community_1000.rules
# Legacy remote-access-trojan signatures (sid 105-141).
# Each rule pairs a fixed port in the header with a literal string from the tool's
# protocol; none has a pcre or other confirming option beyond content matches.
# Direction: "$HOME_NET <port> -> $EXTERNAL_NET" with flow:to_client alerts on a
# reply leaving an internal host that is the server side of the flow.
alert tcp $HOME_NET 2589 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR - Dagger_1.4.0"; flow:to_client,established; content:"2|00 00 00 06 00 00 00|Drives|24 00|",depth 16; metadata:ruleset community; classtype:misc-activity; sid:105; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 7597 ( msg:"MALWARE-BACKDOOR QAZ Worm Client Login access"; flow:to_server,established; content:"qazwsx.hsq"; metadata:ruleset community; reference:mcafee,98775; classtype:misc-activity; sid:108; rev:11; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 12345:12346 ( msg:"MALWARE-BACKDOOR netbus getinfo"; flow:to_server,established; content:"GetInfo|0D|"; metadata:ruleset community; classtype:trojan-activity; sid:110; rev:10; )
# NOTE(review): sid:115 fires only if flowbit backdoor.netbus_2.connect is already set
# on the flow. The rule that sets it is not among the rules shown here; confirm it is
# present and enabled, otherwise this rule can never alert.
alert tcp $HOME_NET 20034 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR NetBus Pro 2.0 connection established"; flow:to_client,established; flowbits:isset,backdoor.netbus_2.connect; content:"BN|10 00 02 00|",depth 6; content:"|05 00|",depth 2,offset 8; metadata:ruleset community; classtype:trojan-activity; sid:115; rev:15; )
# sid:117 is not port-bound (any -> any); the match is "WHATISIT" within the first 9 bytes.
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR Infector.1.x"; flow:established,to_client; content:"WHATISIT",depth 9; metadata:impact_flag red,ruleset community; reference:nessus,11157; classtype:misc-activity; sid:117; rev:17; )
alert tcp $HOME_NET 666 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR SatansBackdoor.2.0.Beta"; flow:to_client,established; content:"Remote|3A| ",depth 11,nocase; content:"You are connected to me.|0D 0A|Remote|3A| Ready for commands",distance 0,nocase; metadata:ruleset community; reference:url,www.megasecurity.org/trojans/s/satanzbackdoor/SBD2.0b.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=5260; classtype:trojan-activity; sid:118; rev:12; )
alert tcp $HOME_NET 6789 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR Doly 2.0 access"; flow:established,to_client; content:"Wtzup Use",depth 32; metadata:ruleset community; classtype:misc-activity; sid:119; rev:11; )
# sid:121 and sid:141 match very short strings ("FC " and "host") with no depth or
# offset, so the port constraints in the header carry most of the specificity.
alert tcp $EXTERNAL_NET 1000:1300 -> $HOME_NET 146 ( msg:"MALWARE-BACKDOOR Infector 1.6 Client to Server Connection Request"; flow:to_server,established; content:"FC "; metadata:ruleset community; reference:nessus,11157; classtype:misc-activity; sid:121; rev:14; )
alert tcp $HOME_NET 31785 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR HackAttack 1.20 Connect"; flow:established,to_client; content:"host"; metadata:ruleset community; classtype:misc-activity; sid:141; rev:10; )
# FTP login with user name "w0rm" (sid 144).
# The two content matches ("USER", then "w0rm" at least 1 byte later, both nocase) are
# followed by a pcre that requires USER, whitespace and w0rm at the start of a line
# (flags s, m, i). The rule is bound to port 21 and tagged service:ftp.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP ADMw0rm ftp login attempt"; flow:to_server,established; content:"USER",nocase; content:"w0rm",distance 1,nocase; pcre:"/^USER\s+w0rm/smi"; metadata:ruleset community; service:ftp; classtype:suspicious-login; sid:144; rev:16; )
# Further legacy backdoor signatures (sid 146-208), same pattern as above: fixed port
# plus a banner or command string from the tool.
alert tcp $HOME_NET 30100:30102 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR NetSphere access"; flow:established,to_client; content:"NetSphere"; metadata:ruleset community; classtype:trojan-activity; sid:146; rev:13; )
# sid:147 chains three nocase content matches and then confirms the whole banner
# ("GateCrasher v<digits>.<digits>, Server On-Line...") with a pcre.
alert tcp $HOME_NET 6969 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR GateCrasher"; flow:established,to_client; content:"GateCrasher",depth 11,nocase; content:"Server",distance 0,nocase; content:"On-Line...",distance 0,nocase; pcre:"/^GateCrasher\s+v\d+\x2E\d+\x2C\s+Server\s+On-Line\x2E\x2E\x2E/smi"; metadata:ruleset community; reference:url,www.spywareguide.com/product_show.php?id=973; classtype:trojan-activity; sid:147; rev:11; )
# sid:152 matches the three bytes "c:\" (c|3A 5C|) anywhere in the payload.
alert tcp $HOME_NET 5401:5402 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR BackConstruction 2.1 Connection"; flow:established,to_client; content:"c|3A 5C|"; metadata:ruleset community; classtype:misc-activity; sid:152; rev:11; )
# sid:157 / sid:158 are the request and reply halves of the same exchange on port 666.
alert tcp $EXTERNAL_NET any -> $HOME_NET 666 ( msg:"MALWARE-BACKDOOR BackConstruction 2.1 Client FTP Open Request"; flow:to_server,established; content:"FTPON"; metadata:ruleset community; classtype:misc-activity; sid:157; rev:9; )
alert tcp $HOME_NET 666 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR BackConstruction 2.1 Server FTP Open Reply"; flow:to_client,established; content:"FTP Port open"; metadata:ruleset community; classtype:misc-activity; sid:158; rev:10; )
# sid:161 / sid:162 cover UDP ports 3344 and 3345 in opposite directions; both use
# flow:to_server, and both headers run $EXTERNAL_NET -> $HOME_NET.
alert udp $EXTERNAL_NET 3344 -> $HOME_NET 3345 ( msg:"MALWARE-BACKDOOR Matrix 2.0 Client connect"; flow:to_server; content:"activate"; metadata:ruleset community; classtype:misc-activity; sid:161; rev:10; )
alert udp $EXTERNAL_NET 3345 -> $HOME_NET 3344 ( msg:"MALWARE-BACKDOOR Matrix 2.0 Server access"; flow:to_server; content:"logged in"; metadata:ruleset community; classtype:misc-activity; sid:162; rev:10; )
# sid:163 is flow:stateless: it is evaluated per packet on TCP flags (SA with a mask
# argument) plus the two payload bytes |B4 B4|, without requiring an established session.
alert tcp $HOME_NET 5714 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR WinCrash 1.0 Server Active"; flow:stateless; flags:SA,12; content:"|B4 B4|"; metadata:ruleset community; classtype:misc-activity; sid:163; rev:14; )
# sid:185 targets port 79 (finger) and looks for "ypi0ca" in the first 15 bytes.
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 ( msg:"MALWARE-BACKDOOR CDK"; flow:to_server,established; content:"ypi0ca",depth 15,nocase; metadata:ruleset community; classtype:misc-activity; sid:185; rev:10; )
alert udp $HOME_NET 2140 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR DeepThroat 3.1 Server Response"; flow:to_client; content:"Ahhhh My Mouth Is Open"; metadata:ruleset community; reference:mcafee,98574; reference:nessus,10053; classtype:trojan-activity; sid:195; rev:14; )
alert tcp $HOME_NET 555 -> $EXTERNAL_NET any ( msg:"MALWARE-BACKDOOR PhaseZero Server Active on Network"; flow:established,to_client; content:"phAse zero server",depth 17,nocase; metadata:ruleset community; reference:url,www.megasecurity.org/trojans/p/phasezero/PhaseZero1.0b.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=4539; classtype:trojan-activity; sid:208; rev:12; )
# Telnet backdoor / rootkit password strings (sid 209-220).
# Every rule is a single bare content match anywhere in client-to-server data sent to
# $TELNET_SERVERS port 23, with no depth, offset or pcre. Several strings are ordinary
# words ("backdoor" with nocase, "friday", "satori", "wank"), so a hit is a lead to
# correlate with login activity on the target host, not proof of a backdoor by itself.
# Most are classtype attempted-admin, which maps to a high priority in default configs
# (NOTE(review): confirm against the local classification.config).
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"MALWARE-BACKDOOR w00w00 attempt"; flow:to_server,established; content:"w00w00"; metadata:ruleset community; classtype:attempted-admin; sid:209; rev:9; )
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"MALWARE-BACKDOOR attempt"; flow:to_server,established; content:"backdoor",nocase; metadata:ruleset community; classtype:attempted-admin; sid:210; rev:7; )
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"MALWARE-BACKDOOR MISC r00t attempt"; flow:to_server,established; content:"r00t"; metadata:ruleset community; classtype:attempted-admin; sid:211; rev:7; )
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"MALWARE-BACKDOOR MISC rewt attempt"; flow:to_server,established; content:"rewt"; metadata:ruleset community; classtype:attempted-admin; sid:212; rev:7; )
