f5ceee4b10871c1a8b0a794e96a337966382248a8289598b732bd47/detection; classtype:trojan-activity; sid:46969; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Autophyte RAT variant outbound connection"; flow:to_server,established; http_client_body; content:"Content-Disposition: form-data|3B| name=|22|board_id|22|",fast_pattern,nocase; content:"Content-Disposition: form-data|3B| name=|22|user_id|22|"; content:"Content-Disposition: form-data|3B| name=|22|file1|22|"; http_header; content:!"Referer"; metadata:ruleset community; service:http; reference:url,www.virustotal.com/#/file/c10363059c57c52501c01f85e3bb43533ccc639f0ea57f43bae5736a8e7a9bc8/detection; reference:url,www.virustotal.com/#/file/e98991cdd9ddd30adf490673c67a4f8241993f26810da09b52d8748c6160a292/detection; classtype:trojan-activity; sid:46970; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"INDICATOR-COMPROMISE Microsoft Office Discovery User-Agent to a potential URL shortener service"; flow:to_server,established; http_raw_uri; bufferlen:<10; http_header; content:"Host: "; content:"|0D 0A|",within 14; http_method; content:"OPTIONS"; http_header; content:"User-Agent: Microsoft Office "; content:"Discovery|0D 0A|",within 25; content:!"Accept"; content:!"Referer|3A|"; content:!"Cookie|3A|"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,virustotal.com/en/file/d615a205d92898896b0f553a027ffd9b7b7cde0c29ebe0b1f9364e1cf2831236/analysis/; classtype:misc-activity; sid:46979; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"INDICATOR-COMPROMISE Microsoft Office Discovery User-Agent to a potential URL shortener service"; flow:to_server,established; http_raw_uri; bufferlen:<10; http_header; content:"Host: "; content:"|0D 0A|",within 14; http_method; content:"HEAD"; http_header; content:"User-Agent: Microsoft Office "; content:"Discovery|0D 0A|",within 25; content:!"Accept"; content:!"Content-"; content:!"Referer|3A|"; content:!"Cookie|3A|"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,virustotal.com/en/file/d615a205d92898896b0f553a027ffd9b7b7cde0c29ebe0b1f9364e1cf2831236/analysis/; classtype:misc-activity; sid:46980; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.Orcus RAT inbound SSL certificate"; flow:to_client,established; content:"|16 03|",depth 2; content:"|02|",within 1,distance 3; content:"|0C|Orcus Server",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ssl; reference:url,virustotal.com/en/file/8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a/analysis/; classtype:trojan-activity; sid:46981; rev:1; )
alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE Microsoft cmd.exe banner"; flow:established; content:"Microsoft Windows",depth 18; content:"Microsoft Corp",within 250; metadata:policy max-detect-ips drop,ruleset community; reference:nessus,11633; classtype:successful-admin; sid:46983; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,3000,5156,7218] ( msg:"MALWARE-CNC Win.Trojan.SocketPlayer outbound connection"; flow:to_server,established; content:"POST /cl/uplod/",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/de38e74b2cd493d0f014fc6ca5d2834cea213778c2e056a7c84e9547fe275889/analysis/; classtype:trojan-activity; sid:47005; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,1337,5156] ( msg:"MALWARE-CNC Win.Trojan.SocketPlayer outbound connection"; flow:to_server,established; content:"/uploads/excutbls/h/",fast_pattern,nocase; metadata:impact_flag red,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/de38e74b2cd493d0f014fc6ca5d2834cea213778c2e056a7c84e9547fe275889/analysis/; classtype:trojan-activity; sid:47006; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Spyware.Invisimole CnC outbound connection"; flow:to_server,established; http_uri; content:"/www/",depth 5,fast_pattern; content:"/00",distance 0; http_header; content:!"Accept|3A|"; http_raw_uri; pcre:"/\/www\/(%[A-F0-9]{2}){5,}\/00/"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/be554e706f6b8ab8f4bbea209b669e9dca98bf647faa55c46756f322dadab32f/analysis/; classtype:trojan-activity; sid:47016; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.TechSupportScam installed binary outbound connection"; flow:to_server,established; http_uri; content:"/show_new.php?",fast_pattern,nocase; content:"code=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/#/file/c9adabc7516e38ce611cbde5856fbe6b06e8afee4422d754aa810aec59ecd8d8/detection; classtype:trojan-activity; sid:47067; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.TechSupportScam installed binary outbound connection"; flow:to_server,established; http_uri; content:"/register.php?",fast_pattern,nocase; content:"p=",nocase; content:"&code=",nocase; http_header; content:!"User-Agent"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/#/file/c9adabc7516e38ce611cbde5856fbe6b06e8afee4422d754aa810aec59ecd8d8/detection; classtype:trojan-activity; sid:47068; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.TechSupportScam installed binary outbound connection"; flow:to_server,established; http_uri; content:"/update_new.php?",fast_pattern,nocase; content:"code=",nocase; http_header; content:!"User-Agent"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/#/file/c9adabc7516e38ce611cbde5856fbe6b06e8afee4422d754aa810aec59ecd8d8/detection; classtype:trojan-activity; sid:47069; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Win.Adware.Pbot variant outbound connection"; flow:to_server,established; http_uri; content:"/installstarted",fast_pattern,nocase; content:"de=",nocase; content:"_v=",nocase; content:"_s=",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/#/file/5e3dc49c1f4b57ab27000befd128fad77eba9a6e07f8766c7e1393cae890fdf6/detection; classtype:misc-activity; sid:47093; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Win.Adware.Pbot variant outbound connection"; flow:to_server,established; http_uri; content:"/collect.php",fast_pattern,nocase; content:"pid="; content:"cid="; content:"sid="; content:"act="; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/#/file/5e3dc49c1f4b57ab27000befd128fad77eba9a6e07f8766c7e1393cae890fdf6/detection; classtype:misc-activity; sid:47094; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Win.Adware.Pbot variant outbound connection"; flow:to_server,established; http_uri; content:"/installended",fast_pattern,nocase; content:"de=",nocase; content:"_v=",nocase; content:"_s=",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/#/file/5e3dc49c1f4b57ab27000befd128fad77eba9a6e07f8766c7e1393cae890fdf6/detection; classtype:misc-activity; sid:47095; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.NukeSped RAT variant outbound communication"; flow:to_server,established; content:"|B0 00 B0 00 B0 00 B0 00 26 00 26 00 26 00|",depth 15; metadata:impact_flag red,ruleset community; reference:url,www.virustotal.com/#/file/4a740227eeb82c20286d9c112ef95f0c1380d0e90ffb39fc75c8456db4f60756/; classtype:trojan-activity; sid:47177; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET [9000:] ( msg:"MALWARE-CNC Win.Trojan.NukeSped RAT variant outbound connection"; flow:to_server,established; isdataat:83; isdataat:!84; content:"|50 00 00 00|",depth 4; byte_test:1,>,2,0,relative; content:!"|0A|",within 1,distance 1; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; reference:url,www.virustotal.com/#/file/4a740227eeb82c20286d9c112ef95f0c1380d0e90ffb39fc75c8456db4f60756/; classtype:trojan-activity; gid:1; sid:47178; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Js.Trojan.Agent JS Sniffer beacon connection"; flow:to_server,established; http_uri; content:".php?"; content:"=WyJ1cmw",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:47320; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.ARS VBS loader outbound connection"; flow:to_server,established; http_uri; content:"?os="; content:"&user="; content:"&av="; content:"&fw="; content:"&hwid="; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.flashpoint-intel.com/blog/meet-ars-vbs-loader/; classtype:trojan-activity; sid:47338; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"MALWARE-CNC Unix.Trojan.Vpnfilter plugin variant connection attempt"; flow:to_client,established; content:"|00 AC D3 62 78 26 76 31 E5 E7 E5 1D C2 3C 15 40 25 2F 90 BD 1F 7F 0E 5E 33 77 EC 0C 1E 6B 61 47|",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:url,attack.mitre.org/techniques/T1176; reference:url,blog.talosintelligence.com/2018/05/VPNFilter.html; classtype:trojan-activity; sid:47377; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 7001 ( msg:"SERVER-WEBAPP Oracle WebLogic Server unauthenticated modified JSP access attempt"; flow:to_server,established; http_uri; content:"/ws_utc/css/config/keystore/",fast_pattern,nocase; content:".jsp"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,104763; reference:cve,2018-2894; reference:url,www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html; classtype:attempted-recon; sid:47386; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 7001 ( msg:"SERVER-WEBAPP Oracle WebLogic Server potential unauthenticated reconnaissance attempt"; flow:to_server,established; http_uri; content:"/ws_utc/resources/setting/options/general",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,104763; reference:cve,2018-2894; reference:url,www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html; classtype:attempted-recon; sid:47387; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 7001 ( msg:"SERVER-WEBAPP Oracle WebLogic Server potential precursor to keystore attack attempt"; flow:to_server,established; http_uri; content:"/ws_utc/resources/setting/keystore",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,104763; reference:cve,2018-2894; reference:url,www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html; classtype:attempted-recon; sid:47388; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Osx.Trojan.Calisto outbound connection"; flow:to_server,established; http_uri; content:"/calisto/upload.php",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,virustotal.com/en/file/81c127c3cceaf44df10bb3ceb20ce1774f6a9ead0db4bd991abf39db828661cc/analysis/; classtype:trojan-activity; sid:47414; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Osx.Trojan.Calisto outbound connection"; flow:to_server,established; http_uri; content:"/calisto/listenyee.php",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,virustotal.com/en/file/81c127c3cceaf44df10bb3ceb20ce1774f6a9ead0db4bd991abf39db828661cc/analysis/; classtype:trojan-activity; sid:47415; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.Mapoyun variant outbound connection attempt"; flow:to_server,established; http_header; content:"Connection:Close|3B|",fast_pattern,nocase; content:"X-CA-",nocase; content:!"User-Agent|3A|",nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,virustotal.com/en/file/34cbcbbbc4b538f30bc3d57dd587f1b604d29f113c149bf1ab53898464ad9c80/analysis/; classtype:trojan-activity; sid:47427; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"MALWARE-CNC Win.Trojan.PLEAD downloader outbound connection"; flow:to_server,established; content:"GET /logo.png HTTP/1.1|0D 0A|",depth 24; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 8.0)|0D 0A|",fast_pattern,nocase; metadata:impact_flag red,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:url,blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html; classtype:trojan-activity; sid:47556; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"MALWARE-CNC Win.Trojan.PLEAD downloader outbound connection"; flow:to_server,established; content:"GET /index.php?id=",depth 18; content:"HTTP/1.1|0D 0A|",within 10,distance 11,nocase; content:"Cookie:"; isdataat:50,relative; content:!"=",within 50; content:!"|3B|",within 50; metadata:impact_flag red,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:url,blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html; classtype:trojan-activity; sid:47557; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"MALWARE-CNC Win.Trojan.Zegost variant outbound connection"; flow:to_server,established; content:"|2A 00 00 00|",depth 4; isdataat:37,relative; isdataat:!38,relative; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:url,www.virustotal.com/#/file/108bbc4ff7b7da4f0de1225094964d03b19fc38b93933f739c475f08ae17915e/detection; classtype:trojan-activity; sid:47567; rev:2; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Joomla Proclaim biblestudy backup access attempt"; flow:to_server,established; http_uri; content:"/media/com_biblestudy/backup/",fast_pattern,nocase; content:".sql"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; classtype:attempted-recon; sid:47613; rev:1; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.KeyPass variant inbound connection attempt"; flow:to_client,established; file_data; content:"|7B 22|line1|22 3A 22|",depth 10,fast_pattern; content:"|22|line2|22 3A 22|",within 30,distance 30; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,virustotal.com/#/file/901d893f665c6f9741aa940e5f275952/detection; classtype:trojan-activity; sid:47627; rev:1; )
alert udp $EXTERNAL_NET 53 -> $HOME_NET any ( msg:"INDICATOR-OBFUSCATION DNS TXT response record tunneling"; flow:to_client; dsize:>300; content:"|00 10 00 01 00 00 00 00 01 00 FF|",fast_pattern,nocase; detection_filter:track by_src,count 25,seconds 1; metadata:policy max-detect-ips drop,ruleset community; service:dns; reference:url,attack.mitre.org/techniques/T1048; classtype:misc-activity; sid:47639; rev:3; )
