# Snort 1.x/2.x signature listing captured as grep -H style output: each entry
# is "<rulefile>:<rule>", and rules wrap across physical lines, so this is a
# reference dump rather than a rules file Snort can load as-is. Entries whose
# rule text starts with "#" after the filename (sid:160, sid:1627, sid:1620)
# are disabled upstream.
#
# Review notes on the detections below (tuning caveats, defender stance):
# - Most "DeepThroat 3.1 ... Client Request" rules (e.g. sid:122, 124, 126,
#   128, 131, 133-137, 140, 142, 143, 156, 166-176, 179-182, 186-194, 196-207)
#   match only a two- or three-digit ASCII string ("13", "09", "12", ...)
#   anywhere in the UDP payload with no depth/offset/dsize constraint; expect
#   false positives on any unrelated UDP 60000 -> 2140 traffic and tune them
#   per environment before alerting on them.
# - sid:151 and sid:164 carry no content match at all, so they fire on every
#   UDP datagram that matches their port pair.
# - sid:498 ("id check returned root") is "alert ip any any -> any any" on
#   "uid=0(root)": it fires in both directions and on any IP protocol,
#   including legitimate administrative sessions; consider scoping it to the
#   direction you actually care about.
# - sid:174 and sid:176 share the msg "Hide/Show Start Button Client Request"
#   but match different payloads ("31" vs "04"); one label is presumably a
#   copy/paste error - confirm against the protocol reference (arachnids,106)
#   before relying on the alert text.
# - sid:1200 ("Invalid URL") and sid:1201 ("HTTP/1.1 403") alert on ordinary
#   web-server error responses and will be high volume on busy servers.
# - TCP rules here use "flags:A+" only, with no flow/session state, so they
#   evaluate any ACK-bearing packet regardless of whether a session exists.
attack-responses.rules:alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES http dir listing"; content: "Volume Serial Number"; flags:A+; classtype:bad-unknown; sid:1292; rev:4;) attack-responses.rules:alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES command completed"; content:"Command completed"; nocase; flags:A+; classtype:bad-unknown; sid:494; rev:5;) attack-responses.rules:alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES command error"; content:"Bad command or filename"; nocase; flags:A+; classtype:bad-unknown; sid:495; rev:5;) attack-responses.rules:alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES file copied ok"; content:"1 file(s) copied"; nocase; flags:A+; classtype:bad-unknown; sid:497; rev:5;) attack-responses.rules:alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES Invalid URL"; content:"Invalid URL"; nocase; flags:A+; classtype:attempted-recon; sid:1200; rev:6;) attack-responses.rules:alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES index of /cgi-bin/ response"; flags:A+; content:"Index of /cgi-bin/"; nocase; classtype:bad-unknown; sid:1666; rev:3;) attack-responses.rules:alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES 403 Forbidden"; flags:A+; content:"HTTP/1.1 403"; depth:12; classtype:attempted-recon; sid:1201; rev:6;) attack-responses.rules:alert ip any any -> any any (msg:"ATTACK RESPONSES id check returned root"; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:3;) attack-responses.rules:alert tcp $HOME_NET 8002 -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES oracle one hour install"; flags:A+; content:"Oracle Applications One-Hour Install"; classtype:bad-unknown; sid:1464; rev:2;) backdoor.rules:alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; 
reference:arachnids,485; reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity; rev:4;) backdoor.rules:alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 2589 (msg:"BACKDOOR - Dagger_1.4.0_client_connect"; flags: A+; content: "|0b 00 00 00 07 00 00 00|Connect"; depth: 16; reference:url,www.tlsecurity.net/backdoor/Dagger.1.4.html; reference:arachnids,483; sid:104; classtype:misc-activity; rev:4;) backdoor.rules:alert tcp $HOME_NET 2589 -> $EXTERNAL_NET 1024: (msg:"BACKDOOR - Dagger_1.4.0"; flags: A+; content: "|3200000006000000|Drives|2400|"; depth: 16; reference:arachnids,484; reference:url,www.tlsecurity.net/backdoor/Dagger.1.4.html; sid:105; classtype:misc-activity; rev:4;) backdoor.rules:alert tcp $EXTERNAL_NET 80 -> $HOME_NET 1054 (msg:"BACKDOOR ACKcmdC trojan scan"; seq: 101058054; ack: 101058054; flags: A;reference:arachnids,445; sid:106; classtype:misc-activity; rev:3;) backdoor.rules:alert tcp $EXTERNAL_NET 16959 -> $HOME_NET any (msg:"BACKDOOR subseven DEFCON8 2.1 access"; content: "PWD"; content:"acidphreak"; nocase; flags: A+; sid:107; classtype:misc-activity; rev:4;) backdoor.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 7597 (msg:"BACKDOOR QAZ Worm Client Login access"; flags: A+; content:"|71 61 7a 77 73 78 2e 68 73 71|"; reference:MCAFEE,98775; sid:108; classtype:misc-activity; rev:3;) backdoor.rules:alert tcp $HOME_NET 12345 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; flags: A+; content: "NetBus"; reference:arachnids,401; sid:109; classtype:misc-activity; rev:3;) backdoor.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 12345 (msg:"BACKDOOR netbus getinfo"; flags: A+; content: "GetInfo|0d|"; reference:arachnids,403; sid:110; classtype:misc-activity; rev:3;) backdoor.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 12346 (msg:"BACKDOOR netbus getinfo"; flags: A+; content: "GetInfo|0d|"; reference:arachnids,403; sid:111; classtype:misc-activity; rev:3;) backdoor.rules:alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"BACKDOOR 
BackOrifice access"; flags: A+; content: "server|3a| BO|2f|"; reference:arachnids,400; sid:112; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 4120 -> $HOME_NET any (msg:"BACKDOOR DeepThroat access"; content: "--Ahhhhhhhhhh"; reference:arachnids,405; sid:113; classtype:misc-activity; rev:3;) backdoor.rules:alert tcp $HOME_NET 12346 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; flags: A+; content: "NetBus"; reference:arachnids,401; sid:114; classtype:misc-activity; rev:3;) backdoor.rules:alert tcp $HOME_NET 20034 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; flags: A+; content: "NetBus"; reference:arachnids,401; sid:115; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"BACKDOOR BackOrifice access"; content: "|ce63 d1d2 16e7 13cf 39a5 a586|"; reference:arachnids,399; sid:116; classtype:misc-activity; rev:3;) backdoor.rules:alert tcp $HOME_NET 146 -> $EXTERNAL_NET 1024: (msg:"BACKDOOR Infector.1.x"; content: "WHATISIT"; flags: A+; reference:arachnids,315; sid:117; classtype:misc-activity; rev:3;) backdoor.rules:alert tcp $HOME_NET 666 -> $EXTERNAL_NET 1024: (msg:"BACKDOOR SatansBackdoor.2.0.Beta"; content: "Remote|3A| You are connected to me."; flags:A+; reference:arachnids,316; sid:118; classtype:misc-activity; rev:3;) backdoor.rules:alert tcp $HOME_NET 6789 -> $EXTERNAL_NET any (msg:"BACKDOOR Doly 2.0 access"; content: "|57 74 7a 75 70 20 55 73 65|"; flags: A+; depth: 32; reference:arachnids,312; sid:119; classtype:misc-activity; rev:3;) backdoor.rules:alert tcp $HOME_NET 146 -> $EXTERNAL_NET 1000:1300 (msg:"BACKDOOR Infector 1.6 Server to Client"; content:"|57 48 41 54 49 53 49 54|"; flags:A+; sid:120; classtype:misc-activity; rev:3;) backdoor.rules:alert tcp $EXTERNAL_NET 1000:1300 -> $HOME_NET 146 (msg:"BACKDOOR Infector 1.6 Client to Server Connection Request"; content:"|46 43 20|"; flags:A+; sid:121; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 
60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 System Info Client Request"; content:"13"; reference:arachnids,106; sid:122; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 FTP Status Client Request"; content:"09"; reference:arachnids,106; sid:124; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 E-Mail Info From Server"; content:"Retreaving"; reference:arachnids,106; sid:125; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 E-Mail Info Client Request"; content:"12"; reference:arachnids,106; sid:126; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server Status From Server"; content:"Host"; reference:arachnids,106; sid:127; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Server Status Client Request"; content:"10"; reference:arachnids,106; sid:128; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Drive Info From Server"; content:"C - "; reference:arachnids,106; sid:129; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 System Info From Server"; content:"Comp Name"; reference:arachnids,106; sid:130; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Drive Info Client Request"; content:"130"; reference:arachnids,106; sid:131; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server FTP Port Change From Server"; content:"FTP Server changed to"; reference:arachnids,106; sid:132; 
classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Cached Passwords Client Request"; content:"16"; reference:arachnids,106; sid:133; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 RAS Passwords Client Request"; content:"17"; reference:arachnids,106; sid:134; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Server Password Change Client Request"; content:"91"; reference:arachnids,106; sid:135; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Server Password Remove Client Request"; content:"92"; reference:arachnids,106; sid:136; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Rehash Client Request"; content:"911"; reference:arachnids,106; sid:137; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 3150 (msg:"BACKDOOR DeepThroat 3.1 Server Rehash Client Request"; content:"shutd0wnM0therF***eR"; reference:arachnids,106; sid:138; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 ICQ Alert OFF Client Request"; content:"88"; reference:arachnids,106; sid:140; classtype:misc-activity; rev:3;) backdoor.rules:alert tcp $HOME_NET 31785 -> $EXTERNAL_NET any (msg:"BACKDOOR HackAttack 1.20 Connect"; flags: A+; content:"host"; sid:141; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 ICQ Alert ON Client Request"; content: "40"; reference:arachnids,106; sid:142; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Change Wallpaper Client 
Request"; content:"20"; reference:arachnids,106; sid:143; classtype:misc-activity; rev:3;) backdoor.rules:alert tcp $EXTERNAL_NET !80 -> $HOME_NET 21554 (msg:"BACKDOOR GirlFriendaccess"; flags: A+; content:"Girl"; reference:arachnids,98; sid:145; classtype:misc-activity; rev:3;) backdoor.rules:alert tcp $HOME_NET 30100 -> $EXTERNAL_NET any (msg:"BACKDOOR NetSphere access"; flags: A+; content:"NetSphere"; reference:arachnids,76; sid:146; classtype:misc-activity; rev:3;) backdoor.rules:alert tcp $HOME_NET 6969 -> $EXTERNAL_NET any (msg:"BACKDOOR GateCrasher"; flags: A+; content:"GateCrasher";reference:arachnids,99; sid:147; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Keylogger Active on Network"; content:"KeyLogger Is Enabled On port"; reference:arachnids,106; sid:148; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 3150 (msg:"BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network"; content:"|00 23|"; reference:arachnids,106; sid:149; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 3150 -> $HOME_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server Active on Network"; content:"|00 23|"; reference:arachnids,106; sid:150; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network"; reference:arachnids,106; sid:151; classtype:misc-activity; rev:3;) backdoor.rules:alert tcp $HOME_NET 5401:5402 -> $EXTERNAL_NET any (msg:"BACKDOOR BackConstruction 2.1 Connection"; flags: A+; content:"c|3A|\\"; sid:152; classtype:misc-activity; rev:3;) backdoor.rules:alert tcp $HOME_NET 23476 -> $EXTERNAL_NET any (msg:"BACKDOOR DonaldDick 1.53 Traffic"; flags: A+; content:"pINg"; sid:153; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $HOME_NET 3150 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Wrong Password"; 
content:"Wrong Password"; reference:arachnids,106; sid:154; classtype:misc-activity; rev:3;) backdoor.rules:alert tcp $HOME_NET 30100:30102 -> $EXTERNAL_NET any (msg:"BACKDOOR NetSphere 1.31.337 access"; flags: A+; content:"NetSphere"; reference:arachnids,76; sid:155; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Visible Window List Client Request"; content:"37"; reference:arachnids,106; sid:156; classtype:misc-activity; rev:3;) backdoor.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 666 (msg:"BACKDOOR BackConstruction 2.1 Client FTP Open Request"; flags: A+; content:"FTPON"; sid:157; classtype:misc-activity; rev:3;) backdoor.rules:alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"BACKDOOR BackConstruction 2.1 Server FTP Open Reply"; flags: A+; content:"FTP Port open"; sid:158; classtype:misc-activity; rev:3;) backdoor.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET 5032 (msg:"BACKDOOR NetMetro File List"; flags: A+; content:"|2D 2D|"; reference:arachnids,79; sid:159; classtype:misc-activity; rev:3;) backdoor.rules:#alert tcp $EXTERNAL_NET 5031 -> $HOME_NET !53:80 (msg:"BACKDOOR NetMetro Incoming Traffic"; flags: A+; reference:arachnids,79; classtype:misc-activity; sid:160; rev:2;) backdoor.rules:alert udp $EXTERNAL_NET 3344 -> $HOME_NET 3345 (msg:"BACKDOOR Matrix 2.0 Client connect"; content:"activate"; reference:arachnids,83; sid:161; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 3345 -> $HOME_NET 3344 (msg:"BACKDOOR Matrix 2.0 Server access"; content:"logged in"; reference:arachnids,83; sid:162; classtype:misc-activity; rev:3;) backdoor.rules:alert tcp $HOME_NET 5714 -> $EXTERNAL_NET any (msg:"BACKDOOR WinCrash 1.0 Server Active" ; flags:SA; content:"|B4 B4|"; reference:arachnids,36; sid:163; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 2140 -> $HOME_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server Active on Network"; 
reference:arachnids,106; sid:164; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Keylogger on Server ON"; content:"KeyLogger Is Enabled On port"; reference:arachnids,106; sid:165; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Picture Client Request"; content:"22"; reference:arachnids,106; sid:166; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Clock Client Request"; content:"32"; reference:arachnids,106; sid:167; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Desktop Client Request"; content:"33"; reference:arachnids,106; sid:168; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Swap Mouse Buttons Client Request"; content:"34"; reference:arachnids,106; sid:169; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Enable/Disable CTRL-ALT-DEL Client Request"; content:"110"; reference:arachnids,106; sid:170; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Freeze Mouse Client Request"; content:"35"; reference:arachnids,106; sid:171; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Dialog Box Client Request"; content:"70"; reference:arachnids,106; sid:172; classtype:misc-activity; rev:4;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Replyable Dialog Box Client Request"; content:"71"; reference:arachnids,106; sid:173; classtype:misc-activity; rev:3;) backdoor.rules:alert udp 
$EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request"; content:"31"; reference:arachnids,106; sid:174; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Resolution Change Client Request"; content:"125"; reference:arachnids,106; sid:175; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request"; content:"04"; reference:arachnids,106; sid:176; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Keylogger on Server OFF"; content:"KeyLogger Shut Down"; reference:arachnids,106; sid:177; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 FTP Server Port Client Request"; content:"21"; reference:arachnids,106; sid:179; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Process List Client request"; content:"64"; reference:arachnids,106; sid:180; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Close Port Scan Client Request"; content:"121"; reference:arachnids,106; sid:181; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Registry Add Client Request"; content:"89"; reference:arachnids,106; sid:182; classtype:misc-activity; rev:3;) backdoor.rules:alert icmp 255.255.255.0/24 any -> $HOME_NET any (msg:"BACKDOOR SIGNATURE - Q ICMP"; itype: 0; dsize: >1; reference:arachnids,202; sid:183; classtype:misc-activity; rev:3;) backdoor.rules:alert tcp 255.255.255.0/24 any -> $HOME_NET any (msg:"BACKDOOR Q access"; flags:A+; dsize: >1; reference:arachnids,203; sid:184; 
classtype:misc-activity; rev:3;) backdoor.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"BACKDOOR CDK"; content: "ypi0ca"; nocase; flags: A+; depth: 15; reference:arachnids,263; sid:185; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Monitor on/off Client Request"; content:"07"; reference:arachnids,106; sid:186; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Delete File Client Request"; content:"41"; reference:arachnids,106; sid:187; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Kill Window Client Request"; content:"38"; reference:arachnids,106; sid:188; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Disable Window Client Request"; content:"23"; reference:arachnids,106; sid:189; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Enable Window Client Request"; content:"24"; reference:arachnids,106; sid:190; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Change Window Title Client Request"; content:"60"; reference:arachnids,106; sid:191; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide Window Client Request"; content:"26"; reference:arachnids,106; sid:192; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Window Client Request"; content:"25"; reference:arachnids,106; sid:193; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Send Text to Window Client Request"; 
content:"63"; reference:arachnids,106; sid:194; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Server Response"; content:"Ahhhh My Mouth Is Open"; reference:arachnids,106; sid:195; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Systray Client Request"; content:"30"; reference:arachnids,106; sid:196; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Create Directory Client Request"; content:"39"; reference:arachnids,106; sid:197; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 All Window List Client Request"; content:"370"; reference:arachnids,106; sid:198; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Play Sound Client Request"; content:"36"; reference:arachnids,106; sid:199; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Run Program Normal Client Request"; content:"14"; reference:arachnids,106; sid:200; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Run Program Hidden Client Request"; content:"15"; reference:arachnids,106; sid:201; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Get NET File Client Request"; content:"100"; reference:arachnids,106; sid:202; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Find File Client Request"; content:"117"; reference:arachnids,106; sid:203; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> 
$HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Find File Client Request"; content:"118"; reference:arachnids,106; sid:204; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 HUP Modem Client Request"; content:"199"; reference:arachnids,106; sid:205; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 CD ROM Open Client Request"; content:"02"; reference:arachnids,106; sid:206; classtype:misc-activity; rev:3;) backdoor.rules:alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 CD ROM Close Client Request"; content:"03"; reference:arachnids,106; sid:207; classtype:misc-activity; rev:3;) backdoor.rules:alert tcp $HOME_NET 555 -> $EXTERNAL_NET any (msg:"BACKDOOR PhaseZero Server Active on Network"; flags: A+; content:"phAse"; sid:208; classtype:misc-activity; rev:3;) backdoor.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"BACKDOOR w00w00 attempt";flags: A+; content:"w00w00"; reference:arachnids,510; classtype:attempted-admin; sid:209; rev:2;) backdoor.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"BACKDOOR attempt"; flags: A+; content:"backdoor"; nocase; classtype:attempted-admin; sid:210; rev:1;) backdoor.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"BACKDOOR MISC r00t attempt";flags: A+; content:"r00t"; classtype:attempted-admin; sid:211; rev:1;) backdoor.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"BACKDOOR MISC rewt attempt";flags: A+; content:"rewt"; classtype:attempted-admin; sid:212; rev:1;) backdoor.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"BACKDOOR MISC linux rootkit attempt";flags: A+; content:"wh00t!"; classtype:attempted-admin; sid:213; rev:1;) backdoor.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"BACKDOOR MISC linux rootkit attempt lrkr0x";flags: A+; content:"lrkr0x"; classtype:attempted-admin; sid:214; rev:1;) 
backdoor.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"BACKDOOR MISC linux rootkit attempt";flags: A+; content:"d13hh["; nocase; classtype:attempted-admin; sid:215; rev:1;) backdoor.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"BACKDOOR MISC linux rootkit satori attempt";flags: A+; content:"satori"; reference:arachnids,516; classtype:attempted-admin; sid:216; rev:3;) backdoor.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"BACKDOOR MISC sm4ck attempt";flags: A+; content:"hax0r"; classtype:attempted-admin; sid:217; rev:1;) backdoor.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"BACKDOOR MISC solaris 2.5 attempt";flags: A+; content:"friday"; classtype:attempted-user; sid:218; rev:1;) backdoor.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"BACKDOOR HidePak backdoor attempt";flags: A+; content:"StoogR"; sid:219; classtype:misc-activity; rev:3;) backdoor.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"BACKDOOR HideSource backdoor attempt";flags: A+; content:"wank"; sid:220; classtype:misc-activity; rev:3;) backdoor.rules:alert tcp $EXTERNAL_NET 31790 -> $HOME_NET 31789 (msg:"BACKDOOR hack-a-tack attempt"; content: "A"; depth: 1; reference:arachnids,314; flags:A+; classtype:attempted-recon; sid:614; rev:2;) bad-traffic.rules:alert tcp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD TRAFFIC tcp port 0 traffic"; sid:524; classtype:misc-activity; rev:3;) bad-traffic.rules:alert udp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD TRAFFIC udp port 0 traffic"; sid:525; classtype:misc-activity; rev:4;) bad-traffic.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC data in TCP SYN packet"; flags:S; dsize:>6; reference:url,www.cert.org/incident_notes/IN-99-07.html; sid:526; classtype:misc-activity; rev:4;) bad-traffic.rules:alert ip any any <> 127.0.0.0/8 any (msg:"BAD TRAFFIC loopback traffic"; classtype:bad-unknown; reference:url,rr.sans.org/firewall/egress.php; sid:528; rev:3;) bad-traffic.rules:alert ip any any -> 
any any (msg:"BAD TRAFFIC same SRC/DST"; sameip; reference:cve,CVE-1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:3;) bad-traffic.rules:alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC ip reserved bit set"; fragbits:R; sid:523; classtype:misc-activity; rev:3;) bad-traffic.rules:alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC 0 ttl"; ttl:0; reference:url,www.isi.edu/in-notes/rfc1122.txt; reference:url,support.microsoft.com/default.aspx?scid=kb\;EN-US\;q138268; sid:1321; classtype:misc-activity; rev:5;) bad-traffic.rules:alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC bad frag bits"; fragbits:MD; sid:1322; classtype:misc-activity; rev:4;) bad-traffic.rules:# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC Unassigned/Reserved IP protocol"; ip_proto:>134; classtype:non-standard-protocol; sid:1627; rev:1;) bad-traffic.rules:# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC Non-Standard IP protocol"; ip_proto:!1; ip_proto:!2; ip_proto:!6; ip_proto:!47; ip_proto:!50; ip_proto:!51; ip_proto:!89; classtype:non-standard-protocol; sid:1620; rev:2;) bad-traffic.rules:alert tcp any any -> [232.0.0.0/8,233.0.0.0/8,239.0.0.0/8] any (msg:"BAD TRAFFIC syn to multicast address"; flags:S+; classtype:bad-unknown; sid:1431; rev:4;) ddos.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS TFN Probe"; id: 678; itype: 8; content: "1234";reference:arachnids,443; classtype:attempted-recon; sid:221; rev:1;) ddos.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS tfn2k icmp possible communication"; itype: 0; icmp_id: 0; content: "AAAAAAAAAA"; reference:arachnids,425; classtype:attempted-dos; sid:222; rev:1;) ddos.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00\:DaemontoMaster(PONGdetected)"; content:"PONG";reference:arachnids,187; classtype:attempted-recon; sid:223; rev:1;) ddos.rules:alert icmp 3.3.3.3/32 any -> 
$EXTERNAL_NET any (msg:"DDOS Stacheldraht server-spoof"; itype: 0; icmp_id: 666; reference:arachnids,193; classtype:attempted-dos; sid:224; rev:1;) ddos.rules:alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"DDOS Stacheldraht server-response-gag"; content: "|73 69 63 6B 65 6E|"; itype: 0; icmp_id: 669; reference:arachnids,195; classtype:attempted-dos; sid:225; rev:1;) ddos.rules:alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"DDOS Stacheldraht server-response"; content: "|66 69 63 6B 65 6E|"; itype: 0; icmp_id: 667; reference:arachnids,191; classtype:attempted-dos; sid:226; rev:1;) ddos.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS Stacheldraht client-spoofworks"; content: "|73 70 6F 6F 66 77 6F 72 6B 73|"; itype: 0; icmp_id: 1000; reference:arachnids,192; classtype:attempted-dos; sid:227; rev:1;) ddos.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS TFN client command BE"; itype: 0; icmp_id: 456; icmp_seq: 0; reference:arachnids,184; classtype:attempted-dos; sid:228; rev:1;) ddos.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS Stacheldraht client-check"; content: "|73 6B 69 6C 6C 7A|"; itype: 0; icmp_id: 666; reference:arachnids,190; classtype:attempted-dos; sid:229; rev:1;) ddos.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 20432 (msg:"DDOS shaft client to handler"; flags: A+; reference:arachnids,254; classtype:attempted-dos; sid:230; rev:1;) ddos.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00\:DaemontoMaster(messagedetected)"; content:"l44";reference:arachnids,186; classtype:attempted-dos; sid:231; rev:1;) ddos.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00\:DaemontoMaster(*HELLO*detected)"; content:"*HELLO*"; reference:arachnids,185; reference:url,www.sans.org/newlook/resources/IDFAQ/trinoo.htm; classtype:attempted-dos; sid:232; rev:2;) ddos.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00\:Attacker to Master default startup 
password";flags: A+; content:"betaalmostdone"; reference:arachnids,197; classtype:attempted-dos; sid:233; rev:1;) ddos.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default password";flags: A+; content:"gOrave"; classtype:attempted-dos; sid:234; rev:1;) ddos.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default mdie password";flags: A+; content:"killme"; classtype:bad-unknown; sid:235; rev:1;) ddos.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS Stacheldraht client-check-gag"; content: "|67 65 73 75 6E 64 68 65 69 74 21|"; itype: 0; icmp_id: 668; reference:arachnids,194; classtype:attempted-dos; sid:236; rev:1;) ddos.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 27444 (msg:"DDOS Trin00\:MastertoDaemon(defaultpassdetected!)"; content:"l44adsl"; reference:arachnids,197; classtype:attempted-dos; sid:237; rev:1;) ddos.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS TFN server response"; content: "|73 68 65 6C 6C 20 62 6F 75 6E 64 20 74 6F 20 70 6F 72 74|"; itype: 0; icmp_id: 123; icmp_seq: 0; reference:arachnids,182; classtype:attempted-dos; sid:238; rev:1;) ddos.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 18753 (msg:"DDOS shaft handler to agent"; content: "alive tijgu"; reference:arachnids,255; classtype:attempted-dos; sid:239; rev:1;) ddos.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 20433 (msg:"DDOS shaft agent to handler"; content: "alive"; reference:arachnids,256; classtype:attempted-dos; sid:240; rev:1;) ddos.rules:alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"DDOS shaft synflood"; flags: S; seq: 674711609; reference:arachnids,253; classtype:attempted-dos; sid:241; rev:2;) ddos.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 6838 (msg:"DDOS mstream agent to handler"; content: "newserver"; classtype:attempted-dos; sid:243; rev:1;) ddos.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"DDOS mstream handler to agent"; content: 
"stream/"; reference:cve,CAN-2000-0138; classtype:attempted-dos; sid:244; rev:1;) ddos.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"DDOS mstream handler ping to agent" ; content: "ping"; reference:cve,CAN-2000-0138; classtype:attempted-dos; sid:245; rev:1;) ddos.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"DDOS mstream agent pong to handler" ; content: "pong"; classtype:attempted-dos; sid:246; rev:1;) ddos.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 12754 (msg:"DDOS mstream client to handler"; content: ">"; flags: A+; reference:cve,CAN-2000-0138; classtype:attempted-dos; sid:247; rev:1;) ddos.rules:alert tcp $HOME_NET 12754 -> $EXTERNAL_NET any (msg:"DDOS mstream handler to client"; content: ">"; flags: A+;reference:cve,CAN-2000-0138; classtype:attempted-dos; sid:248; rev:1;) ddos.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 15104 (msg:"DDOS mstream client to handler"; flags: S; reference:arachnids,111; reference:cve,CAN-2000-0138; classtype:attempted-dos; sid:249; rev:1;) ddos.rules:alert tcp $HOME_NET 15104 -> $EXTERNAL_NET any (msg:"DDOS mstream handler to client"; content: ">"; flags: A+; reference:cve,CAN-2000-0138; classtype:attempted-dos; sid:250; rev:1;) ddos.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS - TFN client command LE"; itype: 0; icmp_id: 51201; icmp_seq: 0; reference:arachnids,183; classtype:attempted-dos; sid:251; rev:1;) dns.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named iquery attempt"; content: "|0980 0000 0001 0000 0000|"; offset: 2; depth: 16; reference:arachnids,277; reference:cve,CVE-1999-0009; reference:bugtraq,134; reference:url,www.rfc-editor.org/rfc/rfc1035.txt; classtype:attempted-recon; sid:252; rev:3;) dns.rules:alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS SPOOF query response PTR with TTL\: 1 min. 
and no authority"; content:"|85800001000100000000|"; content:"|c00c000c00010000003c000f|"; classtype:bad-unknown; sid:253; rev:2;) dns.rules:alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS SPOOF query response with ttl\: 1 min. and no authority"; content:"|81 80 00 01 00 01 00 00 00 00|"; content:"|c0 0c 00 01 00 01 00 00 00 3c 00 04|"; classtype:bad-unknown; sid:254; rev:2;) dns.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer"; flags:A+; content: "|00 00 FC|"; offset:13; reference:cve,CAN-1999-0532; reference:arachnids,212; classtype:attempted-recon; sid:255; rev:6;) dns.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named authors attempt"; flags:A+; content:"|07|authors"; offset:12; content:"|04|bind"; nocase; offset: 12; reference:arachnids,480; classtype:attempted-recon; sid:1435; rev:2;) dns.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named authors attempt"; content:"|07|authors"; offset:12; content:"|04|bind"; nocase; offset: 12; reference:arachnids,480; classtype:attempted-recon; sid:256; rev:1;) dns.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named version attempt"; flags:A+; content:"|07|version"; offset:12; content:"|04|bind"; nocase; offset: 12; reference:arachnids,278; classtype:attempted-recon; sid:257; rev:3;) dns.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named version attempt"; content:"|07|version"; offset:12; content:"|04|bind"; nocase; offset: 12; reference:arachnids,278; classtype:attempted-recon; sid:1616; rev:1;) dns.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named tsig overflow attempt"; flags:A+; content:"|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01 20 20 20 20 02 61|"; reference:cve,CVE-2001-0010; reference:bugtraq,2302; reference:arachnids,482; classtype:attempted-admin; sid:303; rev:8;) dns.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named tsig overflow attempt"; content:"|80 00 07 00 00 00 
00 00 01 3F 00 01 02|"; classtype:attempted-admin; sid:314; rev:6; reference:cve,CVE-2001-0010; reference:bugtraq,2303;) dns.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named 8.2->8.2.1"; flags:A+; content:"../../../"; reference:cve,CVE-1999-0833; reference:bugtraq,788; classtype:attempted-admin; sid:258; rev:4;) dns.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named overflow (ADM)"; flags:A+; content:"thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool"; reference:cve,CVE-1999-0833; reference:bugtraq,788; classtype:attempted-admin; sid:259; rev:4;) dns.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named overflow (ADMROCKS)"; flags:A+; content:"ADMROCKS"; reference:cve,CVE-1999-0833; reference:url,www.cert.org/advisories/CA-1999-14.html; reference:bugtraq,788; classtype:attempted-admin; sid:260; rev:5;) dns.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named overflow attempt"; flags:A+; content:"|CD80 E8D7 FFFF FF|/bin/sh"; reference:url,www.cert.org/advisories/CA-1998-05.html; classtype:attempted-admin; sid:261; rev:4;) dns.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 linux overflow attempt"; flags:A+; content:"|31c0 b03f 31db b3ff 31c9 cd80 31c0|"; classtype:attempted-admin; sid:262; rev:3;) dns.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 linux overflow attempt"; flags:A+; content:"|31 c0 b0 02 cd 80 85 c0 75 4c eb 4c 5e b0|"; classtype:attempted-admin; sid:264; rev:3;) dns.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 linux overflow attempt (ADMv2)"; flags:A+; content:"|89f7 29c7 89f3 89f9 89f2 ac3c fe|"; classtype:attempted-admin; sid:265; rev:3;) dns.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 freebsd overflow attempt"; flags:A+; content:"|eb6e 5ec6 069a 31c9 894e 01c6 4605|"; classtype:attempted-admin; 
sid:266; rev:3;) dns.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT sparc overflow attempt"; flags:A+; content:"|90 1a c0 0f 90 02 20 08 92 02 20 0f d0 23 bf f8|"; classtype:attempted-admin; sid:267; rev:3;) dos.rules:alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Jolt attack"; fragbits: M; dsize:408; reference:cve,CAN-1999-0345; classtype:attempted-dos; sid:268; rev:2;) dos.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Land attack"; id:3868; seq: 3868; flags:S; reference:cve,CVE-1999-0016; classtype:attempted-dos; sid:269; rev:2;) dos.rules:alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Teardrop attack"; id:242; fragbits:M; reference:cve,CAN-1999-0015; reference:url,www.cert.org/advisories/CA-1997-28.html; reference:bugtraq,124; classtype:attempted-dos; sid:270; rev:2;) dos.rules:alert udp any 19 <> any 7 (msg:"DOS UDP echo+chargen bomb"; reference:cve,CAN-1999-0635; reference:cve,CVE-1999-0103; classtype:attempted-dos; sid:271; rev:3;) dos.rules:alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS IGMP dos attack"; content:"|02 00|"; depth: 2; ip_proto: 2; fragbits: M+; reference:cve,CVE-1999-0918; classtype:attempted-dos; sid:272; rev:2;) dos.rules:alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS IGMP dos attack"; content:"|00 00|"; depth:2; ip_proto:2; fragbits:M+; reference:cve,CVE-1999-0918; classtype:attempted-dos; sid:273; rev:2;) dos.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS ath"; content:"+++ath"; nocase; itype: 8; reference:cve,CAN-1999-1228; reference:arachnids,264; classtype:attempted-dos; sid:274; rev:2;) dos.rules:alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"DOS NAPTHA"; flags:S; seq: 6060842; id: 413; reference:cve,CAN-2000-1039; reference:url,www.microsoft.com/technet/security/bulletin/MS00-091.asp; reference:url,www.cert.org/advisories/CA-2000-21.html; reference:url,razor.bindview.com/publish/advisories/adv_NAPTHA.html; reference:bugtraq,2022; 
classtype:attempted-dos; sid:275; rev:4;) dos.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"DOS Real Audio Server"; flags:A+; content: "|fff4 fffd 06|"; reference:bugtraq,1288; reference:cve,CVE-2000-0474; reference:arachnids,411; classtype:attempted-dos; sid:276; rev:2;) dos.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"DOS Real Server template.html"; flags:A+; content:"/viewsource/template.html?"; nocase; reference:cve,CVE-2000-0474; reference:bugtraq,1288; classtype:attempted-dos; sid:277; rev:3;) dos.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"DOS Real Server template.html"; flags:A+; content:"/viewsource/template.html?"; nocase; reference:cve,CVE-2000-0474; reference:bugtraq,1288; classtype:attempted-dos; sid:278; rev:3;) dos.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"DOS Bay/Nortel Nautica Marlin"; dsize:0; reference:bugtraq,1009; reference:cve,CVE-2000-0221; classtype:attempted-dos; sid:279; rev:2;) dos.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 9 (msg:"DOS Ascend Route"; content: "|4e 41 4d 45 4e 41 4d 45|"; offset: 25; depth: 50; reference:bugtraq,714; reference:cve,CVE-1999-0060; reference:arachnids,262; classtype:attempted-dos; sid:281; rev:2;) dos.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"DOS arkiea backup"; flags:A+; dsize:>1445; reference:bugtraq,662; reference:cve,CVE-1999-0788; reference:arachnids,261; classtype:attempted-dos; sid:282; rev:4;) dos.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg: "DOS Winnuke attack"; flags: U+; reference: bugtraq,2010; reference:cve,CVE-1999-0153; classtype: attempted-dos; sid:1257; rev:3;) dos.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"DOS MSDTC attempt"; flags:A+; dsize:>1023; reference:bugtraq,4006; classtype:attempted-dos; sid:1408; rev:5;) exploit.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow /bin/sh"; flags:A+; content:"/bin/sh"; reference:bugtraq,2347; reference:cve,CVE-2001-0144; 
classtype:shellcode-detect; sid:1324; rev:3;) exploit.rules:#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow filler"; flags:A+; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:bugtraq,2347; reference:cve,CVE-2001-0144; classtype:shellcode-detect; sid:1325; rev:3;) exploit.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow NOOP"; flags:A+; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; reference:bugtraq,2347; reference:cve,CVE-2001-0144; classtype:shellcode-detect; sid:1326; rev:3;) exploit.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow"; flags:A+; content:"|00 01 57 00 00 00 18|"; offset:0; depth:7; content:"|FF FF FF FF 00 00|"; offset:8; depth:14; reference:bugtraq,2347; reference:cve,CVE-2001-0144; classtype:shellcode-detect; sid:1327; rev:3;) exploit.rules:alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"EXPLOIT netscape 4.7 client overflow"; flags:A+; content: "|33 C9 B1 10 3F E9 06 51 3C FA 47 33 C0 50 F7 D0 50|"; reference:cve,CVE-2000-1187; reference:bugtraq,822; reference:arachnids,215; classtype:attempted-user; sid:283; rev:5;) exploit.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"EXPLOIT pop2 x86 linux overflow"; flags:A+; content:"|eb2c 5b89 d980 c106 39d9 7c07 8001|"; classtype:attempted-admin; sid:284; rev:4;) exploit.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"EXPLOIT pop2 x86 linux overflow"; flags:A+; content:"|ffff ff2f 4249 4e2f 5348 00|"; classtype:attempted-admin; sid:285; rev:3;) exploit.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"EXPLOIT x86 linux samba overflow"; flags:A+; content:"|eb2f 5feb 4a5e 89fb 893e 89f2|"; reference:bugtraq,1816; reference:cve,CVE-1999-0811; reference:cve,CVE-1999-0182; classtype:attempted-admin; sid:292; rev:4;) exploit.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 2766 (msg:"EXPLOIT nlps x86 solaris overflow"; flags:A+; content:"|eb23 
5e33 c088 46fa 8946 f589 36|"; classtype:attempted-admin; sid:300; reference:bugtraq,2319; rev:4;) exploit.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"EXPLOIT LPRng overflow"; flags:A+; content: "|43 07 89 5B 08 8D 4B 08 89 43 0C B0 0B CD 80 31 C0 FE C0 CD 80 E8 94 FF FF FF 2F 62 69 6E 2F 73 68 0A|"; reference:cve,CVE-2000-0917; reference:bugtraq,1712; classtype:attempted-admin; sid:301; rev:4;) exploit.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"EXPLOIT redhat 7.0 lprd overflow"; flags:A+; content:"|58 58 58 58 25 2E 31 37 32 75 25 33 30 30 24 6E|"; classtype:attempted-admin; sid:302; rev:3;) exploit.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 6373 (msg:"EXPLOIT sco calserver overflow"; flags:A+; content:"|eb7f 5d55 fe4d 98fe 4d9b|"; reference:cve,CVE-2000-0306; reference:bugtraq,2353; classtype:attempted-admin; sid:304; rev:5;) exploit.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"EXPLOIT delegate proxy overflow"; flags:A+; content: "whois|3a|//"; nocase; dsize: >1000; reference:arachnids,267; classtype:attempted-admin; sid:305; reference:bugtraq,808; reference:cve,CVE-2000-0165; rev:5;) exploit.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"EXPLOIT VQServer admin"; flags:A+; content:"GET / HTTP/1.1"; nocase; reference:bugtraq,1610; reference:cve,CAN-2000-0766; classtype:attempted-admin; sid:306; rev:4;) exploit.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXPLOIT NextFTP client overflow"; flags:A+; content:"|b420 b421 8bcc 83e9 048b 1933 c966 b910|"; reference:bugtraq,572; reference:cve,CVE-1999-0671; classtype:attempted-user; sid:308; rev:5;) exploit.rules:alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"EXPLOIT sniffit overflow"; flags: A+; content:"from|3A 90 90 90 90 90 90 90 90 90 90 90|"; nocase; dsize: >512; reference:bugtraq,1158; reference:cve,CAN-2000-0343; reference:arachnids,273; classtype:attempted-admin; sid:309; rev:2;) exploit.rules:alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"EXPLOIT 
x86 windows MailMax overflow"; flags:A+; content:"|eb45 eb20 5bfc 33c9 b182 8bf3 802b|"; reference:bugtraq,2312; reference:cve,CVE-1999-0404; classtype:attempted-admin; sid:310; rev:4;) exploit.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXPLOIT netscape 4.7 unsuccessful overflow"; content: "|33 C9 B1 10 3F E9 06 51 3C FA 47 33 C0 50 F7 D0 50|"; flags:A+; reference:cve,CVE-2000-1187; reference:bugtraq,822; reference:arachnids,214; classtype:unsuccessful-user; sid:311; rev:5;) exploit.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"EXPLOIT ntpdx overflow attempt"; dsize: >128; reference:arachnids,492; reference:bugtraq,2540; classtype:attempted-admin; sid:312; rev:2;) exploit.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 518 (msg:"EXPLOIT ntalkd x86 linux overflow"; content:"|0103 0000 0000 0001 0002 02e8|"; reference:bugtraq,210; classtype:attempted-admin; sid:313; rev:2;) exploit.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT x86 linux mountd overflow"; content:"|5eb0 0289 06fe c889 4604 b006 8946|"; reference:cve,CVE-1999-0002; reference:bugtraq,121; classtype:attempted-admin; sid:315; rev:2;) exploit.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT x86 linux mountd overflow"; content:"|eb56 5E56 5656 31d2 8856 0b88 561e|"; reference:cve,CVE-1999-0002; reference:bugtraq,121; classtype:attempted-admin; sid:316; rev:2;) exploit.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT x86 linux mountd overflow"; content:"|eb40 5E31 c040 8946 0489 c340 8906|";reference:cve,CVE-1999-0002; reference:bugtraq,121; classtype:attempted-admin; sid:317; rev:2;) exploit.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"EXPLOIT bootp x86 bsd overflow"; content:"|6563 686f 206e 6574 726a 7320 7374 7265|"; classtype:attempted-admin; sid:318; rev:2; reference:bugtraq,324; reference:cve,CVE-1999-0914;) exploit.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"EXPLOIT bootp x86 linux overflow"; 
content:"|4139 30c0 a801 012f 6269 6e2f 7368 00|"; reference:cve,CVE-1999-0799; reference:cve,CAN-1999-0798; reference:cve,CAN-1999-0389; classtype:attempted-admin; sid:319; rev:1;) exploit.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 2224 (msg:"EXPLOIT MDBMS overflow"; flags:A+; content:"|0131 DBCD 80E8 5BFF FFFF|"; reference:bugtraq,1252; reference:cve,CVE-2000-0446; classtype:attempted-admin; sid:1240; rev:3;) exploit.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 4242 (msg:"EXPLOIT aix pdnsd overflow"; flags:A+; content:"|7FFF FB78 7FFF FB78 7FFF FB78 7FFF FB78|"; content:"|408A FFC8 4082 FFD8 3B36 FE03 3B76 FE02|"; dsize:>1000; reference:cve,CVE-1999-0745; reference:bugtraq,3237; classtype:attempted-user; sid:1261; rev:4;) exploit.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 4321 (msg:"EXPLOIT rwhoisd format string attempt"; flags:A+; content:"-soa %p"; reference:cve,CAN-2001-0838; reference:bugtraq,3474; classtype:misc-attack; sid:1323; rev:4;) exploit.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 6112 (msg:"EXPLOIT CDE dtspcd exploit attempt"; flags:A+; content:"1"; offset:10; depth:1; content:!"000"; offset:11; depth:3; reference:cve,CAN-2001-0803; reference:url,www.cert.org/advisories/CA-2002-01.html; classtype:misc-attack; sid:1398; rev:5;) exploit.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 32772:34000 (msg:"EXPLOIT cachefsd buffer overflow attempt"; flags:A+; dsize:>720; content:"|00 01 87 86 00 00 00 01 00 00 00 05|"; classtype:misc-attack; reference:cve,CAN-2002-0084; reference:bugtraq,4631; sid:1751; rev:3;) exploit.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT overflow"; flags:A+; content:"|E8 C0FF FFFF|/bin/sh"; classtype:attempted-admin; sid:293; rev:4;) exploit.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flags:A+; content:"|89d8 40cd 80e8 c8ff ffff|/";reference:bugtraq,130; reference:cve,CVE-1999-0005; classtype:attempted-admin; sid:295; rev:4;) exploit.rules:alert tcp 
$EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flags:A+; content:"|eb34 5e8d 1E89 5e0b 31d2 8956 07|";reference:bugtraq,130; reference:cve,CVE-1999-0005; classtype:attempted-admin; sid:296; rev:4;) exploit.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flags:A+; content:"|eb35 5E80 4601 3080 4602 3080 4603 30|";reference:bugtraq,130; reference:cve,CVE-1999-0005; classtype:attempted-admin; sid:297; rev:4;) exploit.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flags:A+; content:"|eb38 5e89f389d880460120804602|"; reference:bugtraq,130; reference:cve,CVE-1999-0005; classtype:attempted-admin; sid:298; rev:4;) exploit.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flags:A+; content:"|eb58 5E31 db83 c308 83c3 0288 5e26|"; reference:bugtraq,130; reference:cve, CVE-1999-0005; classtype:attempted-admin; sid:299; rev:4;) exploit.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT partial body overflow attempt"; flags:A+; content:" x PARTIAL 1 BODY["; dsize:>1092; reference:bugtraq,4713; classtype:misc-attack; sid:1780; rev:4;) exploit.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT partial body attempt"; flags:A+; content:" PARTIAL "; content:" BODY"; classtype:protocol-command-decode; sid:1755; rev:3;) exploit.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 PASS overflow attempt"; flags:A+; dsize:>500; content:"PASS "; nocase; reference:cve,CAN-1999-1511; classtype:attempted-admin; sid:1634; rev:3;) exploit.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 APOP overflow attempt"; flags:A+; dsize:>500; content:"APOP "; nocase; reference:cve,CAN-2000-0841; classtype:attempted-admin; sid:1635; rev:3;) exploit.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 bsd overflow"; flags:A+; content:"|5e0 e31c 0b03 b8d7 e0e8 9fa 89f9|"; 
classtype:attempted-admin; sid:286; rev:4;) exploit.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 bsd overflow"; flags:A+; content:"|685d 5eff d5ff d4ff f58b f590 6631|"; classtype:attempted-admin; sid:287; rev:4;) exploit.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 linux overflow"; flags:A+; content:"|d840 cd80 e8d9 ffff ff|/bin/sh"; classtype:attempted-admin; sid:288; rev:4;) exploit.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 sco overflow"; flags:A+; content:"|560e 31c0 b03b 8d7e 1289 f989 f9|"; classtype:attempted-admin; sid:289; rev:4;) exploit.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT qpopper overflow"; flags:A+; content:"|E8 D9FF FFFF|/bin/sh"; reference:bugtraq,830; reference:cve,CAN-1999-0822; classtype:attempted-admin; sid:290; rev:5;) finger.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER cmd_rootsh backdoor attempt"; flags:A+; content:"cmd_rootsh"; classtype:attempted-admin; reference:url,www.sans.org/y2k/TFN_toolkit.htm; reference:url,www.sans.org/y2k/fingerd.htm; sid:320; rev:5;) finger.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER account enumeration attempt"; flags:A+; content:"a b c d e f"; nocase; classtype:attempted-recon; sid:321; rev:4;) finger.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER search query"; flags:A+; content:"search"; reference:cve,CVE-1999-0259; reference:arachnids,375; classtype:attempted-recon; sid:322; rev:7;) finger.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER root query"; flags:A+; content:"root"; reference:arachnids,376; classtype:attempted-recon; sid:323; rev:4;) finger.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER null request"; flags:A+; content:"|00|"; reference:arachnids,377; classtype:attempted-recon; sid:324; rev:4;) finger.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER remote command \; execution 
attempt"; flags:A+; content:"|3b|"; reference:cve,CVE-1999-0150; reference:bugtraq,974; reference:arachnids,379; classtype:attempted-user; sid:326; rev:5;) finger.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER remote command pipe execution attempt"; flags:A+; content:"|7c|"; reference:cve,CVE-1999-0152; reference:bugtraq,2220; reference:arachnids,380; classtype:attempted-user; sid:327; rev:5;) finger.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER bomb attempt"; flags:A+; content:"@@"; reference:arachnids,381; reference:cve,CAN-1999-0106; classtype:attempted-dos; sid:328; rev:5;) finger.rules:# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER cybercop redirection"; flags:A+; content: "@localhost|0A|"; dsize:11; reference:arachnids,11; classtype:attempted-recon; sid:329; rev:5;) finger.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER redirection attempt"; content: "@"; flags:A+; reference:arachnids,251; reference:cve,CAN-1999-0105; classtype:attempted-recon; sid:330; rev:5;) finger.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER cybercop query"; content: "|0A| "; flags:A+; depth: 10; reference:arachnids,132; reference:cve,CVE-1999-0612; classtype:attempted-recon; sid:331; rev:5;) finger.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER 0 query"; flags:A+; content:"0"; reference:arachnids,378; reference:arachnids,131; reference:cve,CAN-1999-0197; classtype:attempted-recon; sid:332; rev:4;) finger.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER . 
query"; flags:A+; content:"."; reference:arachnids,130; reference:cve,CAN-1999-0198; classtype:attempted-recon; sid:333; rev:4;) finger.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER version query"; flags:A+; content:"version"; classtype:attempted-recon; sid:1541; rev:4;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT stat overflow"; flags:A+; dsize:>1000; content:"stat "; nocase; reference:url,labs.defcom.com/adv/2001/def-2001-31.txt; classtype:attempted-admin; sid:1379; rev:3;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT STAT * dos attempt"; flags:A+; content:"STAT "; nocase; content:"*"; reference:bugtraq,4482; classtype:attempted-dos; sid:1777; rev:1;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT STAT ? dos attempt"; flags:A+; content:"STAT "; nocase; content:"?"; reference:bugtraq,4482; classtype:attempted-dos; sid:1778; rev:1;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP .forward"; content: ".forward"; flags:A+; reference:arachnids,319; classtype:suspicious-filename-detect; sid:334; rev:4;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP .rhosts"; flags:A+; content:".rhosts"; reference:arachnids,328; classtype:suspicious-filename-detect; sid:335; rev:4;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~root attempt"; content:"CWD "; content:" ~root"; nocase; flags:A+; reference:cve,CVE-1999-0082; reference:arachnids,318; classtype:bad-unknown; sid:336; rev:5;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT aix overflow";flags:A+; dsize:>1300; content:"CEL "; reference:bugtraq,679; reference:cve,CVE-1999-0789; reference:arachnids,257; classtype:attempted-admin; sid:337; rev:4;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT format string"; flags:A+; content: "SITE EXEC |25 30 32 30 64 7C 25 2E 66 25 2E 66 7C 0A|"; depth: 32; nocase; reference:cve,CVE-2000-0573; 
reference:bugtraq,1387; reference:arachnids,453; classtype:attempted-user; sid:338; rev:4;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT OpenBSD x86 ftpd"; flags:A+; content: " |90 31 C0 99 52 52 B017 CD80 68 CC 73 68|"; reference:cve,CVE-2001-0053; reference:bugtraq,2124; reference:arachnids,446; classtype:attempted-user; sid:339; rev:4;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT overflow"; flags:A+; content:"|5057 440A 2F69|"; classtype:attempted-admin; sid:340; rev:3;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT overflow"; flags:A+; content:"|5858 5858 582F|"; classtype:attempted-admin; sid:341; rev:3;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Solaris 2.8"; flags:A+; content: "|901BC00F 82102017 91D02008|"; reference:bugtraq,1387; reference:cve,CAN-2000-0573; reference:arachnids,451; classtype:attempted-user; sid:342; rev:4;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow FreeBSD"; flags:A+; content: "|31c0 50 50 50 b07e cd80 31db 31c0|"; depth: 32; reference:arachnids,228; reference:bugtraq,1387; reference:cve,CAN-2000-0573; classtype:attempted-admin; sid:343; rev:5;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Linux"; flags:A+; content: "|31c031db 31c9b046 cd80 31c031db|"; reference:bugtraq,1387; reference:cve,CAN-2000-0573; reference:arachnids,287; classtype:attempted-admin; sid:344; rev:4;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow generic"; flags:A+; content:"SITE EXEC %p"; nocase; depth:16; reference:bugtraq,1387; reference:cve,CAN-2000-0573; reference:arachnids,285; classtype:attempted-admin; sid:345; rev:4;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP 
EXPLOIT wu-ftpd 2.6.0 site exec format string check"; flags:A+; content:"f%.f%.f%.f%.f%."; depth:32; reference:arachnids,286; reference:bugtraq,1387; reference:cve,CAN-2000-0573; classtype:attempted-recon; sid:346; rev:4;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0"; flags:A+; content:"|2e2e3131|venglin@"; reference:arachnids,440; reference:bugtraq,1387; classtype:attempted-user; sid:348; rev:3;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT MKD overflow"; flags:A+; content:"MKD AAAAAA"; reference:bugtraq,113; reference:cve,CVE-1999-0368; classtype:attempted-admin; sid:349; rev:4;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow"; flags:A+; content:"|31c0 31db b017 cd80 31c0 b017 cd80|"; reference:bugtraq,113; reference:cve,CVE-1999-0368; classtype:attempted-admin; sid:350; rev:3;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow"; flags:A+; content:"|31db 89d8 b017 cd80 eb2c|"; reference:bugtraq,113; reference:cve,CVE-1999-0368; classtype:attempted-admin; sid:351; rev:3;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow"; flags:A+; content:"|83 ec 04 5e 83 c6 70 83 c6 28 d5 e0 c0|";reference:bugtraq, 113; reference:cve, CVE-1999-0368; classtype:attempted-admin; sid:352; rev:3;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP adm scan"; flags:A+; content:"PASS ddd@|0a|"; reference:arachnids,332; classtype:suspicious-login; sid:353; rev:4;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP iss scan"; flags:A+; content:"pass -iss@iss"; reference:arachnids,331; classtype:suspicious-login; sid:354; rev:4;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP pass wh00t"; flags:A+; content:"pass wh00t"; nocase; reference:arachnids,324; classtype:suspicious-login; sid:355; rev:4;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 
(msg:"FTP passwd retrieval attempt"; flags:A+; content:"RETR"; nocase; content:"passwd"; reference:arachnids,213; classtype:suspicious-filename-detect; sid:356; rev:4;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP piss scan"; flags:A+; content:"pass -cklaus"; classtype:suspicious-login; sid:357; rev:4;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP saint scan"; flags:A+; content:"pass -saint"; reference:arachnids,330; classtype:suspicious-login; sid:358; rev:4;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP satan scan"; flags:A+; content:"pass -satan"; reference:arachnids,329; classtype:suspicious-login; sid:359; rev:4;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP serv-u directory traversal"; flags:A+; content: ".%20."; nocase; reference:bugtraq,2025; reference:cve,CVE-2001-0054; classtype:bad-unknown; sid:360; rev:4;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP site exec"; flags:A+; content:"site "; nocase; content:" exec "; offset:4; nocase; reference:bugtraq,2241; reference:arachnids,317; classtype:bad-unknown; sid:361; rev:6;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP tar parameters"; flags:A+; content:"RETR "; nocase; content:" --use-compress-program"; nocase; reference:bugtraq,2240; reference:arachnids,134; reference:cve,CVE-1999-0202; classtype:bad-unknown; sid:362; rev:6;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ..."; flags:A+; content:"CWD "; content:" ..."; classtype:bad-unknown; sid:1229; rev:4;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP wu-ftp file completion attempt ["; flags:A+; content:"~"; content:"["; reference:cve,CAN-2001-0886; reference:bugtraq,3581; classtype:misc-attack; sid:1377; rev:7;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP wu-ftp file completion attempt {"; flags:A+; content:"~"; content:"{"; reference:cve,CAN-2001-0886; reference:bugtraq,3581; 
classtype:misc-attack; sid:1378; rev:7;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP ADMw0rm ftp login attempt"; flags:A+; content:"USER w0rm|0D0A|"; reference:arachnids,01; sid:144; classtype:suspicious-login; rev:6;) ftp.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"FTP file_id.diz access"; flags:A+; content:"RETR "; nocase; content:"file_id.diz"; nocase; classtype:misc-activity; sid:1445; rev:2;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP \"STOR 1MB\" possible warez site"; flags:A+; content:"STOR 1MB"; nocase; depth: 8; classtype:misc-activity; sid:543; rev:4;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP \"RETR 1MB\" possible warez site"; flags:A+; content:"RETR 1MB"; nocase; depth: 8; classtype:misc-activity; sid:544; rev:4;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP \"CWD /\" possible warez site"; flags:A+; content:"CWD / "; nocase; depth: 6; classtype:misc-activity; sid:545; rev:3;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP \"CWD \" possible warez site"; flags:A+; content:"CWD "; nocase; depth: 5; classtype:misc-activity; sid:546; rev:4;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP \"MKD \" possible warez site"; flags:A+; content:"MKD "; nocase; depth: 5; classtype:misc-activity; sid:547; rev:4;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP \"MKD . 
\" possible warez site"; flags:A+; content:"MKD ."; nocase; depth: 5; classtype:misc-activity; sid:548; rev:4;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP \"MKD / \" possible warez site"; flags:A+; content:"MKD / "; nocase; depth: 6; classtype:misc-activity; sid:554; rev:5;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~ attempt"; content:"CWD "; content:" ~|0A|"; flags:A+; reference:cve,CAN-2001-0421; reference:bugtraq,2601; classtype:denial-of-service; sid:1672; rev:2;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~ attempt"; content:"CWD "; content:" ~|0D0A|"; flags:A+; reference:cve,CAN-2001-0421; reference:bugtraq,2601; classtype:denial-of-service; sid:1728; rev:2;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD .... attempt"; content:"CWD "; content:" ...."; flags:A+; reference:bugtraq,4884; classtype:denial-of-service; sid:1779; rev:1;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT CMD overflow"; flags:A+; dsize:>150; content:"CMD "; nocase; classtype:attempted-admin; sid:1621; rev:4;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT SITE CHOWN overflow"; flags:A+; dsize:>500; content:"SITE CHOWN "; nocase; reference:cve,CAN-2001-0065; classtype:attempted-admin; sid:1529; rev:3;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RNFR ././ attempt"; flags:A+; content:"RNFR "; nocase; content:" ././"; nocase; classtype:misc-attack; sid:1622; rev:4;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP invalid MODE"; flags:A+; content:"MODE "; nocase; content:!"A"; nocase; content:!"S"; nocase; content:!"C"; nocase; classtype:protocol-command-decode; sid:1623; rev:3;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP large PWD command"; flags:A+; content:"PWD"; nocase; dsize:10; classtype:protocol-command-decode; sid:1624; rev:3;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 
(msg:"FTP large SYST command"; flags:A+; content:"SYST"; nocase; dsize:10; classtype:protocol-command-decode; sid:1625; rev:3;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP format string attempt"; flags:A+; content:"%p"; nocase; classtype:attempted-admin; sid:1530; rev:4;) ftp.rules:# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP command overflow attempt"; flags:A+; dsize:>100; reference:bugtraq,4638; classtype:protocol-command-decode; sid:1748; rev:3;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT CWD overflow"; flags:A+; dsize:>200; content:"CWD "; nocase; classtype:attempted-admin; sid:1630; rev:3;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE CHOWN overflow attempt"; flags:A+; dsize:>500; content:"SITE "; nocase; content:" CHOWN "; nocase; reference:cve,CAN-2000-0479; classtype:attempted-admin; sid:1562; rev:4;) ftp.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER overflow attempt"; flags:A+; dsize:>100; content:"USER "; nocase; reference:bugtraq,4638; classtype:attempted-admin; sid:1734; rev:4;) icmp-info.rules:# that will alert on unknown ICMP types. 
icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IRDP router advertisement";itype:9; reference:bugtraq,578; reference:cve,CVE-1999-0875; reference:arachnids,173; sid:363; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IRDP router selection";itype:10; reference:bugtraq,578; reference:cve,CVE-1999-0875; reference:arachnids,174; sid:364; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING *NIX"; content:"|101112131415161718191a1b1c1d1e1f|";itype:8;depth:32; sid:366; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING BSDtype"; itype:8; content:"|08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17|"; depth:32; reference:arachnids,152; sid:368; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING BayRS Router"; itype: 8; content:"|0102030405060708090a0b0c0d0e0f|"; depth:32; reference:arachnids,438; reference:arachnids,444; sid:369; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING BeOS4.x"; content:"|00000000000000000000000008090a0b|";itype:8;depth:32; reference:arachnids,151; sid:370; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Cisco Type.x"; content:"|abcdabcdabcdabcdabcdabcdabcdabcd|";itype:8;depth:32; reference:arachnids,153; sid:371; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Delphi-Piette Windows"; content:"|50696e67696e672066726f6d2044656c|"; itype:8; depth:32; reference:arachnids,155; sid:372; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Flowpoint2200 or Network Management Software"; itype:8; content:"|0102030405060708090a0b0c0d0e0f10|"; depth:32; 
reference:arachnids,156; sid:373; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING IP NetMonitor Macintosh"; content:"|a9205375737461696e61626c6520536f|"; itype:8; depth:32; reference:arachnids,157; sid:374; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING LINUX/*BSD"; dsize:8; itype:8; id:13170; reference:arachnids,447; sid:375; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Microsoft Windows"; content:"|303132333435363738396162636465666768696a6b6c6d6e6f70|"; itype:8; depth:32; reference:arachnids,159; sid:376; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Network Toolbox 3 Windows"; content:"|3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d|";itype:8;depth:32; reference:arachnids,161; sid:377; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Ping-O-MeterWindows"; content:"|4f4d 6574 6572 4f62 6573 6541 726d 6164|"; itype:8; depth:32; reference:arachnids,164; sid:378; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Pinger Windows"; content:"|44617461000000000000000000000000|"; itype:8; depth:32; reference:arachnids,163; sid:379; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Seer Windows"; content:"|88042020202020202020202020202020|"; itype:8; depth:32; reference:arachnids,166; sid:380; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Sun Solaris"; dsize:8; itype:8; reference:arachnids,448; sid:381; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Windows"; content: "|61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70|"; itype: 
8; depth: 16; reference:arachnids,169; sid:382; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING"; itype: 8; icode: 0; sid:384; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP traceroute ";ttl:1;itype:8; reference:arachnids,118; classtype:attempted-recon; sid:385; rev:2;) icmp-info.rules:alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Address Mask Reply"; itype: 18; icode: 0; sid:386; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Address Mask Reply (Undefined Code!)"; itype: 18; sid:387; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Address Mask Request"; itype: 17; icode: 0; sid:388; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Address Mask Request (Undefined Code!)"; itype: 17; sid:389; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Alternate Host Address"; itype: 6; icode: 0; sid:390; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Alternate Host Address (Undefined Code!)"; itype: 6; sid:391; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Datagram Conversion Error"; itype: 31; icode: 0; sid:392; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Datagram Conversion Error (Undefined Code!)"; itype: 31; sid:393; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable (Destination Host Unknown)"; itype: 3; icode: 7; sid:394; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable 
(Destination Network Unknown)"; itype: 3; icode: 6; sid:395; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable (Fragmentation Needed and DF bit was set)"; itype: 3; icode:4; sid:396; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable (Host Precedence Violation)"; itype: 3; icode: 14; sid:397; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable (Host Unreachable for Type of Service)"; itype: 3; icode: 12; sid:398; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable (Host Unreachable)"; itype: 3; icode: 1; sid:399; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable (Network Unreachable for Type of Service)"; itype: 3; icode:11; sid:400; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable (Network Unreachable)"; itype: 3; icode: 0; sid:401; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable (Port Unreachable)"; itype: 3; icode: 3; sid:402; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable (Precedence Cutoff in effect)"; itype: 3; icode: 15; sid:403; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable (Protocol Unreachable)"; itype: 3; icode: 2; sid:404; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable (Source Host Isolated)"; itype: 3; icode: 8; sid:405; classtype:misc-activity; rev:4;) 
icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable (Source Route Failed)"; itype: 3; icode: 5; sid:406; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable (Undefined Code!)"; itype: 3; sid:407; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Echo Reply"; itype: 0; icode: 0; sid:408; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Echo Reply (Undefined Code!)"; itype: 0; sid:409; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Fragment Reassembly Time Exceeded"; itype: 11; icode: 1; sid:410; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IPV6 I-Am-Here"; itype: 34; icode: 0; sid:411; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IPV6 I-Am-Here (Undefined Code!"; itype: 34; sid:412; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IPV6 Where-Are-You"; itype: 33; icode: 0; sid:413; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IPV6 Where-Are-You (Undefined Code!)"; itype: 33; sid:414; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Information Reply"; itype: 16; icode: 0; sid:415; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Information Reply (Undefined Code!)"; itype: 16; sid:416; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Information Request"; itype: 15; icode: 0; sid:417; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET 
any (msg:"ICMP Information Request (Undefined Code!)"; itype: 15; sid:418; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Host Redirect"; itype: 32; icode: 0; sid:419; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Host Redirect (Undefined Code!)"; itype: 32; sid:420; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Registration Reply"; itype: 36; icode: 0; sid:421; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Registration Reply (Undefined Code!)"; itype: 36; sid:422; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Registration Request"; itype: 35; icode: 0; sid:423; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Registration Request (Undefined Code!"; itype: 35; sid:424; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Parameter Problem (Bad Length)"; itype: 12; icode: 2; sid:425; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Parameter Problem (Missing a Requiered Option)"; itype: 12; icode: 1; sid:426; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Parameter Problem (Unspecified Error)"; itype: 12; icode: 0; sid:427; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Parameter Problem (Undefined Code!)"; itype: 12; sid:428; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Photuris (Reserved)"; itype: 40; icode: 0; sid:429; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp 
$EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Photuris (Unknown Security Parameters Index)"; itype: 40; icode: 1; sid:430; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Photuris (Valid Security Parameters, But Authentication Failed)"; itype: 40; icode: 2; sid:431; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Photuris (Valid Security Parameters, But Decryption Failed)"; itype: 40; icode: 3; sid:432; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Photuris (Undefined Code!)"; itype: 40; sid:433; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Redirect (for TOS and Host)"; itype: 5; icode: 3; sid:436; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Redirect (for TOS and Network)"; itype: 5; icode: 2; sid:437; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Redirect (Undefined Code!)"; itype: 5; sid:438; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Reserved for Security (Type 19)"; itype: 19; icode: 0; sid:439; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Reserved for Security (Type 19) (Undefined Code!)"; itype: 19; sid:440; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Router Advertisment"; itype: 9; icode: 0; reference:arachnids,173; sid:441; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Router Selection"; itype: 10; icode: 0; reference:arachnids,174; sid:443; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP SKIP"; itype: 39; 
icode: 0; sid:445; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP SKIP (Undefined Code!"; itype: 39; sid:446; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Source Quench (Undefined Code!)"; itype: 4; sid:448; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Time-To-Live Exceeded in Transit"; itype: 11; icode: 0; sid:449; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Time-To-Live Exceeded in Transit (Undefined Code!)"; itype: 11; sid:450; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Timestamp Reply"; itype: 14; icode: 0; sid:451; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Timestamp Reply (Undefined Code!)"; itype: 14; sid:452; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Timestamp Request"; itype: 13; icode: 0; sid:453; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Timestamp Request (Undefined Code!)"; itype: 13; sid:454; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Traceroute ipopts"; ipopts: rr; itype: 0; reference:arachnids,238; sid:455; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Traceroute"; itype: 30; icode: 0; sid:456; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Traceroute (Undefined Code!)"; itype: 30; sid:457; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Unassigned! 
(Type 1)"; itype: 1; icode: 0; sid:458; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Unassigned! (Type 1) (Undefined Code)"; itype: 1; sid:459; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Unassigned! (Type 2)"; itype: 2; icode: 0; sid:460; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Unassigned! (Type 2) (Undefined Code)"; itype: 2; sid:461; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Unassigned! (Type 7)"; itype: 7; icode: 0; sid:462; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Unassigned! (Type 7) (Undefined Code!)"; itype: 7; sid:463; classtype:misc-activity; rev:4;) icmp-info.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING (Undefined Code!)"; itype: 8; sid:365; classtype:misc-activity; rev:4;) icmp.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP ISS Pinger"; content:"|495353504e475251|";itype:8;depth:32; reference:arachnids,158; classtype:attempted-recon; sid:465; rev:1;) icmp.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP L3retriever Ping"; content: "ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; itype: 8; icode: 0; depth: 32; reference:arachnids,311; classtype:attempted-recon; sid:466; rev:1;) icmp.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Nemesis v1.1 Echo"; dsize: 20; itype: 8; icmp_id: 0; icmp_seq: 0; content: "|0000000000000000000000000000000000000000|"; reference:arachnids,449; classtype:attempted-recon; sid:467; rev:1;) icmp.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize: 0; itype: 8; reference:arachnids,162; classtype:attempted-recon; sid:469; rev:1;) icmp.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP icmpenum v1.1.1"; id: 666; dsize: 0; 
itype: 8; icmp_id: 666 ; icmp_seq: 0; reference:arachnids,450; classtype:attempted-recon; sid:471; rev:1;) icmp.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect host";itype:5;icode:1; reference:arachnids,135; reference:cve,CVE-1999-0265; classtype:bad-unknown; sid:472; rev:1;) icmp.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect net";itype:5;icode:0; reference:arachnids,199; reference:cve,CVE-1999-0265; classtype:bad-unknown; sid:473; rev:1;) icmp.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP superscan echo"; content:"|0000000000000000|"; itype: 8; dsize:8; classtype:attempted-recon; sid:474; rev:1;) icmp.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP traceroute ipopts"; ipopts: rr; itype: 0; reference:arachnids,238; classtype:attempted-recon; sid:475; rev:1;) icmp.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP webtrends scanner"; content: "|00 00 00 00 45 45 45 45 45 45 45 45 45 45 45 45|"; itype: 8; icode: 0; reference:arachnids,307; classtype:attempted-recon; sid:476; rev:1;) icmp.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Source Quench"; itype: 4; icode: 0; classtype:bad-unknown; sid:477; rev:1;) icmp.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Broadscan Smurf Scanner"; itype: 8; icmp_id: 0; icmp_seq: 0; dsize:4; classtype:attempted-recon; sid:478; rev:1;) icmp.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING speedera"; content: "|3839 3a3b 3c3d 3e3f|"; depth: 100; itype: 8; sid:480; classtype:misc-activity; rev:2;) icmp.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP TJPingPro1.1Build 2 Windows"; content:"|544a 5069 6e67 5072 6f20 6279 204a 696d|";itype:8;depth:32; reference:arachnids,167; sid:481; classtype:misc-activity; rev:2;) icmp.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING WhatsupGold Windows"; content:"|5768 6174 7355 7020 2d20 4120 4e65 7477|";itype:8;depth:32; 
reference:arachnids,168; sid:482; classtype:misc-activity; rev:2;) icmp.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING CyberKit 2.2 Windows"; content:"|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|";itype:8;depth:32; reference:arachnids,154; sid:483; classtype:misc-activity; rev:2;) icmp.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Sniffer Pro/NetXRay network scan"; itype:8; content:"|43696e636f204e6574776f726b2c20496e632e|"; depth:32; sid:484; classtype:misc-activity; rev:2;) icmp.rules:alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Communication Administratively Prohibited)"; itype: 3; icode: 13; sid:485; classtype:misc-activity; rev:2;) icmp.rules:alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Communication with Destination Host is Administratively Prohibited)"; itype: 3; icode: 10; sid:486; classtype:misc-activity; rev:2;) icmp.rules:alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Communication with Destination Network is Administratively Prohibited)"; itype: 3; icode: 9; sid:487; classtype:misc-activity; rev:2;) icmp.rules:alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize: >800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:3;) info.rules:alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"INFO Connection Closed MSG from Port 80"; content:"Connection closed by foreign host"; nocase; flags:A+; classtype:unknown; sid:488; rev:3;) info.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INFO FTP No Password"; content: "pass |0d|"; nocase; reference:arachnids,322; flags:A+; classtype:unknown; sid:489; rev:4;) info.rules:alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"INFO battle-mail traffic"; content:"BattleMail"; flags:A+; classtype:unknown; sid:490; rev:4;) info.rules:alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"FTP Bad login"; content:"530 Login "; nocase; flags:A+; classtype:bad-unknown; sid:491; rev:4;) info.rules:alert 
tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET Bad Login"; content: "Login failed"; nocase; flags:A+; classtype:bad-unknown; sid:492; rev:5;) info.rules:alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET Bad Login"; content: "Login incorrect"; nocase; flags:A+; classtype:bad-unknown; sid:1251; rev:4;) info.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INFO psyBNC access"; content:"Welcome!psyBNC@lam3rz.de"; flags:A+; classtype:bad-unknown; sid:493; rev:4;) local.rules:# alert tcp any any -> any any (msg: "wee"; ) misc.rules:alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route lssr"; ipopts:lsrr; reference:bugtraq,646; reference:cve,CVE-1999-0909; reference:arachnids,418; classtype:bad-unknown; sid:500; rev:2;) misc.rules:alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route lssre"; ipopts:lsrre; reference:bugtraq,646; reference:cve,CVE-1999-0909; reference:arachnids,420; classtype:bad-unknown; sid:501; rev:2;) misc.rules:alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route ssrr"; ipopts: ssrr ;reference:arachnids,422; classtype:bad-unknown; sid:502; rev:1;) misc.rules:alert tcp $EXTERNAL_NET 20 -> $HOME_NET :1023 (msg:"MISC Source Port 20 to <1024"; flags:S; reference:arachnids,06; classtype:bad-unknown; sid:503; rev:2;) misc.rules:alert tcp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC source port 53 to <1024"; flags:S; reference:arachnids,07; classtype:bad-unknown; sid:504; rev:2;) misc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 1417 (msg:"MISC Insecure TIMBUKTU Password"; content: "|05 00 3E|"; flags:A+; depth:16; reference:arachnids,229; classtype:bad-unknown; sid:505; rev:3;) misc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 5631 (msg:"MISC PCAnywhere Attempted Administrator Login"; flags:A+; content:"ADMINISTRATOR"; classtype:attempted-admin; sid:507; rev:3;) misc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 70 (msg:"MISC gopher proxy"; flags:A+; content:"ftp|3a|"; nocase; content: 
"@/"; reference:arachnids,409; classtype:bad-unknown; sid:508; rev:5;) misc.rules:alert tcp $HOME_NET 5631:5632 -> $EXTERNAL_NET any (msg:"MISC PCAnywhere Failed Login"; flags:A+; content:"Invalid login"; depth: 16; reference:arachnids,240; classtype:unsuccessful-user; sid:512; rev:3;) misc.rules:alert tcp $HOME_NET 7161 -> $EXTERNAL_NET any (msg:"MISC Cisco Catalyst Remote Access"; flags:SA; reference:arachnids,129; reference:cve,CVE-1999-0430; classtype:bad-unknown; sid:513; rev:3;) misc.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET 27374 (msg:"MISC ramen worm"; flags:A+; content:"GET "; depth:8; nocase; reference:arachnids,461; classtype:bad-unknown; sid:514; rev:4;) misc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"MISC SNMP NT UserList"; content:"|2b 06 10 40 14 d1 02 19|"; classtype:attempted-recon; sid:516; rev:2;) misc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"MISC xdmcp query"; content: "|00 01 00 03 00 01 00|";reference:arachnids,476; classtype:attempted-recon; sid:517; rev:1;) misc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC Large UDP Packet"; dsize: >4000; reference:arachnids,247; classtype:bad-unknown; sid:521; rev:1;) misc.rules:alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC Tiny Fragments"; fragbits:M; dsize: < 25; classtype:bad-unknown; sid:522; rev:1;) misc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPNP malformed advertisement"; content:"NOTIFY * "; nocase; classtype:misc-attack; reference:cve,CAN-2001-0876; reference:cve,CAN-2001-0877; sid:1384; rev:2;) misc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPNP Location overflow"; content:"|0d|Location|3a|"; nocase; dsize:>500; classtype:misc-attack; reference:cve,CAN-2001-0876; reference:cve,CAN-2001-0877; sid:1388; rev:1;) misc.rules:alert tcp [64.12.163.0/24,205.188.9.0/24] any -> $HOME_NET any (msg:"MISC AIM AddGame attempt"; flags:A+; content:"aim\:AddGame?"; nocase; 
reference:url,www.w00w00.org/files/w00aimexp/; reference:bugtraq,3769; reference:cve,CAN-2002-0005; classtype:misc-attack; sid:1393; rev:8;) misc.rules:alert tcp [64.12.163.0/24,205.188.9.0/24] any -> $HOME_NET any (msg:"MISC AIM AddExternalApp attempt"; flags:A+; content:"aim\:AddExternalApp?"; nocase; reference:url,www.w00w00.org/files/w00aimexp/; classtype:misc-attack; sid:1752; rev:2;) misc.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL root login attempt"; flags:A+; content:"|0A 00 00 01 85 04 00 00 80 72 6F 6F 74 00|"; classtype:protocol-command-decode; sid:1775; rev:1;) misc.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL show databases attempt"; flags:A+; content:"|0f 00 00 00 03|show databases"; classtype:protocol-command-decode; sid:1776; rev:1;) misc.rules:alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"NNTP return code buffer overflow attempt"; content:"200 "; offset:0; dsize:>100; reference:bugtraq,4900; classtype:protocol-command-decode; sid:1792; rev:3;) misc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP AUTHINFO USER overflow attempt"; flags:A+; dsize:>500; content:"AUTHINFO USER "; nocase; reference:cve,CAN-2000-0341; classtype:attempted-admin; sid:1538; rev:3;) misc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP Cassandra Overflow"; flags:A+; content: "AUTHINFO USER"; nocase; dsize: >512; depth: 16; reference:cve,CAN-2000-0341; reference:arachnids,274; classtype:attempted-user; sid:291; rev:5;) misc.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE EXECUTE_SYSTEM attempt"; flags:A+; content:"EXECUTE_SYSTEM"; nocase; classtype:system-call-detect; sid:1673; rev:3;) misc.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE connect_data\(command=version\) attempt"; flags:A+; content:"connect_data\(command=version\)"; nocase; classtype:protocol-command-decode; sid:1674; rev:3;) misc.rules:alert tcp $EXTERNAL_NET any -> 
$SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE misparsed login response"; flags:A+; content:"description=\("; nocase; content:!"connect_data=\(sid="; nocase; content:!"address=\(protocol=tcp"; nocase; classtype:suspicious-login; sid:1675; rev:3;) misc.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE select union attempt"; flags:A+; content:"select "; nocase; content:" union "; nocase; classtype:protocol-command-decode; sid:1676; rev:3;) misc.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE select like '%' attempt"; flags:A+; content:" where "; nocase; content:" like '%'"; nocase; classtype:protocol-command-decode; sid:1677; rev:3;) misc.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE select like \"%\" attempt"; flags:A+; content:" where "; nocase; content:" like \"%\""; nocase; classtype:protocol-command-decode; sid:1678; rev:3;) misc.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE describe attempt"; flags:A+; content:"describe "; nocase; classtype:protocol-command-decode; sid:1679; rev:3;) misc.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_constraints access"; flags:A+; content:"all_constraints"; nocase; classtype:protocol-command-decode; sid:1680; rev:3;) misc.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_views access"; flags:A+; content:"all_views"; nocase; classtype:protocol-command-decode; sid:1681; rev:3;) misc.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_source access"; flags:A+; content:"all_source"; nocase; classtype:protocol-command-decode; sid:1682; rev:3;) misc.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_tables access"; flags:A+; content:"all_tables"; nocase; classtype:protocol-command-decode; sid:1683; rev:3;) misc.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_tab_columns 
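access"; flags:A+; content:"all_tab_columns"; nocase; classtype:protocol-command-decode; sid:1684; rev:3;)
misc.rules:# NOTE(review): sid 1685 announced all_tab_privs but matched content "all_tab_columns", which duplicated sid 1684 and never fired on ALL_TAB_PRIVS reads; content corrected, rev bumped.
misc.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_tab_privs access"; flags:A+; content:"all_tab_privs"; nocase; classtype:protocol-command-decode; sid:1685; rev:4;)
misc.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dba_tablespace access"; flags:A+; content:"dba_tablespace"; nocase; classtype:protocol-command-decode; sid:1686; rev:3;)
misc.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dba_tables access"; flags:A+; content:"dba_tables"; nocase; classtype:protocol-command-decode; sid:1687; rev:3;)
misc.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE user_tablespace access"; flags:A+; content:"user_tablespace"; nocase; classtype:protocol-command-decode; sid:1688; rev:3;)
misc.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.all_users access"; flags:A+; content:"sys.all_users"; nocase; classtype:protocol-command-decode; sid:1689; rev:3;)
misc.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE grant attempt"; flags:A+; content:"grant "; nocase; content:" to "; nocase; classtype:protocol-command-decode; sid:1690; rev:3;)
misc.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE ALTER USER attempt"; flags:A+; content:"alter user"; nocase; content:" identified by "; nocase; classtype:protocol-command-decode; sid:1691; rev:3;)
misc.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE drop table attempt"; flags:A+; content:"drop table"; nocase; classtype:protocol-command-decode; sid:1692; rev:3;)
misc.rules:# NOTE(review): sid 1693 announced "create table" but matched content "drop table", a duplicate of sid 1692 that left CREATE TABLE undetected; content corrected, rev bumped.
misc.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE create table attempt"; flags:A+; content:"create table"; nocase; classtype:protocol-command-decode; sid:1693; rev:4;)
misc.rules:alert tcp $EXTERNAL_NET any -> 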
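$SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE alter table attempt"; flags:A+; content:"alter table"; nocase; classtype:protocol-command-decode; sid:1694; rev:3;)
misc.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE truncate table attempt"; flags:A+; content:"truncate table"; nocase; classtype:protocol-command-decode; sid:1695; rev:3;)
misc.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE create database attempt"; flags:A+; content:"create database"; nocase; classtype:protocol-command-decode; sid:1696; rev:3;)
misc.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE alter database attempt"; flags:A+; content:"alter database"; nocase; classtype:protocol-command-decode; sid:1697; rev:3;)
misc.rules:alert tcp $HOME_NET 902 -> $EXTERNAL_NET any (msg:"OTHER-IDS ISS RealSecure 6 event collector connection attempt"; flags:A+; content:"6ISS ECNRA Built-In Provider, Strong Encryption"; nocase; offset:30; depth:70; classtype:successful-recon-limited; sid:1760; rev:2;)
misc.rules:alert tcp $HOME_NET 2998 -> $EXTERNAL_NET any (msg:"OTHER-IDS ISS RealSecure 6 daemon connection attempt"; flags:A+; content:"6ISS ECNRA Built-In Provider, Strong Encryption"; nocase; offset:30; depth:70; classtype:successful-recon-limited; sid:1761; rev:2;)
misc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OTHER-IDS SecureNetPro traffic"; content: "|00 67 00 01 00 03|"; offset:0; depth:6; flags:A+; classtype:bad-unknown; sid:1629; rev:3;)
misc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"SNMP community string buffer overflow attempt"; content:"|02 01 00 04 82 01 00|"; offset:4; reference:url,www.cert.org/advisories/CA-2002-03.html; reference:cve,CAN-2002-0012; reference:cve,CAN-2002-0013; classtype:misc-attack; sid:1409; rev:3;)
# sid:1422: the pattern was written as " | 04 82 01 00 |". Outside the |..| hex delimiters a space is a literal byte,
# so that is a 6-byte pattern (space, four bytes, space) searched with depth:5 -- it can never match, and newer Snort
# versions refuse to load a content shorter than its depth. Rewritten as the four hex bytes the rule intends.
# With offset:7/depth:5 the pattern may start at byte 7 or 8, i.e. the version INTEGER before the community string
# may take 3 or 4 bytes -- presumably the encoding variation the "(with evasion)" msg refers to. rev bumped.
misc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"SNMP community string buffer overflow attempt (with evasion)"; content:"|04 82 01 00|"; offset:7; depth:5; reference:url,www.cert.org/advisories/CA-2002-03.html; reference:cve,CAN-2002-0012; reference:cve,CAN-2002-0013; classtype:misc-attack; sid:1422; rev:3;)
misc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP public access udp"; content:"public"; reference:cve,CAN-2002-0012; reference:cve,CAN-2002-0013; sid:1411; rev:2; classtype:attempted-recon;)
misc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP public access tcp"; flags:A+; content:"public"; reference:cve,CAN-2002-0012; reference:cve,CAN-2002-0013; sid:1412; classtype:attempted-recon; rev:4;)
misc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP private access udp"; content:"private"; reference:cve,CAN-2002-0012; reference:cve,CAN-2002-0013; sid:1413; rev:2; classtype:attempted-recon;)
misc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP private access tcp"; flags:A+; content:"private"; reference:cve,CAN-2002-0012; reference:cve,CAN-2002-0013; sid:1414; classtype:attempted-recon; rev:4;)
misc.rules:alert udp any any -> 255.255.255.255 161 (msg:"SNMP Broadcast request"; reference:cve,CAN-2002-0012; reference:cve,CAN-2002-0013; sid:1415; rev:2; classtype:attempted-recon;)
misc.rules:alert udp any any -> 255.255.255.255 162 (msg:"SNMP broadcast trap"; reference:cve,CAN-2002-0012; reference:cve,CAN-2002-0013; sid:1416; rev:2; classtype:attempted-recon;)
# sid:1417-1420 carry no content match at all: they fire on every packet from $EXTERNAL_NET to 161/162. Keep them
# enabled only where no external SNMP is expected, otherwise they are pure noise.
# sid:1418 previously lacked flags:A+, unlike the other tcp SNMP rules (sid:1412/1414), so a bare SYN from a port
# scan already raised "SNMP request tcp"; flags:A+ added, rev bumped. sid:1420 (the next tcp rule) has the same gap.
misc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP request udp"; reference:cve,CAN-2002-0012; reference:cve,CAN-2002-0013; sid:1417; rev:2; classtype:attempted-recon;)
misc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP request tcp"; flags:A+; reference:cve,CAN-2002-0012; reference:cve,CAN-2002-0013; sid:1418; rev:3; classtype:attempted-recon;)
misc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"SNMP trap udp"; reference:cve,CAN-2002-0012; reference:cve,CAN-2002-0013; sid:1419; rev:2; classtype:attempted-recon;)
misc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 162 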
(msg:"SNMP trap tcp"; reference:cve,CAN-2002-0012; reference:cve,CAN-2002-0013; sid:1420; rev:2; classtype:attempted-recon;) misc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 705 (msg:"SNMP AgentX/tcp request"; reference:cve,CAN-2002-0012; reference:cve,CAN-2002-0013; sid:1421; rev:2; classtype:attempted-recon;) misc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP PROTOS test-suite-req-app attempt"; content: "|30 26 02 01 00 04 06 70 75 62 6C 69 63 A0 19 02 01 00 02 01 00 02 01 00 30 0E 30 0C 06 08 2B 06 01 02 01 01 05 00 05 00|"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:1426; rev:3;) misc.rules: alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"SNMP PROTOS test-suite-trap-app attempt"; content:"|30 38 02 01 00 04 06 70 75 62 6C 69 63 A4 2B 06|"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:1427; rev:3;) netbios.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .eml"; content:"|00|E|00|M|00|L"; flags:A+; classtype:bad-unknown; reference:url,www.datafellows.com/v-descs/nimda.shtml; sid:1293; rev:6;) netbios.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .nws"; content:"|00|N|00|W|00|S"; flags:A+; classtype:bad-unknown; reference:url,www.datafellows.com/v-descs/nimda.shtml; sid:1294; rev:6;) netbios.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda RICHED20.DLL"; content:"R|00|I|00|C|00|H|00|E|00|D|00|2|00|0"; flags:A+; classtype:bad-unknown; reference:url,www.datafellows.com/v-descs/nimda.shtml; sid:1295; rev:6;) netbios.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS DOS RFPoison"; flags:A+; content: "|5C 00 5C 00 2A 00 53 00 4D 00 42 00 53 00 45 00 52 00 56 00 45 00 52 00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 00|";reference:arachnids,454; classtype:attempted-dos; sid:529; rev:5;) netbios.rules:alert tcp 
$EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS NT NULL session"; flags:A+; content: "|00 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 20 00 4E 00 54 00 20 00 31 00 33 00 38 00 31|"; reference:bugtraq,1163; reference:cve,CVE-2000-0347; reference:arachnids,204; classtype:attempted-recon; sid:530; rev:7;) netbios.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS RFParalyze Attempt"; flags:A+; content:"BEAVIS"; content:"yep yep"; classtype:attempted-recon; sid:1239; rev:5;) netbios.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ADMIN$access"; flags:A+; content:"\\ADMIN$|00 41 3a 00|"; reference:arachnids,340; classtype:attempted-admin; sid:532; rev:4;) netbios.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ access"; flags:A+; content: "|5c|C$|00 41 3a 00|";reference:arachnids,339; classtype:attempted-recon; sid:533; rev:5;) netbios.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CD.."; flags:A+; content:"\\..|2f 00 00 00|"; reference:arachnids,338; classtype:attempted-recon; sid:534; rev:4;) netbios.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CD..."; flags:A+; content:"\\...|00 00 00|"; reference:arachnids,337; classtype:attempted-recon; sid:535; rev:4;) netbios.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB D$access"; flags:A+; content:"\\D$|00 41 3a 00|"; reference:arachnids,336; classtype:attempted-recon; sid:536; rev:4;) netbios.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$access"; flags:A+; content:"\\IPC$|00 41 3a 00|"; reference:arachnids,335; classtype:attempted-recon; sid:537; rev:4;) netbios.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$access"; flags:A+; content:"|5c00|I|00|P|00|C|00|$|000000|IPC|00|"; reference:arachnids,334; classtype:attempted-recon; sid:538; rev:4;) netbios.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS Samba clientaccess"; 
flags:A+; content:"|00|Unix|00|Samba"; reference:arachnids,341; classtype:not-suspicious; sid:539; rev:4;) policy.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP anonymous login attempt"; content:"USER"; nocase; content:" anonymous|0D0A|"; nocase; flags:A+; classtype:misc-activity; sid:553; rev:4;) policy.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP anonymous (ftp) login attempt"; content:"USER"; nocase; content:" ftp|0D0A|"; nocase; flags:A+; classtype:misc-activity; sid:1449; rev:3;) policy.rules:alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"POLICY WinGate telnet server response"; content:"WinGate>"; flags:A+; reference:arachnids,366; reference:cve,CAN-1999-0657; classtype:misc-activity; sid:555; rev:4;) policy.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY VNC server response"; flags:A+; content:"RFB 003.003"; depth:12; classtype:misc-activity; sid:560; rev:4;) policy.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 5632 (msg:"POLICY PCAnywhere server response"; content:"ST"; depth: 2; reference:arachnids,239; classtype:misc-activity; sid:566; rev:3;) policy.rules:alert tcp $SMTP 25 -> $EXTERNAL_NET any (msg:"POLICY SMTP relaying denied"; flags:A+; content: "550 5.7.1"; depth:70; reference:url,mail-abuse.org/tsi/ar-fix.html; reference:arachnids,249; classtype:misc-activity; sid:567; rev:8;) policy.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 9100 (msg:"POLICY HP JetDirect LCD modification attempt"; flags:A+; content:"@PJL RDYMSG DISPLAY ="; classtype:misc-activity; reference:bugtraq,2245; reference:arachnids,302; sid:568; rev:5;) policy.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 9000:9002 (msg:"POLICY HP JetDirect LCD modification attempt"; flags:A+; content:"@PJL RDYMSG DISPLAY ="; classtype:misc-activity; reference:bugtraq,2245; reference:arachnids,302; sid:510; rev:5;) policy.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN chat access"; flags:A+; content:"text/plain"; 
depth:100; classtype:misc-activity; sid:540; rev:6;) policy.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CHAT ICQ access"; flags:A+; content: "User-Agent\:ICQ"; classtype:misc-activity; sid:541; rev:6;) policy.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC nick change"; flags:A+; content: "NICK "; offset:0; classtype:misc-activity; sid:542; rev:8;) policy.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC DCC file transfer request"; flags:A+; content:"PRIVMSG "; nocase; offset:0; content:" \:.DCC SEND"; nocase; classtype:misc-activity; sid:1639; rev:3;) policy.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC DCC chat request"; flags:A+; content:"PRIVMSG "; nocase; offset:0; content:" \:.DCC CHAT chat"; nocase; classtype:misc-activity; sid:1640; rev:3;) policy.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC channel join"; flags:A+; content:"JOIN \: \#"; nocase; offset:0; classtype:misc-activity; sid:1729; rev:2;) policy.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC message"; flags:A+; content:"PRIVMSG "; nocase; offset:0; classtype:misc-activity; sid:1463; rev:3;) policy.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC dns request"; flags:A+; content:"USERHOST "; nocase; offset:0; classtype:misc-activity; sid:1789; rev:1;) policy.rules:alert tcp $EXTERNAL_NET 6666:7000 -> $HOME_NET any (msg:"CHAT IRC dns response"; flags:A+; content:"\:"; offset:0; content:" 302 "; content:"=+"; classtype:misc-activity; sid:1790; rev:2;) policy.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 6666:7000 (msg:"CHAT IRC EXPLOIT topic overflow"; flags:A+; content:"|eb 4b 5b 53 32 e4 83 c3 0b 4b 88 23 b8 50 77|"; reference:cve,CVE-1999-0672; reference:bugtraq,573; classtype:attempted-user; sid:307; rev:5;) policy.rules:alert tcp any any -> any 6666:7000 (msg:"CHAT IRC EXPLOIT Ettercap parse overflow attempt"; flags:A+; content:"PRIVMSG 
nickserv IDENTIFY"; nocase; offset:0; dsize:>200; reference:url,www.bugtraq.org/dev/GOBBLES-12.txt; classtype:misc-attack; sid:1382; rev:5;) policy.rules:alert tcp $HOME_NET any -> [64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24] any (msg:"CHAT AIM login"; flags:A+; content:"|2a 01|"; offset:0; depth:2; classtype:policy-violation; sid:1631; rev:3;) policy.rules:alert tcp $HOME_NET any -> [64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24] any (msg:"CHAT AIM send message"; flags:A+; content:"|2a 02|"; offset:0; depth:2; content:"|00 04 00 06|"; offset:6; depth:4; classtype:policy-violation; sid:1632; rev:3;) policy.rules:alert tcp [64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24] any -> $HOME_NET any (msg:"CHAT AIM recieve message"; flags:A+; content:"|2a 02|"; offset:0; depth:2; content:"|00 04 00 07|"; offset:6; depth:4; classtype:policy-violation; sid:1633; rev:2;) policy.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MULTIMEDIA Quicktime User Agent access"; flags:A+; content:"User-Agent\: Quicktime"; classtype:policy-violation; sid:1436; rev:2;) policy.rules:alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Windows Media audio download"; flags:A+; content:"Content-type\: audio/x-ms-wma\r\n"; classtype:policy-violation; sid:1437; rev:2;) policy.rules:alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Windows Media Video download"; flags:A+; content:"Content-type\: video/x-ms-asf\r\n"; classtype:policy-violation; sid:1438; rev:2;) policy.rules:alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Shoutcast playlist redirection"; flags:A+; content:"Content-type\: audio/x-scpls\r\n"; classtype:policy-violation; sid:1439; rev:2;) policy.rules:alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Icecast playlist redirection"; flags:A+; content:"Content-type\: audio/x-mpegurl\r\n"; classtype:policy-violation; sid:1440; rev:2;) policy.rules:alert tcp $HOME_NET any -> 64.245.58.0/23 any 
(msg:"MULTIMEDIA audio galaxy keepalive"; flags:A+; content:"|45 5F 00 03 05|"; offset:0; depth:5; classtype:misc-activity; sid:1428; rev:3;) policy.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"P2P napster login"; flags:A+; content:"|00 0200|"; offset:1; depth:3; classtype:misc-activity; sid:549; rev:5;) policy.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"P2P napster new user login"; flags:A+; content:"|00 0600|"; offset:1; depth:3; classtype:misc-activity; sid:550; rev:5;) policy.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"P2P napster download attempt"; flags:A+; content:"|00 cb00|"; offset:1; depth:3; classtype:misc-activity; sid:551; rev:4;) policy.rules:alert tcp $EXTERNAL_NET 8888 -> $HOME_NET any (msg:"P2P napster upload request"; flags:A+; content:"|00 5f02|"; offset:1; depth:3; classtype:misc-activity; sid:552; rev:4;) policy.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET !80 (msg:"P2P GNUTella GET"; flags:A+; content:"GET "; offset:0; depth:4; classtype:misc-activity; sid:1432; rev:3;) policy.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Outbound GNUTella client request"; flags:A+; content:"GNUTELLA CONNECT"; depth:40; classtype:misc-activity; sid:556; rev:4;) policy.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P GNUTella client request"; flags:A+; content:"GNUTELLA OK"; depth:40; classtype:misc-activity; sid:557; rev:5;) policy.rules:alert tcp $HOME_NET any <> $EXTERNAL_NET 6699 (msg:"P2P Napster Client Data"; flags:A+; content:".mp3"; nocase; classtype:misc-activity; sid:561; rev:5;) policy.rules:alert tcp $HOME_NET any <> $EXTERNAL_NET 7777 (msg:"P2P Napster Client Data"; flags:A+; content:".mp3"; nocase; classtype:misc-activity; sid:562; rev:4;) policy.rules:alert tcp $HOME_NET any <> $EXTERNAL_NET 6666 (msg:"P2P Napster Client Data"; flags:A+; content:".mp3"; nocase; classtype:misc-activity; sid:563; rev:5;) policy.rules:alert tcp $HOME_NET any <> $EXTERNAL_NET 5555 (msg:"P2P Napster 
Client Data"; flags:A+; content:".mp3"; nocase; classtype:misc-activity; sid:564; rev:5;) policy.rules:alert tcp $HOME_NET any <> $EXTERNAL_NET 8875 (msg:"P2P Napster Server Login"; flags:A+; content:"anon@napster.com"; classtype:misc-activity; sid:565; rev:5;) policy.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 1214 (msg:"P2P Fastrack (kazaa/morpheus) GET request"; flags:A+; content:"GET "; depth:4; reference:url,www.musiccity.com/technology.htm; reference:url,www.kazaa.com; classtype:protocol-command-decode; sid:1383; rev:3;) policy.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 1214 (msg:"P2P Fastrack (kazaa/morpheus) traffic"; flags:A+; content:"X-Kazaa-Username"; reference:url,www.kazaa.com; classtype:protocol-command-decode; sid:1699; rev:2;) porn.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN free XXX"; content:"FREE XXX"; nocase; flags:A+; classtype:kickass-porn; sid:1310; rev:5;) porn.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN hardcore anal"; content:"hardcore anal"; nocase; flags:A+; classtype:kickass-porn; sid:1311; rev:5;) porn.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN nude cheerleader"; content:"nude cheerleader"; nocase; flags:A+; classtype:kickass-porn; sid:1312; rev:5;) porn.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN up skirt"; content:"up skirt"; nocase; flags:A+; classtype:kickass-porn; sid:1313; rev:5;) porn.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN young teen"; content:"young teen"; nocase; flags:A+; classtype:kickass-porn; sid:1314; rev:5;) porn.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN hot young sex"; content:"hot young sex"; nocase; flags:A+; classtype:kickass-porn; sid:1315; rev:5;) porn.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN fuck fuck fuck"; content:"fuck fuck fuck"; nocase; flags:A+; classtype:kickass-porn; sid:1316; rev:5;) porn.rules:alert tcp 
$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN anal sex"; content:"anal sex"; nocase; flags:A+; classtype:kickass-porn; sid:1317; rev:5;) porn.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN hardcore rape"; content:"hardcore rape"; nocase; flags:A+; classtype:kickass-porn; sid:1318; rev:5;) porn.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN real snuff"; content:"real snuff"; nocase; flags:A+; classtype:kickass-porn; sid:1319; rev:5;) porn.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN fuck movies"; content:"fuck movies"; nocase; flags:A+; classtype:kickass-porn; sid:1320; rev:5;) porn.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN dildo"; content:"dildo"; nocase; flags:A+; classtype:kickass-porn; sid:1781; rev:1;) porn.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN nipple clamp"; content:"nipple"; nocase; content:"clamp"; nocase; flags:A+; classtype:kickass-porn; sid:1782; rev:1;) porn.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN oral sex"; content:"oral sex"; nocase; flags:A+; classtype:kickass-porn; sid:1783; rev:1;) porn.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN nude celeb"; content:"nude celeb"; nocase; flags:A+; classtype:kickass-porn; sid:1784; rev:1;) porn.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN voyeur"; content:"voyeur"; nocase; flags:A+; classtype:kickass-porn; sid:1785; rev:1;) porn.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN raw sex"; content:"raw sex"; nocase; flags:A+; classtype:kickass-porn; sid:1786; rev:1;) porn.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN fetish"; content:"fetish"; nocase; flags:A+; classtype:kickass-porn; sid:1793; rev:1;) porn.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN masturbation"; content:"masturbat"; nocase; flags:A+; classtype:kickass-porn; 
sid:1794; rev:1;) porn.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN ejaculation"; content:"ejaculat"; nocase; flags:A+; classtype:kickass-porn; sid:1795; rev:1;) porn.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN virgin"; content:"virgin"; nocase; flags:A+; classtype:kickass-porn; sid:1796; rev:1;) porn.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN BDSM"; content:"BDSM"; nocase; flags:A+; classtype:kickass-porn; sid:1797; rev:1;) porn.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN erotica"; content:"erotic"; nocase; flags:A+; classtype:kickass-porn; sid:1798; rev:1;) porn.rules:alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN fisting"; content:"fisting"; nocase; flags:A+; classtype:kickass-porn; sid:1799; rev:1;) rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC snmpXdmi overflow attempt"; flags:A+; content:"|0000 0f9c|"; offset:0; depth:4; content:"|00018799|"; offset: 16; depth:4; reference:bugtraq,2417; reference:cve,CAN-2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:569; rev:5;) rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC EXPLOIT ttdbserv solaris overflow"; content: "|C0 22 3F FC A2 02 20 09 C0 2C 7F FF E2 22 3F F4|"; flags:A+; dsize: >999; reference:url,www.cert.org/advisories/CA-2001-27.html; reference:bugtraq,122; reference:cve,CVE-1999-0003; reference:arachnids,242; classtype:attempted-admin; sid:570; rev:5;) rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC EXPLOIT ttdbserv Solaris overflow"; flags:A+; dsize: >999; content: "|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|"; reference:url,www.cert.org/advisories/CA-2001-27.html; reference:bugtraq,122; reference:cve,CVE-1999-0003; reference:arachnids,242; classtype:attempted-admin; sid:571; rev:4;) rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC DOS ttdbserv 
solaris"; flags:A+; content: "|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|";offset: 16; depth: 32; reference:bugtraq,122; reference:arachnids,241; reference:cve,CVE-1999-0003; classtype:attempted-dos; sid:572; rev:4;) rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 634:1400 (msg:"RPC AMD Overflow"; flags:A+; content: "|80 00 04 2C 4C 15 75 5B 00 00 00 00 00 00 00 02|"; depth:32; reference:cve,CVE-1999-0704; reference:arachnids,217; classtype:attempted-admin; sid:573; rev:4;) rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 32771: (msg:"RPC NFS Showmount"; flags:A+; content: "|00 01 86 A5 00 00 00 01 00 00 00 05 00 00 00 01|"; offset: 16; depth: 32; reference:arachnids,26; classtype:attempted-recon; sid:574; rev:3;) rpc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC UDP cachefsd request"; content:"|01 87 8B 00 00|"; offset:40; depth:8; reference:cve,CAN-2002-0084; reference:bugtraq,4674; classtype:rpc-portmap-decode; sid:1746; rev:3;) rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC TCP cachefsd request"; flags:A+; content:"|01 87 8B 00 00|"; offset:40; depth:8; reference:cve,CAN-2002-0084; reference:bugtraq,4674; classtype:rpc-portmap-decode; sid:1747; rev:3;) rpc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC UDP rwalld request"; content:"|01 86 A8 00 00|"; offset:40; depth:8; classtype:rpc-portmap-decode; sid:1732; rev:2;) rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC TCP rwalld request"; flags:A+; content:"|01 86 A8 00 00|"; offset:40; depth:8; classtype:rpc-portmap-decode; sid:1733; rev:3;) rpc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request admind"; content:"|01 86 F7 00 00|";offset:40;depth:8; reference:arachnids,18; classtype:rpc-portmap-decode; sid:575; rev:2;) rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request admind"; flags:A+; content:"|01 86 F7 00 00|";offset:40;depth:8; reference:arachnids,18; classtype:rpc-portmap-decode; 
sid:1262; rev:4;) rpc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request amountd"; content:"|01 87 03 00 00|";offset:40;depth:8; reference:arachnids,19;classtype:rpc-portmap-decode; sid:576; rev:2;) rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request amountd"; content:"|01 87 03 00 00|";offset:40;depth:8; reference:arachnids,19; classtype:rpc-portmap-decode; flags:A+; sid:1263; rev:5;) rpc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request bootparam"; content:"|01 86 BA 00 00|";offset:40;depth:8; reference:cve,CAN-1999-0647; reference:arachnids,16; classtype:rpc-portmap-decode; sid:577; rev:3;) rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request bootparam"; content:"|01 86 BA 00 00|";offset:40;depth:8; reference:cve,CAN-1999-0647; reference:arachnids,16; classtype:rpc-portmap-decode; flags:A+; sid:1264; rev:5;) rpc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request cmsd"; content:"|01 86 E4 00 00|";offset:40;depth:8; reference:arachnids,17; classtype:rpc-portmap-decode; sid:578; rev:2;) rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request cmsd"; content:"|01 86 E4 00 00|";offset:40;depth:8; reference:arachnids,17; classtype:rpc-portmap-decode; flags:A+; sid:1265; rev:4;) rpc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request mountd"; content:"|01 86 A5 00 00|";offset:40;depth:8; reference:arachnids,13; classtype:rpc-portmap-decode; sid:579; rev:2;) rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request mountd"; content:"|01 86 A5 00 00|";offset:40;depth:8; reference:arachnids,13; classtype:rpc-portmap-decode; flags:A+; sid:1266; rev:4;) rpc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request nisd"; content:"|01 87 cc 00 00|";offset:40;depth:8; reference:arachnids,21; classtype:rpc-portmap-decode; sid:580; rev:2;) rpc.rules:alert 
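tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request nisd"; content:"|01 87 cc 00 00|";offset:40;depth:8; reference:arachnids,21; classtype:rpc-portmap-decode; flags:A+; sid:1267; rev:4;)
rpc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request pcnfsd"; content:"|02 49 f1 00 00|";offset:40;depth:8; reference:arachnids,22; classtype:rpc-portmap-decode; sid:581; rev:2;)
rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request pcnfsd"; content:"|02 49 f1 00 00|";offset:40;depth:8; reference:arachnids,22; classtype:rpc-portmap-decode; flags:A+; sid:1268; rev:4;)
rpc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request rexd";content:"|01 86 B1 00 00|";offset:40;depth:8; reference:arachnids,23; classtype:rpc-portmap-decode; sid:582; rev:2;)
rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request rexd";content:"|01 86 B1 00 00|";offset:40;depth:8; reference:arachnids,23; classtype:rpc-portmap-decode; flags:A+; sid:1269; rev:4;)
# sid:583 was the only udp "portmap request" rule without the offset:40;depth:8 anchor every sibling uses
# (presumably the GETPORT program argument, which sits at byte 40 of a call whose credentials and verifier are
# empty), so |01 86 A1 00 00| anywhere in a packet to 111 fired it. Anchored like sid:584; rev bumped.
# sid:1270 (tcp) is deliberately left unanchored. NOTE(review): the tcp twins in this group also use offset:40,
# but a tcp RPC call starts with a 4-byte record-marking header, which would push the argument past an
# offset:40/depth:8 window; confirm the tcp rules actually match before copying the anchor to them.
rpc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request rstatd"; content:"|01 86 A1 00 00|"; offset:40; depth:8; reference:arachnids,10; classtype:rpc-portmap-decode; sid:583; rev:4;)
rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request rstatd"; content: "|01 86 A1 00 00|"; reference:arachnids,10; classtype:rpc-portmap-decode; flags:A+; sid:1270; rev:5;)
rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request rusers"; content:"|01 86 A2 00 00|";offset:40;depth:8; reference:arachnids,133; reference:cve,CVE-1999-0626; classtype:rpc-portmap-decode; flags:A+; sid:1271; rev:5;)
rpc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request rusers"; content:"|01 86 A2 00 00|"; offset:40; depth:8; reference:cve,CVE-1999-0626; reference:arachnids,133; classtype:rpc-portmap-decode; sid:584; rev:3;)
rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap 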
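request sadmind"; content:"|01 87 88 00 00|";offset:40;depth:8; reference:arachnids,20; classtype:rpc-portmap-decode; flags:A+; sid:1272; rev:4;)
rpc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request sadmind"; content:"|01 87 88 00 00|";offset:40;depth:8; reference:arachnids,20; classtype:rpc-portmap-decode; sid:585; rev:2;)
rpc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request selection_svc"; content:"|01 86 AF 00 00|";offset:40;depth:8; reference:arachnids,25; classtype:rpc-portmap-decode; sid:586; rev:2;)
rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request selection_svc"; content:"|01 86 AF 00 00|";offset:40;depth:8; reference:arachnids,25; classtype:rpc-portmap-decode; flags:A+; sid:1273; rev:4;)
# "status" has only a udp rule; every other program in this group has a tcp twin.
rpc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request status"; content:"|01 86 B8 00 00|";offset:40;depth:8; reference:arachnids,15; classtype:rpc-portmap-decode; sid:587; rev:2;)
# sid:588/1274 cited CA-2001-05, which is the snmpXdmi advisory (the one sid:569/593/1279 reference). The ttdbserv
# overflow rules in this file (sid:570/571) and the CAN-2001-0717 reference point to CA-2001-27, the ToolTalk
# advisory; reference corrected, rev bumped. sid:1298/1299 (rpc:100083) target the same program as these two.
rpc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request ttdbserv"; content:"|01 86 F3 00 00|"; offset:40;depth:8; reference:cve,CVE-1999-0003; reference:cve,CVE-1999-0687; reference:cve,CAN-1999-1075; reference:cve,CAN-2001-0717; reference:url,www.cert.org/advisories/CA-2001-27.html; reference:bugtraq,122; reference:arachnids,24; classtype:rpc-portmap-decode; sid:588; rev:6;)
rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request ttdbserv"; content:"|01 86 F3 00 00|";offset:40;depth:8; reference:cve,CAN-2001-0717; reference:cve,CVE-1999-0003; reference:cve,CVE-1999-0687; reference:cve,CAN-1999-1075; reference:url,www.cert.org/advisories/CA-2001-27.html; reference:arachnids,24; classtype:rpc-portmap-decode; flags:A+; sid:1274; rev:7;)
rpc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswd"; content:"|01 86 A9 00 00|";offset:40;depth:8; reference:arachnids,14; classtype:rpc-portmap-decode; sid:589; 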
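rev:2;)
# sid:589/1275 match program 100009 (|01 86 A9|) by raw bytes; sid:1296/1297 below match the same program with
# rpc:100009 -- two rule pairs for one program, and the byte-based pair is the one that inspects the GETPORT argument.
rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswd"; content:"|01 86 A9 00 00|";offset:40;depth:8; reference:arachnids,14; classtype:rpc-portmap-decode; flags:A+; sid:1275; rev:4;)
rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request ypserv"; content:"|01 86 A4 00 00|";offset:40;depth:8; reference:arachnids,12; classtype:rpc-portmap-decode; flags:A+; sid:1276; rev:4;)
rpc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request ypserv"; content:"|01 86 A4 00 00|";offset:40;depth:8; reference:arachnids,12; classtype:rpc-portmap-decode; sid:590; rev:2;)
rpc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request ypupdated"; content:"|01 86 BC 00 00|";offset:40;depth:8; reference:arachnids,125; classtype:rpc-portmap-decode; sid:1277; rev:2;)
rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request ypupdated"; flags:A+; content:"|01 86 BC 00 00|";offset:40;depth:8; reference:arachnids,125; classtype:rpc-portmap-decode; sid:591; rev:5;)
rpc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query"; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|";offset:5; reference:arachnids,9;classtype:attempted-recon; sid:592; rev:2;)
rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query"; flags:A+; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|";offset:5; reference:arachnids,9;classtype:attempted-recon; sid:1278; rev:3;)
# sid:1298/1299 cited CA-2001-05, the snmpXdmi advisory (see sid:569/593/1279); the ToolTalk advisory that the
# CAN-2001-0717 reference and the ttdbserv rules sid:570/571 point to is CA-2001-27. Corrected, rev bumped.
# NOTE(review): the rpc keyword appears to decode the program field of the call itself (sid:596 uses rpc:100000 for
# the portmapper, matching the raw |00 01 86 A0| in sid:598). A portmap GETPORT for ToolTalk sent to 111 is a call
# to program 100000 with 100083 as its argument, so confirm rpc:100083 on port 111 matches anything besides a direct
# call to the ToolTalk program on that port; sid:588/1274 are the rules that look at the argument bytes.
rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request tooltalk"; flags:A+; rpc:100083,*,*; reference:cve,CAN-2001-0717; reference:cve,CVE-1999-0003; reference:cve,CVE-1999-0687; reference:cve,CAN-1999-1075; reference:url,www.cert.org/advisories/CA-2001-27.html; classtype:rpc-portmap-decode; sid:1298; rev:8;)
rpc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request tooltalk"; rpc:100083,*,*; reference:cve,CAN-2001-0717; reference:cve,CVE-1999-0003; reference:cve,CVE-1999-0687; reference:cve,CAN-1999-1075; reference:url,www.cert.org/advisories/CA-2001-27.html; classtype:rpc-portmap-decode; sid:1299; rev:6;)
rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC tcp portmap request snmpXdmi"; content:"|01 87 99 00 00|"; offset:40; depth:8; flags:A+; reference:cve,CAN-2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; reference:bugtraq,2417; classtype:rpc-portmap-decode; sid:593; rev:8;)
rpc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC udp portmap request snmpXdmi"; content:"|01 87 99 00 00|"; offset:40; depth:8; reference:cve,CAN-2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; reference:bugtraq,2417; classtype:rpc-portmap-decode; sid:1279; rev:4;)
# Same caveat as sid:1298/1299: rpc:<program> on port 111 matches the call's own program field, not a GETPORT argument.
rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request espd"; rpc:391029,*,*; flags:A+; reference:cve,CAN-2001-0331; classtype:rpc-portmap-decode; sid:595; rev:6;)
rpc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswdd"; rpc:100009,*,*; reference:bugtraq,2763; classtype:rpc-portmap-decode; sid:1296; rev:3;)
rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswdd"; rpc:100009,*,*; flags:A+; reference:bugtraq,2763; classtype:rpc-portmap-decode; sid:1297; rev:6;)
# sid:596/597: "listing" is the portmapper DUMP procedure, which the byte-pattern twins sid:598/599/1280/1281 pin as
# |00 01 86 A0 00 00 00 02 00 00 00 04| = program 100000, version 2, procedure 4. With rpc: 100000,*,* these two
# fired on every portmapper call, including each GETPORT the other "portmap request" rules already report.
# Procedure restricted to 4 (version left as * so rpcbind v3/v4 dumps are still seen); rev bumped.
rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing"; flags:A+; rpc:100000,*,4; reference:arachnids,429; classtype:rpc-portmap-decode; sid:596; rev:5;)
rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing"; flags:A+; rpc:100000,*,4; reference:arachnids,429; classtype:rpc-portmap-decode; sid:597; rev:5;)
rpc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing"; content: "|00 01 86 A0 00 00 00 02 00 00 00 04|"; reference:arachnids,429; classtype:rpc-portmap-decode; sid:1280; rev:2;)
rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC 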
portmap listing"; flags:A+; content: "|00 01 86 A0 00 00 00 02 00 00 00 04|"; reference:arachnids,429; classtype:rpc-portmap-decode; sid:598; rev:5;)
rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing"; flags:A+; content: "|00 01 86 A0 00 00 00 02 00 00 00 04|"; reference:arachnids,429; classtype:rpc-portmap-decode; sid:599; rev:5;)
rpc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing"; content: "|00 01 86 A0 00 00 00 02 00 00 00 04|"; reference:arachnids,429; classtype:rpc-portmap-decode; sid:1281; rev:2;)
# statdx: matched on the "/bin/sh" string split by three embedded bytes, on ANY destination port
# (no port or offset anchoring), so it is searched in every inbound TCP/UDP payload. attempted-admin.
rpc.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC EXPLOIT statdx"; flags:A+; content: "/bin|c74604|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:600; rev:3;)
rpc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC EXPLOIT statdx"; content: "/bin|c74604|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:1282; rev:1;)
# rusers query: same shape as the rstatd rules, program number 100002 (|00 01 86 A2|) at offset 5; UDP only here.
rpc.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rusers query"; content:"|0000000000000002000186A2|"; offset:5; reference:cve,CVE-1999-0626; reference:arachnids,136; classtype:attempted-recon; sid:612; rev:1;)
# r-services, client -> rlogin (513). The NUL-delimited "name|00|name|00|" strings are presumably the
# rlogin user fields -- confirm against the protocol. Note sid:604 is labelled "rsh froot" although it
# watches port 513 (rlogin); its 514 twin is sid:609. sid:603's "echo + +" pattern contains extra spaces
# (|22| + + |22|) compared with the rsh variant sid:608 (|22|+ +|22|), and is rated bad-unknown rather
# than attempted-user -- the two are not interchangeable.
rservices.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"RSERVICES rlogin LinuxNIS"; flags:A+; content:"|3a3a 3a3a 3a3a 3a3a 003a 3a3a 3a3a 3a3a 3a|"; classtype:bad-unknown; sid:601; rev:4;)
rservices.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"RSERVICES rlogin bin"; flags:A+; content:"bin|00|bin|00|"; reference:arachnids,384; classtype:attempted-user; sid:602; rev:4;)
rservices.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"RSERVICES rlogin echo++"; flags:A+; content:"echo |22| + + |22|"; reference:arachnids,385; classtype:bad-unknown; sid:603; rev:4;)
rservices.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"RSERVICES rsh froot"; flags:A+; content:"-froot|00|"; reference:arachnids,386; classtype:attempted-admin; sid:604; rev:4;)
rservices.rules:alert tcp $HOME_NET 513 -> 
$EXTERNAL_NET any (msg:"RSERVICES rlogin login failure"; flags:A+; content: "|01|rlogind|3a| Permission denied."; reference:arachnids,392; classtype:unsuccessful-user; sid:611; rev:5;)
# Server -> client direction ($HOME_NET 513 -> $EXTERNAL_NET): these match the rejection text the
# server sends back, so they mark a failed attempt (unsuccessful-user), not a compromise. Useful for
# counting brute-force attempts per source when paired with the request-side rules below.
rservices.rules:alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"RSERVICES rlogin login failure"; flags:A+; content:"login incorrect"; reference:arachnids,393; classtype:unsuccessful-user; sid:605; rev:5;)
rservices.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"RSERVICES rlogin root"; flags:A+; content:"root|00|root|00|"; reference:arachnids,389; classtype:attempted-admin; sid:606; rev:4;)
# rsh (514) twins of the rlogin rules; same NUL-delimited user-field patterns.
rservices.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"RSERVICES rsh bin"; flags:A+; content: "bin|00|bin|00|"; reference:arachnids,390; classtype:attempted-user; sid:607; rev:4;)
rservices.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"RSERVICES rsh echo + +"; flags:A+; content: "echo |22|+ +|22|"; reference:arachnids,388; classtype:attempted-user; sid:608; rev:4;)
rservices.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"RSERVICES rsh froot"; flags:A+; content:"-froot|00|"; reference:arachnids,387; classtype:attempted-admin; sid:609; rev:4;)
rservices.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"RSERVICES rsh root"; flags:A+; content: "root|00|root|00|"; reference:arachnids,391; classtype:attempted-admin; sid:610; rev:4;)
# Scanner fingerprints. sid:613 is header-only (source port 10101, TTL above 220, ACK number 0, SYN
# exactly) with no payload check; sid:616 looks for "VERSION\n" within the first 16 bytes to ident (113).
scan.rules:alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:"SCAN myscan"; ttl: >220; ack: 0; flags: S;reference:arachnids,439; classtype:attempted-recon; sid:613; rev:1;)
scan.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"SCAN ident version request"; flags:A+; content: "VERSION|0A|"; depth: 16;reference:arachnids,303; classtype:attempted-recon; sid:616; rev:3;)
# sid:617 is shipped disabled (leading '#'); it would match a fixed 16-byte prefix on SSH (22).
scan.rules:# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SCAN ssh-research-scanner"; flags:A+; content:"|00 00 00 60 00 00 00 00 00 00 00 00 01 00 00 00|"; classtype:attempted-recon; sid:617; rev:2;)
scan.rules:alert tcp $EXTERNAL_NET any -> 
$HOME_NET 80 (msg:"SCAN cybercop os probe"; flags: SF12; dsize: 0; reference:arachnids,146; classtype:attempted-recon; sid:619; rev:1;)
# Proxy-port probes: plain SYN (flags:S, exact) to 3128 / 1080 / 8080. These fire once per connection
# attempt, so where a proxy on those ports is legitimately reachable they are noisy; threshold or
# restrict $HOME_NET accordingly. The parentheses in sid:620's msg are backslash-escaped.
scan.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"SCAN Squid Proxy attempt"; flags:S; classtype:attempted-recon; sid:618; rev:2;)
scan.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"SCAN SOCKS Proxy attempt"; flags:S; reference:url,help.undernet.org/proxyscan/; classtype:attempted-recon; sid:615; rev:3;)
scan.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SCAN Proxy \(8080\) attempt"; flags:S; classtype:attempted-recon; sid:620; rev:2;)
# Stateless TCP-flag anomaly rules on any port. Without a '+' or '*' modifier the flags value is an
# exact match (e.g. flags:F = FIN and nothing else; flags:0 = no flags set); '1' and '2' name the
# reserved bits. sid:622 additionally pins the ipEye sequence number, sid:628 ACK-without-ack-number.
scan.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN FIN"; flags: F; reference:arachnids,27; classtype:attempted-recon; sid:621; rev:1;)
scan.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN ipEye SYN scan"; flags:S; seq:1958810375; reference:arachnids,236; classtype:attempted-recon; sid:622; rev:2;)
scan.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN NULL";flags:0; seq:0; ack:0; reference:arachnids,4; classtype:attempted-recon; sid:623; rev:1;)
scan.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN";flags:SF; reference:arachnids,198; classtype:attempted-recon; sid:624; rev:1;)
scan.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN XMAS";flags:SRAFPU; reference:arachnids,144; classtype:attempted-recon; sid:625; rev:1;)
scan.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap XMAS";flags:FPU; reference:arachnids,30; classtype:attempted-recon; sid:1228; rev:1;)
scan.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap TCP";flags:A;ack:0; reference:arachnids,28; classtype:attempted-recon; sid:628; rev:1;)
# NOTE(review): the arachnids id is written with a leading zero (05); sid:716 does the same (08).
# Verify the reference lookup still resolves with that formatting.
scan.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap fingerprint attempt";flags:SFPU; reference:arachnids,05; classtype:attempted-recon; sid:629; rev:1;)
scan.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN synscan portscan"; id: 
39426; flags: SF;reference:arachnids,441; classtype:attempted-recon; sid:630; rev:1;)
# Cybercop OS-probe signatures: a 16-byte run of 'A' in the first 16 payload bytes combined with an
# unusual flag set (PUSH+ACK+reserved bits, or SYN+FIN+URG+reserved bits with ACK number 0).
scan.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN cybercop os PA12 attempt"; content:"AAAAAAAAAAAAAAAA"; depth:16; flags:PA12; reference:arachnids,149; classtype:attempted-recon; sid:626; rev:2;)
scan.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN cybercop os SFU12 probe"; content: "AAAAAAAAAAAAAAAA"; depth:16; flags: SFU12; ack: 0; reference:arachnids,150; classtype:attempted-recon; sid:627; rev:2;)
# UDP service probes. sid:634 matches the bare word "Amanda" (case-insensitive) on the Amanda port
# range, which legitimate Amanda clients also send -- expect hits from real backup traffic.
scan.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 10080:10081 (msg:"SCAN Amanda client version request"; content:"Amanda"; nocase; classtype:attempted-recon; sid:634; rev:2;)
scan.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 49 (msg:"SCAN XTACACS logout"; content: "|8007 0000 0700 0004 0000 0000 00|";reference:arachnids,408; classtype:bad-unknown; sid:635; rev:1;)
scan.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 7 (msg:"SCAN cybercop udp bomb"; content:"cybercop"; reference:arachnids,363; classtype:bad-unknown; sid:636; rev:1;)
scan.rules:alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN Webtrends Scanner UDP Probe"; content: "|0A|help|0A|quite|0A|"; reference:arachnids,308; classtype:attempted-recon; sid:637; rev:2;)
# Shellcode rules use protocol "ip" (any transport) and the $SHELLCODE_PORTS variable from the
# configuration to limit where they are searched. The x86 syscall stubs are only 4 bytes long
# (|b0b5 cd80|, |b017 cd80|) and can occur by chance in ordinary binary payloads, so the port
# variable is the main false-positive control. classtype system-call-detect.
shellcode.rules:alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"SHELLCODE sparc setuid 0"; content: "|82102017 91d02008|"; reference:arachnids,282; classtype:system-call-detect; sid:647; rev:3;)
shellcode.rules:alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"SHELLCODE x86 setgid 0"; content: "|b0b5 cd80|"; reference:arachnids,284; classtype:system-call-detect; sid:649; rev:5;)
shellcode.rules:alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"SHELLCODE x86 setuid 0"; content: "|b017 cd80|"; reference:arachnids,436; classtype:system-call-detect; sid:650; rev:5;)
shellcode.rules:alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"SHELLCODE SGI NOOP"; content:"|03e0 f825 03e0 
f825 03e0 f825 03e0 f825|"; reference:arachnids,356; classtype:shellcode-detect; sid:638; rev:3;)
# Per-architecture NOP-sled signatures (SGI/MIPS, AIX, Digital Unix/Alpha, HP-UX, SPARC): each looks
# for one 4-byte no-op instruction repeated four times (16 bytes). None of these sets depth, so the
# whole payload of every packet to $SHELLCODE_PORTS is searched. classtype shellcode-detect.
shellcode.rules:alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"SHELLCODE SGI NOOP"; content:"|240f 1234 240f 1234 240f 1234 240f 1234|"; reference:arachnids,357; classtype:shellcode-detect; sid:639; rev:3;)
shellcode.rules:alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"SHELLCODE aix NOOP"; content:"|4fff fb82 4fff fb82 4fff fb82 4fff fb82|"; classtype:shellcode-detect; sid:640; rev:3;)
shellcode.rules:alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"SHELLCODE digital unix NOOP"; content:"|47 ff 04 1f 47 ff 04 1f 47 ff 04 1f 47 ff 04 1f|"; reference:arachnids,352; classtype:shellcode-detect; sid:641; rev:3;)
shellcode.rules:alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"SHELLCODE hpux NOOP"; content:"|0821 0280 0821 0280 0821 0280 0821 0280|"; reference:arachnids,358; classtype:shellcode-detect; sid:642; rev:3;)
shellcode.rules:alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"SHELLCODE hpux NOOP"; content:"|0b39 0280 0b39 0280 0b39 0280 0b39 0280|";reference:arachnids,359; classtype:shellcode-detect; sid:643; rev:3;)
shellcode.rules:alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"SHELLCODE sparc NOOP"; content:"|13c0 1ca6 13c0 1ca6 13c0 1ca6 13c0 1ca6|"; reference:arachnids,345; classtype:shellcode-detect; sid:644; rev:3;)
shellcode.rules:alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"SHELLCODE sparc NOOP"; content:"|801c 4011 801c 4011 801c 4011 801c 4011|"; reference:arachnids,353; classtype:shellcode-detect; sid:645; rev:3;)
shellcode.rules:alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"SHELLCODE sparc NOOP"; content:"|a61c c013 a61c c013 a61c c013 a61c c013|"; reference:arachnids,355; classtype:shellcode-detect; sid:646; rev:3;)
shellcode.rules:alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"SHELLCODE x86 NOOP"; content: "|90 90 
90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth: 128; reference:arachnids,181; classtype:shellcode-detect; sid:648; rev:5;)
# x86 sled variants. sid:648 is the only sled rule with depth (first 128 bytes only); the others search
# the whole payload. sid:1390 (0x43 = 'C' x24) and sid:1394 (0x61 = 'a' x21) are runs of printable
# ASCII and will also match ordinary text containing those repeated letters, so expect false positives
# on text protocols inside $SHELLCODE_PORTS. sid:652 requires the literal "/bin/sh" after the stub.
shellcode.rules:alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"SHELLCODE x86 stealth NOOP"; content: "|eb 02 eb 02 eb 02|"; reference:arachnids,291; classtype:shellcode-detect; sid:651; rev:5;)
shellcode.rules:alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"SHELLCODE x86 unicode NOOP"; content: "|90009000900090009000|"; classtype:shellcode-detect; sid:653; rev:5;)
shellcode.rules:alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"SHELLCODE linux shellcode"; content:"|90 90 90 e8 c0 ff ff ff|/bin/sh"; reference:arachnids,343; classtype:shellcode-detect; sid:652; rev:5;)
shellcode.rules:alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"SHELLCODE x86 inc ebx NOOP"; content:"|43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43|"; classtype:shellcode-detect; sid:1390; rev:3;)
shellcode.rules:alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"SHELLCODE x86 NOOP"; content:"|61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61 61|"; classtype:shellcode-detect; sid:1394; rev:3;)
shellcode.rules:alert ip $EXTERNAL_NET any -> $HOME_NET $SHELLCODE_PORTS (msg:"SHELLCODE x86 EB OC NOOP"; content:"|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C|"; classtype:shellcode-detect; sid:1424; rev:4;)
# SMTP, client -> $SMTP:25. sid:654 pairs a case-insensitive "rcpt to:" with dsize:>800; dsize is the
# size of a single packet's payload, so an oversized command spread over several segments is not
# seen by this rule. sid:655 is unusual in keying on source port 113 (ident) as the sender.
smtp.rules:alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP RCPT TO overflow"; flags:A+; content:"rcpt to|3a|"; nocase; dsize:>800; reference:cve,CAN-2001-0260; reference:bugtraq,2283; classtype:attempted-admin; sid:654; rev:5;)
smtp.rules:alert tcp $EXTERNAL_NET 113 -> $SMTP 25 (msg:"SMTP sendmail 8.6.9 exploit"; flags:A+; content:"|0a|D/"; reference:arachnids,140; reference:cve,CVE-1999-0204; classtype:attempted-admin; sid:655; rev:3;)
smtp.rules:alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP EXPLOIT x86 windows CSMMail overflow"; flags:A+; content:"|eb53 eb20 5bfc 33c9 
b182 8bf3 802b|"; reference:bugtraq,895; reference:cve,CVE-2000-0042; classtype:attempted-admin; sid:656; rev:4;)
# sid:657 is shipped disabled (leading '#'): a "HELP " verb in the first 5 bytes with dsize over 500.
smtp.rules:# alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP chameleon overflow"; content: "HELP "; nocase; flags:A+; dsize: >500; depth: 5; reference:bugtraq,2387; reference:arachnids,266; reference:cve,CAN-1999-0261; classtype:attempted-admin; sid:657; rev:5;)
# |63 68 61 72 73 65 74 20 3D 20 22 22| is the ASCII text 'charset = ""' (an empty MIME charset), no nocase.
smtp.rules:alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP exchange mime DOS"; flags:A+; content:"|63 68 61 72 73 65 74 20 3D 20 22 22|"; classtype:attempted-dos; sid:658; rev:3;)
# EXPN-based account enumeration. These match the string anywhere in the client stream (no offset or
# depth), so a message body quoting "expn root" fires too. Disabling EXPN/VRFY on the MTA removes the
# exposure; the alerts then only confirm that someone tried.
smtp.rules:alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP expn decode"; flags:A+; content:"expn decode"; nocase; reference:arachnids,32; classtype:attempted-recon; sid:659; rev:3;)
smtp.rules:alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP expn root"; flags:A+; content:"expn root"; nocase; reference:arachnids,31; classtype:attempted-recon; sid:660; rev:4;)
smtp.rules:alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP expn *@"; flags:A+; content:"expn *@"; nocase; reference:cve,CAN-1999-1200; classtype:misc-attack; sid:1450; rev:2;)
# Historic sendmail/majordomo command-injection signatures: each keys on a shell metacharacter or
# program path embedded in an envelope command ("mail from:|", "|sed ...", "Croot ... Mprog"). The
# |3a|/|7c| hex escapes stand for ':' and '|' respectively.
smtp.rules:alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP majordomo ifs"; flags:A+; content:"eply-to|3a| a~.`/bin/"; reference:cve,CVE-1999-0208; reference:arachnids,143; classtype:attempted-admin; sid:661; rev:3;)
smtp.rules:alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP sendmail 5.5.5 exploit"; flags:A+; content:"mail from|3a20227c|"; nocase; reference:arachnids,119; classtype:attempted-admin; sid:662; rev:3;)
smtp.rules:alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP sendmail 5.5.8 overflow"; flags:A+; content: "|7c 73 65 64 20 2d 65 20 27 31 2c 2f 5e 24 2f 27|"; reference:arachnids,172; reference:cve,CVE-1999-0095; classtype:attempted-admin; sid:663; rev:3;)
smtp.rules:alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP sendmail 5.6.4 exploit"; flags:A+; content:"rcpt to|3a| decode"; nocase; reference:arachnids,121; classtype:attempted-admin; sid:664; rev:4;) 
# More sendmail signatures. NOTE(review): sid:669/670/671 carry msg "sendmail 8.6.9 exploit" with
# classtype attempted-user, while sid:655 (same msg, same CVE-1999-0204) is attempted-admin -- align
# the severity so downstream prioritisation treats the same exploit consistently.
smtp.rules:alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP sendmail 5.6.5 exploit"; flags:A+; content:"MAIL FROM|3a207c|/usr/ucb/tail"; nocase; reference:arachnids,122; classtype:attempted-user; sid:665; rev:3;)
smtp.rules:alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP sendmail 8.4.1 exploit"; flags:A+; content:"rcpt to|3a207c| sed '1,/^$/d'|7c|"; nocase;reference:arachnids,120; classtype:attempted-user; sid:666; rev:3;)
smtp.rules:alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP sendmail 8.6.10 exploit"; flags:A+; content:"Croot|0d0a|Mprog, P=/bin/"; reference:arachnids,123; classtype:attempted-user; sid:667; rev:3;)
smtp.rules:alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP sendmail 8.6.10 exploit"; flags:A+; content:"Croot|09090909090909|Mprog,P=/bin"; reference:arachnids,124; classtype:attempted-user; sid:668; rev:3;)
smtp.rules:alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP sendmail 8.6.9 exploit"; flags:A+; content:"|0a|Croot|0a|Mprog";reference:arachnids,142; reference:cve,CVE-1999-0204; classtype:attempted-user; sid:669; rev:3;)
smtp.rules:alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP sendmail 8.6.9 exploit"; flags:A+; content:"|0a|C|3a|daemon|0a|R"; reference:cve,CVE-1999-0204; reference:arachnids,139; classtype:attempted-user; sid:670; rev:3;)
smtp.rules:alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP sendmail 8.6.9c exploit"; flags:A+; content:"|0a|Croot|0d0a|Mprog"; reference:arachnids,141; reference:cve,CVE-1999-0204; classtype:attempted-user; sid:671; rev:3;)
# VRFY enumeration, same caveats as the expn rules: unanchored, case-insensitive, attempted-recon.
smtp.rules:alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP vrfy decode"; flags:A+; content:"vrfy decode"; nocase; reference:arachnids,373; classtype:attempted-recon; sid:672; rev:2;)
smtp.rules:alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP vrfy root"; flags:A+; content:"vrfy root"; nocase; classtype:attempted-recon; sid:1446; rev:2;)
# Cybercop scanner fingerprint: "ehlo cybercop" immediately followed by "quit" (case-sensitive).
smtp.rules:alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP ehlo cybercop attempt"; flags:A+; content:"ehlo cybercop|0a|quit|0a|"; 
reference:arachnids,372; classtype:protocol-command-decode; sid:631; rev:4;)
smtp.rules:alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP expn cybercop attempt"; flags:A+; content:"expn cybercop"; reference:arachnids,371; classtype:protocol-command-decode; sid:632; rev:4;)
# Long-argument overflow attempts: the verb must sit in the first 5 payload bytes (offset:0; depth:5)
# and the packet payload must exceed 500 bytes. Both are single-packet checks (dsize), so a command
# that arrives in several small segments is not caught by these rules.
smtp.rules:alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP HELO overflow attempt"; flags:A+; dsize:>500; content:"HELO "; offset:0; depth:5; reference:cve,CVE-2000-0042; classtype:attempted-admin; sid:1549; rev:5;)
smtp.rules:alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP ETRN overflow attempt"; flags:A+; dsize:>500; content:"ETRN "; offset:0; depth:5; reference:cve,CAN-2000-0490; classtype:attempted-admin; sid:1550; rev:3;)
# MS-SQL over SMB named pipes ($SQL_SERVERS 139). The procedure names are written as UTF-16LE
# (each character followed by |00|) with nocase. Anchoring is inconsistent within the family:
# sid:676 and sid:679 require the name inside bytes 32..63 (offset:32; depth:32), whereas sid:677
# and sid:678 search the whole payload. NOTE(review): sid:678's pattern stops at "sp_delete_ale"
# while its 1433 twin sid:684 spells out "sp_delete_alert" -- confirm the truncation is intended.
sql.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB sp_start_job - program execution"; content: "s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; nocase; flags:A+; offset: 32; depth: 32; classtype:attempted-user; sid:676; rev:4;)
sql.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB sp_password password change"; content: "s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|"; nocase; flags:A+; classtype:attempted-user; sid:677; rev:5;)
sql.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB sp_delete_alert log file deletion"; content: "s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|"; nocase; flags:A+; classtype:attempted-user; sid:678; rev:5;)
sql.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB sp_adduser database user creation"; content: "s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|"; nocase; flags:A+; offset:32; depth:32; classtype:attempted-user; sid:679; rev:4;)
# "possible buffer overflow" rules in this family match any invocation of the named extended
# procedure (offset:32 onward, no length check), not an overflow as such; legitimate use fires them too.
sql.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_enumresultset possible buffer overflow"; content: "x|00|p|00|_|00|e|00|n|00|u|00|m|00|r|00|e|00|s|00|u|00|l|00|t|00|s|00|e|00|t|00|"; nocase; flags:A+; offset:32; reference:bugtraq,2031; 
reference:cve,CAN-2000-1082; classtype:attempted-user; sid:708; rev:5;)
# Extended-procedure name matches over SMB (139), UTF-16LE with nocase, searched from byte 32 on.
# These alert on every call of the procedure, so a baseline of normal administrative use is needed
# before treating a hit as an attack; xp_cmdshell (sid:681) and xp_reg* (sid:689) are the ones that
# most directly indicate OS-level access from inside the database.
sql.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB raiserror possible buffer overflow"; content:"r|00|a|00|i|00|s|00|e|00|r|00|r|00|o|00|r|00|"; nocase; flags:A+; offset: 32; reference:bugtraq,3733; classtype:attempted-user; sid:1386; rev:4;)
sql.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_displayparamstmt possible buffer overflow"; content: "x|00|p|00|_|00|d|00|i|00|s|00|p|00|l|00|a|00|y|00|p|00|a|00|r|00|a|00|m|00|s|00|t|00|m|00|t|00|"; nocase; flags:A+; offset:32; reference:bugtraq,2030; reference:cve,CAN-2000-1081; classtype:attempted-user; sid:702; rev:5;)
sql.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_setsqlsecurity possible buffer overflow"; content: "x|00|p|00|_|00|s|00|e|00|t|00|s|00|q|00|l|00|s|00|e|00|c|00|u|00|r|00|i|00|t|00|y|00|"; nocase; flags:A+; offset:32; classtype:attempted-user; reference:bugtraq,2043; sid:703; rev:5;)
sql.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_cmdshell program execution"; content: "x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; flags:A+; offset:32; classtype:attempted-user; sid:681; rev:4;)
# The xp_reg prefix alone is matched here, so every xp_reg* procedure is covered by one rule (bytes 32..63 only).
sql.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_reg* registry access"; content: "x|00|p|00|_|00|r|00|e|00|g|00|"; nocase; flags:A+; offset:32; depth:32; classtype:attempted-user; sid:689; rev:4;)
sql.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_printstatements possible buffer overflow"; content: "x|00|p|00|_|00|p|00|r|00|i|00|n|00|t|00|s|00|t|00|a|00|t|00|e|00|m|00|e|00|n|00|t|00|s|00|"; nocase; flags:A+; offset:32; reference:bugtraq,2041; reference:cve,CAN-2000-1086; classtype:attempted-user; sid:690; rev:4;)
# Raw shellcode byte sequence seen in SQL-over-SMB traffic; no offset, whole payload searched.
sql.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB shellcode attempt"; content: "|3920d0009201c200520055003920ec00|"; flags:A+; 
classtype:shellcode-detect; sid:692; rev:4;)
# NOTE(review): sid:694 is a second "MS-SQL/SMB shellcode attempt" but is rated attempted-user, while
# sid:692 above and both 1433 counterparts (sid:691/693) are shellcode-detect -- align the classtype.
sql.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB shellcode attempt"; content: "|4800250078007700900090009000900090003300c000500068002e00|"; flags:A+; classtype:attempted-user; sid:694; rev:4;)
# Remaining SMB (139) extended-procedure rules: UTF-16LE name, nocase, offset:32, no depth.
# sid:696 (xp_showcolv) carries only a bugtraq reference here; its 1433 twin sid:705 also lists CAN-2000-1083.
sql.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_sprintf possible buffer overflow"; content: "x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; nocase; flags:A+; offset: 32; reference:bugtraq,1204; classtype:attempted-user; sid:695; rev:5;)
sql.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_showcolv possible buffer overflow"; content: "x|00|p|00|_|00|s|00|h|00|o|00|w|00|c|00|o|00|l|00|v|00|"; nocase; flags:A+; offset:32; reference:bugtraq,2038; classtype:attempted-user; sid:696; rev:5;)
sql.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_peekqueue possible buffer overflow"; content: "x|00|p|00|_|00|p|00|e|00|e|00|k|00|q|00|u|00|e|00|u|00|e|00|"; nocase; flags:A+; offset:32; reference:bugtraq,2040; reference:cve,CAN-2000-1085; classtype:attempted-user; sid:697; rev:5;)
sql.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_proxiedmetadata possible buffer overflow"; content: "x|00|p|00|_|00|p|00|r|00|o|00|x|00|i|00|e|00|d|00|m|00|e|00|t|00|a|00|d|00|a|00|t|00|a|00|"; nocase; flags:A+; offset:32; reference:bugtraq,2042; reference:cve,CAN-2000-1087; classtype:attempted-user; sid:698; rev:5;)
sql.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_updatecolvbm possible buffer overflow"; content: "x|00|p|00|_|00|u|00|p|00|d|00|a|00|t|00|e|00|c|00|o|00|l|00|v|00|b|00|m|00|"; nocase; flags:A+; offset:32; reference:bugtraq,2039; reference:cve,CAN-2000-1084; classtype:attempted-user; sid:700; rev:5;)
# Direct TDS ($SQL_SERVERS 1433) variants of the same procedure names. Unlike the SMB rules above,
# none of the 1433 rules use offset/depth, so the name is searched anywhere in the payload.
sql.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL sp_start_job - program execution"; content: "s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; nocase; 
flags:A+; classtype:attempted-user; sid:673; rev:4;)
# NOTE(review): sid:674's pattern ends in a bare "t" without the trailing |00| that every other UTF-16LE
# name in this file carries (compare sid:702 for the same procedure on 139). It still matches, but the
# inconsistency suggests a typo; confirm before relying on it.
sql.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_displayparamstmt possible buffer overflow"; content: "x|00|p|00|_|00|d|00|i|00|s|00|p|00|l|00|a|00|y|00|p|00|a|00|r|00|a|00|m|00|s|00|t|00|m|00|t"; nocase; flags:A+; reference:bugtraq,2030; reference:cve,CAN-2000-1081; classtype:attempted-user; sid:674; rev:4;)
sql.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_setsqlsecurity possible buffer overflow"; content: "x|00|p|00|_|00|s|00|e|00|t|00|s|00|q|00|l|00|s|00|e|00|c|00|u|00|r|00|i|00|t|00|y|00|"; nocase; flags:A+; reference:bugtraq,2043; classtype:attempted-user; sid:675; rev:5;)
# sid:682 has no references, while its SMB twin sid:708 cites bugtraq,2031 and CAN-2000-1082.
sql.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_enumresultset possible buffer overflow"; content: "x|00|p|00|_|00|e|00|n|00|u|00|m|00|r|00|e|00|s|00|u|00|l|00|t|00|s|00|e|00|t|00|"; nocase; flags:A+; classtype:attempted-user; sid:682; rev:5;)
# Account / privilege manipulation procedures over TDS. These are also used by legitimate DBA tooling;
# correlate with the source host and the sa-login-failed rules (sid:688) before escalating.
sql.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL sp_password - password change"; content: "s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|"; nocase; flags:A+; classtype:attempted-user; sid:683; rev:4;)
sql.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL sp_delete_alert log file deletion"; content: "s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|r|00|t|00|"; nocase; flags:A+; classtype:attempted-user; sid:684; rev:4;)
sql.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL sp_adduser - database user creation"; content: "s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|"; nocase; flags:A+; classtype:attempted-user; sid:685; rev:4;)
sql.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_reg* - registry access"; content: "x|00|p|00|_|00|r|00|e|00|g|00|"; nocase; flags:A+; classtype:attempted-user; sid:686; rev:4;)
sql.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_cmdshell - program execution"; 
content: "x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; flags:A+; classtype:attempted-user; sid:687; rev:4;)
# Same two shellcode byte strings as the SMB rules (sid:692/694), here both rated shellcode-detect.
sql.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL shellcode attempt"; content: "|3920d0009201c200520055003920ec00|"; flags:A+; classtype:shellcode-detect; sid:691; rev:3;)
sql.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL shellcode attempt"; content: "|4800250078007700900090009000900090003300c000500068002e00|"; flags:A+; classtype:shellcode-detect; sid:693; rev:3;)
# TDS (1433) extended-procedure rules, UTF-16LE + nocase, unanchored. As with the SMB set, "possible
# buffer overflow" means "this procedure was called", not that an overflow was observed.
sql.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_printstatements possible buffer overflow"; content: "x|00|p|00|_|00|p|00|r|00|i|00|n|00|t|00|s|00|t|00|a|00|t|00|e|00|m|00|e|00|n|00|t|00|s|00|"; nocase; flags:A+; reference:bugtraq,2041; reference:cve,CAN-2000-1086; classtype:attempted-user; sid:699; rev:5;)
sql.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_updatecolvbm possible buffer overflow"; content: "x|00|p|00|_|00|u|00|p|00|d|00|a|00|t|00|e|00|c|00|o|00|l|00|v|00|b|00|m|00|"; nocase; flags:A+; reference:bugtraq,2039; reference:cve,CAN-2000-1084; classtype:attempted-user; sid:701; rev:5;)
sql.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_sprintf possible buffer overflow"; content: "x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; nocase; flags:A+; reference:bugtraq,1204; classtype:attempted-user; sid:704; rev:5;)
sql.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_showcolv possible buffer overflow"; content: "x|00|p|00|_|00|s|00|h|00|o|00|w|00|c|00|o|00|l|00|v|00|"; nocase; flags:A+; reference:bugtraq,2038; reference:cve,CAN-2000-1083; classtype:attempted-user; sid:705; rev:5;)
sql.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_peekqueue possible buffer overflow"; content: "x|00|p|00|_|00|p|00|e|00|e|00|k|00|q|00|u|00|e|00|u|00|e|00|"; nocase; flags:A+; reference:bugtraq,2040; reference:cve,CAN-2000-1085; 
classtype:attempted-user; sid:706; rev:5;)
# NOTE(review): sid:707 cites bugtraq,2024 for xp_proxiedmetadata whereas its SMB twin sid:698 cites
# bugtraq,2042 for the same procedure and CVE -- one of the two bugtraq ids is presumably a typo.
sql.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_proxiedmetadata possible buffer overflow"; content: "x|00|p|00|_|00|p|00|r|00|o|00|x|00|i|00|e|00|d|00|m|00|e|00|t|00|a|00|d|00|a|00|t|00|a|00|"; nocase; flags:A+; reference:bugtraq,2024; reference:cve,CAN-2000-1087; classtype:attempted-user; sid:707; rev:5;)
sql.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL raiserror possible buffer overflow"; content:"r|00|a|00|i|00|s|00|e|00|r|00|r|00|o|00|r|00|"; nocase; flags:A+; reference:bugtraq,3733; classtype:attempted-user; sid:1387; rev:4;)
# Coverage gap: xp_cmdshell is the only procedure with a rule for direct-hosted SMB on 445; every other
# sp_/xp_ rule in this file exists only for 139 and 1433, so the same calls over 445 go unalerted.
sql.rules:alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 445 (msg:"MS-SQL xp_cmdshell program execution (445)"; content: "x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; flags:A+; classtype:attempted-user; sid:1759; rev:2;)
# Server -> client: failed 'sa' logins, the signal to use for brute-force counting against the SQL
# admin account. NOTE(review): sid:688 (1433) is classed unsuccessful-user but sid:680 (139) is
# attempted-user for the identical server message; unsuccessful-user describes both.
sql.rules:alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"MS-SQL sa login failed"; content: "Login failed for user |27|sa|27|"; flags:A+; classtype:unsuccessful-user; sid:688; rev:4;)
sql.rules:alert tcp $SQL_SERVERS 139 -> $EXTERNAL_NET any (msg:"MS-SQL/SMB sa login failed"; content: "Login failed for user |27|sa|27|"; flags:A+; offset:83; classtype:attempted-user; sid:680; rev:4;)
# Telnet (23), client -> server. sid:1430 is a raw instruction-byte match rated shellcode-detect;
# sid:711 requires BOTH "_RLD" and "bin/sh" in the payload; sid:712/714 key on environment-variable
# names that a client should never legitimately send during login.
telnet.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"TELNET solaris memory mismanagement exploit attempt"; flags:A+; content:"|A0 23 A0 10 AE 23 80 10 EE 23 BF EC 82 05 E0 D6 90 25 E0|"; classtype:shellcode-detect; sid:1430; rev:4;)
telnet.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"TELNET SGI telnetd format bug"; flags:A+; content: "_RLD"; content: "bin/sh"; reference:arachnids,304; classtype:attempted-admin; sid:711; rev:4;)
telnet.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"TELNET ld_library_path"; flags:A+; content:"ld_library_path"; reference:cve,CVE-1999-0073; reference:arachnids,367; classtype:attempted-admin; sid:712; rev:4;)
telnet.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 23 
(msg:"TELNET livingston DOS"; flags:A+; content:"|fff3 fff3 fff3 fff3 fff3|"; reference:arachnids,370; classtype:attempted-dos; sid:713; rev:4;)
telnet.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"TELNET resolv_host_conf"; flags:A+; content:"resolv_host_conf"; reference:arachnids,369; classtype:attempted-admin; sid:714; rev:3;)
# Server -> client ($HOME_NET 23 -> $EXTERNAL_NET): these match text the telnet server echoes or prints,
# so they report outcomes (failed su, refused console login, bad password, "login: root" typed) rather
# than requests. NOTE(review): sid:718 "Login incorrect" is classed bad-unknown while the rlogin
# equivalents sid:605/611 are unsuccessful-user; the latter is the better fit for brute-force counting.
# sid:719 escapes the colon with a backslash where the rest of the file writes it as |3a|.
telnet.rules:alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET Attempted SU from wrong group"; flags:A+; content:"to su root"; nocase; classtype:attempted-admin; sid:715; rev:5;)
telnet.rules:alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET not on console"; flags:A+; content:"not on system console"; nocase; reference:arachnids,365; classtype:bad-unknown; sid:717; rev:5;)
telnet.rules:alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET login incorrect"; content:"Login incorrect"; flags:A+; reference:arachnids,127; classtype:bad-unknown; sid:718; rev:5;)
telnet.rules:alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET root login"; content:"login\: root"; flags:A+; classtype:suspicious-login; sid:719; rev:4;)
# BSD telnetd exploit pair (bugtraq 3064 / CAN-2001-0554): sid:1252 is the server's response
# (attempted-admin), sid:1253 the client's follow-up at payload offset 200..249 in packets over
# 200 bytes, rated successful-admin. Seeing 1253 after 1252 from the same pair is the strong signal.
telnet.rules:alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET bsd telnet exploit response"; flags:A+; content: "|0D0A|[Yes]|0D0A FFFE 08FF FD26|"; classtype: attempted-admin; sid:1252; rev:7; reference:bugtraq,3064; reference:cve,CAN-2001-0554;)
telnet.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"TELNET bsd exploit client finishing"; flags:A+; dsize: >200; content: "|FF F6 FF F6 FF FB 08 FF F6|"; offset: 200; depth: 50; classtype: successful-admin; sid:1253; reference: bugtraq,3064; reference:cve,CAN-2001-0554; rev:6;)
# Default-account login attempts (SGI demo accounts), case-sensitive usernames; suspicious-login.
telnet.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"TELNET 4Dgifts SGI account attempt"; flags:A+; content:"4Dgifts"; reference:cve,CAN-1999-0501; classtype:suspicious-login; sid:709; rev:5;)
telnet.rules:alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"TELNET EZsetup account attempt"; flags:A+; content:"OutOfBox"; reference:cve,CAN-1999-0501; 
classtype:suspicious-login; sid:710; rev:5;)
# Telnet option negotiation (IAC DO ...) from a $HOME_NET server: fires on every telnet session start,
# classed not-suspicious -- an inventory signal for where cleartext telnet is still exposed, not an alert.
telnet.rules:alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET access"; flags:A+; content:"|FF FD 18 FF FD 1F FF FD 23 FF FD 27 FF FD 24|"; reference:arachnids,08; reference:cve,CAN-1999-0619; classtype:not-suspicious; sid:716; rev:4;)
# TFTP (69). Opcode |00 01| at offset 0 is a read request (RRQ), |00 02| a write request (WRQ).
# NOTE(review): sid:1289/1441/1442/1443 are classed successful-admin although they match only the
# request plus a filename -- the transfer is not confirmed; attempted-admin would describe them and a
# separate rule on the data reply would be needed to claim success. They also use "any any -> any 69",
# so internal-to-internal transfers are covered, unlike sid:519/520/518/1444 which are EXTERNAL -> HOME only.
tftp.rules:alert udp any any -> any 69 (msg:"TFTP GET Admin.dll"; content: "|0001|"; offset:0; depth:2; content:"admin.dll"; nocase; classtype:successful-admin; reference:url,www.cert.org/advisories/CA-2001-26.html; sid:1289; rev:2;)
tftp.rules:alert udp any any -> any 69 (msg:"TFTP GET nc.exe"; content: "|0001|"; offset:0; depth:2; content:"nc.exe"; nocase; classtype:successful-admin; sid:1441; rev:1;)
tftp.rules:alert udp any any -> any 69 (msg:"TFTP GET shadow"; content: "|0001|"; offset:0; depth:2; content:"shadow"; nocase; classtype:successful-admin; sid:1442; rev:1;)
tftp.rules:alert udp any any -> any 69 (msg:"TFTP GET passwd"; content: "|0001|"; offset:0; depth:2; content:"passwd"; nocase; classtype:successful-admin; sid:1443; rev:1;)
# sid:519 matches ".." anywhere in the datagram (no anchoring); sid:520 a leading "/" right after the
# RRQ opcode. sid:518 and sid:1444 fire on EVERY write and read request respectively -- useful as an
# audit trail of TFTP use, far too broad as an alert without a threshold.
tftp.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP parent directory"; content:".."; reference:arachnids,137; reference:cve,CVE-1999-0183; classtype:bad-unknown; sid:519; rev:1;)
tftp.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP root directory"; content:"|0001|/"; offset:0; depth:3; reference:arachnids,138; reference:cve,CVE-1999-0183; classtype:bad-unknown; sid:520; rev:2;)
tftp.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP Put"; content:"|00 02|"; offset:0; depth:2; reference:cve,CVE-1999-0183; reference:arachnids,148; classtype:bad-unknown; sid:518; rev:3;)
tftp.rules:alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP Get"; content:"|00 01|"; offset:0; depth:2; classtype:bad-unknown; sid:1444; rev:2;)
# Mail-borne malware indicators on POP3 server -> client traffic (source port 110, any hosts).
# sid:720 keys on the misspelling "Suddlently" from the trojan's mail body; case-sensitive.
virus.rules:alert tcp any 110 -> any any (msg:"Virus - SnowWhite Trojan Incoming"; content:"Suddlently"; sid:720; classtype:misc-activity; rev:3;)
virus.rules:alert tcp any 110 -> any any 
(msg:"Virus - Possible pif Worm"; content: ".pif"; nocase; sid:721; classtype:misc-activity; rev:3;)
# Extension-based indicators (.pif / .scr / .shs, sid:721/729/730) match the 4-character substring
# anywhere in the POP3 stream, not just in a MIME filename, so any message mentioning those strings
# fires them. Pair with the mail gateway's attachment policy rather than using them as alerts on their own.
virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible NAVIDAD Worm"; content: "NAVIDAD.EXE"; nocase; sid:722; classtype:misc-activity; rev:3;)
# MyRomeo indicators. NOTE(review): sid:723-725 are case-insensitive but sid:726-728 have no nocase,
# so "I love you" in different capitalisation is missed by sid:726 while "myromeo.exe" is not.
virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; content: "myromeo.exe"; nocase; sid:723; classtype:misc-activity; rev:3;)
virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; content: "myjuliet.chm"; nocase; sid:724; classtype:misc-activity; rev:3;)
virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; content: "ble bla"; nocase; sid:725; classtype:misc-activity; rev:3;)
virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; content: "I Love You"; sid:726; classtype:misc-activity; rev:3;)
virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; content: "Sorry... Hey you !"; sid:727; classtype:misc-activity; rev:3;)
virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; content: "my picture from shake-beer"; sid:728; classtype:misc-activity; rev:3;)
virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible scr Worm"; content: ".scr"; nocase; sid:729; classtype:misc-activity; rev:3;)
virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible shs Worm"; content: ".shs"; nocase; sid:730; classtype:misc-activity; rev:3;)
# QAZ worm: |71 61 7a 77 73 78 2e 68 73 71| is the ASCII string "qazwsx.hsq" (same bytes as sid:108 in
# backdoor.rules). sid:731 watches incoming mail, sid:732 SMB (139) spread, sid:733 outbound SMTP.
# NOTE(review): sid:732 uses flags:A with no '+', i.e. an exact ACK-only match -- a data segment that
# also carries PSH does not match; flags:A+ is what the rest of the file uses for established streams.
virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible QAZ Worm"; content: "|71 61 7a 77 73 78 2e 68 73 71|"; reference:MCAFEE,98775; sid:731; classtype:misc-activity; rev:3;)
virus.rules:alert tcp any any -> any 139 (msg:"Virus - Possible QAZ Worm Infection"; flags:A; content: "|71 61 7a 77 73 78 2e 68 73 71|"; reference:MCAFEE,98775; sid:732; classtype:misc-activity; rev:3;)
virus.rules:alert tcp any any -> any 25 (msg:"Virus - Possible QAZ Worm Calling Home"; content:"nongmin_cn"; reference:MCAFEE,98775; sid:733; 
classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible Matrix worm"; content: "Software provide by [MATRiX]"; nocase; sid:734; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; content: "Matrix has you..."; sid:735; classtype:misc-activity; rev:3;) virus.rules:alert tcp any any -> any 25 (msg:"Virus - Successful eurocalculator execution"; flags:PA; content: "funguscrack@hotmail.com"; nocase; sid:736; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible eurocalculator.exe file"; content: "filename="; content:"eurocalculator.exe"; nocase; sid:737; classtype:misc-activity; rev:3;) virus.rules:alert tcp any any -> any 110 (msg:"Virus - Possible Pikachu Pokemon Virus"; flags:PA; content:"Pikachu Pokemon"; reference:MCAFEE,98696; sid:738; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible Triplesix Worm"; content: "filename=\"666TEST.VBS\""; nocase; reference:MCAFEE,10389; sid:739; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible Tune.vbs"; content: "filename=\"tune.vbs\""; nocase; reference:MCAFEE,10497; sid:740; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; content:"|4D 61 72 6B 65 74 20 73 68 61 72 65 20 74 69 70 6F 66 66|"; reference:MCAFEE,10109; sid:741; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; content: "|6E 61 6D 65 20 3D 22 57 57 49 49 49 21|"; reference:MCAFEE,10109; sid:742; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; content:"|4E 65 77 20 44 65 76 65 6C 6F 70 6D 65 6E 74 73|"; reference:MCAFEE,10109; sid:743; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; content:"|47 
6F 6F 64 20 54 69 6D 65 73|"; reference:MCAFEE,10109; sid:744; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible Papa Worm"; content: "filename=\"XPASS.XLS\""; nocase; reference:MCAFEE,10145; sid:745; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible Freelink Worm"; content:"|4C 49 4E 4B 53 2E 56 42 53|"; reference:MCAFEE,10225; sid:746; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible Simbiosis Worm"; content: "filename=\"SETUP.EXE\""; nocase; sid:747; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible BADASS Worm"; content: "|6E 61 6D 65 20 3D 22 42 41 44 41 53 53 2E 45 58 45 22|"; reference:MCAFEE,10388; sid:748; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible ExploreZip.B Worm"; content: "|6E 61 6D 65 20 3D 22 46 69 6C 65 5F 7A 69 70 70 61 74 69 2E 65 78 65 22|"; reference:MCAFEE,10471; sid:749; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible wscript.KakWorm"; content: "filename=\"KAK.HTA\""; nocase; reference:MCAFEE,10509; sid:751; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus Possible Suppl Worm"; content: "filename=\"Suppl.doc\""; nocase; reference:MCAFEE,10361; sid:752; classtype:misc-activity; rev:4;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - theobbq.exe"; content: "filename=\"THEOBBQ.EXE\""; nocase; reference:MCAFEE,10540; sid:753; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible Word Macro - VALE"; content: "filename=\"MONEY.DOC\""; nocase; reference:MCAFEE,10502; sid:754; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible IROK Worm"; content: "filename=\"irok.exe\""; nocase; reference:MCAFEE,98552; 
sid:755; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible Fix2001 Worm"; content: "filename=\"Fix2001.exe\""; nocase; reference:MCAFEE,10355; sid:756; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible Y2K Zelu Trojan"; content: "filename=\"Y2K.EXE\""; nocase; reference:MCAFEE,10505; sid:757; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible The_Fly Trojan"; content: "filename=\"THE_FLY.CHM\""; nocase; reference:MCAFEE,10478; sid:758; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible Word Macro - VALE"; content: "filename=\"DINHEIRO.DOC\""; nocase; reference:MCAFEE,10502; sid:759; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible Passion Worm"; content: "filename=\"ICQ_GREETINGS.EXE\""; nocase; reference:MCAFEE,10467; sid:760; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - cooler3.exe"; content: "filename=\"COOLER3.EXE\""; nocase; reference:MCAFEE,10540; sid:761; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - party.exe"; content: "filename=\"PARTY.EXE\""; nocase; reference:MCAFEE,10540; sid:762; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - hog.exe"; content: "filename=\"HOG.EXE\""; nocase; reference:MCAFEE,10540; sid:763; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - goal1.exe"; content: "filename=\"GOAL1.EXE\""; nocase; reference:MCAFEE,10540; sid:764; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - pirate.exe"; content: "filename=\"PIRATE.EXE\""; nocase; reference:MCAFEE,10540; sid:765; classtype:misc-activity; 
rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - video.exe"; content: "filename=\"VIDEO.EXE\""; nocase; reference:MCAFEE,10540; sid:766; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - baby.exe"; content: "filename=\"BABY.EXE\""; nocase; reference:MCAFEE,10540; sid:767; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - cooler1.exe"; content: "filename=\"COOLER1.EXE\""; nocase; reference:MCAFEE,10540; sid:768; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - boss.exe"; content: "filename=\"BOSS.EXE\""; nocase; reference:MCAFEE,10540; sid:769; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - g-zilla.exe"; content: "filename=\"G-ZILLA.EXE\""; nocase; reference:MCAFEE,10540; sid:770; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible ToadieE-mail Trojan"; content: "filename=\"Toadie.exe\""; nocase; reference:MCAFEE,10540; sid:771; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible PrettyPark Trojan"; content:"\\CoolProgs\\";offset:300;depth:750; reference:MCAFEE,10175; sid:772; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible Happy99 Virus"; content:"X-Spanska\:Yes"; reference:MCAFEE,10144; sid:773; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible CheckThis Trojan"; content:"|6E 61 6D 65 20 3D 22 6C 69 6E 6B 73 2E 76 62 73 22|"; sid:774; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible Bubbleboy Worm"; content:"BubbleBoy is back!"; reference:MCAFEE,10418; sid:775; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - 
Possible NewApt.Worm - copier.exe"; content: "filename=\"COPIER.EXE\""; nocase; reference:MCAFEE,10540; sid:776; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible MyPics Worm"; content: "|6E 61 6D 65 20 3D 22 70 69 63 73 34 79 6F 75 2E 65 78 65 22|"; reference:MCAFEE,10467; sid:777; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible Babylonia - X-MAS.exe"; content: "|6E 61 6D 65 20 3D 22 58 2D 4D 41 53 2E 45 58 45 22|"; reference:MCAFEE,10461; sid:778; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - gadget.exe"; content: "filename=\"GADGET.EXE\""; nocase; reference:MCAFEE,10540; sid:779; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - irnglant.exe"; content: "filename=\"IRNGLANT.EXE\""; nocase; reference:MCAFEE,10540; sid:780; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - casper.exe"; content: "filename=\"CASPER.EXE\""; nocase; reference:MCAFEE,10540; sid:781; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - fborfw.exe"; content: "filename=\"FBORFW.EXE\""; nocase; reference:MCAFEE,10540; sid:782; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - saddam.exe"; content: "filename=\"SADDAM.EXE\""; nocase; reference:MCAFEE,10540; sid:783; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - bboy.exe"; content: "filename=\"BBOY.EXE\""; nocase; reference:MCAFEE,10540; sid:784; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - monica.exe"; content: "filename=\"MONICA.EXE\""; nocase; reference:MCAFEE,10540; sid:785; classtype:misc-activity; rev:3;) 
virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - goal.exe"; content: "filename=\"GOAL.EXE\""; nocase; reference:MCAFEE,10540; sid:786; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - panther.exe"; content: "filename=\"PANTHER.EXE\""; nocase; reference:MCAFEE,10540; sid:787; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - chestburst.exe"; content: "filename=\"CHESTBURST.EXE\""; nocase; reference:MCAFEE,10540; sid:788; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - farter.exe"; content: "filename=\"FARTER.EXE\""; nocase; reference:MCAFEE,1054; sid:789; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible Common Sense Worm"; content: "|6E 61 6D 65 20 3D 22 54 48 45 5F 46 4C 59 2E 43 48 4D 22|"; sid:790; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - cupid2.exe"; content: "filename=\"CUPID2.EXE\""; nocase; reference:MCAFEE,10540; sid:791; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible Resume Worm"; content: "filename=\"RESUME1.DOC\""; nocase; reference:MCAFEE,98661; sid:792; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Mail .VBS"; content:"multipart"; content:"name="; content:".vbs"; nocase; sid:793; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible Resume Worm"; content: "filename=\"Explorer.doc\""; nocase; reference:MCAFEE,98661; sid:794; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible Worm - txt.vbs file"; content: "filename="; content:".txt.vbs"; nocase; sid:795; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible 
Worm - xls.vbs file"; content: "filename="; content:".xls.vbs"; nocase; sid:796; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible Worm - jpg.vbs file"; content: "filename="; content:".jpg.vbs"; nocase; sid:797; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible Worm - gif.vbs file"; content: "filename="; content:".gif.vbs"; nocase; sid:798; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible Timofonica Worm"; content: "filename=\"TIMOFONICA.TXT.vbs\""; nocase; reference:MCAFEE,98674; sid:799; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible Resume Worm"; content: "filename=\"NORMAL.DOT\""; nocase; reference:MCAFEE,98661; sid:800; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible Worm - doc.vbs file"; content: "filename="; content:".doc.vbs"; nocase; sid:801; classtype:misc-activity; rev:3;) virus.rules:alert tcp any 110 -> any any (msg:"Virus - Possible Zipped Files Trojan"; content:"|6E 61 6D 65 20 3D 22 5A 69 70 70 65 64 5F 46 69 6C 65 73 2E 45 58 45 22|"; reference:MCAFEE,10450; sid:802; classtype:misc-activity; rev:3;) virus.rules:alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"VIRUS Klez Incoming"; flags:A+; dsize:>120; content:"MIME"; content:"VGhpcyBwcm9"; classtype:misc-activity; sid:1800; rev:1;) web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS ps command attempt"; flags:A+; uricontent:"/bin/ps"; nocase; sid:1328; classtype:web-application-attack; rev:4;) web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /bin/ps command attempt"; flags:A+; uricontent:"ps%20"; nocase; sid:1329; classtype:web-application-attack; rev:4;) web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS wget command attempt"; flags:A+; 
content:"wget%20";nocase; sid:1330; classtype:web-application-attack; rev:4;) web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS uname -a command attempt"; flags:A+; content:"uname%20-a";nocase; sid:1331; classtype:web-application-attack; rev:4;) web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/id command attempt"; flags:A+; content:"/usr/bin/id";nocase; sid:1332; classtype:web-application-attack; rev:4;) web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS id command attempt"; flags:A+; content:"\;id";nocase; sid:1333; classtype:web-application-attack; rev:4;) web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS echo command attempt"; flags:A+; content:"/bin/echo";nocase; sid:1334; classtype:web-application-attack; rev:4;) web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS kill command attempt"; flags:A+; content:"/bin/kill";nocase; sid:1335; classtype:web-application-attack; rev:4;) web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS chmod command attempt"; flags:A+; content:"/bin/chmod";nocase; sid:1336; classtype:web-application-attack; rev:4;) web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS chgrp command attempt"; flags:A+; content:"/usr/bin/chgrp";nocase; sid:1337; classtype:web-application-attack; rev:4;) web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS chown command attempt"; flags:A+; content:"/usr/sbin/chown";nocase; sid:1338; classtype:web-application-attack; rev:4;) web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS chsh command attempt"; flags:A+; content:"/usr/bin/chsh";nocase; sid:1339; classtype:web-application-attack; rev:4;) web-attacks.rules:alert tcp $EXTERNAL_NET 
any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS tftp command attempt"; flags:A+; content:"tftp%20";nocase; sid:1340; classtype:web-application-attack; rev:4;) web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/gcc command attempt"; flags:A+; content:"/usr/bin/gcc";nocase; sid:1341; classtype:web-application-attack; rev:4;) web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS gcc command attempt"; flags:A+; content:"gcc%20-o";nocase; sid:1342; classtype:web-application-attack; rev:4;) web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/cc command attempt"; flags:A+; content:"/usr/bin/cc";nocase; sid:1343; classtype:web-application-attack; rev:4;) web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS cc command attempt"; flags:A+; content:"cc%20";nocase; sid:1344; classtype:web-application-attack; rev:4;) web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/cpp command attempt"; flags:A+; content:"/usr/bin/cpp";nocase; sid:1345; classtype:web-application-attack; rev:4;) web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS cpp command attempt"; flags:A+; content:"cpp%20";nocase; sid:1346; classtype:web-application-attack; rev:4;) web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/g++ command attempt"; flags:A+; content:"/usr/bin/g++";nocase; sid:1347; classtype:web-application-attack; rev:4;) web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS g++ command attempt"; flags:A+; content:"g++%20";nocase; sid:1348; classtype:web-application-attack; rev:4;) web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS bin/python access attempt"; flags:A+; content:"bin/python";nocase; 
sid:1349; classtype:web-application-attack; rev:4;) web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS python access attempt"; flags:A+; content:"python%20";nocase; sid:1350; classtype:web-application-attack; rev:4;) web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS bin/tclsh execution attempt"; flags:A+; content:"bin/tclsh";nocase; sid:1351; classtype:web-application-attack; rev:4;) web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS tclsh execution attempt"; flags:A+; content:"tclsh8%20";nocase; sid:1352; classtype:web-application-attack; rev:4;) web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS bin/nasm command attempt"; flags:A+; content:"bin/nasm";nocase; sid:1353; classtype:web-application-attack; rev:4;) web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS nasm command attempt"; flags:A+; content:"nasm%20";nocase; sid:1354; classtype:web-application-attack; rev:4;) web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /usr/bin/perl execution attempt"; flags:A+; content:"/usr/bin/perl";nocase; sid:1355; classtype:web-application-attack; rev:4;) web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS perl execution attempt"; flags:A+; content:"perl%20";nocase; sid:1356; classtype:web-application-attack; rev:4;) web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS nt admin addition attempt"; flags:A+; content:"net localgroup administrators /add";nocase; sid:1357; classtype:web-application-attack; rev:4;) web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS traceroute command attempt"; flags:A+; content:"traceroute%20";nocase; sid:1358; classtype:web-application-attack; rev:4;) web-attacks.rules:alert 
tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS ping command attempt"; flags:A+; content:"/bin/ping";nocase; sid:1359; classtype:web-application-attack; rev:4;) web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS netcat command attempt"; flags:A+; content:"nc%20";nocase; sid:1360; classtype:web-application-attack; rev:4;) web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS nmap command attempt"; flags:A+; content:"nmap%20";nocase; sid:1361; classtype:web-application-attack; rev:4;) web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS xterm command attempt"; flags:A+; content:"/usr/X11R6/bin/xterm";nocase; sid:1362; classtype:web-application-attack; rev:4;) web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS X application to remote host attempt"; flags:A+; content:"%20-display%20";nocase; sid:1363; classtype:web-application-attack; rev:4;) web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS lsof command attempt"; flags:A+; content:"lsof%20";nocase; sid:1364; classtype:web-application-attack; rev:4;) web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS rm command attempt"; flags:A+; content:"rm%20";nocase; sid:1365; classtype:web-application-attack; rev:4;) web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS mail command attempt"; flags:A+; content:"/bin/mail";nocase; sid:1366; classtype:web-application-attack; rev:4;) web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS mail command attempt"; flags:A+; content:"mail%20";nocase; sid:1367; classtype:web-application-attack; rev:4;) web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /bin/ls| command attempt"; flags:A+; 
uricontent:"/bin/ls\|"; nocase; sid:1368; classtype:web-application-attack; rev:4;) web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /bin/ls command attempt"; flags:A+; uricontent:"/bin/ls"; nocase; sid:1369; classtype:web-application-attack; rev:4;) web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /etc/inetd.conf access"; flags:A+; content:"/etc/inetd.conf";nocase; sid:1370; classtype:web-application-activity; rev:4;) web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /etc/motd access"; flags:A+; content:"/etc/motd";nocase; sid:1371; classtype:web-application-activity; rev:4;) web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS /etc/shadow access"; flags:A+; content:"/etc/shadow";nocase; sid:1372; classtype:web-application-activity; rev:4;) web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS conf/httpd.conf attempt"; flags:A+; content:"conf/httpd.conf";nocase; classtype:web-application-activity; sid:1373; rev:5;) web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS .htgroup access"; flags:A+; uricontent:".htgroup"; nocase; sid:1374; classtype:web-application-activity; rev:4;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI HyperSeek hsx.cgi directory traversal attempt"; uricontent:"/hsx.cgi"; content:"../../"; content:"%00"; flags:A+; reference:bugtraq,2314; reference:cve,CAN-2001-0253; classtype:web-application-attack; sid:803; rev:6;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI HyperSeek hsx.cgi access"; uricontent:"/hsx.cgi"; flags:A+; reference:bugtraq,2314; reference:cve,CAN-2001-0253; classtype:web-application-activity; sid:1607; rev:3;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI SWSoft 
ASPSeek Overflow attempt"; uricontent:"/s.cgi"; nocase; content:"tmpl="; dsize:>500; flags:A+; reference:cve,CAN-2001-0476; reference:bugtraq,2492; classtype:web-application-attack; sid:804; rev:6;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webspeed access"; flags:A+; uricontent: "/wsisa.dll/WService="; nocase; content: "WSMadmin"; nocase;reference:arachnids,467; reference:cve,CVE-2000-0127; classtype:attempted-user; sid:805; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI yabb.cgi directory traversal attempt"; flags:A+; uricontent:"/YaBB.pl"; nocase; content: "../"; reference:cve,CVE-2000-0853; reference:arachnids,462; reference:bugtraq,1668; classtype:attempted-recon; sid:806; rev:7;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI yabb.cgi access"; flags:A+; uricontent:"/YaBB.pl"; nocase; reference:cve,CVE-2000-0853; reference:arachnids,462; reference:bugtraq,1668; classtype:attempted-recon; sid:1637; rev:3;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wwwboard passwd access"; flags:A+; uricontent: "/wwwboard/passwd.txt"; nocase; reference:arachnids,463; reference:cve,CVE-1999-0953; reference:bugtraq,649; classtype:attempted-recon; sid:807; rev:6;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webdriver access"; flags:A+; uricontent: "/webdriver"; nocase; reference:arachnids,473; reference:bugtraq,2166; classtype:attempted-recon; sid:808; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI whois_raw attempt"; flags:A+; uricontent: "/whois_raw.cgi?"; content: "|0a|"; reference:cve,CAN-1999-1063; reference:arachnids,466;classtype:web-application-attack; sid:809; rev:6;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI whois_raw access"; flags:A+; uricontent: "/whois_raw.cgi"; 
reference:cve,CAN-1999-1063; reference:arachnids,466; classtype:attempted-recon; sid:810; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI websitepro path access"; flags:A+; content: " /HTTP/1."; nocase; reference:cve,CAN-2000-0066; reference:arachnids,468;classtype:attempted-recon; sid:811; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webplus version access"; flags:A+; uricontent:"/webplus?about"; nocase; reference:cve,CVE-2000-0282; reference:arachnids,470; classtype:attempted-recon; sid:812; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webplus directory traversal"; flags:A+; uricontent:"/webplus?script"; nocase; content:"../"; reference:cve,CVE-2000-0282; reference:arachnids,471; classtype:web-application-attack; sid:813; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI websendmail access"; flags:A+; uricontent: "/websendmail"; nocase; reference:cve,CVE-1999-0196; reference:arachnids,469; reference:bugtraq,2077; classtype:attempted-recon; sid:815; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dcforum.cgi directory traversal attempt"; flags:A+; uricontent:"/dcforum.cgi"; content:"forum=../.."; reference:cve,CAN-2001-0436; classtype:web-application-attack; sid:1571; rev:4;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dcforum.cgi access"; uricontent:"/dcforum.cgi"; flags:A+; reference:bugtraq,2728; classtype:attempted-recon; sid:818; rev:6;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dcboard.cgi invalid user addition attempt"; flags:A+; uricontent:"/dcboard.cgi"; content:"command=register"; content:"%7cadmin"; reference:bugtraq,2728; classtype:web-application-attack; sid:817; rev:6;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-CGI dcboard.cgi access"; uricontent:"/dcboard.cgi"; flags:A+; reference:bugtraq,2728; classtype:attempted-recon; sid:1410; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI mmstdod.cgi access"; uricontent:"/mmstdod.cgi"; nocase; flags:A+; reference:cve,CVE-2001-0021; classtype:attempted-recon; sid:819; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI anaconda directory traversal attempt"; flags:A+; uricontent:"/apexec.pl"; content:"template=../"; nocase; reference:cve,CVE-2000-0975; reference:bugtraq,2388; classtype:web-application-attack; sid:820; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI imagemap.exe overflow attempt"; dsize: >1000; flags:A+; uricontent: "/imagemap.exe?"; depth: 32; nocase; reference:arachnids,412; reference:cve,CVE-1999-0951; classtype:web-application-attack; sid:821; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI imagemap.exe access"; flags:A+; uricontent:"/imagemap.exe"; nocase; reference:cve,CVE-1999-0951; reference:arachnids,412; classtype:web-application-activity; sid:1700; rev:3;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cvsweb.cgi access"; flags:A+; uricontent:"/cvsweb.cgi"; nocase; reference:cve,CVE-2000-0670; reference:bugtraq,1469;classtype:attempted-recon; sid:823; rev:4;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI php.cgi access";flags:A+; uricontent:"/php.cgi"; nocase; reference:cve,CAN-1999-0238; reference:bugtraq,2250; reference:arachnids,232; classtype:attempted-recon; sid:824; rev:6;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI glimpse access"; flags:A+; uricontent:"/glimpse"; nocase; reference:bugtraq,2026; classtype:attempted-recon; sid:825; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"WEB-CGI htmlscript attempt";flags:A+; uricontent:"/htmlscript?../.."; nocase; reference:bugtraq,2001; reference:cve,CVE-1999-0264; classtype:web-application-attack; sid:1608; rev:3;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI htmlscript access";flags:A+; uricontent:"/htmlscript"; nocase; reference:bugtraq,2001; reference:cve,CVE-1999-0264; classtype:attempted-recon; sid:826; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI info2www access";flags:A+; uricontent:"/info2www"; nocase; reference:bugtraq,1995; reference:cve,CVE-1999-0266; classtype:attempted-recon; sid:827; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI maillist.pl access";flags:A+; uricontent:"/maillist.pl"; nocase;classtype:attempted-recon; sid:828; rev:4;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI nph-test-cgi access";flags:A+; uricontent:"/nph-test-cgi"; nocase; reference:arachnids,224; reference:cve,CVE-1999-0045; reference:bugtraq,686; classtype:attempted-recon; sid:829; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI NPH-publish access"; flags:A+; uricontent:"/nph-maillist.pl"; nocase; reference:cve,CAN-2001-0400; classtype:attempted-recon; sid:1451; rev:3;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI NPH-publish access";flags:A+; uricontent:"/nph-publish"; nocase; reference:cve,CAN-1999-1177; classtype:attempted-recon; sid:830; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI rguest.exe access";flags:A+; uricontent:"/rguest.exe"; nocase; reference:cve,CAN-1999-0467; reference:bugtraq,2024; classtype:attempted-recon; sid:833; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI rwwwshell.pl access";flags:A+; uricontent:"/rwwwshell.pl"; 
nocase; reference:url,www.itsecurity.com/papers/p37.htm; classtype:attempted-recon; sid:834; rev:6;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI test-cgi attempt"; flags:A+; uricontent:"/test-cgi/*?*"; nocase; reference:cve,CVE-1999-0070; reference:arachnids,218; classtype:web-application-attack; sid:1644; rev:4;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI test-cgi access"; flags:A+; uricontent:"/test-cgi"; nocase; reference:cve,CVE-1999-0070; reference:arachnids,218;classtype:attempted-recon; sid:835; rev:4;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI testcgi access"; flags:A+; uricontent:"/testcgi"; nocase; classtype:web-application-activity; sid:1645; rev:4;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI test.cgi access"; flags:A+; uricontent:"/test.cgi"; nocase; classtype:web-application-activity; sid:1646; rev:4;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI textcounter.pl access";flags:A+; uricontent:"/textcounter.pl"; nocase; reference:cve,CAN-1999-1479; classtype:attempted-recon; sid:836; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI uploader.exe access";flags:A+; uricontent:"/uploader.exe"; nocase;reference:cve,CVE-1999-0177;classtype:attempted-recon; sid:837; rev:4;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webgais access";flags:A+; uricontent:"/webgais"; nocase; reference:arachnids,472; reference:bugtraq,2058; reference:cve,CVE-1999-0176;classtype:attempted-recon; sid:838; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI finger access"; flags:A+; uricontent:"/finger"; nocase; reference:arachnids,221; reference:cve,CVE-1999-0612;classtype:attempted-recon; sid:839; rev:4;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI perlshop.cgi access";flags:A+; uricontent:"/perlshop.cgi"; nocase; reference:cve,CAN-1999-1374; classtype:attempted-recon; sid:840; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pfdisplay.cgi access";flags:A+; uricontent:"/pfdisplay.cgi"; nocase; reference:bugtraq,64; reference:cve,CVE-1999-0270;classtype:attempted-recon; sid:841; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI aglimpse access";flags:A+; uricontent:"/aglimpse"; nocase; reference:cve,CVE-1999-0147; reference:bugtraq,2026; classtype:attempted-recon; sid:842; rev:4;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI anform2 access";flags:A+; uricontent:"/AnForm2"; nocase; reference:cve,CVE-1999-0066; reference:arachnids,225;classtype:attempted-recon; sid:843; rev:4;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI args.bat access";flags:A+; uricontent:"/args.bat"; nocase; reference:cve,CAN-1999-1374; classtype:attempted-recon; sid:844; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI args.cmd access";flags:A+; uricontent:"/args.cmd"; nocase; reference:cve,CAN-1999-1374; classtype:attempted-recon; sid:1452; rev:3;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AT-admin.cgi access";flags:A+; uricontent:"/AT-admin.cgi"; nocase; reference:cve,CAN-1999-1072; classtype:attempted-recon; sid:845; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AT-generated.cgi access";flags:A+; uricontent:"/AT-generated.cgi"; nocase; reference:cve,CAN-1999-1072; classtype:attempted-recon; sid:1453; rev:3;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bnbform.cgi access";flags:A+; uricontent:"/bnbform.cgi"; nocase; reference:cve,CVE-1999-0937; 
reference:bugtraq,1469; classtype:attempted-recon; sid:846; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI campas access";flags:A+; uricontent:"/campas"; nocase; reference:cve,CVE-1999-0146; reference:bugtraq,1975; classtype:attempted-recon; sid:847; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI view-source directory traversal";flags:A+; uricontent:"/view-source"; nocase; content:"../"; nocase; reference:cve,CVE-1999-0174;classtype:web-application-attack; sid:848; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI view-source access";flags:A+; uricontent:"/view-source"; nocase; reference:cve,CVE-1999-0174;classtype:attempted-recon; sid:849; rev:4;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wais.pl access";flags:A+; uricontent:"/wais.pl"; nocase; classtype:attempted-recon; sid:850; rev:4;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wwwwais access";flags:A+; uricontent:"/wwwwais"; nocase; reference:cve,CAN-2001-0223; classtype:attempted-recon; sid:1454; rev:3;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI files.pl access";flags:A+; uricontent:"/files.pl"; nocase; reference:cve,CAN-1999-1081; classtype:attempted-recon; sid:851; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wguest.exe access";flags:A+; uricontent:"/wguest.exe"; nocase; reference:cve,CAN-1999-0467; reference:bugtraq,2024; classtype:attempted-recon; sid:852; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wrap access"; flags:A+; uricontent: "/wrap"; reference:bugtraq,373; reference:arachnids,234; reference:cve,CVE-1999-0149;classtype:attempted-recon; sid:853; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI 
classifieds.cgi access";flags:A+; uricontent:"/classifieds.cgi"; nocase; reference:bugtraq,2020; reference:cve,CVE-1999-0934;classtype:attempted-recon; sid:854; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI environ.cgi access";flags:A+; uricontent:"/environ.cgi"; nocase;classtype:attempted-recon; sid:856; rev:4;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI faxsurvey attempt (full path)"; flags:A+; uricontent:"/faxsurvey?/"; nocase; reference:cve,CVE-1999-0262; reference:bugtraq,2056; classtype:web-application-attack; sid:1647; rev:3;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI faxsurvey attempt"; flags:A+; uricontent:"/faxsurvey?cat%20"; nocase; reference:cve,CVE-1999-0262; reference:bugtraq,2056; classtype:web-application-attack; sid:1609; rev:3;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI faxsurvey access"; flags:A+; uricontent:"/faxsurvey"; nocase; reference:cve,CVE-1999-0262; reference:bugtraq,2056; classtype:web-application-activity; sid:857; rev:6;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI filemail access"; flags:A+; uricontent:"/filemail.pl"; nocase; reference:cve,CAN-1999-1154; classtype:attempted-recon; sid:858; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI man.sh access"; flags:A+; uricontent:"/man.sh"; nocase; reference:cve,CAN-1999-1179; classtype:attempted-recon; sid:859; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI snork.bat access";flags:A+; uricontent:"/snork.bat"; nocase; reference:bugtraq,1053; reference:cve,CVE-2000-0169; reference:arachnids,220;classtype:attempted-recon; sid:860; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI w3-msql access";flags:A+; uricontent:"/w3-msql/"; nocase; 
reference:bugtraq,591; reference:cve,CVE-1999-0276; reference:arachnids,210;classtype:attempted-recon; sid:861; rev:6;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI day5datacopier.cgi access";flags:A+; uricontent:"/day5datacopier.cgi"; nocase; reference:cve,CAN-1999-1232; classtype:attempted-recon; sid:863; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI day5datanotifier.cgi access"; flags:A+; uricontent:"/day5datanotifier.cgi"; nocase; reference:cve,CAN-1999-1232; classtype:attempted-recon; sid:864; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI post-query access"; flags:A+; uricontent:"/post-query"; nocase; reference:cve,CAN-2001-0291; classtype:attempted-recon; sid:866; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI visadmin.exe access";flags:A+; uricontent:"/visadmin.exe"; nocase; reference:bugtraq,1808; reference:cve,CAN-1999-1970;classtype:attempted-recon; sid:867; rev:4;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI dumpenv.pl access";flags:A+; uricontent:"/dumpenv.pl"; nocase; reference:cve,CAN-1999-1178; classtype:attempted-recon; sid:869; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar_admin.pl arbitrary command execution attempt"; flags:A+; uricontent:"/calendar_admin.pl?config=\|"; classtype:web-application-attack; reference:cve,CVE-2000-0432; sid:1536; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar_admin.pl access"; flags:A+; uricontent:"/calendar_admin.pl"; classtype:web-application-activity; reference:cve,CVE-2000-0432; sid:1537; rev:4;) web-cgi.rules:# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calender_admin.pl access"; flags:A+; uricontent:"/calender_admin.pl"; nocase; reference:cve,CVE-2000-0432; 
classtype:attempted-recon; sid:1456; rev:3;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar-admin.pl access"; flags:A+; uricontent:"/calendar-admin.pl"; nocase; reference:bugtraq,1215; classtype:web-application-activity; sid:1701; rev:3;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calender.pl access"; flags:A+; uricontent:"/calender.pl"; nocase; reference:cve,CVE-2000-0432; classtype:attempted-recon; sid:1455; rev:3;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI calendar access";flags:A+; uricontent:"/calendar"; nocase; classtype:attempted-recon; sid:882; rev:4;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI user_update_admin.pl access"; flags:A+; uricontent:"/user_update_admin.pl"; nocase; reference:cve,CVE-2000-0627; classtype:attempted-recon; sid:1457; rev:3;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI user_update_passwd.pl access"; flags:A+; uricontent:"/user_update_passwd.pl"; nocase; reference:cve,CVE-2000-0627; classtype:attempted-recon; sid:1458; rev:3;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI snorkerz.cmd access";flags:A+; uricontent:"/snorkerz.cmd"; nocase;classtype:attempted-recon; sid:870; rev:4;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI survey.cgi access";flags:A+; uricontent:"/survey.cgi"; nocase; reference:bugtraq,1817; reference:cve,CVE-1999-0936; classtype:attempted-recon; sid:871; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI scriptalias access"; flags:A+; uricontent: "///"; reference:cve,CVE-1999-0236; reference:bugtraq,2300; reference:arachnids,227; classtype:attempted-recon; sid:873; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI w3-msql solaris x86 access"; 
flags:A+; uricontent: "/bin/shA-cA/usr/openwin"; nocase; reference:cve,CVE-1999-0276; reference:arachnids,211;classtype:attempted-recon; sid:874; rev:4;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI win-c-sample.exe access"; flags:A+; uricontent: "/win-c-sample.exe"; nocase; reference:bugtraq,2078; reference:arachnids,231; reference:cve,CVE-1999-0178;classtype:attempted-recon; sid:875; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI w3tvars.pm access";flags:A+; uricontent:"/w3tvars.pm"; nocase; classtype:attempted-recon; sid:878; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI admin.pl access";flags:A+; uricontent:"/admin.pl"; nocase; reference:url,online.securityfocus.com/archive/1/249355; reference:bugtraq,3839; classtype:attempted-recon; sid:879; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI LWGate access";flags:A+; uricontent:"/LWGate"; nocase; reference:url,www.netspace.org/~dwb/lwgate/lwgate-history.html; reference:url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm; classtype:attempted-recon; sid:880; rev:6;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI archie access";flags:A+; uricontent:"/archie"; nocase; classtype:attempted-recon; sid:881; rev:4;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI flexform access";flags:A+; uricontent:"/flexform"; nocase; reference:url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm; classtype:attempted-recon; sid:883; rev:4;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI formmail attempt"; flags:A+; uricontent:"/formmail"; nocase; content:"%0a"; nocase; reference:bugtraq,1187; reference:cve,CVE-1999-0172; reference:arachnids,226; classtype:web-application-attack; sid:1610; rev:3;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-CGI formmail access";flags:A+; uricontent:"/formmail"; nocase; reference:bugtraq,1187; reference:cve,CVE-1999-0172; reference:arachnids,226; classtype:web-application-activity; sid:884; rev:6;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI phf arbitrary command execution attempt";flags:A+; uricontent:"/phf"; nocase; content:"QALIAS"; nocase; content:"%0a/"; reference:bugtraq,629; reference:arachnids,128; reference:cve,CVE-1999-0067; classtype:web-application-attack; sid:1762; rev:1;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI phf access";flags:A+; uricontent:"/phf"; nocase; reference:bugtraq,629; reference:arachnids,128; reference:cve,CVE-1999-0067; classtype:web-application-activity; sid:886; rev:8;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI www-sql access";flags:A+; uricontent:"/www-sql"; nocase; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=88704258804054&w=2; classtype:attempted-recon; sid:887; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wwwadmin.pl access";flags:A+; uricontent:"/wwwadmin.pl"; nocase; classtype:attempted-recon; sid:888; rev:4;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ppdscgi.exe access";flags:A+; uricontent:"/ppdscgi.exe"; nocase; reference:bugtraq,491; reference:url,online.securityfocus.com/archive/1/16878; classtype:attempted-recon; sid:889; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI sendform.cgi access";flags:A+; uricontent:"/sendform.cgi"; nocase; reference:url,www.scn.org/help/sendform.txt; classtype:attempted-recon; sid:890; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI upload.pl access";flags:A+; uricontent:"/upload.pl"; nocase; classtype:attempted-recon; sid:891; rev:4;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AnyForm2 access";flags:A+; uricontent:"/AnyForm2"; nocase; reference:bugtraq,719; reference:cve,CVE-1999-0066; classtype:attempted-recon; sid:892; rev:6;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI MachineInfo access";flags:A+; uricontent:"/MachineInfo"; nocase; reference:cve,CAN-1999-1067; classtype:attempted-recon; sid:893; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-hist.sh attempt";flags:A+; uricontent:"/bb-hist.sh?HISTFILE=../.."; nocase; reference:cve,CAN-1999-1462; reference:bugtraq,142; classtype:web-application-attack; sid:1531; rev:3;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-hist.sh access";flags:A+; uricontent:"/bb-hist.sh"; nocase; reference:cve,CAN-1999-1462; reference:bugtraq,142; classtype:attempted-recon; sid:894; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-histlog.sh access";flags:A+; uricontent:"/bb-histlog.sh"; nocase; reference:bugtraq,142; reference:cve,CAN-1999-1462; classtype:attempted-recon; sid:1459; rev:3;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-histsvc.sh access";flags:A+; uricontent:"/bb-histsvc.sh"; nocase; reference:bugtraq,142; reference:cve,CAN-1999-1462; classtype:attempted-recon; sid:1460; rev:3;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-hostsvc.sh attempt"; flags:A+; uricontent:"/bb-hostsvc.sh?HOSTSVC=../.."; nocase; reference:cve,CVE-2000-0638; classtype:web-application-attack; sid:1532; rev:4;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-hostsvc.sh access"; flags:A+; uricontent:"/bb-hostsvc.sh"; nocase; reference:cve,CVE-2000-0638; classtype:web-application-activity; sid:1533; rev:4;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-CGI bb-rep.sh access";flags:A+; uricontent:"/bb-rep.sh"; nocase; reference:bugtraq,142; reference:cve,CAN-1999-1462; classtype:attempted-recon; sid:1461; rev:3;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI bb-replog.sh access";flags:A+; uricontent:"/bb-replog.sh"; nocase; reference:bugtraq,142; reference:cve,CAN-1999-1462; classtype:attempted-recon; sid:1462; rev:3;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI redirect access";flags:A+; uricontent:"/redirect"; nocase;reference:bugtraq,1179; reference:cve,CVE-2000-0382; classtype:attempted-recon; sid:895; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wayboard attempt"; uricontent:"/way-board/way-board.cgi"; content:"db="; content:"../.."; nocase; flags:A+; reference:bugtraq,2370; reference:cve,CAN-2001-0214; classtype:web-application-attack; sid:1397; rev:4;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI wayboard access"; uricontent:"/way-board"; nocase; flags:A+; reference:bugtraq,2370; reference:cve,CAN-2001-0214; classtype:web-application-activity; sid:896; rev:6;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pals-cgi arbitrary file read attempt"; flags:A+; uricontent:"/pals-cgi"; nocase; content:"documentName="; classtype:web-application-attack; reference:cve,CAN-2001-0217; reference:bugtraq,2372; sid:1222; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI pals-cgi access"; uricontent:"/pals-cgi"; nocase; flags:A+; reference:cve,CAN-2001-0216; reference:cve,CAN-2001-0217; reference:bugtraq,2372; classtype:attempted-recon; sid:897; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI commerce.cgi attempt"; uricontent:"/commerce.cgi?page=../.."; nocase; flags:A+; reference:bugtraq,2361; reference:cve,CAN-2001-0210; 
classtype:web-application-attack; sid:1572; rev:4;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI commerce.cgi access"; uricontent:"/commerce.cgi"; nocase; flags:A+; reference:bugtraq,2361; reference:cve,CAN-2001-0210; classtype:attempted-recon; sid:898; rev:6;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Amaya templates sendtemp.pl directory traversal attempt"; uricontent:"/sendtemp.pl"; nocase; content:"templ="; nocase; flags:A+; reference:bugtraq,2504; reference:cve,CAN-2001-0272; classtype:web-application-attack; sid:899; rev:6;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI Amaya templates sendtemp.pl access"; uricontent:"/sendtemp.pl"; nocase; flags:A+; reference:bugtraq,2504; reference:cve,CAN-2001-0272; classtype:web-application-activity; sid:1702; rev:3;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webspirs directory traversal attempt"; uricontent:"/webspirs.cgi"; nocase; content:"../../"; nocase; flags:A+; reference:cve,CAN-2001-0211; reference:bugtraq,2362; classtype:web-application-attack; sid:900; rev:6;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webspirs access"; uricontent:"/webspirs.cgi"; nocase; flags:A+; reference:cve,CAN-2001-0211; reference:bugtraq,2362; classtype:attempted-recon; sid:901; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI tstisapi.dll access"; uricontent:"tstisapi.dll"; nocase; flags:A+; reference:cve,CAN-2001-0302; classtype:attempted-recon; sid:902; rev:5;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI sendmessage.cgi access"; uricontent:"/sendmessage.cgi"; nocase; flags:A+; classtype:attempted-recon; sid:1308; rev:4;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI lastlines.cgi access"; uricontent:"/lastlines.cgi"; 
nocase; flags:A+; reference:bugtraq,3755; reference:bugtraq,3754; classtype:attempted-recon; sid:1392; rev:4;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI zml.cgi attempt"; flags:A+; uricontent:"/zml.cgi"; content:"file=../"; reference:cve,CAN-2001-1209; reference:bugtraq,3759; classtype:web-application-attack; sid:1395; rev:7;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI zml.cgi access"; flags:A+; uricontent:"/zml.cgi"; reference:cve,CAN-2001-1209; reference:bugtraq,3759; classtype:web-application-activity; sid:1396; rev:6;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI AHG search.cgi access"; uricontent:"/publisher/search.cgi"; nocase; content:"template="; nocase; flags:A+; reference:bugtraq,3985; classtype:web-application-activity; sid:1405; rev:4;) web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI agora.cgi attempt"; flags:A+; uricontent:"/store/agora.cgi?cart_id=