# sid:213 and sid:215 carry the same msg text; distinguish them by sid in alert output.
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"MALWARE-BACKDOOR MISC Linux rootkit attempt"; flow:to_server,established; content:"wh00t!"; metadata:ruleset community; classtype:attempted-admin; sid:213; rev:8; )
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"MALWARE-BACKDOOR MISC Linux rootkit attempt lrkr0x"; flow:to_server,established; content:"lrkr0x"; metadata:ruleset community; classtype:attempted-admin; sid:214; rev:8; )
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"MALWARE-BACKDOOR MISC Linux rootkit attempt"; flow:to_server,established; content:"d13hh[",nocase; metadata:ruleset community; classtype:attempted-admin; sid:215; rev:8; )
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"MALWARE-BACKDOOR MISC Linux rootkit satori attempt"; flow:to_server,established; content:"satori"; metadata:ruleset community; classtype:attempted-admin; sid:216; rev:11; )
# sid:217: the msg names "sm4ck" but the string actually matched is "hax0r".
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"MALWARE-BACKDOOR MISC sm4ck attempt"; flow:to_server,established; content:"hax0r"; metadata:ruleset community; classtype:attempted-admin; sid:217; rev:7; )
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"MALWARE-BACKDOOR MISC Solaris 2.5 attempt"; flow:to_server,established; content:"friday"; metadata:ruleset community; classtype:attempted-user; sid:218; rev:8; )
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"MALWARE-BACKDOOR HidePak backdoor attempt"; flow:to_server,established; content:"StoogR"; metadata:ruleset community; classtype:misc-activity; sid:219; rev:10; )
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"MALWARE-BACKDOOR HideSource backdoor attempt"; flow:to_server,established; content:"wank"; metadata:ruleset community; classtype:misc-activity; sid:220; rev:10; )
# DDoS tool control traffic, part 1: TFN, tfn2k, Trin00, Stacheldraht (sid 221-229).
# All rules reference cve,2000-0138. The ICMP rules key on a fixed icmp_id together
# with itype (8 = echo request, 0 = echo reply) and, in most cases, a payload keyword.
# Rules whose source is $HOME_NET (sid 225, 226) point at an internal host emitting
# the tool's responses.
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP TFN Probe"; icmp_id:678; itype:8; content:"1234",fast_pattern,nocase; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:221; rev:12; )
# sid:222: echo reply with icmp_id 0 and ten consecutive "A" bytes; nocase means a run
# of lowercase "a" matches as well.
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP tfn2k icmp possible communication"; icmp_id:0; itype:0; content:"AAAAAAAAAA",fast_pattern,nocase; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:222; rev:10; )
# sid:223: "PONG" (nocase) in UDP to either port in the list [31335,35555].
alert udp $EXTERNAL_NET any -> $HOME_NET [31335,35555] ( msg:"MALWARE-OTHER Trin00 Daemon to Master PONG message detected"; flow:to_server; content:"PONG",fast_pattern,nocase; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:223; rev:13; )
# sid:224: the source address is hard-coded to 3.3.3.3/32 and there is no content
# option; the rule matches on address, icmp_id 666 and itype 0 alone.
alert icmp 3.3.3.3/32 any -> $EXTERNAL_NET any ( msg:"PROTOCOL-ICMP Stacheldraht server spoof"; icmp_id:666; itype:0; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:224; rev:10; )
alert icmp $HOME_NET any -> $EXTERNAL_NET any ( msg:"PROTOCOL-ICMP Stacheldraht gag server response"; icmp_id:669; itype:0; content:"sicken"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:225; rev:13; )
alert icmp $HOME_NET any -> $EXTERNAL_NET any ( msg:"PROTOCOL-ICMP Stacheldraht server response"; icmp_id:667; itype:0; content:"ficken"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:226; rev:13; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Stacheldraht client spoofworks"; icmp_id:1000; itype:0; content:"spoofworks"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:227; rev:13; )
# sid:228: icmp_id 456 is 0x01C8; the payload must start with 1-5 digits followed by a
# NUL byte. sid:251 later in the file is the same check with the byte-swapped id
# 51201 (0xC801), which is what the "BE"/"LE" suffixes in the two msg strings refer to.
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP TFN client command BE"; icmp_id:456; icmp_seq:0; itype:0; pcre:"/^[0-9]{1,5}\x00/"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:228; rev:11; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Stacheldraht client check skillz"; icmp_id:666; itype:0; content:"skillz"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:229; rev:12; )
# DDoS tool control traffic, part 2: shaft and Trin00 (sid 230-240).
# All rules reference cve,2000-0138 and are bound to the tools' fixed ports.
alert tcp $HOME_NET 20432 -> $EXTERNAL_NET any ( msg:"MALWARE-OTHER shaft client login to handler"; flow:to_client,established; content:"login|3A|",fast_pattern,nocase; metadata:ruleset community; reference:cve,2000-0138; reference:url,security.royans.net/info/posts/bugtraq_ddos3.shtml; classtype:attempted-dos; sid:230; rev:13; )
alert udp $EXTERNAL_NET any -> $HOME_NET 31335 ( msg:"MALWARE-OTHER Trin00 Daemon to Master message detected"; flow:to_server; content:"l44",fast_pattern,nocase; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:231; rev:11; )
alert udp $EXTERNAL_NET any -> $HOME_NET 31335 ( msg:"MALWARE-OTHER Trin00 Daemon to Master *HELLO* message detected"; flow:to_server; content:"*HELLO*"; metadata:ruleset community; reference:cve,2000-0138; reference:url,www.sans.org/newlook/resources/IDFAQ/trinoo.htm; classtype:attempted-dos; sid:232; rev:13; )
# sid:233-235 and sid:237 match literal strings that the msg fields describe as the
# tool's default passwords, so their coverage is limited to installations still using
# those defaults.
alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 ( msg:"MALWARE-OTHER Trin00 Attacker to Master default startup password"; flow:established,to_server; content:"betaalmostdone"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:233; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 ( msg:"MALWARE-OTHER Trin00 Attacker to Master default password"; flow:established,to_server; content:"gOrave"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:234; rev:8; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 ( msg:"MALWARE-OTHER Trin00 Attacker to Master default mdie password"; flow:established,to_server; content:"killme"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:235; rev:8; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Stacheldraht client check gag"; icmp_id:668; itype:0; content:"gesundheit!"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:236; rev:13; )
alert udp $EXTERNAL_NET any -> $HOME_NET 27444 ( msg:"MALWARE-OTHER Trin00 Master to Daemon default password attempt"; flow:to_server; content:"l44adsl"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:237; rev:10; )
alert icmp $HOME_NET any -> $EXTERNAL_NET any ( msg:"PROTOCOL-ICMP TFN server response"; icmp_id:123; itype:0; content:"shell bound"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:238; rev:14; )
# sid:239 / sid:240: "alive tijgu" on UDP 18753 and the bare word "alive" on UDP 20433.
# sid:240 in particular depends on the port for specificity.
alert udp $EXTERNAL_NET any -> $HOME_NET 18753 ( msg:"MALWARE-OTHER shaft handler to agent"; flow:to_server; content:"alive tijgu"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:239; rev:10; )
alert udp $EXTERNAL_NET any -> $HOME_NET 20433 ( msg:"MALWARE-OTHER shaft agent to handler"; flow:to_server; content:"alive"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:240; rev:10; )
# DDoS tool control traffic, part 3: mstream, plus the little-endian TFN variant
# (sid 243-251). All rules reference cve,2000-0138.
# These are among the weakest signatures in this part of the file: the payload match is
# a common word ("ping", "pong", "newserver") or a single ">" byte, so nearly all of
# the specificity comes from the port number. Any unrelated service using UDP 10498 or
# TCP 12754/15104 will generate alerts.
alert udp $EXTERNAL_NET any -> $HOME_NET 6838 ( msg:"MALWARE-OTHER mstream agent to handler"; flow:to_server; content:"newserver"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:243; rev:8; )
alert udp $EXTERNAL_NET any -> $HOME_NET 10498 ( msg:"MALWARE-OTHER mstream handler to agent"; flow:to_server; content:"stream/"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:244; rev:8; )
alert udp $EXTERNAL_NET any -> $HOME_NET 10498 ( msg:"MALWARE-OTHER mstream handler ping to agent"; flow:to_server; content:"ping"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:245; rev:8; )
# NOTE(review): sid:246's msg describes agent-to-handler traffic, yet it uses the same
# destination port (10498) as the handler-to-agent rules sid:244 and sid:245, whereas
# sid:243 uses 6838 for agent-to-handler. Verify the intended port.
alert udp $EXTERNAL_NET any -> $HOME_NET 10498 ( msg:"MALWARE-OTHER mstream agent pong to handler"; flow:to_server; content:"pong"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:246; rev:8; )
# sid:247, 248 and 250 match the single byte ">" in an established TCP session.
alert tcp $EXTERNAL_NET any -> $HOME_NET 12754 ( msg:"MALWARE-OTHER mstream client to handler"; flow:to_server,established; content:">"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:247; rev:8; )
alert tcp $HOME_NET 12754 -> $EXTERNAL_NET any ( msg:"MALWARE-OTHER mstream handler to client"; flow:to_client,established; content:">"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:248; rev:8; )
alert tcp $HOME_NET 15104 -> $EXTERNAL_NET any ( msg:"MALWARE-OTHER mstream handler to client"; flow:to_client,established; content:">"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:250; rev:10; )
# sid:251: same pcre and icmp_seq/itype as sid:228, with icmp_id 51201 (0xC801), the
# byte-swapped form of sid:228's 456 (0x01C8).
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP - TFN client command LE"; icmp_id:51201; icmp_seq:0; itype:0; pcre:"/^[0-9]{1,5}\x00/"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:251; rev:11; )