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any ( msg:"SERVER-WEBAPP SSL certificate with null issuer rdnSequence fields detected"; flow:to_client,established; ssl_state:server_hello; content:"|30 07 06 03 55 04 06 13 00 31 09 30 07 06 03 55 04 08 13 00 31 09 30 07 06 03 55 04 07 13 00 31 09 30 07 06 03 55 04 0A 13 00 31 09 30 07 06 03 55 04 0B 13 00 31 09 30 07 06 03 55 04 03 13 00|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:ssl; classtype:misc-activity; sid:47640; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Marap outbound beacon detected"; flow:to_server,established; http_uri; content:"/dot.php",fast_pattern,nocase; http_client_body; content:"param=",depth 6; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/bc1fc69f9747dc034ece7d9bb795c5e596d9be6ca71efe75c6c0fd18f3cbfbf5/analysis/; classtype:trojan-activity; sid:47650; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Andr.Trojan.MysteryBot outbound connection"; flow:to_server,established; http_uri; content:"/site/gate.php?i=eyAiYWN0aW9uIjog",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/334f1efd0b347d54a418d1724d51f8451b7d0bebbd05f648383d05c00726a7ae/analysis/; classtype:trojan-activity; sid:47723; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Andr.Trojan.AnubisCrypt variant outbound post detected"; flow:to_server,established; http_uri; content:"/private/",fast_pattern; content:".php",distance 0; http_client_body; content:"p="; http_header; content:"User-Agent:"; content:"Android",within 100; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/#/file/d27034b9f58aa71f08f3c57d893fe07cdd395c9b4e494fbcca2a1d1ca3dce88e/detection; classtype:trojan-activity; sid:47876; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Andr.Trojan.AnubisCrypt variant outbound post detected"; flow:to_server,established; http_uri; content:"/private/checkPanel.php",fast_pattern,nocase; http_header; content:"User-Agent:"; content:"Android",within 100; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/#/file/d27034b9f58aa71f08f3c57d893fe07cdd395c9b4e494fbcca2a1d1ca3dce88e/detection; classtype:trojan-activity; sid:47877; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.OilRig variant outbound connection"; flow:to_server,established; http_uri; content:"/tahw?",depth 6; pcre:"/\x2ftahw\x3f[A-F0-9]{3,84}$/"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/#/file/055b7607848777634b2b17a5c51da7949829ff88084c3cb30bcb3e58aae5d8e9; classtype:attempted-user; sid:47898; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.OilRig variant outbound connection"; flow:to_server,established; http_uri; content:"/khc?",depth 5; pcre:"/\x2fkhc\x3f[A-F0-9]{3,84}$/"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/#/file/055b7607848777634b2b17a5c51da7949829ff88084c3cb30bcb3e58aae5d8e9; classtype:attempted-user; sid:47899; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.OilRig variant outbound connection"; flow:to_server,established; http_uri; content:"/pser?",depth 6; pcre:"/\x2fpser\x3f[A-F0-9]{3,84}(BBZ|BBY)/"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/#/file/055b7607848777634b2b17a5c51da7949829ff88084c3cb30bcb3e58aae5d8e9; classtype:attempted-user; sid:47900; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.MSDownloader variant outbound connection"; flow:to_server,established; http_header; content:"MS_D0wnl0ad3r",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/#/file/c3c5d7961381c202c98badc7ff0739b4f381c10b4e76d153ad2a978118a4b505/detection; classtype:trojan-activity; sid:47934; rev:1; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.MSDownloader variant download"; flow:to_client,established; file_data; content:"Content-Type|3A 20|multipart/form-data|3B| boundary=MS_D0wnl0ad3r",fast_pattern,fast_pattern_offset 44,fast_pattern_length 13; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:url,www.virustotal.com/#/file/c3c5d7961381c202c98badc7ff0739b4f381c10b4e76d153ad2a978118a4b505/detection; classtype:trojan-activity; sid:47935; rev:1; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-CNC Win.Trojan.MSDownloader variant download"; flow:to_server,established; file_data; content:"Content-Type|3A 20|multipart/form-data|3B| boundary=MS_D0wnl0ad3r",fast_pattern,fast_pattern_offset 44,fast_pattern_length 13; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:smtp; reference:url,www.virustotal.com/#/file/c3c5d7961381c202c98badc7ff0739b4f381c10b4e76d153ad2a978118a4b505/detection; classtype:trojan-activity; sid:47936; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.AcridRain outbound connection"; flow:to_server,established; http_client_body; content:"browser/Vivaldi.txtPK",fast_pattern,nocase; http_uri; content:"/Upload/"; http_raw_uri; bufferlen:8; http_header; content:!"User-Agent|3A 20|"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/#/file/3d28392d2dc1292a95b6d8f394c982844a9da0cdd84101039cf6ca3cf9874c1c/analysis/; classtype:trojan-activity; sid:48035; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.AcridRain outbound connection"; flow:to_server,established; http_uri; content:"/Libs.zip",fast_pattern,nocase; http_raw_uri; bufferlen:9; http_header; content:!"User-Agent|3A 20|"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/#/file/3d28392d2dc1292a95b6d8f394c982844a9da0cdd84101039cf6ca3cf9874c1c/analysis/; classtype:trojan-activity; sid:48036; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.MirageFox variant outbound connection"; flow:to_server,established; http_uri; content:"/image_download.php?uid=",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/#/file/016948ec7743b09e41b6968b42dfade5480774df3baf915e4c8753f5f90d1734/analysis; classtype:trojan-activity; sid:48092; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.MirageFox variant outbound connection"; flow:to_server,established; http_uri; content:"/search?gid=",fast_pattern,nocase; http_header; content:"Accept:*/*"; http_method; content:"POST"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/#/file/97813e76564aa829a359c2d12c9c6b824c532de0fc15f43765cf6b106a32b9a5/analysis; classtype:trojan-activity; sid:48093; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.ITranslator variant outbound connection"; flow:to_server,established; http_uri; content:"/dl.itranslator.info/",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/#/file/b73d436d7741f50d29764367cbecc4ee67412230ff0d66b7d1d0e4d26983824d/analysis; classtype:trojan-activity; sid:48115; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.ITranslator variant outbound connection"; flow:to_server,established; http_uri; content:"/gl.php?uid=",fast_pattern,nocase; content:"&v="; content:"&x=",within 20; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/#/file/b73d436d7741f50d29764367cbecc4ee67412230ff0d66b7d1d0e4d26983824d/analysis; classtype:trojan-activity; sid:48116; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.ITranslator variant outbound connection"; flow:to_server,established; http_uri; content:"/ufiles/",fast_pattern,nocase; content:".dll"; http_header; content:"UID: "; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/#/file/b73d436d7741f50d29764367cbecc4ee67412230ff0d66b7d1d0e4d26983824d/analysis; classtype:trojan-activity; sid:48117; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.ITranslator variant outbound connection"; flow:to_server,established; http_header; content:"User-Agent: ITRANSLATOR|0D 0A|",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/#/file/b73d436d7741f50d29764367cbecc4ee67412230ff0d66b7d1d0e4d26983824d/analysis; classtype:trojan-activity; sid:48118; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.ITranslator variant outbound connection"; flow:to_server,established; http_header; content:"UID: P002|0D 0A|",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/#/file/b73d436d7741f50d29764367cbecc4ee67412230ff0d66b7d1d0e4d26983824d/analysis; classtype:trojan-activity; sid:48119; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.ITranslator variant outbound connection"; flow:to_server,established; http_uri; content:"/cfg?cb=",fast_pattern,nocase; content:"&guid="; content:"&uid=",distance 0; content:"&ua=",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/#/file/b73d436d7741f50d29764367cbecc4ee67412230ff0d66b7d1d0e4d26983824d/analysis; classtype:trojan-activity; sid:48120; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Downloader.XAgent variant outbound connection"; flow:to_server,established; http_uri; content:"&itwm=",fast_pattern,nocase; pcre:"/&itwm=([a-z0-9\-\=]{1,50})/i"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/#/file/b814fdbb7cfe6e5192fe1126835b903354d75bfb15a6c262ccc2caf13a8ce4b6; classtype:trojan-activity; sid:48140; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection"; flow:to_server,established; http_uri; content:"/technet-support/library/online-service-description.php",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,virustotal.com/#/file/fcf03bf5ef4babce577dd13483391344e957fd2c855624c9f0573880b8cba62e; classtype:trojan-activity; sid:48764; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection"; flow:to_server,established; http_uri; content:"/advance/portable_version/service.php",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,virustotal.com/#/file/93680d34d798a22c618c96dec724517829ec3aad71215213a2dcb1eb190ff9fa; classtype:trojan-activity; sid:48765; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection"; flow:to_server,established; http_uri; content:"/pkg/image/do.php",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,virustotal.com/#/file/50d610226aa646dd643fab350b48219626918305aaa86f9dbd356c78a19204cc; classtype:trojan-activity; sid:48766; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zebrocy variant payload download attempt"; flow:to_server,established; http_uri; content:"/Templates/NormalOld.dotm",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,virustotal.com/#/file/07646dc0a8c8946bb78be9b96147d4327705c1a3c3bd3fbcedab32c43d914305; classtype:trojan-activity; sid:48767; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Js.Trojan.Agent variant outbound connection"; flow:to_server,established; http_header; content:"User-Agent|3A| xmsSofts_1.0.0_",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:48818; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Js.Trojan.Agent variant inbound payload download"; flow:to_server,established; http_uri; content:"/blogs/enc7.js",fast_pattern,nocase; http_raw_uri; bufferlen:14; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:48819; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection"; flow:to_server,established; http_uri; content:"/company-device-support/values/correlate-sec.php",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,virustotal.com/#/file/dcbc770aeea8ad4c3f45b89535b4cb3592d6c627d6cf92ec7dfe2f8b41cda998; classtype:trojan-activity; sid:48844; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Osx.Trojan.WindTail outbound connection"; flow:to_server,established; http_uri; content:".php?very=",fast_pattern,nocase; content:"&xnvk="; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,virustotal.com/#/file/ad282e5ba2bc06a128eb20da753350278a2e47ab545fdab808e94a2ff7b4061e; classtype:trojan-activity; sid:48845; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Osx.Trojan.WindTail outbound connection"; flow:to_server,established; http_header; content:"User-Agent: usrnode/",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,virustotal.com/#/file/ad282e5ba2bc06a128eb20da753350278a2e47ab545fdab808e94a2ff7b4061e; classtype:trojan-activity; sid:48846; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Osx.Trojan.WindTail outbound connection"; flow:to_server,established; http_uri; content:"/qgHUDRZiYhOqQiN/kESklNvxsNZQcPl.php",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,virustotal.com/#/file/ad282e5ba2bc06a128eb20da753350278a2e47ab545fdab808e94a2ff7b4061e; classtype:trojan-activity; sid:48847; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection"; flow:to_server,established; http_uri; content:"/foth1018/go.php",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:48872; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection"; flow:to_server,established; http_uri; content:"/js/drv",fast_pattern,nocase; http_raw_uri; bufferlen:7; http_header; content:!"Referer:"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,virustotal.com/#/file/7d1e26a031db514dd8258de071b96dc57ebc31baf394129c020dd65b8acfc517; classtype:trojan-activity; sid:48873; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection"; flow:to_server,established; http_uri; content:"/ourtyaz/dwnack.php?cId=",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,virustotal.com/#/file/f5afe24061226630faa0f1a125e011819627cee3254060bdf2691bad65ff1d1c; classtype:trojan-activity; sid:48874; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection"; flow:to_server,established; http_uri; content:"/MarkQuality455/developerbuild.php?b=",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,virustotal.com/#/file/5716509e4cdbf8ffa5fbce02b8881320cb852d98e590215455986a5604a453f7; classtype:trojan-activity; sid:48875; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection"; flow:to_server,established; http_uri; content:"/purchase61dfdusfdsu/costnbenifit8889.php?p=",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,virustotal.com/#/file/705487b3deaf5f2ffa3240208044015e836cf4b32ef817154e23cb9f5859993f; classtype:trojan-activity; sid:48876; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection"; flow:to_server,established; http_uri; content:"/ourtyaz/qwe.php?TIe=",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,virustotal.com/#/file/172fb23460f34d174baa359c23d46d139fe30cd2d97b11b733aae496ab609c25; classtype:trojan-activity; sid:48877; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection"; flow:to_server,established; http_uri; content:"/winter/zxd.php?TIe=",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,virustotal.com/#/file/121a0e5e66cc7bdc78387b2e67222eb0349ca038e5aced3ed0eccb167106a40e; classtype:trojan-activity; sid:48878; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection"; flow:to_server,established; http_uri; content:"/software-apptication/help-support-apl/getidpolapl.php",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,virustotal.com/#/file/fcf03bf5ef4babce577dd13483391344e957fd2c855624c9f0573880b8cba62e; classtype:trojan-activity; sid:48904; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 ( msg:"PROTOCOL-SCADA PCOM Identification ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"ID",depth 2,offset 9; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48984; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 ( msg:"PROTOCOL-SCADA PCOM Init Device ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"CCI",depth 3,offset 9; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-dos; sid:48985; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 ( msg:"PROTOCOL-SCADA PCOM Set UnitID ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"US",depth 2,offset 9; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48986; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 ( msg:"PROTOCOL-SCADA PCOM Get UnitID ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"UG",depth 2,offset 9; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48987; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 ( msg:"PROTOCOL-SCADA PCOM Read Inputs ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"RE",depth 2,offset 9; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48988; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 ( msg:"PROTOCOL-SCADA PCOM Set RTC ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"SC",depth 2,offset 9; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48989; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 ( msg:"PROTOCOL-SCADA PCOM Read Ouputs ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"RA",depth 2,offset 9; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48990; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 ( msg:"PROTOCOL-SCADA PCOM Read System Bits ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"GS",depth 2,offset 9; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48991; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 ( msg:"PROTOCOL-SCADA PCOM Read Memory Integers ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"RW",depth 2,offset 9; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48992; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 ( msg:"PROTOCOL-SCADA PCOM Read Memory Longs ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"RNL",depth 3,offset 9; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48993; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 ( msg:"PROTOCOL-SCADA PCOM Write System Integers ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"SF",depth 2,offset 9; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48994; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 ( msg:"PROTOCOL-SCADA PCOM Write System Bits ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"SS",depth 2,offset 9; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48995; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 ( msg:"PROTOCOL-SCADA PCOM Read System Longs ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"RNH",depth 3,offset 9; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48996; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 ( msg:"PROTOCOL-SCADA PCOM Read System Integers ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"GF",depth 2,offset 9; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48997; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 ( msg:"PROTOCOL-SCADA PCOM Read Memory Bits ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"RB",depth 2,offset 9; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48998; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 ( msg:"PROTOCOL-SCADA PCOM Write Ouputs ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"SA",depth 2,offset 9; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48999; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 ( msg:"PROTOCOL-SCADA PCOM Stop Device ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"CCS",depth 3,offset 9; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-dos; sid:49000; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 ( msg:"PROTOCOL-SCADA PCOM Start Device ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"CCR",depth 3,offset 9; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-dos; sid:49001; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 ( msg:"PROTOCOL-SCADA PCOM Write System Longs ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"SNH",depth 3,offset 9; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49002; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 ( msg:"PROTOCOL-SCADA PCOM Get RTC ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"RC",depth 2,offset 9; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49003; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 ( msg:"PROTOCOL-SCADA PCOM Write Memory Bits ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"SB",depth 2,offset 9; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49004; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 ( msg:"PROTOCOL-SCADA PCOM Reset Device ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"CCE",depth 3,offset 9; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-dos; sid:49005; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 ( msg:"PROTOCOL-SCADA PCOM Write Memory Longs ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"SNL",depth 3,offset 9; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49006; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 ( msg:"PROTOCOL-SCADA PCOM Write Memory Integers ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"SW",depth 2,offset 9; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49007; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 ( msg:"PROTOCOL-SCADA PCOM Read Operands binary request"; flow:to_server,established; byte_test:1,=,102,2; content:"|4D|",depth 1,offset 18; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49008; rev:2; )
alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any ( msg:"PROTOCOL-SCADA PCOM Set UnitID ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"US",depth 2,offset 10; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49009; rev:2; )
alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any ( msg:"PROTOCOL-SCADA PCOM Get RTC ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"RC",depth 2,offset 10; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49010; rev:2; )
alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any ( msg:"PROTOCOL-SCADA PCOM Identification ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"ID",depth 2,offset 10; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49011; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 ( msg:"PROTOCOL-SCADA PCOM Write Data Table binary request"; flow:to_server,established; byte_test:1,=,102,2; content:"|44|",depth 1,offset 18; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49012; rev:2; )
alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any ( msg:"PROTOCOL-SCADA PCOM Get UnitID ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"UG",depth 2,offset 10; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49013; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 ( msg:"PROTOCOL-SCADA PCOM Read Data Table binary request"; flow:to_server,established; byte_test:1,=,102,2; content:"|04|",depth 1,offset 18; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49014; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 ( msg:"PROTOCOL-SCADA PCOM Get PLC Name binary request"; flow:to_server,established; byte_test:1,=,102,2; content:"|0C|",depth 1,offset 18; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49015; rev:2; )
alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any ( msg:"PROTOCOL-SCADA PCOM Set RTC ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"SC",depth 2,offset 10; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49016; rev:2; )
alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any ( msg:"PROTOCOL-SCADA PCOM Read Inputs ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"RE",depth 2,offset 10; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49017; rev:2; )
alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any ( msg:"PROTOCOL-SCADA PCOM Read System Bits ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"GS",depth 2,offset 10; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49018; rev:2; )
alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any ( msg:"PROTOCOL-SCADA PCOM Read Longs ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"RN",depth 2,offset 10; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49019; rev:2; )
alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any ( msg:"PROTOCOL-SCADA PCOM Read System Integers ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"GF",depth 2,offset 10; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49020; rev:2; )
alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any ( msg:"PROTOCOL-SCADA PCOM Read Ouputs ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"RA",depth 2,offset 10; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49021; rev:2; )
alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any ( msg:"PROTOCOL-SCADA PCOM Read Memory Bits ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"RB",depth 2,offset 10; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49022; rev:2; )
alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any ( msg:"PROTOCOL-SCADA PCOM Read Memory Integers ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"RW",depth 2,offset 10; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49023; rev:2; )
alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any ( msg:"PROTOCOL-SCADA PCOM Write Memory Bits ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"SB",depth 2,offset 10; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49024; rev:2; )
alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any ( msg:"PROTOCOL-SCADA PCOM Write System Integers ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"SF",depth 2,offset 10; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49025; rev:2; )
alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any ( msg:"PROTOCOL-SCADA PCOM Write System Bits ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"SS",depth 2,offset 10; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49026; rev:2; )
alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any ( msg:"PROTOCOL-SCADA PCOM Write Ouputs ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"SA",depth 2,offset 10; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49027; rev:2; )
alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any ( msg:"PROTOCOL-SCADA PCOM Write Memory Integers ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"SW",depth 2,offset 10; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49028; rev:2; )
alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any ( msg:"PROTOCOL-SCADA PCOM Write Longs ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"SN",depth 2,offset 10; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49029; rev:2; )
alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any ( msg:"PROTOCOL-SCADA PCOM Read Operands binary reply"; flow:to_client,established; byte_test:1,=,102,2; content:"|CD|",depth 1,offset 18; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49030; rev:2; )
alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any ( msg:"PROTOCOL-SCADA PCOM Get PLC Name binary reply"; flow:to_client,established; byte_test:1,=,102,2; content:"|8C|",depth 1,offset 18; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49031; rev:2; )
alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any ( msg:"PROTOCOL-SCADA PCOM Write Data Table binary reply"; flow:to_client,established; byte_test:1,=,102,2; content:"|C4|",depth 1,offset 18; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49032; rev:2; )
alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any ( msg:"PROTOCOL-SCADA PCOM Read Data Table binary reply"; flow:to_client,established; byte_test:1,=,102,2; content:"|84|",depth 1,offset 18; metadata:policy max-detect-ips drop,ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49033; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Osx.Adware.FairyTail variant outbound connection detected"; flow:to_server,established; http_header; content:"User-Agent: SpellingChecker/22",fast_pattern,nocase; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,virustotal.com/#/file/a9a7a1c48cd1232249336749f4252c845ce68fd9e7da85b6da6ccbcdc21bcf66; classtype:trojan-activity; sid:49042; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Osx.Adware.Genieo variant outbound connection detected"; flow:to_server,established; http_header; content:"User-Agent: LinqurySearch",fast_pattern,nocase; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,virustotal.com/#/file/850b4f620e874ed6117c7e1d15dd1c502d7e38cd4dd872753d502f39e3a5c8d8; classtype:trojan-activity; sid:49043; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"PUA-ADWARE Osx.Adware.MacSearch variant outbound connection detected"; flow:to_server,established; http_header; content:"User-Agent: macsearch/1 CFNetwork/",fast_pattern,nocase; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,virustotal.com/#/file/f54bb130f750f77546aebf690ba4b89f0ddb3c27a5e297383d0a30bcaa5f9cb4; classtype:trojan-activity; sid:49044; rev:1; )
alert tcp any any -> $HOME_NET 445 ( msg:"SERVER-SAMBA Samba is_known_pipe arbitrary module load code execution attempt"; flow:to_server,established; flowbits:isset,smb.tree.connect.ipc; content:"|FF|SMB|A2 00 00 00 00|",depth 9,offset 4; byte_test:2,=,1,1,relative,little,bitmask 0x8000; byte_extract:2,72,len,relative,little; content:"/",within 2; content:"/",within len,distance 2; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:netbios-ssn; reference:cve,2017-7494; reference:url,www.samba.org/samba/security/CVE-2017-7494.html; classtype:attempted-user; sid:49090; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Magecart inbound scan for vulnerable plugin attempt"; flow:to_server,established; http_uri; content:"?misc=",fast_pattern,nocase; content:"&dl="; content:"/index.php/"; http_header; content:!"Referer"; http_method; content:"POST"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; classtype:web-application-attack; sid:49282; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection"; flow:to_server,established; http_uri; content:"/help-desk/remote-assistant-service/PostId.php?q=",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,virustotal.com/#/file/dc64fec5e951acf298184be89cf89128550b318d719dcc8e2c3194ec3bdb340b; classtype:trojan-activity; sid:49396; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection"; flow:to_server,established; http_uri; content:"/ministerstvo-energetiki/seminars/2019/06/Seminar.rtf",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,virustotal.com/#/file/f617e805ccd0b1451e1f448d1328201d79cb846ba8b5b97221c26188fd1a1836; classtype:trojan-activity; sid:49397; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET [139,445] ( msg:"MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection"; flow:to_server,established; content:"S|00|e|00|m|00|i|00|n|00|a|00|r|00|_|00|2|00|0|00|1|00|8|00|_|00|1|00|.|00|A|00|O|00|-|00|A|00|",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:netbios-ssn; reference:url,virustotal.com/#/file/573ea78afb50100f896185164da3b8519e2e0f609a34a7c70460eca5b4ae640d; classtype:trojan-activity; sid:49398; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Orange LiveBox unauthorized credentials access attempt"; flow:to_server,established; http_raw_uri; bufferlen:23; http_uri; content:"/get_getnetworkconf.cgi",fast_pattern,nocase; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2018-20377; reference:url,badpackets.net/over-19000-orange-livebox-adsl-modems-are-leaking-their-wifi-credentials/; classtype:attempted-recon; sid:49418; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Fakewmi variant outbound connection attempt"; flow:to_server,established; http_uri; content:".png?ID=",fast_pattern,nocase; content:"&MAC="; content:"&OS="; content:"&BIT="; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/#/file/bdbfa96d17c2f06f68b3bcc84568cf445915e194f130b0dc2411805cf889b6cc/detection; classtype:trojan-activity; sid:49571; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Fakewmi variant outbound connection attempt"; flow:to_server,established; http_uri; content:".exez?ID=",fast_pattern,nocase; content:"&GUID="; content:"&_T="; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/#/file/bdbfa96d17c2f06f68b3bcc84568cf445915e194f130b0dc2411805cf889b6cc/detection; classtype:trojan-activity; sid:49572; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.SectorA05 outbound connection attempt"; flow:to_server,established; http_uri; content:"/bbs/data/tmp/ping.php",fast_pattern,nocase; content:"word=",nocase; content:"note=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,threatrecon.nshc.net/2019/01/30/operation-kitty-phishing/; classtype:trojan-activity; sid:49592; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.SectorA05 outbound connection attempt"; flow:to_server,established; http_raw_uri; bufferlen:<50; http_uri; content:"/indox.php?v=",fast_pattern,nocase; pcre:"/\/indox\.php\x3fv=(pp|pe|s)/"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,threatrecon.nshc.net/2019/01/30/operation-kitty-phishing/; classtype:trojan-activity; sid:49593; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.SectorA05 outbound connection attempt"; flow:to_server,established; http_uri; content:".php?file=Cobra_",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,threatrecon.nshc.net/2019/01/30/operation-kitty-phishing/; classtype:trojan-activity; sid:49594; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.SectorA05 outbound connection attempt"; flow:to_server,established; http_uri; content:"/board.php",fast_pattern,nocase; pcre:"/\/board\.php\?(m=[0-9A-F]{0,12}&)?(v=([abcef]|\d+\.