# DNS spoofing indicators and reconnaissance queries (sid 253-257). All tagged service:dns.
# sid:253: first content reads as DNS header flags 0x8580 with QDCOUNT 1, ANCOUNT 1 and
# NSCOUNT/ARCOUNT 0 ("no authority"); second content reads as a compressed name pointer
# (C0 0C), type 0x000C (PTR), class IN and a TTL of 00 00 00 3C = 60 seconds ("<" is 0x3C).
alert udp $EXTERNAL_NET 53 -> $HOME_NET any ( msg:"PROTOCOL-DNS SPOOF query response PTR with TTL of 1 min. and no authority"; flow:to_client; content:"|85 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 0C 00 01 00 00 00|<|00 0F|",fast_pattern,nocase; metadata:ruleset community; service:dns; classtype:bad-unknown; sid:253; rev:14; )
# sid:254: generalises the same idea for type 0x0001 (A) answers. After the flags bytes
# |81 80| the two 2-byte byte_tests require non-zero counts, the next content requires
# four zero bytes, and the final pair of 4-byte byte_tests bounds the value that
# follows the answer header to 1..60 (the TTL, per the msg).
# Short TTLs are also common on legitimate load-balanced or CDN-hosted names, so this
# rule needs tuning or suppression on busy resolvers.
alert udp $EXTERNAL_NET 53 -> $HOME_NET any ( msg:"PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority"; flow:to_client; content:"|81 80|",depth 4,offset 2,fast_pattern; byte_test:2,>,0,0,relative,big; byte_test:2,>,0,2,relative,big; content:"|00 00 00 00|",within 4,distance 4; content:"|C0 0C 00 01 00 01|",distance 0; byte_test:4,<,61,0,relative,big; byte_test:4,>,0,0,relative,big; metadata:ruleset community; service:dns; classtype:bad-unknown; sid:254; rev:15; )
# sid:255: zone-transfer request over TCP. byte_test:1,!&,0xF8,4 requires the top five
# bits of the byte at offset 4 to be clear; content |00 00 FC 00 01| is QTYPE 0x00FC
# (252, AXFR) with class IN, and isdataat:!1,relative requires that nothing follows it.
# Expected from authorised secondaries; alerts from any other source are worth triage.
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"PROTOCOL-DNS dns zone transfer via TCP detected"; flow:to_server,established; content:"|00 01 00 00 00 00 00|",depth 8,offset 6; byte_test:1,!&,0xF8,4; content:"|00 00 FC 00 01|",fast_pattern; isdataat:!1,relative; metadata:ruleset community; service:dns; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:255; rev:23; )
# sid:256 / sid:257: queries for the labels "authors" + "bind" and "version" + "bind"
# (length-prefixed, nocase, searched from offset 12). sid:256 is UDP only and sid:257
# is TCP only; the opposite-transport counterparts are not among the rules shown here.
alert udp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"PROTOCOL-DNS named authors attempt"; flow:to_server; content:"|07|authors",offset 12,nocase; content:"|04|bind|00|",offset 12,nocase; metadata:ruleset community; service:dns; reference:nessus,10728; classtype:attempted-recon; sid:256; rev:15; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"PROTOCOL-DNS named version attempt"; flow:to_server,established; content:"|07|version",offset 12,nocase; content:"|04|bind|00|",offset 12,nocase; metadata:ruleset community; service:dns; reference:nessus,10028; classtype:attempted-recon; sid:257; rev:17; )
# Exploit-payload signatures against DNS servers over TCP 53 (sid 258-267).
# Each rule matches one fixed byte or text sequence in client-to-server data; there is
# no protocol-level check of the DNS message itself. They therefore detect the specific
# payloads they were written for, and say nothing about whether the target is
# vulnerable; patch state of the name server remains the actual control.
# Several rules put nocase on binary patterns; nocase only affects letter bytes, so it
# slightly widens the match for patterns that include ASCII letters such as "/bin/sh".
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"SERVER-OTHER Bind Buffer Overflow via NXT records"; flow:to_server,established; content:"../../../",fast_pattern,nocase; metadata:ruleset community; service:dns; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:258; rev:17; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"SERVER-OTHER Bind Buffer Overflow via NXT records named overflow ADM"; flow:to_server,established; content:"thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool",fast_pattern,nocase; metadata:ruleset community; service:dns; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:259; rev:18; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"SERVER-OTHER Bind Buffer Overflow via NXT records named overflow ADMROCKS"; flow:to_server,established; content:"ADMROCKS"; metadata:ruleset community; service:dns; reference:bugtraq,788; reference:cve,1999-0833; reference:url,www.cert.org/advisories/CA-1999-14.html; classtype:attempted-admin; sid:260; rev:19; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"SERVER-OTHER Bind named overflow attempt"; flow:to_server,established; content:"|CD 80 E8 D7 FF FF FF|/bin/sh",fast_pattern,nocase; metadata:ruleset community; service:dns; reference:url,www.cert.org/advisories/CA-1998-05.html; classtype:attempted-admin; sid:261; rev:16; )
# sid:262-267 carry no reference: options. The msg strings of sid:262, 264, 265 and 266
# repeat their category prefix ("OS-LINUX OS-LINUX", "OS-OTHER OS-OTHER"); this is
# cosmetic, but it is the text that appears in alert output.
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"OS-LINUX OS-LINUX x86 Linux overflow attempt"; flow:to_server,established; content:"1|C0 B0|?1|DB B3 FF|1|C9 CD 80|1|C0|",fast_pattern,nocase; metadata:ruleset community; service:dns; classtype:attempted-admin; sid:262; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"OS-LINUX OS-LINUX x86 Linux overflow attempt"; flow:to_server,established; content:"1|C0 B0 02 CD 80 85 C0|uL|EB|L^|B0|"; metadata:ruleset community; service:dns; classtype:attempted-admin; sid:264; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"OS-LINUX OS-LINUX x86 Linux overflow attempt ADMv2"; flow:to_server,established; content:"|89 F7 29 C7 89 F3 89 F9 89 F2 AC|<|FE|",fast_pattern,nocase; metadata:ruleset community; service:dns; classtype:attempted-admin; sid:265; rev:15; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"OS-OTHER OS-OTHER x86 FreeBSD overflow attempt"; flow:to_server,established; content:"|EB|n^|C6 06 9A|1|C9 89|N|01 C6|F|05|"; metadata:ruleset community; service:dns; classtype:attempted-admin; sid:266; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"OS-SOLARIS EXPLOIT sparc overflow attempt"; flow:to_server,established; content:"|90 1A C0 0F 90 02| |08 92 02| |0F D0 23 BF F8|",fast_pattern,nocase; metadata:ruleset community; service:dns; classtype:attempted-admin; sid:267; rev:13; )
# Denial-of-service signatures (sid 271-281). All are classtype attempted-dos.
# sid:271: the only rule here using the bidirectional operator "<>" and bare "any"
# addresses, so it also fires on purely internal traffic between UDP 19 (chargen) and
# UDP 7 (echo). There is no content; the port pair is the entire signature.
alert udp any 19 <> any 7 ( msg:"SERVER-OTHER UDP echo+chargen bomb"; flow:to_server; metadata:ruleset community; reference:cve,1999-0103; reference:cve,1999-0635; classtype:attempted-dos; sid:271; rev:11; )
# sid:272: IP protocol 2 (IGMP) with the More Fragments bit set (fragbits:M+), i.e. any
# fragmented IGMP packet from outside.
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"OS-WINDOWS Microsoft WIndows IGMP dos attack"; fragbits:M+; ip_proto:2; metadata:ruleset community; reference:bugtraq,514; reference:cve,1999-0918; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-034; classtype:attempted-dos; sid:272; rev:16; )
# sid:274: the modem escape/hang-up string "+++ath" (nocase) inside an ICMP echo request.
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP ath"; itype:8; content:"+++ath",fast_pattern,nocase; metadata:ruleset community; reference:cve,1999-1228; classtype:attempted-dos; sid:274; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 ( msg:"SERVER-OTHER RealNetworks Audio Server denial of service attempt"; flow:to_server,established; content:"|FF F4 FF FD 06|",fast_pattern,nocase; metadata:ruleset community; reference:cve,1999-0271; reference:nessus,10183; classtype:attempted-dos; sid:276; rev:13; )
# sid:277 / sid:278: identical content on ports 7070 and 8080. The URI is matched as a
# raw payload string (no http_* buffer or service:http), so URL-encoded forms of the
# path are not normalised before matching.
alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 ( msg:"SERVER-OTHER RealNetworks Server template.html"; flow:to_server,established; content:"/viewsource/template.html?",fast_pattern,nocase; metadata:ruleset community; reference:bugtraq,1288; reference:cve,2000-0474; reference:nessus,10461; classtype:attempted-dos; sid:277; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( msg:"SERVER-OTHER RealNetworks Server template.html"; flow:to_server,established; content:"/viewsource/template.html?",fast_pattern,nocase; metadata:ruleset community; reference:bugtraq,1288; reference:cve,2000-0474; classtype:attempted-dos; sid:278; rev:13; )
# sid:279: any zero-length UDP datagram (dsize:0) to port 161 from outside. Some port
# scanners send empty UDP probes, so expect this to fire on scans as well.
alert udp $EXTERNAL_NET any -> $HOME_NET 161 ( msg:"SERVER-OTHER Bay/Nortel Nautica Marlin"; flow:to_server; dsize:0; metadata:ruleset community; reference:bugtraq,1009; reference:cve,2000-0221; classtype:attempted-dos; sid:279; rev:10; )
# sid:281: "NAMENAME" searched in a 50-byte window starting at offset 25, on UDP 9 (discard).
alert udp $EXTERNAL_NET any -> $HOME_NET 9 ( msg:"SERVER-OTHER Ascend Route"; flow:to_server; content:"NAMENAME",depth 50,offset 25; metadata:ruleset community; reference:bugtraq,714; reference:cve,1999-0060; classtype:attempted-dos; sid:281; rev:12; )
# Client and POP3 overflow payload signatures (sid 283-290).
# sid:283 looks for a fixed byte sequence in server-to-client data from port 80. The
# same byte sequence is used by sid:311 later in the file in the opposite direction.
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any ( msg:"BROWSER-OTHER Netscape 4.7 client overflow"; flow:to_client,established; content:"3|C9 B1 10|?|E9 06|Q<|FA|G3|C0|P|F7 D0|P"; metadata:ruleset community; reference:bugtraq,822; reference:cve,1999-1189; reference:cve,2000-1187; classtype:attempted-user; sid:283; rev:14; )
# POP3 rules: all bound to TCP 110 with service:pop3, client-to-server.
# sid:286 and sid:287 share a msg; distinguish them by sid.
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( msg:"PROTOCOL-POP EXPLOIT x86 BSD overflow"; flow:to_server,established; content:"^|0E|1|C0 B0 3B 8D|~|0E 89 FA 89 F9|",fast_pattern,nocase; metadata:ruleset community; service:pop3; reference:bugtraq,133; reference:cve,1999-0006; reference:nessus,10196; classtype:attempted-admin; sid:286; rev:18; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( msg:"PROTOCOL-POP EXPLOIT x86 BSD overflow"; flow:to_server,established; content:"h]^|FF D5 FF D4 FF F5 8B F5 90|f1",fast_pattern,nocase; metadata:ruleset community; service:pop3; classtype:attempted-admin; sid:287; rev:12; )
# sid:288's pattern ends with the exact bytes that make up sid:290's whole pattern
# (|E8 D9 FF FF FF|/bin/sh), and both rules share header and flow. Any packet that
# matches sid:288 therefore also matches sid:290, producing two alerts for one event.
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( msg:"PROTOCOL-POP EXPLOIT x86 Linux overflow"; flow:to_server,established; content:"|D8|@|CD 80 E8 D9 FF FF FF|/bin/sh",fast_pattern,nocase; metadata:ruleset community; service:pop3; classtype:attempted-admin; sid:288; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( msg:"PROTOCOL-POP EXPLOIT x86 SCO overflow"; flow:to_server,established; content:"V|0E|1|C0 B0 3B 8D|~|12 89 F9 89 F9|",fast_pattern,nocase; metadata:ruleset community; service:pop3; reference:bugtraq,133; reference:bugtraq,156; reference:cve,1999-0006; classtype:attempted-admin; sid:289; rev:16; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 ( msg:"PROTOCOL-POP EXPLOIT qpopper overflow"; flow:to_server,established; content:"|E8 D9 FF FF FF|/bin/sh",fast_pattern,nocase; metadata:ruleset community; service:pop3; reference:bugtraq,830; reference:cve,1999-0822; reference:nessus,10184; classtype:attempted-admin; sid:290; rev:16; )
# Service-specific overflow payload signatures (sid 292-304): samba (139), npls (2766),
# lpd (515), BIND TSIG (53) and SCO calserver (6373). Each is one fixed byte pattern in
# client-to-server TCP data on the service's port, classtype attempted-admin.
# Only sid:303 carries a service: tag; the others match on port alone.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"OS-LINUX x86 Linux samba overflow"; flow:to_server,established; content:"|EB|/_|EB|J^|89 FB 89|>|89 F2|"; metadata:ruleset community; reference:bugtraq,1816; reference:bugtraq,536; reference:cve,1999-0182; reference:cve,1999-0811; classtype:attempted-admin; sid:292; rev:11; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 2766 ( msg:"OS-SOLARIS Oracle Solaris npls x86 overflow"; flow:to_server,established; content:"|EB 23|^3|C0 88|F|FA 89|F|F5 89|6"; metadata:ruleset community; reference:bugtraq,2319; reference:cve,1999-1588; classtype:attempted-admin; sid:300; rev:13; )
# sid:301 and sid:302 both reference bugtraq,1712 / cve,2000-0917 on port 515.
# sid:301 matches a byte sequence ending in "/bin/sh" and a newline; sid:302 matches a
# printf-style format string ("|24|" is "$", so the tail reads "%300$n").
alert tcp $EXTERNAL_NET any -> $HOME_NET 515 ( msg:"SERVER-OTHER LPRng overflow"; flow:to_server,established; content:"C|07 89|[|08 8D|K|08 89|C|0C B0 0B CD 80|1|C0 FE C0 CD 80 E8 94 FF FF FF|/bin/sh|0A|"; metadata:ruleset community; reference:bugtraq,1712; reference:cve,2000-0917; classtype:attempted-admin; sid:301; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 515 ( msg:"OS-LINUX Redhat 7.0 lprd overflow"; flow:to_server,established; content:"XXXX%.172u%300|24|n"; metadata:ruleset community; reference:bugtraq,1712; reference:cve,2000-0917; classtype:attempted-admin; sid:302; rev:14; )
# sid:303 is the TCP form of the TSIG overflow rule; sid:314 later in the file has the
# same msg and references for UDP with a different byte pattern.
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"SERVER-OTHER Bind Buffer Overflow named tsig overflow attempt"; flow:to_server,established; content:"|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01| |02|a"; metadata:ruleset community; service:dns; reference:bugtraq,2302; reference:cve,2001-0010; reference:nessus,10605; classtype:attempted-admin; sid:303; rev:23; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 6373 ( msg:"SERVER-OTHER SCO calserver overflow"; flow:to_server,established; content:"|EB 7F|]U|FE|M|98 FE|M|9B|"; metadata:ruleset community; reference:bugtraq,2353; reference:cve,2000-0306; classtype:attempted-admin; sid:304; rev:12; )
# Proxy, admin-interface, IRC, FTP-client and mail overflow signatures (sid 305-311).
# sid:305: requires at least 1000 bytes of payload (isdataat:1000) and the string
# "whois://" (nocase) on port 8080; the length check is what separates an oversized
# request from an ordinary whois URL.
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 ( msg:"SERVER-OTHER delegate proxy overflow"; flow:to_server,established; isdataat:1000; content:"whois|3A|//",nocase; metadata:ruleset community; reference:bugtraq,808; reference:cve,2000-0165; classtype:attempted-admin; sid:305; rev:15; )
# sid:306: matches the plain request line "GET / HTTP/1.1" (nocase) on port 9090, so
# any HTTP/1.1 request for "/" to any service on that port raises an attempted-admin
# alert. Scope or suppress it where port 9090 hosts other web applications.
alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 ( msg:"SERVER-OTHER VQServer admin"; flow:to_server,established; content:"GET / HTTP/1.1",nocase; metadata:ruleset community; reference:bugtraq,1610; reference:cve,2000-0766; reference:nessus,10354; reference:url,www.vqsoft.com/vq/server/docs/other/control.html; classtype:attempted-admin; sid:306; rev:13; )
# NOTE(review): sid:307's header sends traffic to $HOME_NET ports 6666:7000 while the
# flow option is to_client; the other to_client rules in this file put the service
# port on the source side (compare sid:308). Confirm the rule matches the intended
# direction in your deployment.
alert tcp $EXTERNAL_NET any -> $HOME_NET 6666:7000 ( msg:"SERVER-OTHER CHAT IRC topic overflow"; flow:to_client,established; content:"|EB|K[S2|E4 83 C3 0B|K|88 23 B8|Pw"; metadata:ruleset community; reference:bugtraq,573; reference:cve,1999-0672; classtype:attempted-user; sid:307; rev:12; )
alert tcp $EXTERNAL_NET 21 -> $HOME_NET any ( msg:"SERVER-OTHER NextFTP client overflow"; flow:to_client,established; content:"|B4| |B4|!|8B CC 83 E9 04 8B 19|3|C9|f|B9 10|"; metadata:ruleset community; service:ftp; reference:bugtraq,572; reference:cve,1999-0671; classtype:attempted-user; sid:308; rev:14; )
# sid:309: packet-level checks (dsize:>512, flags:A+) combined with "from:" followed by
# eleven 0x90 bytes. dsize is evaluated against individual packets.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL sniffit overflow"; flow:to_server,established; dsize:>512; flags:A+; content:"from|3A 90 90 90 90 90 90 90 90 90 90 90|",nocase; metadata:ruleset community; service:smtp; reference:bugtraq,1158; reference:cve,2000-0343; classtype:attempted-admin; sid:309; rev:16; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL x86 windows MailMax overflow"; flow:to_server,established; content:"|EB|E|EB| [|FC|3|C9 B1 82 8B F3 80|+",fast_pattern,nocase; metadata:ruleset community; service:smtp; reference:bugtraq,2312; reference:cve,1999-0404; classtype:attempted-admin; sid:310; rev:13; )