\d+))/"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,threatrecon.nshc.net/2019/01/30/operation-kitty-phishing/; classtype:trojan-activity; sid:49595; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 ( msg:"MALWARE-CNC Win.Trojan.TSCookie variant outbound connection"; flow:to_server,established; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 8.0|3B| Win32)|0D 0A|",fast_pattern,nocase; content:"|20|/t",depth 4,offset 3; content:".aspx?m=",within 20; content:!"Referer"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:url,blogs.jpcert.or.jp/en/2018/11/tscookie2.html; classtype:trojan-activity; sid:49664; rev:1; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|00 00 00 00 73 63 61 6E 6E 69 6E 67 2E 2E 2E 00 20 3A 20 00 73 63 61 6E 20 66 69 6E 69 73 65 64 00 00 00 00 63 3A 2F 2E 6C 6F 67 00 77 61 72 6D 69 6E 67 20 75 70 2E 2E 2E 00 00 00|",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:smtp; reference:url,bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/; classtype:trojan-activity; sid:49676; rev:1; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"AVBlockTransformation",fast_pattern,nocase; content:"boost"; content:"BlockCipher",nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:url,bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/; classtype:trojan-activity; sid:49677; rev:1; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"AVBlockTransformation",fast_pattern,nocase; content:"boost"; content:"BlockCipher",nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:smtp; reference:url,bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/; classtype:trojan-activity; sid:49678; rev:1; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|40 74 6B 85 FF 7C 65 7F 04 85 F6 74 5F 8B 03 8B 40 04 8B 4C 18 38 0F B7 54 18 40 89 55 EC 8B 41|",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:url,bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/; classtype:trojan-activity; sid:49679; rev:1; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|40 74 6B 85 FF 7C 65 7F 04 85 F6 74 5F 8B 03 8B 40 04 8B 4C 18 38 0F B7 54 18 40 89 55 EC 8B 41|",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:smtp; reference:url,bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/; classtype:trojan-activity; sid:49680; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zacinlo outbound connection"; flow:to_server,established; http_uri; content:"/entry/feedbackinfo/production/",fast_pattern,nocase; http_header; content:"User-Agent: wget"; content:"Referer:"; content:"/entry/feedbackinfo/production/",within 100; content:!"Accept-"; content:!"Content-"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,labs.bitdefender.com/2018/06/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/; classtype:trojan-activity; sid:49788; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zacinlo outbound connection"; flow:to_server,established; http_uri; content:"/updaterinfo.bin",fast_pattern,nocase; http_header; content:"User-Agent: wget"; content:"Referer:"; content:"/updater/",within 50; content:!"Accept-Encoding"; content:!"Accept-"; content:!"Content-"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,labs.bitdefender.com/2018/06/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/; classtype:trojan-activity; sid:49789; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Zacinlo outbound connection"; flow:to_server,established; http_uri; content:"/entry/exe/runinfo",fast_pattern,nocase; content:"&mac="; http_header; content:"User-Agent: wget"; content:"Referer:"; content:"/entry/",within 50; content:!"Accept-"; content:!"Content-"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,labs.bitdefender.com/2018/06/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/; classtype:trojan-activity; sid:49790; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Tpshop remote file include attempt"; flow:to_server,established; http_uri; content:"/vendor/phpdocumentor/reflection-docblock/tests/phpDocumentor/Reflection/DocBlock/Tag/LinkTagTeet.php",fast_pattern,nocase; http_client_body; content:"down_url=",nocase; pcre:"/(^|&)down_url=[^&]*?(http|ftp)/im"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2018-9919; reference:url,seclists.org/fulldisclosure/2018/May/11; classtype:web-application-attack; sid:49837; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Tpshop remote file include attempt"; flow:to_server,established; http_uri; content:"/vendor/phpdocumentor/reflection-docblock/tests/phpDocumentor/Reflection/DocBlock/Tag/LinkTagTeet.php",fast_pattern,nocase; content:"down_url=",nocase; content:"|3A|/"; pcre:"/[?&]down_url=[^&]*?(http|ftp)/i"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2018-9919; reference:url,seclists.org/fulldisclosure/2018/May/11; classtype:web-application-attack; sid:49838; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP LG-Ericsson iPECS NMS 30M directory traversal attempt"; flow:to_server,established; http_uri; content:"/ipecs-cm/download",fast_pattern,nocase; http_client_body; content:"file",nocase; pcre:"/(^|&)file(name|path)=[^&]*?(\x2e|%(25)?2e){2}([\x2f\x5c]|%(25)?(2f|5c))/im"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2018-15138; reference:url,www.exploit-db.com/exploits/45167; classtype:web-application-attack; sid:49839; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP LG-Ericsson iPECS NMS 30M directory traversal attempt"; flow:to_server,established; http_uri; content:"/ipecs-cm/download",fast_pattern,nocase; content:"file",nocase; content:"../"; pcre:"/[?&]file(name|path)=[^&]*?\x2e\x2e\x2f/i"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2018-15138; reference:url,www.exploit-db.com/exploits/45167; classtype:web-application-attack; sid:49840; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP LG-Ericsson iPECS NMS 30M directory traversal attempt"; flow:to_server,established; http_uri; content:"/ipecs-cm/download",fast_pattern,nocase; http_client_body; content:"Content-Disposition",nocase; content:"filename",nocase; pcre:"/filename\s*=\s*[^\r\n]*?(\x2e|%(25)?2e){2}([\x2f\x5c]|%(25)?(2f|5c))/i"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2018-15138; reference:url,www.exploit-db.com/exploits/45167; classtype:web-application-attack; sid:49841; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP LG-Ericsson iPECS NMS 30M directory traversal attempt"; flow:to_server,established; http_uri; content:"/ipecs-cm/download",fast_pattern,nocase; http_client_body; content:"file",nocase; content:"Content-Disposition",nocase; pcre:"/name\s*=\s*[\x22\x27]?file(name|path)((?!^--).)*?\x2e\x2e[\x2f\x5c]/ims"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2018-15138; reference:url,www.exploit-db.com/exploits/45167; classtype:web-application-attack; sid:49842; rev:1; )
alert tcp any any -> $HOME_NET 3389 ( msg:"OS-WINDOWS Microsoft Windows RDP MS_T120 channel bind attempt"; flow:to_server,established; content:"MS_T120|00|",fast_pattern,nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:rdp; reference:cve,2019-0708; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0708; classtype:attempted-admin; sid:50137; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Downloader.TeamBot outbound cnc connection"; flow:to_server,established; http_uri; content:"/7773/index.php",fast_pattern,nocase; http_raw_uri; bufferlen:15; http_client_body; content:"&string="; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/#/file/91637c3b2fdb9fe50e80dd872580856275eb0275e885fec4b47ffcbe7d724b61; classtype:trojan-activity; sid:50258; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection"; flow:to_server,established; http_uri; content:"/php/gate.php",fast_pattern,nocase; http_client_body; content:"key=",nocase; content:"&string=",distance 0,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/#/file/5ef40f982016085ed58e0088eaa4be6e8c32cfa6526a5e681116b0914427ee21; classtype:trojan-activity; sid:50259; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Downloader.TeamBot additional payload download attempt"; flow:to_server,established; http_uri; content:"/7773/plug/",fast_pattern,nocase; content:".ahk"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/#/file/efe51c2453821310c7a34dca3054021d0f6d453b7133c381d75e3140901efd12; classtype:trojan-activity; sid:50260; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection"; flow:to_server,established; http_uri; content:"/?gate&hwid=",fast_pattern,nocase; content:"&pwd="; content:"pcuser",distance 0; content:"admin",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/#/file/5ef40f982016085ed58e0088eaa4be6e8c32cfa6526a5e681116b0914427ee21; classtype:trojan-activity; sid:50261; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Downloader.TeamBot additional payload download attempt"; flow:to_server,established; http_uri; content:"/7773/plug/htv/tv.dll",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/#/file/f64792324839f660b9bdfda95501a568c076641cf08ce63c1ddbe29b45623ac0; classtype:trojan-activity; sid:50262; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection"; flow:to_server,established; http_client_body; content:"logincreds=",fast_pattern,nocase; content:"isAdmin="; content:"antivirus="; content:"commentary="; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/#/file/5ef40f982016085ed58e0088eaa4be6e8c32cfa6526a5e681116b0914427ee21; classtype:trojan-activity; sid:50263; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Downloader.TeamBot outbound cnc connection"; flow:to_server,established; http_uri; content:"/7773/uploads/upload.php",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/#/file/43fbda74a65668333727c6512562db4f9e712cf1d5ad9dca8f06ae51bb937ba2; classtype:trojan-activity; sid:50264; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt"; flow:to_server,established; http_uri; content:"/temporary_listen_addresses/smsservice",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,cybersecurity.att.com/blogs/labs-research/sharepoint-vulnerability-exploited-in-the-wild; reference:url,isc.sans.edu/diary/CVE-2019-0604+Attack/24952; classtype:trojan-activity; sid:50276; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt"; flow:to_server,established; http_uri; content:"/temporary_listen_addresses/wsman",fast_pattern,nocase; http_cookie; content:"_reguestguid",nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,cybersecurity.att.com/blogs/labs-research/sharepoint-vulnerability-exploited-in-the-wild; reference:url,isc.sans.edu/diary/CVE-2019-0604+Attack/24952; classtype:trojan-activity; sid:50277; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC User-Agent known malicious user agent - BURAN - Win.Trojan.Buran"; flow:to_server,established; http_header; content:"User-Agent|3A 20|BURAN|0D 0A|",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/0bed6711e6db24563a66ee99928864e8cf3f8cff0636c1efca1b14ef15941603/analysis/; classtype:trojan-activity; sid:50424; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Downloader.TeamBot additional payload download attempt"; flow:to_server,established; http_uri; content:".exe",fast_pattern,nocase; http_raw_uri; bufferlen:6; http_header; content:"User-Agent: Microsoft Internet Explorer|0D 0A|"; content:!"Connection"; content:!"Accept"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,virustotal.com/#/file/3024ca140830e8eaf6634c1fd00bdfbd3968c3e96886ff9ec7d1b105c946e5c8; classtype:trojan-activity; sid:50445; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Downloader.TeamBot outbound cnc connection"; flow:to_server,established; http_uri; content:"/get.php?pid=",fast_pattern,nocase; http_header; content:"User-Agent: Microsoft Internet Explorer|0D 0A|"; content:!"Connection"; content:!"Accept"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,virustotal.com/#/file/3024ca140830e8eaf6634c1fd00bdfbd3968c3e96886ff9ec7d1b105c946e5c8; classtype:trojan-activity; sid:50446; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 65314 ( msg:"MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection"; flow:to_server,established; content:"|01 00 10|",depth 3; content:"|00 12 5C|",within 3,distance 9; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:url,virustotal.com/gui/file/bd8b1bd06817772af89d93a1789d5df13e15136e53a6af60be0900986c56234f/detection; classtype:trojan-activity; sid:50811; rev:1; )
alert udp $EXTERNAL_NET any -> $HOME_NET 500 ( msg:"SERVER-OTHER OpenBSD ISAKMP denial of service attempt"; flow:to_server; content:"|6C 6A CD CF B8 41 3F F8 00 00 00 00 00 00 00 00 01 10 04 01 00 00 00 00 00 00 00 1C|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; reference:cve,2004-0222; classtype:denial-of-service; sid:50901; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Dropper.Clipbanker variant outbound connection"; flow:to_server,established; http_uri; content:"/wp-content/plugins/WPSecurity/load.php",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/2922662802eed0d2300c3646a7a9ae73209f71b37ab94b25e6df57f6aed7f23e/analysis/; classtype:trojan-activity; sid:50989; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-BACKDOOR Win.Backdoor.Agent webshell inbound request attempt"; flow:to_server,established; http_header; content:"Response.Write(|22|UAshell|22|)|3B 0D 0A|",fast_pattern,nocase; http_uri; content:"/ua.aspx"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2019-0604; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604; classtype:trojan-activity; sid:51368; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER ANDR.Trojan.Agent outbound connection attempt"; flow:to_server,established; http_uri; content:"/recv_android.php",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/2bbd16a5c6e8f59cc221500b680af434785611de1194216d47ef10c52b2032e1/analysis/; classtype:trojan-activity; sid:51484; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRAT variant outbound connection"; flow:to_server,established; content:"ProClient.Data",fast_pattern,nocase; content:"Clientx|2C 20|Version=",nocase; content:"data|05|bytes",nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:url,www.virustotal.com/gui/file/6610e632758a0ae2ab9b259fe1f83236aff6b5bd485c3d4e3fd4995be68535bf/detection; classtype:trojan-activity; sid:51532; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.BlackRAT variant inbound connection"; flow:to_client,established; content:"BlackRAT.Data",fast_pattern,nocase; content:"|2C 20|Version=",nocase; content:"data|05|bytes",nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:url,www.virustotal.com/gui/file/6610e632758a0ae2ab9b259fe1f83236aff6b5bd485c3d4e3fd4995be68535bf/detection; classtype:trojan-activity; sid:51533; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected"; flow:to_server,established; http_header; content:"User-Agent|3A 20|Installer/23",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.flashpoint-intel.com/blog/newly-discovered-malware-framework-cashing-in-on-ad-fraud/; classtype:trojan-activity; sid:51541; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected"; flow:to_server,established; http_uri; content:"/webkit_login_records",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.flashpoint-intel.com/blog/newly-discovered-malware-framework-cashing-in-on-ad-fraud/; classtype:trojan-activity; sid:51542; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected"; flow:to_server,established; http_method; content:"PATCH"; http_uri; content:"/installers/"; http_header; content:"X-Installer-",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.flashpoint-intel.com/blog/newly-discovered-malware-framework-cashing-in-on-ad-fraud/; classtype:trojan-activity; sid:51543; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected"; flow:to_server,established; http_uri; content:"/upload_files"; http_header; content:"X-File-Name:",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.flashpoint-intel.com/blog/newly-discovered-malware-framework-cashing-in-on-ad-fraud/; classtype:trojan-activity; sid:51544; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected"; flow:to_server,established; http_uri; content:"/tasks"; http_header; content:"X-Finder-",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.flashpoint-intel.com/blog/newly-discovered-malware-framework-cashing-in-on-ad-fraud/; classtype:trojan-activity; sid:51545; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected"; flow:to_server,established; http_uri; content:"/webkit_cookies"; http_header; content:"X-Finder-",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.flashpoint-intel.com/blog/newly-discovered-malware-framework-cashing-in-on-ad-fraud/; classtype:trojan-activity; sid:51546; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Amadey botnet outbound connection"; flow:to_server,established; http_client_body; content:"bi=",fast_pattern,nocase; http_uri; content:"/index.php",nocase; http_client_body; content:"id=",nocase; content:"sd=",nocase; content:"vs=",nocase; content:"ar=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/gui/file/ea09fb5b9c31bbf5817f22634f0ad837605a3352df099690d5e3a948bb719e83; classtype:trojan-activity; sid:51636; rev:3; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Osx.Trojan.Gmera variant outbound connection"; flow:to_server,established; http_uri; content:"/link.php?",depth 13,fast_pattern; http_header; content:"User-Agent: curl/"; content:!"Referer",nocase; http_uri; pcre:"/^\/link\.php\?.{4,20}&\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/18e1db7c37a63d987a5448b4dd25103c8053799b0deea5f45f00ca094afe2fe7/analysis/; classtype:trojan-activity; sid:51642; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Silence variant outbound connection detected"; flow:to_server,established; http_uri; content:"/showthread.php?",fast_pattern,nocase; content:"alphayz="; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/gui/file/793b0dea13a1934f3a81d348ca8cb033da908a74feed5a37a3ccc9cb08cf31f1/detection; classtype:trojan-activity; sid:51670; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Silence variant outbound connection detected"; flow:to_server,established; http_uri; content:"/showthread.php?yz=",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/gui/file/793b0dea13a1934f3a81d348ca8cb033da908a74feed5a37a3ccc9cb08cf31f1/detection; classtype:trojan-activity; sid:51671; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,10011] ( msg:"MALWARE-CNC Andr.Trojan.Moonshine outbound connection"; flow:to_server,established; content:"User-Agent: hots scot",fast_pattern,nocase; content:"/ws?",nocase; content:"whisky_id=",nocase; content:"device_id=",nocase; content:"Upgrade: websocket",nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/6977e6098815cd91016be9d76f194ed4622640d03c6cdd66b1032306a2190af7/analysis/; classtype:trojan-activity; sid:51672; rev:1; )