# sid:311: same byte pattern as sid:283, but seen leaving $HOME_NET towards port 80 and
# classified unsuccessful-user. The msg spelling "unsucessful" is part of the alert
# text and is left as published.
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 ( msg:"BROWSER-OTHER Netscape 4.7 unsucessful overflow"; flow:to_server,established; content:"3|C9 B1 10|?|E9 06|Q<|FA|G3|C0|P|F7 D0|P"; metadata:ruleset community; reference:bugtraq,822; reference:cve,1999-1189; reference:cve,2000-1187; classtype:unsuccessful-user; sid:311; rev:15; )
alert udp $EXTERNAL_NET any -> $HOME_NET 518 ( msg:"OS-LINUX ntalkd x86 Linux overflow"; flow:to_server; content:"|01 03 00 00 00 00 00 01 00 02 02 E8|",fast_pattern,nocase; metadata:ruleset community; reference:bugtraq,210; classtype:attempted-admin; sid:313; rev:9; )
alert udp $EXTERNAL_NET any -> $HOME_NET 53 ( msg:"SERVER-OTHER Bind Buffer Overflow named tsig overflow attempt"; flow:to_server; content:"|80 00 07 00 00 00 00 00 01|?|00 01 02|",fast_pattern,nocase; metadata:ruleset community; service:dns; reference:bugtraq,2302; reference:cve,2001-0010; classtype:attempted-admin; sid:314; rev:22; )
alert udp $EXTERNAL_NET any -> $HOME_NET 635 ( msg:"OS-LINUX x86 Linux mountd overflow"; flow:to_server; content:"^|B0 02 89 06 FE C8 89|F|04 B0 06 89|F"; metadata:ruleset community; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:315; rev:10; )
alert udp $EXTERNAL_NET any -> $HOME_NET 635 ( msg:"OS-LINUX x86 Linux mountd overflow"; flow:to_server; content:"|EB|V^VVV1|D2 88|V|0B 88|V|1E|"; metadata:ruleset community; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:316; rev:10; )
alert udp $EXTERNAL_NET any -> $HOME_NET 635 ( msg:"OS-LINUX x86 Linux mountd overflow"; flow:to_server; content:"|EB|@^1|C0|@|89|F|04 89 C3|@|89 06|"; metadata:ruleset community; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:317; rev:10; )
# PROTOCOL-FINGER rules (TCP/79, client-to-server, established sessions only).
# Apart from sid 331, none of these anchors its pattern with depth/offset, and
# most patterns are one to six bytes long. Several rules can therefore fire on
# one request: sid 330 ("@") matches everything sid 328 ("@@") matches, and
# sids 323/332/333 match any request containing "root", "0" or ".".
# Treat hits as low-fidelity and correlate them with other evidence.
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 ( msg:"PROTOCOL-FINGER cmd_rootsh backdoor attempt"; flow:to_server,established; content:"cmd_rootsh"; metadata:ruleset community; reference:nessus,10070; reference:url,www.sans.org/y2k/TFN_toolkit.htm; reference:url,www.sans.org/y2k/fingerd.htm; classtype:attempted-admin; sid:320; rev:15; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 ( msg:"PROTOCOL-FINGER account enumeration attempt"; flow:to_server,established; content:"a b c d e f",nocase; metadata:ruleset community; reference:nessus,10788; classtype:attempted-recon; sid:321; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 ( msg:"PROTOCOL-FINGER search query"; flow:to_server,established; content:"search"; metadata:ruleset community; reference:cve,1999-0259; classtype:attempted-recon; sid:322; rev:16; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 ( msg:"PROTOCOL-FINGER root query"; flow:to_server,established; content:"root"; metadata:ruleset community; classtype:attempted-recon; sid:323; rev:11; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 ( msg:"PROTOCOL-FINGER null request"; flow:to_server,established; content:"|00|"; metadata:ruleset community; reference:cve,1999-0612; classtype:attempted-recon; sid:324; rev:12; )
# sids 326 and 327 look for a single shell metacharacter (";" and "|") anywhere
# in the request.
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 ( msg:"PROTOCOL-FINGER remote command execution attempt"; flow:to_server,established; content:"|3B|"; metadata:ruleset community; reference:bugtraq,974; reference:cve,1999-0150; classtype:attempted-user; sid:326; rev:15; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 ( msg:"PROTOCOL-FINGER remote command pipe execution attempt"; flow:to_server,established; content:"|7C|"; metadata:ruleset community; reference:bugtraq,2220; reference:cve,1999-0152; classtype:attempted-user; sid:327; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 ( msg:"PROTOCOL-FINGER bomb attempt"; flow:to_server,established; content:"@@"; metadata:ruleset community; reference:cve,1999-0106; classtype:attempted-dos; sid:328; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 ( msg:"PROTOCOL-FINGER redirection attempt"; flow:to_server,established; content:"@"; metadata:ruleset community; reference:cve,1999-0105; reference:nessus,10073; classtype:attempted-recon; sid:330; rev:15; )
# sid 331: the only finger rule here with a positional bound; a newline followed
# by a space must occur within the first 10 bytes.
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 ( msg:"PROTOCOL-FINGER cybercop query"; flow:to_server,established; content:"|0A| ",depth 10; metadata:ruleset community; reference:cve,1999-0612; classtype:attempted-recon; sid:331; rev:16; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 ( msg:"PROTOCOL-FINGER 0 query"; flow:to_server,established; content:"0"; metadata:ruleset community; reference:cve,1999-0197; reference:nessus,10069; classtype:attempted-recon; sid:332; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 ( msg:"PROTOCOL-FINGER . query"; flow:to_server,established; content:"."; metadata:ruleset community; reference:cve,1999-0198; reference:nessus,10072; classtype:attempted-recon; sid:333; rev:14; )
# PROTOCOL-FTP rules on the control channel (client-to-server, TCP/21, tagged
# service:ftp). They fall into three groups: sensitive file names (334, 335,
# 356), risky commands or arguments (336, 337, 360-362), and fixed PASS strings
# that the msg text attributes to specific scanning tools (353-359).
#
# sids 334/335: plain substring matches, not tied to any FTP command. A hit shows
# only that the name appeared in client-to-server data. sid 335 is set to drop in
# the max-detect IPS policy.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP .forward"; flow:to_server,established; content:".forward"; metadata:ruleset community; service:ftp; classtype:suspicious-filename-detect; sid:334; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP .rhosts"; flow:to_server,established; content:".rhosts"; metadata:policy max-detect-ips drop,ruleset community; service:ftp; classtype:suspicious-filename-detect; sid:335; rev:16; )
# sid 336: the two content matches pre-filter; the pcre then requires
# "CWD <whitespace>~root" at the start of a line (case-insensitive, multiline).
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP CWD ~root attempt"; flow:to_server,established; content:"CWD",nocase; content:"~root",distance 1,nocase; pcre:"/^CWD\s+~root/smi"; metadata:ruleset community; service:ftp; reference:cve,1999-0082; classtype:bad-unknown; sid:336; rev:17; )
# sid 337: length-based check. It needs 100 bytes of data after "CEL" and a
# 100-character argument with no newline, so it does not depend on a payload.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP CEL overflow attempt"; flow:to_server,established; content:"CEL",nocase; isdataat:100,relative; pcre:"/^CEL(?!\n)\s[^\n]{100}/smi"; metadata:ruleset community; service:ftp; reference:bugtraq,679; reference:cve,1999-0789; reference:nessus,10009; classtype:attempted-admin; sid:337; rev:21; )
# sids 353-355, 357-359: each matches one literal PASS argument. A tool that is
# configured with a different password will not trigger them.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP adm scan"; flow:to_server,established; content:"PASS ddd@|0A|",fast_pattern,nocase; metadata:ruleset community; service:ftp; classtype:suspicious-login; sid:353; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP iss scan"; flow:to_server,established; content:"pass -iss@iss",fast_pattern,nocase; metadata:ruleset community; service:ftp; classtype:suspicious-login; sid:354; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP pass wh00t"; flow:to_server,established; content:"pass wh00t",fast_pattern,nocase; metadata:ruleset community; service:ftp; classtype:suspicious-login; sid:355; rev:13; )
# sid 356: "RETR" and "passwd" are independent matches (no distance/within), so
# "passwd" may appear anywhere in the inspected data, not only as the RETR
# argument.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP passwd retrieval attempt"; flow:to_server,established; content:"RETR",nocase; content:"passwd"; metadata:ruleset community; service:ftp; classtype:suspicious-filename-detect; sid:356; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP piss scan"; flow:to_server,established; content:"pass -cklaus",fast_pattern,nocase; metadata:ruleset community; service:ftp; reference:url,www.mines.edu/fs_home/dlarue/cc/baby-doe.html; classtype:suspicious-login; sid:357; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP saint scan"; flow:to_server,established; content:"pass -saint",fast_pattern,nocase; metadata:ruleset community; service:ftp; classtype:suspicious-login; sid:358; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP satan scan"; flow:to_server,established; content:"pass -satan",fast_pattern,nocase; metadata:ruleset community; service:ftp; classtype:suspicious-login; sid:359; rev:12; )
# sid 360: matches the literal ".%20." only; other encodings of the same path
# element are outside this rule.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP serv-u directory traversal"; flow:to_server,established; content:".%20.",fast_pattern,nocase; metadata:ruleset community; service:ftp; reference:bugtraq,2052; reference:cve,2001-0054; reference:nessus,10565; classtype:bad-unknown; sid:360; rev:16; )
# sid 361: fires on any SITE EXEC command at the start of a line, regardless of
# its argument.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP SITE EXEC attempt"; flow:to_server,established; content:"SITE",nocase; content:"EXEC",distance 0,nocase; pcre:"/^SITE\s+EXEC/smi"; metadata:ruleset community; service:ftp; reference:bugtraq,2241; reference:cve,1999-0080; reference:cve,1999-0955; classtype:bad-unknown; sid:361; rev:22; )
# sid 362: looks for the tar option " --use-compress-program " (with surrounding
# spaces) in an FTP command.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP tar parameters"; flow:to_server,established; content:" --use-compress-program ",fast_pattern,nocase; metadata:ruleset community; service:ftp; reference:bugtraq,2240; reference:cve,1999-0202; reference:cve,1999-0997; classtype:bad-unknown; sid:362; rev:20; )
# sids 363/364: ICMP router discovery (types 9 and 10) with no icode constraint.
# sids 441 and 443 elsewhere in this file match the same types with icode:0, so
# a code-0 packet raises both alerts.
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP IRDP router advertisement"; itype:9; metadata:ruleset community; reference:bugtraq,578; reference:cve,1999-0875; classtype:misc-activity; sid:363; rev:11; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP IRDP router selection"; itype:10; metadata:ruleset community; reference:bugtraq,578; reference:cve,1999-0875; classtype:misc-activity; sid:364; rev:11; )
# Echo-request fingerprinting (sids 365-384). Each rule takes an inbound echo
# request (itype:8) and labels it by the sender's payload bytes, or by size/IP-ID
# where there is no content match. All are classtype misc-activity, which makes
# them inventory data rather than attack indicators. sid 384 at the end of the
# group matches every code-0 echo request, so it fires alongside any of the
# fingerprint rules for the same packet.
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING undefined code"; icode:>0; itype:8; metadata:ruleset community; classtype:misc-activity; sid:365; rev:11; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING Unix"; itype:8; content:"|10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F|",depth 32; metadata:ruleset community; classtype:misc-activity; sid:366; rev:11; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING BSDtype"; itype:8; content:"|08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17|",depth 32; metadata:ruleset community; classtype:misc-activity; sid:368; rev:10; )
# sid 369's 15-byte pattern is a prefix of sid 373's 16-byte pattern, so any
# packet that matches 373 also matches 369.
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING BayRS Router"; itype:8; content:"|01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F|",depth 32; metadata:ruleset community; classtype:misc-activity; sid:369; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING BeOS4.x"; itype:8; content:"|00 00 00 00 00 00 00 00 00 00 00 00 08 09 0A 0B|",depth 32; metadata:ruleset community; classtype:misc-activity; sid:370; rev:11; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING Cisco Type.x"; itype:8; content:"|AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD|",depth 32; metadata:ruleset community; classtype:misc-activity; sid:371; rev:11; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING Delphi-Piette Windows"; itype:8; content:"Pinging from Del",depth 32; metadata:ruleset community; classtype:misc-activity; sid:372; rev:11; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING Flowpoint2200 or Network Management Software"; itype:8; content:"|01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10|",depth 32; metadata:ruleset community; classtype:misc-activity; sid:373; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING IP NetMonitor Macintosh"; itype:8; content:"|A9| Sustainable So",depth 32; metadata:ruleset community; classtype:misc-activity; sid:374; rev:11; )
# sid 375 has no payload match: it keys on an 8-byte payload size and IP ID
# 13170. sid 381 below matches any 8-byte echo request, so it also fires
# whenever 375 does.
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING LINUX/*BSD"; dsize:8; id:13170; itype:8; metadata:ruleset community; classtype:misc-activity; sid:375; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING Microsoft Windows"; itype:8; content:"0123456789abcdefghijklmnop",depth 32; metadata:ruleset community; classtype:misc-activity; sid:376; rev:11; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING Network Toolbox 3 Windows"; itype:8; content:"================",depth 32; metadata:ruleset community; classtype:misc-activity; sid:377; rev:11; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING Ping-O-MeterWindows"; itype:8; content:"OMeterObeseArmad",depth 32; metadata:ruleset community; classtype:misc-activity; sid:378; rev:11; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING Pinger Windows"; itype:8; content:"Data|00 00 00 00 00 00 00 00 00 00 00 00|",depth 32; metadata:ruleset community; classtype:misc-activity; sid:379; rev:11; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING Seer Windows"; itype:8; content:"|88 04| ",depth 32; metadata:ruleset community; classtype:misc-activity; sid:380; rev:11; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING Oracle Solaris"; dsize:8; itype:8; metadata:ruleset community; classtype:misc-activity; sid:381; rev:11; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING Windows"; itype:8; content:"abcdefghijklmnop",depth 16; metadata:ruleset community; classtype:misc-activity; sid:382; rev:11; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING"; icode:0; itype:8; metadata:ruleset community; classtype:misc-activity; sid:384; rev:8; )
# sid 385: an inbound echo request with IP TTL 1, classed attempted-recon.
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP traceroute"; itype:8; ttl:1; metadata:ruleset community; classtype:attempted-recon; sid:385; rev:8; )
# ICMP type/code catalogue (sids 386-463). Header-only rules: each matches on
# itype/icode alone, with no payload inspection, and all are classtype
# misc-activity. The usual pattern is one rule per defined code plus an
# "undefined code" rule using icode:>N for anything above the highest defined
# code. These suit baselining and anomaly review; a single hit says little alone.
#
# Direction: most rules watch inbound traffic ($EXTERNAL_NET -> $HOME_NET).
# Address Mask Reply (386), Information Reply (415/416) and Time-To-Live
# Exceeded (449/450) instead watch outbound replies leaving $HOME_NET.
# NOTE(review): sid 387 is the inbound counterpart of outbound sid 386, unlike
# the 415/416 pair, which are both outbound. Confirm the asymmetry is intended.
alert icmp $HOME_NET any -> $EXTERNAL_NET any ( msg:"PROTOCOL-ICMP Address Mask Reply"; icode:0; itype:18; metadata:ruleset community; classtype:misc-activity; sid:386; rev:8; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Address Mask Reply undefined code"; icode:>0; itype:18; metadata:ruleset community; classtype:misc-activity; sid:387; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Address Mask Request"; icode:0; itype:17; metadata:ruleset community; classtype:misc-activity; sid:388; rev:8; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Address Mask Request undefined code"; icode:>0; itype:17; metadata:ruleset community; classtype:misc-activity; sid:389; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Alternate Host Address"; icode:0; itype:6; metadata:ruleset community; classtype:misc-activity; sid:390; rev:8; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Alternate Host Address undefined code"; icode:>0; itype:6; metadata:ruleset community; classtype:misc-activity; sid:391; rev:11; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Datagram Conversion Error"; icode:0; itype:31; metadata:ruleset community; classtype:misc-activity; sid:392; rev:8; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Datagram Conversion Error undefined code"; icode:>0; itype:31; metadata:ruleset community; classtype:misc-activity; sid:393; rev:11; )
# Destination Unreachable (itype:3), sids 394-407, one rule per code 0-15 except
# codes 9, 10 and 13, which have no rule in this span. sids 396, 402 and 404
# carry CVE references.
# sids 402 and 404 are set to drop in the max-detect IPS policy.
# NOTE(review): port- and protocol-unreachable messages are also ordinary error
# signalling, so enabling that policy drops them wholesale. Confirm the
# operational impact before deploying it inline.
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Destination Unreachable Destination Host Unknown"; icode:7; itype:3; metadata:ruleset community; classtype:misc-activity; sid:394; rev:9; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Destination Unreachable Destination Network Unknown"; icode:6; itype:3; metadata:ruleset community; classtype:misc-activity; sid:395; rev:9; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Destination Unreachable Fragmentation Needed and DF bit was set"; icode:4; itype:3; metadata:ruleset community; reference:cve,2004-0790; reference:cve,2005-0068; reference:cve,2015-7759; classtype:misc-activity; sid:396; rev:11; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Destination Unreachable Host Precedence Violation"; icode:14; itype:3; metadata:ruleset community; classtype:misc-activity; sid:397; rev:9; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Destination Unreachable Host Unreachable for Type of Service"; icode:12; itype:3; metadata:ruleset community; classtype:misc-activity; sid:398; rev:9; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Destination Unreachable Host Unreachable"; icode:1; itype:3; metadata:ruleset community; classtype:misc-activity; sid:399; rev:9; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Destination Unreachable Network Unreachable for Type of Service"; icode:11; itype:3; metadata:ruleset community; classtype:misc-activity; sid:400; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Destination Unreachable Network Unreachable"; icode:0; itype:3; metadata:ruleset community; classtype:misc-activity; sid:401; rev:9; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP destination unreachable port unreachable packet detected"; icode:3; itype:3; metadata:policy max-detect-ips drop,ruleset community; reference:cve,2004-0790; reference:cve,2005-0068; classtype:misc-activity; sid:402; rev:16; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Destination Unreachable Precedence Cutoff in effect"; icode:15; itype:3; metadata:ruleset community; classtype:misc-activity; sid:403; rev:9; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Destination Unreachable Protocol Unreachable"; icode:2; itype:3; metadata:policy max-detect-ips drop,ruleset community; reference:cve,2004-0790; reference:cve,2005-0068; classtype:misc-activity; sid:404; rev:14; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Destination Unreachable Source Host Isolated"; icode:8; itype:3; metadata:ruleset community; classtype:misc-activity; sid:405; rev:9; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Destination Unreachable Source Route Failed"; icode:5; itype:3; metadata:ruleset community; classtype:misc-activity; sid:406; rev:9; )
# NOTE(review): the msg of sid 407 reads "cndefined", presumably a typo for
# "undefined". It is left as published because consumers may match on msg text;
# key on the sid instead.
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Destination Unreachable cndefined code"; icode:>15; itype:3; metadata:ruleset community; classtype:misc-activity; sid:407; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Echo Reply"; icode:0; itype:0; metadata:ruleset community; classtype:misc-activity; sid:408; rev:8; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Echo Reply undefined code"; icode:>0; itype:0; metadata:ruleset community; classtype:misc-activity; sid:409; rev:10; )