alert udp any 67 -> $HOME_NET 68 ( msg:"OS-LINUX Red Hat NetworkManager DHCP client command injection attempt"; content:"|63 82 53 63|"; content:"|27|",distance 0; content:"|23|",within 254; pcre:"/\x63\x82\x53\x63.+?[\x0c-\xfe][\x05-\xff][\x20-\x7f]{0,250}\x27[\x20-\x7f]{3,250}\x23/s"; metadata:policy max-detect-ips drop,ruleset community; service:dhcp; reference:cve,2018-1111; reference:url,access.redhat.com/security/cve/cve-2018-1111; classtype:attempted-user; sid:52022; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Xml.Phishing.Evernote outbound connection"; flow:to_server,established; http_uri; content:"_spacertoofee=",fast_pattern,nocase; content:"hondacbrheavy"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/26f541b6e334574311c168af5d84b2d6887115bbff33ae5b45d28b0f66901b87/analysis/; classtype:misc-activity; sid:52026; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Xml.Phishing.Evernote outbound connection"; flow:to_server,established; http_uri; content:"_truthcolor=",fast_pattern,nocase; content:"dramafrine"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/en/file/50d0c853da4e7d2226d70e136d6e88e8e3841cc67a85df976d1bdf7084571a60/analysis/; classtype:misc-activity; sid:52027; rev:1; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"FILE-IDENTIFY Portable Executable binary file magic detected"; flow:to_server,established; file_data; content:"ZM"; byte_jump:4,58,relative,little; content:"PE|00 00|",within 4,distance -64; flowbits:set,file.exe; flowbits:noalert; metadata:policy balanced-ips alert,policy connectivity-ips alert,policy max-detect-ips alert,policy security-ips alert,ruleset community; service:smtp; classtype:misc-activity; sid:52056; rev:3; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"FILE-IDENTIFY Portable Executable binary file magic detected"; flow:to_client,established; file_data; content:"ZM"; byte_jump:4,58,relative,little; content:"PE|00 00|",within 4,distance -64; flowbits:set,file.exe; flowbits:noalert; metadata:policy max-detect-ips alert,ruleset community; service:ftp-data,http,imap,pop3; classtype:misc-activity; sid:52057; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Js.Trojan.FakeUpdate outbound connection"; flow:to_server,established; content:"POST /1x1.png HTTP/",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/#/file/8035806fc7109137ab55d39046ad9e010597bf5390b2e82740add8d1749edaf3; classtype:trojan-activity; sid:52259; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"MALWARE-CNC Win.Trojan.XpertRAT inbound connection"; flow:to_client,established; isdataat:!12; content:"|7C 30 7C A1 40 23 40 21|",depth 8,offset 3; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:url,www.virustotal.com/gui/file/064d1d9a20f737679bb7ce912854c7ab29f78a0716ee8bc8dc69ade02acdca5a/detection; classtype:trojan-activity; sid:52548; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-CNC Win.Trojan.XpertRAT outbound connection"; flow:to_server,established; isdataat:!11; content:"|7C|root|7C|",depth 6,offset 3; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:url,www.virustotal.com/gui/file/064d1d9a20f737679bb7ce912854c7ab29f78a0716ee8bc8dc69ade02acdca5a/detection; classtype:trojan-activity; sid:52549; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt"; flow:to_server,established; http_uri; content:"/vpns/",fast_pattern,nocase; http_raw_header; content:"NSC_USER:"; content:"../",within 10; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2019-19781; reference:url,support.citrix.com/article/CTX267027; classtype:web-application-attack; sid:52620; rev:2; )
alert tcp any any -> $HOME_NET 8009 ( msg:"SERVER-APACHE Apache Tomcat AJP connector arbitrary file access attempt"; flow:to_server,established; content:"|12 34|",depth 2; content:"|02|",within 1,distance 2; byte_test:1,!&,0xF9,0,relative; byte_extract:2,1,protocol_len,relative; content:"HTTP",within protocol_len,nocase; content:"javax.servlet.include.request_uri|00|",fast_pattern,nocase; content:"javax.servlet.include.servlet_path|00|",nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2020-1938; classtype:attempted-user; sid:53341; rev:2; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"INDICATOR-COMPROMISE RTF document with Equation and BITSAdmin download attempt"; flow:to_server,established; flowbits:isset,file.doc|file.rtf; file_data; content:"0200000002CE020000000000C000000000000046",fast_pattern,nocase; content:"6269747361646d696e",nocase; metadata:impact_flag red,ruleset community; service:smtp; classtype:trojan-activity; sid:53582; rev:2; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"INDICATOR-COMPROMISE RTF document with Equation and BITSAdmin download attempt"; flow:to_client,established; flowbits:isset,file.doc|file.rtf; file_data; content:"0200000002CE020000000000C000000000000046",fast_pattern,nocase; content:"6269747361646d696e",nocase; metadata:impact_flag red,ruleset community; service:ftp-data,http,imap,pop3; classtype:trojan-activity; sid:53583; rev:2; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.FormBook variant outbound connection"; flow:to_server,established; http_header; content:"Content-Type: application/x-www-form-urlencoded|0D 0A|Accept: */*|0D 0A|Referer:",fast_pattern,nocase; http_raw_uri; bufferlen:<6; http_header; content:"Connection: close|0D 0A|Content-Length:"; content:"Cache-Control: no-cache|0D 0A|Origin:"; http_method; content:"POST"; http_client_body; content:"=",depth 10; isdataat:300,relative; content:!"=",distance 0; http_uri; pcre:"/\x2f[a-z0-9]{2,3}\x2f/"; metadata:impact_flag red,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; classtype:trojan-activity; sid:53584; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Copperhedge outbound connection"; flow:to_server,established; http_client_body; content:"*dJU!*JE&!M@UNQ@",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,virustotal.com/gui/file/d8af45210bf931bc5b03215ed30fb731e067e91f25eda02a404bd55169e3e3c3/detection; classtype:trojan-activity; sid:54053; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Copperhedge outbound connection"; flow:to_server,established; http_client_body; content:"t34kjfdla45l",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,virustotal.com/gui/file/b4bf6322c67a23553d5a9af6fcd9510eb613ffac963a21e32a9ced83132a09ba/detection; classtype:trojan-activity; sid:54054; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Copperhedge outbound connection"; flow:to_server,established; http_client_body; content:"_webident_f",fast_pattern,nocase; content:"_webident_s"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,virustotal.com/gui/file/0a763da26a67cb2b09a3ae6e1ac07828065eb980e452ce7d3354347976038e7e/detection; classtype:trojan-activity; sid:54055; rev:1; )
alert tcp any any -> any any ( msg:"MALWARE-CNC Unix.Malware.Drovorub cnc inbound connection attempt"; flow:established; content:"{|22|children|22|:[{|22|name|22|:",fast_pattern,nocase; content:"|81|",depth 1; content:"|22 2C 22|value|22 3A|",distance 0,nocase; pcre:"/^\x81.{1,9}\x7b\x22children\x22\x3a\x5b\x7b\x22name\x22\x3a\x22[a-z0-9_\x2e]+\x22\x2c\x22value\x22\x3a\x22[a-z0-9\x2b\x2f]+={0,2}\x22\x7d/ims"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:url,media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF; classtype:trojan-activity; sid:54793; rev:1; )
alert tcp any any -> any 88 ( msg:"MALWARE-TOOLS GhostPack Rubeus kerberos request attempt"; flow:to_server,established; content:"|05|",depth 30; content:"|0A|",within 1,distance 4; content:"Z"; content:"|A7 06 02 04 6C 69 6C 00|",within 25; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; service:kerberos; reference:url,github.com/fireeye/red_team_tool_countermeasures; reference:url,www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; classtype:trojan-activity; gid:1; sid:56583; rev:2; )
alert udp any any -> any 88 ( msg:"MALWARE-TOOLS GhostPack Rubeus kerberos request attempt"; flow:to_server; content:"|05|",depth 30; content:"|0A|",within 1,distance 4; content:"Z"; content:"|A7 06 02 04 6C 69 6C 00|",within 25; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; service:kerberos; reference:url,github.com/fireeye/red_team_tool_countermeasures; reference:url,www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; classtype:trojan-activity; gid:1; sid:56584; rev:2; )
alert tcp any any -> any any ( msg:"MALWARE-TOOLS GhostPack Rubeus kerberos request attempt"; flow:to_server,established; content:"User32LogonProcesss",fast_pattern,nocase; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; service:kerberos; reference:url,github.com/fireeye/red_team_tool_countermeasures; reference:url,www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; classtype:trojan-activity; gid:1; sid:56585; rev:2; )
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any ( msg:"MALWARE-CNC Win.Backdoor.SSLBeacon variant certificate exchange attempt"; flow:to_client,established; ssl_state:server_hello; content:"ajax.microsoft.com",fast_pattern,nocase; content:"Information Technologies",nocase; content:"Microsoft",nocase; content:"Seattle",nocase; content:"WA",nocase; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; service:ssl; reference:url,fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; classtype:trojan-activity; sid:56587; rev:1; )
alert udp $EXTERNAL_NET 53 -> $HOME_NET any ( msg:"MALWARE-CNC Cobalt Strike DNS beacon inbound TXT record"; flow:to_client; content:"|00 01 00 01|",depth 4,offset 4; content:"|0A|_domainkey",distance 0; content:"|00 00 10 00 01 C0 0C 00 10 00 01 00 00 00 02 01 00 FF|v=DKIM1|5C 3B| p=",distance 0; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; service:dns; reference:url,www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; classtype:trojan-activity; sid:56592; rev:1; )
alert udp $EXTERNAL_NET 53 -> $HOME_NET any ( msg:"MALWARE-CNC Cobalt Strike DNS beacon inbound TXT record"; flow:to_client; content:"|00 01 00 01|",depth 4,offset 4; content:"|03|",within 15; content:"|0A|_domainkey",within 11,distance 3; content:"|00 00 10 00 01 C0 0C 00 10 00 01 00 00 00 02 01 00 FF|v=DKIM1|5C 3B| p="; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; service:dns; reference:url,www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; classtype:trojan-activity; sid:56593; rev:1; )
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any ( msg:"MALWARE-BACKDOOR MultiOS.Malware.GORAT malware download attempt"; flow:to_client,established; file_data; content:"aqlKZ7wjzg0iKM00E1WB/jq9_RA46w91EKl9A02Dv/nbNdZiLsB1ci8Ph0fb64/9Ks1YxAE86iz9A0dUiDl"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ftp-data,http,imap,pop3; reference:url,fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; classtype:trojan-activity; sid:56594; rev:1; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"MALWARE-BACKDOOR MultiOS.Malware.GORAT malware download attempt"; flow:to_server,established; file_data; content:"aqlKZ7wjzg0iKM00E1WB/jq9_RA46w91EKl9A02Dv/nbNdZiLsB1ci8Ph0fb64/9Ks1YxAE86iz9A0dUiDl"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:smtp; reference:url,fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; classtype:trojan-activity; sid:56595; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC MultiOS.Malware.GORAT outbound communications attempt"; flow:to_server,established; http_method; content:"GET"; pkt_data; content:"|0D 0A|Cookie: SID1=",fast_pattern,nocase; http_header; content:!"|0D 0A|Referer:"; content:!"|0D 0A|Accept"; metadata:impact_flag red,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; classtype:trojan-activity; sid:56596; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC MultiOS.Malware.GORAT outbound communications attempt"; flow:to_server,established; http_method; content:"POST"; http_header; content:"Connection: upgrade"; content:"|0D 0A|Upgrade: tcp/1|0D 0A|",fast_pattern,nocase; content:!"|0D 0A|Referer:"; content:!"|0D 0A|Accept"; content:!"|0D 0A|Cookie:"; metadata:impact_flag red,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; classtype:trojan-activity; sid:56597; rev:1; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Backdoor.CSBundle_Original inbound connection attempt"; flow:to_client,established; file_data; content:"{|22|meta|22|:{},|22|status|22|:|22|OK|22|,|22|saved|22|:|22|1|22|,|22|starttime|22|:17656184060,|22|id|22|:|22 22|,|22|vims|22|:{|22|dtc|22|:",fast_pattern,nocase; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; service:http; reference:url,www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; classtype:trojan-activity; sid:56598; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Backdoor.CSBundle_Original stager outbound connection attempt"; flow:to_server,established; http_header; content:"Accept: */*"; content:"Accept-Language: en-US"; content:"Accept-Encoding: gzip, deflate"; http_cookie; content:"Cookie: SIDCC=AN0-TYutOSq-fxZK6e4kagm70VyKACiG1susXcYRuxK08Y-rHysliq0LWklTqjtulAhQOPH8uA"; http_uri; content:"/api/v1/user"; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; service:http; reference:url,www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; classtype:trojan-activity; sid:56599; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Backdoor.CSBundle_Original outbound connection attempt"; flow:to_server,established; http_header; content:"Accept: */*|0D 0A|"; content:"Accept-Language: en-US|0D 0A|"; content:"Accept-Encoding: gzip, deflate|0D 0A|"; http_uri; pcre:"/(\/check|\/v1\/stats|\/gql|\/1.5\/95648064|\/u\/0\/_\/og\/botguard\/get|\/ev\/\w{3}001001)/i"; file_data; content:"{|22|locale|22|:|22|en|22|,|22|channel|22|:|22|prod|22|,|22|addon|22|:|22|"; content:"ses-"; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; service:http; reference:url,www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; classtype:trojan-activity; sid:56600; rev:1; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Backdoor.CSBundle_Original Stager 2 download attempt"; flow:to_client,established; http_header; content:"Content-Type: text/json|0D 0A|"; content:"Server: Microsoft-IIS/10.0|0D 0A|"; content:"X-Powered-By: ASP.NET|0D 0A|"; content:"Cache-Control: no-cache, no-store, max-age=0, must-revalidate|0D 0A|"; content:"Pragma: no-cache|0D 0A|"; content:"X-Frame-Options: SAMEORIGIN|0D 0A|"; content:"Content-Type: image/gif"; file_data; content:"|01 00 01 00 00 02 01 44 00 3B|"; content:"|FF FF FF 21 F9 04 01 00 00 00 2C 00 00 00 00|"; content:"|47 49 46 38 39 61 01 00 01 00 80 00 00 00 