# Type 11 is split across three rules: code 1 inbound here (410), code 0
# outbound (449) and codes above 1 outbound (450).
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Fragment Reassembly Time Exceeded"; icode:1; itype:11; metadata:ruleset community; classtype:misc-activity; sid:410; rev:8; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP IPV6 I-Am-Here"; icode:0; itype:34; metadata:ruleset community; classtype:misc-activity; sid:411; rev:8; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP IPV6 I-Am-Here undefined code"; icode:>0; itype:34; metadata:ruleset community; classtype:misc-activity; sid:412; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP IPV6 Where-Are-You"; icode:0; itype:33; metadata:ruleset community; classtype:misc-activity; sid:413; rev:8; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP IPV6 Where-Are-You undefined code"; icode:>0; itype:33; metadata:ruleset community; classtype:misc-activity; sid:414; rev:10; )
alert icmp $HOME_NET any -> $EXTERNAL_NET any ( msg:"PROTOCOL-ICMP Information Reply"; icode:0; itype:16; metadata:ruleset community; classtype:misc-activity; sid:415; rev:8; )
alert icmp $HOME_NET any -> $EXTERNAL_NET any ( msg:"PROTOCOL-ICMP Information Reply undefined code"; icode:>0; itype:16; metadata:ruleset community; classtype:misc-activity; sid:416; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Information Request"; icode:0; itype:15; metadata:ruleset community; classtype:misc-activity; sid:417; rev:8; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Information Request undefined code"; icode:>0; itype:15; metadata:ruleset community; classtype:misc-activity; sid:418; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Mobile Host Redirect"; icode:0; itype:32; metadata:ruleset community; classtype:misc-activity; sid:419; rev:8; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Mobile Host Redirect undefined code"; icode:>0; itype:32; metadata:ruleset community; classtype:misc-activity; sid:420; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Mobile Registration Reply"; icode:0; itype:36; metadata:ruleset community; classtype:misc-activity; sid:421; rev:8; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Mobile Registration Reply undefined code"; icode:>0; itype:36; metadata:ruleset community; classtype:misc-activity; sid:422; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Mobile Registration Request"; icode:0; itype:35; metadata:ruleset community; classtype:misc-activity; sid:423; rev:8; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Mobile Registration Request undefined code"; icode:>0; itype:35; metadata:ruleset community; classtype:misc-activity; sid:424; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Parameter Problem Bad Length"; icode:2; itype:12; metadata:ruleset community; classtype:misc-activity; sid:425; rev:9; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Parameter Problem Missing a Required Option"; icode:1; itype:12; metadata:ruleset community; classtype:misc-activity; sid:426; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Parameter Problem Unspecified Error"; icode:0; itype:12; metadata:ruleset community; classtype:misc-activity; sid:427; rev:9; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Parameter Problem undefined Code"; icode:>2; itype:12; metadata:ruleset community; classtype:misc-activity; sid:428; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Photuris Reserved"; icode:0; itype:40; metadata:ruleset community; classtype:misc-activity; sid:429; rev:9; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Photuris Unknown Security Parameters Index"; icode:1; itype:40; metadata:ruleset community; classtype:misc-activity; sid:430; rev:9; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Photuris Valid Security Parameters, But Authentication Failed"; icode:2; itype:40; metadata:ruleset community; classtype:misc-activity; sid:431; rev:9; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Photuris Valid Security Parameters, But Decryption Failed"; icode:3; itype:40; metadata:ruleset community; classtype:misc-activity; sid:432; rev:9; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Photuris undefined code!"; icode:>3; itype:40; metadata:ruleset community; classtype:misc-activity; sid:433; rev:11; )
# ICMP Redirect (itype:5): only codes 2, 3 and >3 have rules in this span;
# codes 0 and 1 are not matched by any rule shown here.
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Redirect for TOS and Host"; icode:3; itype:5; metadata:ruleset community; reference:cve,1999-0265; classtype:misc-activity; sid:436; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Redirect for TOS and Network"; icode:2; itype:5; metadata:ruleset community; reference:cve,1999-0265; classtype:misc-activity; sid:437; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Redirect undefined code"; icode:>3; itype:5; metadata:ruleset community; reference:cve,1999-0265; classtype:misc-activity; sid:438; rev:13; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Reserved for Security Type 19"; icode:0; itype:19; metadata:ruleset community; classtype:misc-activity; sid:439; rev:9; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Reserved for Security Type 19 undefined code"; icode:>0; itype:19; metadata:ruleset community; classtype:misc-activity; sid:440; rev:10; )
# sids 441/443 repeat the types of sids 363/364 (9 and 10) but require code 0.
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Router Advertisement"; icode:0; itype:9; metadata:ruleset community; classtype:misc-activity; sid:441; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Router Selection"; icode:0; itype:10; metadata:ruleset community; classtype:misc-activity; sid:443; rev:9; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP SKIP"; icode:0; itype:39; metadata:ruleset community; classtype:misc-activity; sid:445; rev:8; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP SKIP undefined code"; icode:>0; itype:39; metadata:ruleset community; classtype:misc-activity; sid:446; rev:10; )
# Source Quench (itype:4): only the undefined-code rule appears in this span.
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Source Quench undefined code"; icode:>0; itype:4; metadata:ruleset community; classtype:misc-activity; sid:448; rev:10; )
alert icmp $HOME_NET any -> $EXTERNAL_NET any ( msg:"PROTOCOL-ICMP Time-To-Live Exceeded in Transit"; icode:0; itype:11; metadata:ruleset community; classtype:misc-activity; sid:449; rev:9; )
alert icmp $HOME_NET any -> $EXTERNAL_NET any ( msg:"PROTOCOL-ICMP Time-To-Live Exceeded in Transit undefined code"; icode:>1; itype:11; metadata:ruleset community; classtype:misc-activity; sid:450; rev:11; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Timestamp Reply"; icode:0; itype:14; metadata:ruleset community; classtype:misc-activity; sid:451; rev:8; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Timestamp Reply undefined code"; icode:>0; itype:14; metadata:ruleset community; classtype:misc-activity; sid:452; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Timestamp Request"; icode:0; itype:13; metadata:ruleset community; classtype:misc-activity; sid:453; rev:8; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Timestamp Request undefined code"; icode:>0; itype:13; metadata:ruleset community; classtype:misc-activity; sid:454; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Traceroute"; icode:0; itype:30; metadata:ruleset community; classtype:misc-activity; sid:456; rev:8; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Traceroute undefined code"; icode:>0; itype:30; metadata:ruleset community; classtype:misc-activity; sid:457; rev:10; )
# NOTE(review): the "undefined code" rules for unassigned types 1, 2 and 7
# (sids 459, 461, 463) have no icode option, unlike the icode:>0 used by the
# other "undefined code" rules. As written they match every code, including
# code 0, so a code-0 packet raises both the plain rule (458/460/462) and its
# "undefined code" sibling. Confirm whether icode:>0 was intended.
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP unassigned type 1"; icode:0; itype:1; metadata:ruleset community; classtype:misc-activity; sid:458; rev:12; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP unassigned type 1 undefined code"; itype:1; metadata:ruleset community; classtype:misc-activity; sid:459; rev:12; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP unassigned type 2"; icode:0; itype:2; metadata:ruleset community; classtype:misc-activity; sid:460; rev:12; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP unassigned type 2 undefined code"; itype:2; metadata:ruleset community; classtype:misc-activity; sid:461; rev:12; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP unassigned type 7"; icode:0; itype:7; metadata:ruleset community; classtype:misc-activity; sid:462; rev:12; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP unassigned type 7 undefined code"; itype:7; metadata:ruleset community; reference:cve,1999-0454; classtype:misc-activity; sid:463; rev:14; )
# Tool-specific echo requests. sids 465-476 are classed attempted-recon and match
# the payload that the named scanner puts in its pings; sids 480-484 are classed
# misc-activity and label monitoring or utility software in the same way.
# Each pattern is that tool's default payload, so a match identifies the
# software; the absence of a match does not mean nobody is scanning.
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP ISS Pinger"; itype:8; content:"ISSPNGRQ",depth 32; metadata:ruleset community; classtype:attempted-recon; sid:465; rev:8; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP L3retriever Ping"; icode:0; itype:8; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI",depth 32; metadata:ruleset community; classtype:attempted-recon; sid:466; rev:9; )
# sid 467: exact size (20 bytes), ICMP id 0 and sequence 0, all-zero payload.
# `nocase` has no effect on zero bytes.
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP Nemesis v1.1 Echo"; dsize:20; icmp_id:0; icmp_seq:0; itype:8; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|",fast_pattern,nocase; metadata:ruleset community; classtype:attempted-recon; sid:467; rev:9; )
# sid 474: an 8-byte all-zero echo request. Every packet that matches here also
# matches sid 381 (dsize:8; itype:8) elsewhere in this file.
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP superscan echo"; dsize:8; itype:8; content:"|00 00 00 00 00 00 00 00|",fast_pattern,nocase; metadata:ruleset community; classtype:attempted-recon; sid:474; rev:9; )