00|"; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; service:http; reference:url,www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; classtype:trojan-activity; sid:56601; rev:1; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Win.Backdoor.CSBundle_Original Server 3 inbound beacon attempt"; flow:to_client,established; file_data; content:"{|22|alias|22|:|22|apx|22|,|22|prefix|22|:|22 22|,|22|suffix|22|:null,|22|suggestions|22|:[],|22|responseId|22|:|22|15QE9JX9CKE2P|22|,|22|addon|22|: |22|",fast_pattern,nocase; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; service:http; reference:url,www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; classtype:trojan-activity; sid:56602; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Backdoor.CSBundle_Original outbound connection attempt"; flow:to_server,established; http_header; content:"Accept: */*|0D 0A|"; content:"Accept-Language: en-US|0D 0A|"; content:"Accept-Encoding: gzip, deflate|0D 0A|"; http_cookie; content:"display-culture=en|3B|check=true|3B|lbcs=0|3B|sess-id="; content:"|3B|SIDCC=AN0-TY21iJHH32j2m|3B|FHBv3=B"; http_uri; pcre:"/(\/api2|\/en-us|\/gp|\/v1|\/v3|\/v4|\/wp-content|\/wp-includes)/i"; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; service:http; reference:url,www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; classtype:trojan-activity; sid:56603; rev:1; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Rat.Tool.CSBundleUSATodayServer variant inbound command attempt"; flow:to_client,established; file_data; content:"{|22|navgd|22|:|22|<div class=gnt_n_dd_ls_w><div class=gnt_n_dd_nt>ONLY AT USA TODAY:</div><div class=gnt_n_dd_ls><a class=gnt_n_dd_ls_a href=https://supportlocal.usatoday.com/",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; classtype:trojan-activity; sid:56605; rev:1; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Rat.Tool.CSBundleUSATodayServer variant inbound command attempt"; flow:to_client,established; http_header; content:"X-Timer: S1593010188.776402,VS0,VE1",fast_pattern,nocase; content:"Content-Type: application/json|5C 3B| charset=utf-8"; content:"Strict-Transport-Security: max-age=10890000"; content:"Cache-Control: public, immutable, max-age=315360000"; content:"X-Cache: HIT, HIT"; content:"Vary: X-AbVariant, X-AltUrl, Accept-Encoding"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; classtype:trojan-activity; sid:56606; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC potential Rat.Tool.CSBundleUSAToday connectivity check"; flow:to_server,established; http_cookie; content:"gnt_ub=86|5C 3B|gnt_sb=18|5C 3B|usprivacy=1YNY|5C 3B|DigiTrust.v1.identity="; http_header; content:"Host: www.usatoday.com"; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; service:http; reference:url,www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; classtype:trojan-activity; sid:56607; rev:1; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-OTHER Cobalt Strike beacon inbound connection attempt"; flow:to_client,established; file_data; content:"{|22|meta|22|:{},|22|status|22|:|22|OK|22|,|22|saved|22|:|22|1|22|,|22|starttime|22|:17656184060,|22|id|22|:|22 22|,|22|vims|22|:{|22|dtc|22|:|22|",fast_pattern,nocase; metadata:impact_flag red,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; classtype:trojan-activity; sid:56608; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Cobalt Strike beacon outbound connection attempt"; flow:to_server,established; http_uri; content:"/v1/push"; http_header; content:"Accept: */*"; content:"Accept-Encoding: gzip, deflate, br"; content:"Accept-Language: en-US|0D 0A|"; content:"{|22|locale|22|:|22|en|22|,|22|channel|22|:|22|prod|22|,|22|addon|22|:|22|",fast_pattern,nocase; content:"cli"; content:"l-"; metadata:impact_flag red,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; classtype:trojan-activity; sid:56609; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Cobalt Strike beacon outbound connection attempt"; flow:to_server,established; http_header; content:"auth=0|5C 3B|loc=US}",fast_pattern,nocase; content:"sess-="; content:"Accept-Encoding: gzip, deflate, br"; content:"Accept-Language: en-US|0D 0A|"; content:"Accept: */*"; http_uri; pcre:"/^\x2f(updates|license\x2feula|docs\x2foffice|software-activation)/i"; metadata:impact_flag red,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; classtype:trojan-activity; sid:56610; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-OTHER Cobalt Strike beacon outbound connection attempt"; flow:to_server,established; http_uri; content:"/notification"; http_header; content:"Accept: */*"; content:"Accept-Encoding: gzip, deflate, br"; content:"Accept-Language: en-US|0D 0A|"; content:"{|22|locale|22|:|22|en|22|,|22|channel|22|:|22|prod|22|,|22|addon|22|:|22|",fast_pattern,nocase; content:"nid"; content:"msg-"; metadata:impact_flag red,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; classtype:trojan-activity; sid:56611; rev:1; )
alert tcp $HOME_NET any -> any $HTTP_PORTS ( msg:"MALWARE-CNC Rat.Tool.FeyeYelp variant outbound beacon attempt"; flow:to_server,established; http_header; content:"Sec-Fetch-Dest:",nocase; content:"empty",within 10,nocase; http_uri; content:"request_origin=user",fast_pattern,nocase; content:"parent_request_id=",nocase; pcre:"/parent_request_id=[^&\x3B]{128}/i"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; classtype:trojan-activity; sid:56612; rev:1; )
alert tcp $HOME_NET any -> any $HTTP_PORTS ( msg:"MALWARE-CNC Rat.Tool.FeyeYelp variant outbound beacon attempt"; flow:to_server,established; content:"_gat_global=1",fast_pattern,nocase; http_cookie; content:"_gat_global=1",nocase; content:"recent_locations",nocase; content:"_gat_www=1",nocase; content:"bse=",nocase; pcre:"/bse=[^&\x3B]{128}/i"; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:url,www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; classtype:trojan-activity; sid:56613; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-BACKDOOR Cobalt Strike beacon connection attempt"; flow:to_server,established; http_header; content:"client-=",fast_pattern,nocase; content:"Accept-Encoding|3A| gzip, deflate, br"; content:"|5C 3B|auth=1|7D|"; http_uri; pcre:"/^\/v1\/(queue|profile|docs\/wsdl|pull)/i"; metadata:impact_flag red,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; classtype:trojan-activity; sid:56614; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Cobalt Strike beacon outbound connection attempt"; flow:to_server,established; content:"nyt-gdpr=0|3B|nyt-purr=cfh|3B|nyt-geo=US}",fast_pattern,nocase; pcre:"/^GET\s(?:\/ads\/google|\/vi-assets\/static-assets|\/v1\/preferences|\/idcta\/translations|\/v2\/preferences)/"; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; service:http; reference:url,fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; classtype:attempted-user; sid:56615; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Cobalt Strike beacon outbound connection attempt"; flow:to_server,established; content:"{|22|locale|22 3A 22|en|22|,|22|channel|22 3A 22|prod|22|,|22|addon|22 3A 22|",fast_pattern,nocase; pcre:"/^POST\s(?:\/track|\/api\/v1\/survey\/embed|\/svc\/weather\/v2)/"; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; service:http; reference:url,fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; classtype:attempted-user; sid:56616; rev:1; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC Cobalt Strike beacon inbound connection attempt"; flow:to_client,established; content:"x-timer: S1580937960.346550,VS0,VE0",fast_pattern,nocase; content:"Cache-Control: public,max-age=31536000"; content:"Server: UploadServer"; content:"Vary: Accept-Encoding, Fastly-SSL"; content:"x-api-version: F-X"; content:"x-Firefox-Spdy: h2"; content:"x-served-by: cache-mdw17344-MDW"; metadata:impact_flag red,policy max-detect-ips drop,ruleset community; service:http; reference:url,fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; classtype:attempted-user; sid:56617; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC MultiOS.Malware.GORAT outbound communication attempt"; flow:to_server,established; http_method; content:"POST"; raw_data; content:"|0D 0A 0D 0A|murica",fast_pattern,nocase; http_header; content:!"|0D 0A|Referer:"; content:!"|0D 0A|Accept"; content:!"|0D 0A|Cookie:"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; classtype:trojan-activity; sid:56862; rev:1; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-CNC MultiOS.Malware.GORAT command and control response attempt"; flow:to_client,established; http_header; content:"HTTP/1.",depth 7; raw_data; content:"|0D 0A 0D 0A|murica",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; classtype:trojan-activity; sid:56863; rev:1; )
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any ( msg:"MALWARE-CNC MultiOS.Malware.GORAT command and control SSL certificate"; flow:to_client,established; ssl_state:server_hello; content:"|16 03 03|",depth 3; content:"ACME Shell Co.0"; content:"Z",distance 0; content:"ACME Shell Co.0",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ssl; reference:url,fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; classtype:trojan-activity; sid:56864; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"MALWARE-CNC Win.Trojan.BasicPipeShell variant communication attempt"; flow:to_server,established; content:"|FE|SMB",depth 4,offset 4; content:"|0B 00|",within 2,distance 8; content:"|70 00 69 00 70 00 65 00 73 00 68 00 65 00 6C 00 6C 00 2D 00 70 00 69 00 70 00 65 00 6E 00 61 00 6D 00 65 00|"; metadata:policy max-detect-ips drop,ruleset community; service:netbios-ssn; reference:url,www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; classtype:trojan-activity; sid:56891; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 ( msg:"MALWARE-CNC Win.Trojan.BasicPipeShell variant communication attempt"; flow:to_server,established; content:"|FE|SMB",depth 4,offset 4; content:"|05 00|",within 2,distance 8; content:"|70 00 69 00 70 00 65 00 73 00 68 00 65 00 6C 00 6C 00 2D 00 70 00 69 00 70 00 65 00 6E 00 61 00 6D 00 65 00|"; metadata:policy max-detect-ips drop,ruleset community; service:netbios-ssn; reference:url,www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html; classtype:trojan-activity; sid:56892; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER HP Web JetAdmin file write attempt"; flow:to_server,established; http_uri; content:"/plugins/framework/script/tree.xms",fast_pattern,nocase; content:"WriteToFile",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,9973; classtype:web-application-activity; sid:57067; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-MAIL Microsoft Exchange Server arbitrary file write attempt"; flow:to_server,established; http_uri; content:"/DDIService.svc/SetObject",fast_pattern,nocase; content:"VirtualDirectory",nocase; http_client_body; content:"ExternalUrl",nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2021-27065; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-27065; classtype:attempted-admin; sid:57252; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-MAIL Microsoft Exchange Server arbitrary file write attempt"; flow:to_server,established; http_uri; content:"/DDIService.svc/SetObject",fast_pattern,nocase; content:"VirtualDirectory",nocase; http_client_body; content:"FilePathName",nocase; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2021-27065; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-27065; classtype:attempted-admin; sid:57253; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"POLICY-OTHER F5 iControl REST interface tm.util.bash invocation attempt"; flow:to_server,established; http_uri; content:"/mgmt/tm/util/bash",fast_pattern,nocase; http_client_body; content:"command",nocase; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2022-1388; classtype:policy-violation; sid:57336; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-BACKDOOR Perl.Backdoor.PULSECHECK variant cnc connection"; flow:to_server,established; http_uri; content:"/secid_canceltoken.cgi",fast_pattern,nocase; http_header; content:"X-CMD|3A|",nocase; content:"X-KEY|3A|",nocase; http_method; content:"POST"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; classtype:trojan-activity; sid:57461; rev:1; )
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR Perl.Backdoor.STEADYPULSE webshell variant access"; flow:to_client,established; file_data; content:"Results of |27|"; content:"|27| execution:|0A 0A|",within 260; metadata:impact_flag red,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; classtype:trojan-activity; sid:57462; rev:1; )
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR Perl.Backdoor.STEADYPULSE webshell variant access"; flow:to_client,established; file_data; content:"<form action=|22 22| method=|22|GET|22|>"; content:"<input type=|22|text|22| name=|22|cmd|22|",distance 0; content:"<input type=|22|text|22| name=|22|serverid|22|",distance 0,fast_pattern; content:"<input type=|22|submit|22| value=|22|Run|22|>",distance 0; metadata:impact_flag red,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; classtype:trojan-activity; sid:57463; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-BACKDOOR Perl.Backdoor.HARDPULSE variant inbound cnc connection"; flow:to_server,established; http_uri; content:"/compcheckjava.cgi",fast_pattern,nocase; http_client_body; content:"hashid=",nocase; content:"checkcode=",nocase; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; classtype:trojan-activity; sid:57464; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-BACKDOOR Perl.Backdoor.STEADYPULSE variant inbound cnc connection"; flow:to_server,established; http_uri; content:"/licenseserverproto.cgi",fast_pattern,nocase; http_client_body; content:"id=",nocase; pcre:"/(^|&)(server)?id=/im"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; classtype:trojan-activity; sid:57465; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-BACKDOOR Perl.Backdoor.ATRIUM variant inbound cnc connection"; flow:to_server,established; http_uri; content:"/compcheckresult.cgi",fast_pattern,nocase; http_client_body; content:"id=",nocase; pcre:"/(^|&)id=/im"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; classtype:trojan-activity; sid:57466; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-BACKDOOR Perl.Backdoor.SLIGHTPULSE variant inbound cnc connection"; flow:to_server,established; http_uri; content:"/meeting_testmsjava.cgi",fast_pattern,nocase; http_method; content:"POST"; http_client_body; pcre:"/(^|&)(name|img|cert)=/im"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; classtype:trojan-activity; sid:57467; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-BACKDOOR Perl.Backdoor.SLIGHTPULSE variant inbound cnc connection"; flow:to_server,established; http_uri; content:"/meeting_testjs.cgi",fast_pattern,nocase; http_method; content:"POST"; http_client_body; pcre:"/(^|&)(name|img|cert)=/im"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; classtype:trojan-activity; sid:57468; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-BACKDOOR Perl.Backdoor.ATRIUM variant inbound cnc connection"; flow:to_server,established; http_uri; content:"/compcheckresult.cgi",fast_pattern,nocase; content:"id=",nocase; pcre:"/[?&]id=/i"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html; classtype:trojan-activity; sid:57541; rev:1; )
alert tcp any any -> $HOME_NET $HTTP_PORTS ( msg:"POLICY-OTHER Active Directory Federation Services policy store transfer service request detected"; flow:to_server,established; http_uri; content:"/adfs/services/policystoretransfer",fast_pattern,nocase; http_method; content:"POST",nocase; metadata:ruleset community; service:http; reference:url,www.fireeye.com/blog/threat-research/2021/04/abusing-replication-stealing-adfs-secrets-over-the-network.html; classtype:misc-activity; sid:57738; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"INDICATOR-COMPROMISE Revil Kaseya ransomware log clearing http upload"; flow:to_server,established; file_data; content:"Server.CreateObject"; content:"KComWExec.execCmd",fast_pattern,nocase; metadata:impact_flag red,policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b; reference:url,www.huntress.com/blog/rapid-response-kaseya-vsa-mass-msp-ransomware-incident; classtype:web-application-attack; sid:57879; rev:2; )
alert http $EXTERNAL_NET any -> $HOME_NET any ( msg:"SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt"; flow:to_server,established; http_uri; content:"/autodiscover",fast_pattern,nocase; http_client_body; content:"Email=",nocase; pcre:"/(^|&)Email=[^&]*?(\x2f|%(25)?2f)autodiscover/im"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:cve,2021-31207; reference:cve,2021-34473; reference:cve,2021-34523; reference:cve,2022-41040; reference:cve,2022-41082; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-31207; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-34473; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-34523; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2022-41040; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2022-41082; classtype:attempted-admin; gid:1; sid:57906; rev:7; )
alert http $EXTERNAL_NET any -> $HOME_NET any ( msg:"SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt"; flow:to_server,established; http_uri; content:"/autodiscover",fast_pattern,nocase; content:"Email=",nocase; pcre:"/[?&]Email=[^&]*?\x2fautodiscover/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:cve,2021-31207; reference:cve,2021-34473; reference:cve,2021-34523; reference:cve,2022-41040; reference:cve,2022-41082; reference:cve,2023-21529; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-31207; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-34473; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-34523; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2022-41040; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2022-41082; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2023-21529; classtype:attempted-admin; gid:1; sid:57907; rev:8; )
alert http $EXTERNAL_NET any -> $HOME_NET any ( msg:"SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt"; flow:to_server,established; http_uri; content:"/autodiscover",fast_pattern,nocase; http_client_body; content:"Email",nocase; content:"Content-Disposition",nocase; pcre:"/name\s*=\s*[\x22\x27]?Email((?!^--).)*?[\r\n]{2,}((?!^--).)*?\x2fautodiscover/ims"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:cve,2021-31207; reference:cve,2021-34473; reference:cve,2021-34523; reference:cve,2022-41040; reference:cve,2022-41082; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-31207; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-34473; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-34523; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2022-41040; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2022-41082; classtype:attempted-admin; gid:1; sid:57908; rev:7; )
alert http $EXTERNAL_NET any -> $HOME_NET any ( msg:"SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt"; flow:to_server,established; http_uri; content:"/autodiscover",fast_pattern,nocase; http_cookie; content:"Email=",nocase; pcre:"/Email=[^\x3b\r\n]*?(\x2f|%(25)?2f)autodiscover/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:cve,2021-31207; reference:cve,2021-34473; reference:cve,2021-34523; reference:cve,2022-41040; reference:cve,2022-41082; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-31207; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-34473; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-34523; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2022-41040; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2022-41082; classtype:attempted-admin; gid:1; sid:57983; rev:6; )
alert http any $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows Content-Disposition CLSID command attempt"; flow:to_client,established; http_header; content:"Content-Disposition|3A|",nocase; content:"{25336920-03f9-11cf-8fd0-00aa00686f13}"; content:"|2E|",within 50,nocase; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,9510; reference:cve,2004-0420; reference:url,docs.microsoft.com/en-us/security-updates/SecurityBulletins/2004/ms04-024; classtype:attempted-user; gid:1; sid:58615; rev:2; )
alert http any $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows Content-Disposition CLSID command attempt"; flow:to_client,established; http_header; content:"Content-Disposition|3A|",nocase; content:"{3050F3D9-98B5-11CF-BB82-00AA00BDCE0B}"; content:"|2E|",within 50,nocase; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,9510; reference:cve,2004-0420; reference:url,docs.microsoft.com/en-us/security-updates/SecurityBulletins/2004/ms04-024; classtype:attempted-user; gid:1; sid:58616; rev:2; )
alert http any $HTTP_PORTS -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft Windows Content-Disposition CLSID command attempt"; flow:to_client,established; http_header; content:"Content-Disposition|3A|",nocase; content:"{48123bc4-99d9-11d1-a6b3-00c04fd91555}"; content:"|2E|",within 50,nocase; metadata:policy max-detect-ips drop,ruleset community; reference:bugtraq,9510; reference:cve,2004-0420; reference:url,docs.microsoft.com/en-us/security-updates/SecurityBulletins/2004/ms04-024; classtype:attempted-user; gid:1; sid:58617; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt"; flow:to_server,established; http_uri; content:"${jndi:",fast_pattern,nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; classtype:attempted-user; sid:58722; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt"; flow:to_server,established; http_header; content:"${jndi:",fast_pattern,nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; reference:cve,2022-20933; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-meraki-mx-vpn-dos-vnESbgBf; classtype:attempted-user; gid:1; sid:58723; rev:6; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt"; flow:to_server,established; http_header; content:"${lower:",fast_pattern,nocase; pcre:"/\x24{(\x24{(upper|lower):j}|j)(\x24{(upper|lower):n}|n)(\x24{(upper|lower):d}|d)(\x24{(upper|lower):i}|i)(\x24{(upper|lower)::}|:)/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; reference:cve,2022-20933; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-meraki-mx-vpn-dos-vnESbgBf; classtype:attempted-user; gid:1; sid:58724; rev:6; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt"; flow:to_server,established; http_uri; content:"${lower:",fast_pattern,nocase; pcre:"/\x24{(\x24{(upper|lower):j}|j)(\x24{(upper|lower):n}|n)(\x24{(upper|lower):d}|d)(\x24{(upper|lower):i}|i)(\x24{(upper|lower)::}|:)/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; classtype:attempted-user; sid:58725; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt"; flow:to_server,established; content:"jndi",fast_pattern,nocase; http_cookie; content:"jndi",nocase; pcre:"/(%(25)?24|\x24)(%(25)?7b|\x7b)jndi(%(25)?3a|\x3a)/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; reference:cve,2022-20933; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-meraki-mx-vpn-dos-vnESbgBf; classtype:attempted-user; gid:1; sid:58726; rev:7; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt"; flow:to_server,established; http_client_body; content:"${jndi:",fast_pattern,nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; classtype:attempted-user; sid:58727; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt"; flow:to_server,established; http_client_body; content:"${lower:",fast_pattern,nocase; pcre:"/\x24{(\x24{(upper|lower):j}|j)(\x24{(upper|lower):n}|n)(\x24{(upper|lower):d}|d)(\x24{(upper|lower):i}|i)(\x24{(upper|lower)::}|:)/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; classtype:attempted-user; sid:58728; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt"; flow:to_server,established; http_uri; content:"${upper:",fast_pattern,nocase; pcre:"/\x24{(\x24{(upper|lower):j}|j)(\x24{(upper|lower):n}|n)(\x24{(upper|lower):d}|d)(\x24{(upper|lower):i}|i)(\x24{(upper|lower)::}|:)/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; classtype:attempted-user; sid:58729; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt"; flow:to_server,established; content:"lower",fast_pattern,nocase; http_cookie; content:"lower",nocase; pcre:"/(%(25)?24|\x24)(%(25)?7b|\x7b)lower(%(25)?3a|\x3a)/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; reference:cve,2022-20933; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-meraki-mx-vpn-dos-vnESbgBf; classtype:attempted-user; gid:1; sid:58730; rev:7; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt"; flow:to_server,established; http_header; content:"${upper:",fast_pattern,nocase; pcre:"/\x24{(\x24{(upper|lower):j}|j)(\x24{(upper|lower):n}|n)(\x24{(upper|lower):d}|d)(\x24{(upper|lower):i}|i)(\x24{(upper|lower)::}|:)/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; reference:cve,2022-20933; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-meraki-mx-vpn-dos-vnESbgBf; classtype:attempted-user; gid:1; sid:58731; rev:6; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt"; flow:to_server,established; content:"upper",fast_pattern,nocase; http_cookie; content:"upper",nocase; pcre:"/(%(25)?24|\x24)(%(25)?7b|\x7b)upper(%(25)?3a|\x3a)/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; reference:cve,2022-20933; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-meraki-mx-vpn-dos-vnESbgBf; classtype:attempted-user; gid:1; sid:58732; rev:7; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt"; flow:to_server,established; http_client_body; content:"${upper:",fast_pattern,nocase; pcre:"/\x24{(\x24{(upper|lower):j}|j)(\x24{(upper|lower):n}|n)(\x24{(upper|lower):d}|d)(\x24{(upper|lower):i}|i)(\x24{(upper|lower)::}|:)/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; classtype:attempted-user; sid:58733; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt"; flow:to_server,established; http_client_body; content:"jndi",fast_pattern,nocase; pcre:"/(%(25)?24|\x24)(%(25)?7b|\x7b)jndi(%(25)?3a|\x3a)/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; classtype:attempted-user; sid:58734; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt"; flow:to_server,established; http_client_body; content:"lower",fast_pattern,nocase; pcre:"/(%(25)?24|\x24)(%(25)?7b|\x7b)lower(%(25)?3a|\x3a)/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; classtype:attempted-user; sid:58735; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt"; flow:to_server,established; http_client_body; content:"upper",fast_pattern,nocase; pcre:"/(%(25)?24|\x24)(%(25)?7b|\x7b)upper(%(25)?3a|\x3a)/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; classtype:attempted-user; sid:58736; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt"; flow:to_server,established; http_header; content:"jndi",fast_pattern,nocase; pcre:"/(%(25)?24|\x24)(%(25)?7b|\x7b)jndi(%(25)?3a|\x3a)/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; reference:cve,2022-20933; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-meraki-mx-vpn-dos-vnESbgBf; classtype:attempted-user; gid:1; sid:58737; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt"; flow:to_server,established; http_header; content:"upper",fast_pattern,nocase; pcre:"/(%(25)?24|\x24)(%(25)?7b|\x7b)upper(%(25)?3a|\x3a)/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; reference:cve,2022-20933; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-meraki-mx-vpn-dos-vnESbgBf; classtype:attempted-user; gid:1; sid:58738; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt"; flow:to_server,established; http_header; content:"lower",fast_pattern,nocase; pcre:"/(%(25)?24|\x24)(%(25)?7b|\x7b)lower(%(25)?3a|\x3a)/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; reference:cve,2022-20933; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-meraki-mx-vpn-dos-vnESbgBf; classtype:attempted-user; gid:1; sid:58739; rev:5; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt"; flow:to_server,established; http_client_body; content:"%24%7b",fast_pattern,nocase; pcre:"/%24%7b.{0,200}(%(25)?24|\x24)(%(25)?7b|\x7b).{0,200}(%(25)?3a|\x3a)(%(25)?(27|2d|5c|22)|[\x27\x2d\x5c\x22])*([jndi\x7d\x3a\x2d]|(%(25)?(7d|3a|2d))|(%(25)?5c|\x5c)u00[a-f0-9]{2}){1,4}(%(25)?(22|27)|[\x22\x27])?(%(25)?(3a|7d)|[\x3a\x7djndi])/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; classtype:attempted-user; sid:58740; rev:6; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt"; flow:to_server,established; http_client_body; content:"${",fast_pattern,nocase; pcre:"/\x24\x7b.{0,200}(%(25)?24|\x24)(%(25)?7b|\x7b).{0,200}(%(25)?3a|\x3a)(%(25)?(27|2d|5c|22)|[\x27\x2d\x5c\x22])*([jndi\x7d\x3a\x2d]|(%(25)?(7d|3a|2d))|(%(25)?5c|\x5c)u00[a-f0-9]{2}){1,4}(%(25)?(22|27)|[\x22\x27])?(%(25)?(3a|7d)|[\x3a\x7djndi])/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; classtype:attempted-user; sid:58741; rev:6; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt"; flow:to_server,established; http_header; content:"${",fast_pattern,nocase; http_uri; content:"|2F|"; http_header; pcre:"/\x24\x7b(jndi|[^\x7d\x80-\xff]*?\x24\x7b[^\x7d\x80-\xff]*?\x3a[^\x7d]*?\x7d)/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; reference:cve,2022-20933; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-meraki-mx-vpn-dos-vnESbgBf; classtype:attempted-user; gid:1; sid:58742; rev:8; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt"; flow:to_server,established; http_uri; content:"${",fast_pattern,nocase; pcre:"/\x24\x7b(jndi|[^\x7d\x80-\xff]*?\x24\x7b[^\x7d]*?\x3a[^\x7d]*?\x7d)/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; classtype:attempted-user; sid:58744; rev:6; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt"; flow:to_server,established; content:"|24 7B|",fast_pattern,nocase; pcre:"/^[\w\x2d\x20]+\x3a[^\r\n]*?\x24\x7b(jndi|lower|upper)\x3a/im"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:smtp; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; classtype:attempted-user; sid:58751; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt"; flow:to_server,established; http_client_body; content:"%2524%257B",fast_pattern,nocase; pcre:"/%2524%257b.{0,200}(%(25)?24|\x24)(%(25)?7b|\x7b).{0,200}(%(25)?3a|\x3a)(%(25)?(27|2d|5c|22)|[\x27\x2d\x5c\x22])*([jndi\x7d\x3a\x2d]|(%(25)?(7d|3a|2d))|(%(25)?5c|\x5c)u00[a-f0-9]{2}){1,4}(%(25)?(22|27)|[\x22\x27])?(%(25)?(3a|7d)|[\x3a\x7djndi])/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; classtype:attempted-user; sid:58784; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt"; flow:to_server,established; http_client_body; content:"%24{",fast_pattern,nocase; pcre:"/%24\x7b.{0,200}(%(25)?24|\x24)(%(25)?7b|\x7b).{0,200}(%(25)?3a|\x3a)(%(25)?(27|2d|5c|22)|[\x27\x2d\x5c\x22])*([jndi\x7d\x3a\x2d]|(%(25)?(7d|3a|2d))|(%(25)?5c|\x5c)u00[a-f0-9]{2}){1,4}(%(25)?(22|27)|[\x22\x27])?(%(25)?(3a|7d)|[\x3a\x7djndi])/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; classtype:attempted-user; sid:58785; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt"; flow:to_server,established; http_client_body; content:"%2524{",fast_pattern,nocase; pcre:"/%2524\x7b.{0,200}(%(25)?24|\x24)(%(25)?7b|\x7b).{0,200}(%(25)?3a|\x3a)(%(25)?(27|2d|5c|22)|[\x27\x2d\x5c\x22])*([jndi\x7d\x3a\x2d]|(%(25)?(7d|3a|2d))|(%(25)?5c|\x5c)u00[a-f0-9]{2}){1,4}(%(25)?(22|27)|[\x22\x27])?(%(25)?(3a|7d)|[\x3a\x7djndi])/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; classtype:attempted-user; sid:58786; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt"; flow:to_server,established; http_client_body; content:"%24%257b",fast_pattern,nocase; pcre:"/%24%257b.{0,200}(%(25)?24|\x24)(%(25)?7b|\x7b).{0,200}(%(25)?3a|\x3a)(%(25)?(27|2d|5c|22)|[\x27\x2d\x5c\x22])*([jndi\x7d\x3a\x2d]|(%(25)?(7d|3a|2d))|(%(25)?5c|\x5c)u00[a-f0-9]{2}){1,4}(%(25)?(22|27)|[\x22\x27])?(%(25)?(3a|7d)|[\x3a\x7djndi])/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; classtype:attempted-user; sid:58787; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt"; flow:to_server,established; http_client_body; content:"$%7b",fast_pattern,nocase; pcre:"/\x24%7b.{0,200}(%(25)?24|\x24)(%(25)?7b|\x7b).{0,200}(%(25)?3a|\x3a)(%(25)?(27|2d|5c|22)|[\x27\x2d\x5c\x22])*([jndi\x7d\x3a\x2d]|(%(25)?(7d|3a|2d))|(%(25)?5c|\x5c)u00[a-f0-9]{2}){1,4}(%(25)?(22|27)|[\x22\x27])?(%(25)?(3a|7d)|[\x3a\x7djndi])/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; classtype:attempted-user; sid:58788; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt"; flow:to_server,established; http_client_body; content:"$%257b",fast_pattern,nocase; pcre:"/\x24%257b.{0,200}(%(25)?24|\x24)(%(25)?7b|\x7b).{0,200}(%(25)?3a|\x3a)(%(25)?(27|2d|5c|22)|[\x27\x2d\x5c\x22])*([jndi\x7d\x3a\x2d]|(%(25)?(7d|3a|2d))|(%(25)?5c|\x5c)u00[a-f0-9]{2}){1,4}(%(25)?(22|27)|[\x22\x27])?(%(25)?(3a|7d)|[\x3a\x7djndi])/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; classtype:attempted-user; sid:58789; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt"; flow:to_server,established; http_client_body; content:"%2524%7b",fast_pattern,nocase; pcre:"/%2524%7b.{0,200}(%(25)?24|\x24)(%(25)?7b|\x7b).{0,200}(%(25)?3a|\x3a)(%(25)?(27|2d|5c|22)|[\x27\x2d\x5c\x22])*([jndi\x7d\x3a\x2d]|(%(25)?(7d|3a|2d))|(%(25)?5c|\x5c)u00[a-f0-9]{2}){1,4}(%(25)?(22|27)|[\x22\x27])?(%(25)?(3a|7d)|[\x3a\x7djndi])/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; classtype:attempted-user; sid:58790; rev:4; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt"; flow:to_server,established; http_header; content:"Authorization: Basic JH",fast_pattern,nocase; content:"Authorization: Basic "; base64_decode:relative; base64_data; pcre:"/\x24\x7b(jndi|lower|upper|.{0,200}\x24\x7b.{0,200}\x3a[\x27\x22\x2d\x5c]*[jndi\x7d\x3a\x2d]{1,4}[\x22\x27]?[\x3a\x7djndi])/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; classtype:attempted-user; sid:58795; rev:4; )
alert tcp $EXTERNAL_NET [389,1389] -> $HOME_NET any ( msg:"INDICATOR-COMPROMISE JNDI LDAP searchResEntry dynamic code download attempt"; flow:to_client,established; content:"javaClassName",fast_pattern,nocase; content:"javaCodeBase"; content:"objectClass"; content:"javaFactory"; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:ldap; reference:cve,2021-4104; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; reference:url,blog.talosintelligence.com/2021/12/apache-log4j-rce-vulnerability.html; classtype:trojan-activity; sid:58801; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"POLICY-OTHER Java User-Agent remote class download attempt"; flow:to_server,established; http_uri; content:".class",fast_pattern,nocase; http_header; content:"|0D 0A|User-Agent: Java/",nocase; metadata:ruleset community; service:http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; classtype:policy-violation; sid:58814; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 ( msg:"OS-WINDOWS Microsoft Windows Server 2003 smart card authentication buffer overflow attempt"; flow:to_server,established; content:"|03 00|"; content:"|02 F0|",distance 0; content:"|64|",distance 0; content:"|72 44 43 49|"; byte_extract:4,12,msg_size,relative,little; content:"|DC 90 01 08|",within msg_size,fast_pattern; metadata:policy max-detect-ips drop,policy security-ips drop,ruleset community; service:rdp; reference:cve,2017-0176; reference:cve,2017-9073; reference:url,www.securitytracker.com/id/1038264; classtype:attempted-admin; sid:59502; rev:1; )
alert http $EXTERNAL_NET any -> $HOME_NET any ( msg:"SERVER-WEBAPP Multiple products OGNL expression injection attempt"; flow:to_server,established; http_uri; content:".action",nocase; content:"getRuntime"; content:"exec",within 15; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; classtype:attempted-admin; gid:1; sid:59925; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"INDICATOR-COMPROMISE Python remote shell spawn attempt"; flow:to_server,established; http_uri; content:"pty.spawn(|22|/bin/"; content:"sh",within 10; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; classtype:misc-attack; gid:1; sid:59926; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-BACKDOOR Jsp.Webshell.TinyUploader upload attempt"; flow:to_server,established; content:"java.io.FileOutputStream",fast_pattern,nocase; content:"<%"; content:"request",within 100; content:"write"; content:"getParameter",within 100; isdataat:!600; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2022-26134; reference:url,community.atlassian.com/t5/Confluence-discussions/CVE-2022-26134-Critical-severity-unauthenticated-remote-code/td-p/20456533; classtype:trojan-activity; gid:1; sid:59927; rev:2; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-BACKDOOR Jsp.Webshell.Chopper webshell download attempt"; flow:to_client,established; file_data; content:"DriverManager.getConnection"; content:"ServletOutputStream"; content:"ResultSetMetaData"; content:"request.getParameter"; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2022-26134; reference:url,community.atlassian.com/t5/Confluence-discussions/CVE-2022-26134-Critical-severity-unauthenticated-remote-code/td-p/20456533; classtype:trojan-activity; gid:1; sid:59928; rev:2; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-BACKDOOR Jsp.Webshell.Behinder download attempt"; flow:to_client,established; file_data; content:"<%"; content:"java.util.*"; content:"extends ClassLoader",fast_pattern,nocase; content:"defineClass"; content:"getInstance(|22|AES|22|)"; content:"decodeBuffer",distance 0; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2022-26134; reference:url,community.atlassian.com/t5/Confluence-discussions/CVE-2022-26134-Critical-severity-unauthenticated-remote-code/td-p/20456533; classtype:trojan-activity; gid:1; sid:59929; rev:2; )
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"MALWARE-BACKDOOR Jsp.Webshell.Noop download attempt"; flow:to_client,established; file_data; content:"java.util.*"; content:"java.io.FileOutputStream",distance 0; content:"request.getParameter(|22|name|22|)",within 200,fast_pattern; content:"request.getParameter(|22|contentString|22|)"; isdataat:!300,relative; metadata:impact_flag red,policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2022-26134; reference:url,community.atlassian.com/t5/Confluence-discussions/CVE-2022-26134-Critical-severity-unauthenticated-remote-code/td-p/20456533; classtype:trojan-activity; gid:1; sid:59930; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-BACKDOOR Jsp.Webshell.Chopper upload attempt"; flow:to_server,established; content:"DriverManager.getConnection"; content:"ServletOutputStream"; content:"ResultSetMetaData"; content:"request.getParameter"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2022-26134; reference:url,community.atlassian.com/t5/Confluence-discussions/CVE-2022-26134-Critical-severity-unauthenticated-remote-code/td-p/20456533; classtype:trojan-activity; gid:1; sid:59931; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-BACKDOOR Jsp.Webshell.Behinder upload attempt"; flow:to_server,established; content:"<%"; content:"java.util.*"; content:"extends ClassLoader",fast_pattern,nocase; content:"defineClass"; content:"getInstance(|22|AES|22|)"; content:"decodeBuffer",distance 0; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2022-26134; reference:url,community.atlassian.com/t5/Confluence-discussions/CVE-2022-26134-Critical-severity-unauthenticated-remote-code/td-p/20456533; classtype:trojan-activity; gid:1; sid:59932; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"MALWARE-BACKDOOR Jsp.Webshell.Noop upload attempt"; flow:to_server,established; content:"java.util.*"; content:"java.io.FileOutputStream",distance 0; content:"request.getParameter(|22|name|22|)",within 200,fast_pattern; content:"confluence",nocase; content:"request.getParameter(|22|contentString|22|)"; isdataat:!300,relative; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2022-26134; reference:url,community.atlassian.com/t5/Confluence-discussions/CVE-2022-26134-Critical-severity-unauthenticated-remote-code/td-p/20456533; classtype:trojan-activity; gid:1; sid:59933; rev:2; )
alert http $EXTERNAL_NET any -> $HOME_NET any ( msg:"SERVER-WEBAPP Atlassian Confluence OGNL expression injection attempt"; flow:to_server,established; http_uri; content:"${",fast_pattern; content:"java",distance 0; content:"|28|",distance 0; content:"}",distance 0; pcre:"/\x24\x7b[^\x7d]*?javax?\x2e[^\x7d]*?\x28/i"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:cve,2022-26134; classtype:attempted-user; gid:1; sid:59934; rev:3; )
alert http ( msg:"SERVER-WEBAPP Atlassian Confluence OGNL expression injection attempt"; flow:to_server,established; http_uri; content:"${",fast_pattern; content:"atlassian.",distance 0; content:"|28|",distance 0; content:"}",distance 0; pcre:"/\x24\x7b[^\x7d]*?atlassian\x2e[^\x7d]*?\x28/i"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:cve,2022-26134; classtype:attempted-user; gid:1; sid:59941; rev:3; )
alert http ( msg:"SERVER-WEBAPP Atlassian Confluence OGNL expression injection attempt"; flow:to_server,established; http_uri; content:"${"; content:"sun.misc.Unsafe",distance 0,fast_pattern; content:"|28|",distance 0; content:"}",distance 0; pcre:"/\x24\x7b[^\x7d]*?sun\x2emisc\x2eUnsafe[^\x7d]*?\x28/i"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:cve,2022-26134; classtype:attempted-user; gid:1; sid:59947; rev:1; )
alert http ( msg:"SERVER-WEBAPP Atlassian Confluence OGNL expression injection attempt"; flow:to_server,established; http_uri; content:"${"; content:"com.opensymphony.",distance 0,fast_pattern; content:"|28|",distance 0; content:"}",distance 0; pcre:"/\x24\x7b[^\x7d]*?com\x2eopensymphony\x2e(xwork2|webwork)\x2e(Servlet)?ActionContext[^\x7d]*?\x28/i"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:cve,2022-26134; classtype:attempted-user; gid:1; sid:59948; rev:1; )
alert http $EXTERNAL_NET any -> $HOME_NET any ( msg:"SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt"; flow:to_server,established; http_uri; content:"autodiscover.json",fast_pattern,nocase; content:"Powershell",distance 0,nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:cve,2022-41040; reference:cve,2022-41082; reference:url,msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/; classtype:attempted-user; gid:1; sid:60642; rev:4; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Dropper.Gamaredon command and control beacon attempt"; flow:to_server,established; http_uri; bufferlen:8; content:"/log.php"; http_header; content:"Expect: 100-continue"; http_client_body; content:"i",depth 1; pcre:"/^i[\w-]{2,20}=[\w-]{2,50}_\d{2,20}$/"; metadata:impact_flag red,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,www.virustotal.com/gui/file/726e91a882b9c70893cbc4ac2cdfb0ffb80a8b6f58d4cc5bfdd59d60486673fe; classtype:trojan-activity; gid:1; sid:62362; rev:1; )
alert http ( msg:"SERVER-WEBAPP Atlassian Confluence remote code execution attempt"; flow:to_server,established; http_client_body; content:"bootstrapStatusProvider.applicationConfig.setupComplete",fast_pattern,nocase; content:"false",distance 0,nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:cve,2023-22515; reference:url,confluence.atlassian.com/kb/faq-for-cve-2023-22515-1295682188.html; classtype:attempted-user; gid:1; sid:62506; rev:1; )
alert http ( msg:"SERVER-WEBAPP Atlassian Confluence remote code execution attempt"; flow:to_server,established; http_uri; content:"bootstrapStatusProvider.applicationConfig.setupComplete=",fast_pattern,nocase; content:"false",distance 0,nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:cve,2023-22515; reference:url,confluence.atlassian.com/kb/faq-for-cve-2023-22515-1295682188.html; classtype:attempted-user; gid:1; sid:62507; rev:1; )
alert http ( msg:"SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt"; flow:to_server,established; http_raw_uri; content:"/vpns/",fast_pattern,nocase; pcre:"/vpn.*?(\x2e|%(25)?2e){2}(\x2f|%(25)?2f).*?vpns/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:cve,2019-19781; reference:url,support.citrix.com/article/CTX267027; classtype:web-application-attack; sid:300001; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"OS-WINDOWS Microsoft Windows HTTP protocol stack remote code execution attempt"; flow:to_server,established; http_header; content:"Accept-Encoding:",fast_pattern,nocase; pcre:"/^Accept-Encoding:\x20*[^\r\n]*\x2c[\x20\x09]*\x2c/im"; metadata:ruleset community; service:http; reference:cve,2021-31166; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2021-31166; classtype:attempted-user; sid:300052; rev:1; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt"; flow:to_server,established; http_cookie; content:"${lower:",fast_pattern,nocase; pcre:"/\x24{(\x24{(upper|lower):j}|j)(\x24{(upper|lower):n}|n)(\x24{(upper|lower):d}|d)(\x24{(upper|lower):i}|i)(\x24{(upper|lower)::}|:)/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; classtype:attempted-user; sid:300055; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt"; flow:to_server,established; http_cookie; content:"${upper:",fast_pattern,nocase; pcre:"/\x24{(\x24{(upper|lower):j}|j)(\x24{(upper|lower):n}|n)(\x24{(upper|lower):d}|d)(\x24{(upper|lower):i}|i)(\x24{(upper|lower)::}|:)/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; classtype:attempted-user; sid:300056; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt"; flow:to_server,established; http_cookie; content:"${jndi:",fast_pattern,nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; classtype:attempted-user; sid:300057; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt"; flow:to_server,established; http_cookie; content:"${",fast_pattern,nocase; pcre:"/\x24\x7b.{0,200}\x24\x7b.{0,200}\x3a[\x27\x22\x2d\x5c]*([jndi\x7d\x3a\x2d]|\x5cu00[a-f0-9]{2}){1,4}[\x22\x27]?[\x3a\x7djndi]/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; classtype:attempted-user; sid:300058; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt"; flow:to_server,established; http_cookie; content:"${",fast_pattern,nocase; http_uri; content:"|2F|"; http_cookie; pcre:"/\x24\x7b(jndi|[^\x7d\x80-\xff]*?\x24\x7b[^\x7d]*?\x3a[^\x7d]*?\x7d)/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; classtype:attempted-user; sid:300061; rev:1; )
alert http $EXTERNAL_NET any -> $HOME_NET any ( msg:"SERVER-WEBAPP F5 BIG-IP iControl remote code execution attempt"; flow:to_server,established; http_header; content:"Connection|3A|",nocase; content:"X-F5-Auth",distance 0,fast_pattern,nocase; pcre:"/^Connection:[^\r\n]*?X-F5-Auth/im"; metadata:policy balanced-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:cve,2022-1388; classtype:attempted-user; gid:1; sid:300131; rev:3; )
alert ssl ( msg:"SERVER-OTHER OpenSSL x509 crafted email address buffer overflow attempt"; flow:established; content:"|06 03 55 1D 1E|"; ber_skip:0x01,optional; ber_data:0x04; ber_data:0x30; ber_data:0xa1; ber_data:0x30; content:"|81 82|",within 2; byte_test:2,>,500,0,relative; content:"xn--",within 4,distance 2,fast_pattern; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:cve,2022-3602; reference:cve,2022-3786; reference:url,blog.talosintelligence.com/openssl-vulnerability/; classtype:attempted-user; gid:1; sid:300306; rev:3; )
alert ssl ( msg:"SERVER-OTHER OpenSSL x509 crafted email address buffer overflow attempt"; flow:established; content:"|06 03 55 1D 1E|"; ber_skip:0x01,optional; ber_data:0x04; ber_data:0x30; ber_data:0xa0; ber_data:0x30; content:"|81 82|",within 2; byte_test:2,>,500,0,relative; content:"xn--",within 4,distance 2,fast_pattern; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; reference:cve,2022-3602; reference:cve,2022-3786; reference:url,blog.talosintelligence.com/openssl-vulnerability/; classtype:attempted-user; gid:1; sid:300307; rev:3; )