# sid 476: the pattern has no depth bound, so it is searched for in the whole
# payload.
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP webtrends scanner"; icode:0; itype:8; content:"|00 00 00 00|EEEEEEEEEEEE",fast_pattern,nocase; metadata:ruleset community; classtype:attempted-recon; sid:476; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING speedera"; itype:8; content:"89|3A 3B|<=>?",depth 100; metadata:ruleset community; classtype:misc-activity; sid:480; rev:9; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP TJPingPro1.1Build 2 Windows"; itype:8; content:"TJPingPro by Jim",depth 32; metadata:ruleset community; classtype:misc-activity; sid:481; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING WhatsupGold Windows"; itype:8; content:"WhatsUp - A Netw",depth 32; metadata:ruleset community; classtype:misc-activity; sid:482; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING CyberKit 2.2 Windows"; itype:8; content:"|AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA|",depth 32; metadata:ruleset community; classtype:misc-activity; sid:483; rev:10; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING Sniffer Pro/NetXRay network scan"; itype:8; content:"Cinco Network, Inc.",depth 32; metadata:ruleset community; classtype:misc-activity; sid:484; rev:8; )
# Login-related rules for cleartext services (sids 489-493).
# sid 489: a PASS command followed only by optional whitespace and a newline,
# i.e. an empty password. It is set to drop in the max-detect IPS policy.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"PROTOCOL-FTP no password"; flow:to_server,established; content:"PASS",fast_pattern,nocase; pcre:"/^PASS\s*\n/smi"; metadata:policy max-detect-ips drop,ruleset community; service:ftp; classtype:unknown; sid:489; rev:19; )
# sid 490: policy rule; matches the case-sensitive string "BattleMail" anywhere
# in client-to-server SMTP data.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL battle-mail traffic"; flow:to_server,established; content:"BattleMail"; metadata:ruleset community; service:smtp; classtype:policy-violation; sid:490; rev:12; )
# sids 491/492 watch server responses (to_client) for failed-login text. One hit
# is routine; the signal is in volume per source, so these work best with
# thresholding or downstream aggregation.
# NOTE(review): sid 492 depends on the server emitting the exact phrase
# "Login failed"; servers that word the failure differently are not covered.
alert tcp $HOME_NET 21 -> $EXTERNAL_NET any ( msg:"PROTOCOL-FTP Bad login"; flow:to_client,established; content:"530 ",fast_pattern,nocase; pcre:"/^530\s+(Login|User)/smi"; metadata:ruleset community; service:ftp; classtype:bad-unknown; sid:491; rev:15; )
alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any ( msg:"PROTOCOL-TELNET login failed"; flow:to_client,established; content:"Login failed",nocase; metadata:ruleset community; service:telnet; classtype:bad-unknown; sid:492; rev:15; )
# sid 493: any-port rule on data sent by an internal host acting as the server
# side of the session (flow:to_client), keyed on a psyBNC welcome string.
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"APP-DETECT psyBNC access"; flow:to_client,established; content:"Welcome!psyBNC@lam3rz.de",fast_pattern,nocase; metadata:ruleset community; classtype:bad-unknown; sid:493; rev:11; )
# INDICATOR-COMPROMISE rules: these look at what a host sends back rather than
# at the request. They match strings that command interpreters print, so a hit
# suggests that a command ran on the server and its output went to a client.
# Any page that legitimately contains the same text also matches.
#
# sid 494: flow:established with no direction keyword; the header alone limits
# it to traffic from $HTTP_SERVERS. The content match is nocase but the pcre has
# no /i flag, so the effective match is case-sensitive "Command ... completed".
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE command completed"; flow:established; content:"Command completed",fast_pattern,nocase; pcre:"/^Command\s+?completed\b/sm"; metadata:ruleset community; service:http; reference:bugtraq,1806; reference:cve,2000-0884; reference:url,osvdb.org/show/osvdb/436; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-078; classtype:bad-unknown; sid:494; rev:19; )
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE command error"; flow:established; content:"Bad command or filename",nocase; metadata:ruleset community; service:http; classtype:bad-unknown; sid:495; rev:14; )
# sid 497: the only rule in this group that inspects the file_data buffer (the
# response body) rather than the raw packet.
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any ( msg:"INDICATOR-COMPROMISE file copied ok"; flow:to_client,established; file_data; content:"1 file|28|s|29| copied",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1806; reference:cve,2000-0884; classtype:bad-unknown; sid:497; rev:20; )
# sid 498: the broadest header possible (ip any any -> any any, no flow option),
# matching "uid=0(root)" in any direction on any protocol. It is a useful
# tripwire for `id` output crossing the network in cleartext, but it also fires
# on benign transfers that contain the string, such as documentation or rule
# files. Triage on the surrounding session.
alert ip any any -> any any ( msg:"INDICATOR-COMPROMISE id check returned root"; content:"uid=0|28|root|29|"; metadata:ruleset community; classtype:bad-unknown; sid:498; rev:11; )
# Legacy remote-access and miscellaneous service checks; to_server from $EXTERNAL_NET unless noted.
#   sid:505  Timbuktu (1417): bytes 05 00 followed by ">" within the first 16 payload bytes.
#   sid:507  PCAnywhere (5631): the upper-case string "ADMINISTRATOR" anywhere in the payload.
#   sid:508  gopher (70): "ftp:" (any case) and "@/" both present; neither is position-bound.
#   sid:509  "pccsmysqladm/incs/dbconnect.inc" within the first 36 bytes toward $HTTP_SERVERS.
#   sid:510  PJL "RDYMSG DISPLAY =" to ports 9000-9002; sid:568 is the same match for port 9100.
#   sid:512  Reverse direction: "Invalid login" in the first 16 bytes from $HOME_NET ports
#            5631-5632 (to_client).
#   sid:514  Outbound: "GET " in the first 8 bytes from $HOME_NET to external port 27374. The
#            source side is $HOME_NET, so the host to examine on a hit is the internal one.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1417 ( msg:"SERVER-OTHER Insecure TIMBUKTU Password"; flow:to_server,established; content:"|05 00|>",depth 16; metadata:ruleset community; classtype:bad-unknown; sid:505; rev:9; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 5631 ( msg:"PUA-OTHER PCAnywhere Attempted Administrator Login"; flow:to_server,established; content:"ADMINISTRATOR"; metadata:ruleset community; classtype:attempted-admin; sid:507; rev:7; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 70 ( msg:"SERVER-OTHER gopher proxy"; flow:to_server,established; content:"ftp|3A|",fast_pattern,nocase; content:"@/"; metadata:ruleset community; classtype:bad-unknown; sid:508; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP PCCS mysql database admin tool access"; flow:to_server,established; content:"pccsmysqladm/incs/dbconnect.inc",depth 36,nocase; metadata:ruleset community; service:http; reference:bugtraq,1557; reference:cve,2000-0707; reference:nessus,10783; classtype:web-application-attack; sid:509; rev:18; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 9000:9002 ( msg:"POLICY-OTHER HP JetDirect LCD modification attempt"; flow:to_server,established; content:"@PJL RDYMSG DISPLAY ="; metadata:ruleset community; reference:bugtraq,2245; classtype:misc-activity; sid:510; rev:12; )
alert tcp $HOME_NET 5631:5632 -> $EXTERNAL_NET any ( msg:"PUA-OTHER PCAnywhere Failed Login"; flow:to_client,established; content:"Invalid login",depth 16; metadata:ruleset community; classtype:unsuccessful-user; sid:512; rev:9; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 27374 ( msg:"SERVER-OTHER ramen worm"; flow:to_server,established; content:"GET ",depth 8,nocase; metadata:ruleset community; classtype:bad-unknown; sid:514; rev:9; )
# UDP checks for SNMP, XDMCP and TFTP; each uses flow:to_server from $EXTERNAL_NET.
#   sid:516  SNMP (161): a fixed byte sequence; msg and the nessus reference label it as an
#            NT user-list query.
#   sid:517  XDMCP (177): a fixed 7-byte pattern.
#   sid:518  TFTP (69): 00 02 in the first two bytes, the TFTP write-request opcode ("Put").
#   sid:519  TFTP: ".." anywhere after the 2-byte opcode (offset 2), i.e. a parent-directory path.
#   sid:520  TFTP: 00 01 (read-request opcode) immediately followed by "/", i.e. an absolute path.
# NOTE(review): sid:518 alerts on every write request from $EXTERNAL_NET, whatever the file is.
alert udp $EXTERNAL_NET any -> $HOME_NET 161 ( msg:"PROTOCOL-SNMP NT UserList"; flow:to_server; content:"+|06 10|@|14 D1 02 19|",fast_pattern,nocase; metadata:ruleset community; service:snmp; reference:nessus,10546; classtype:attempted-recon; sid:516; rev:12; )
alert udp $EXTERNAL_NET any -> $HOME_NET 177 ( msg:"X11 xdmcp query"; flow:to_server; content:"|00 01 00 03 00 01 00|",fast_pattern,nocase; metadata:ruleset community; classtype:attempted-recon; sid:517; rev:7; )
alert udp $EXTERNAL_NET any -> $HOME_NET 69 ( msg:"PROTOCOL-TFTP Put"; flow:to_server; content:"|00 02|",depth 2; metadata:ruleset community; reference:cve,1999-0183; reference:url,dev.metasploit.com/redmine/projects/framework/repository/revisions/b73f28f29511d154aed9e94dd262195db60c7e3b/entry/unstable-modules/auxiliary/d20tftpbd.rb; classtype:bad-unknown; sid:518; rev:14; )
alert udp $EXTERNAL_NET any -> $HOME_NET 69 ( msg:"PROTOCOL-TFTP parent directory"; flow:to_server; content:"..",offset 2; metadata:ruleset community; reference:cve,1999-0183; reference:cve,2002-1209; reference:cve,2011-4722; classtype:bad-unknown; sid:519; rev:14; )
alert udp $EXTERNAL_NET any -> $HOME_NET 69 ( msg:"PROTOCOL-TFTP root directory"; flow:to_server; content:"|00 01|/",depth 3; metadata:ruleset community; reference:cve,1999-0183; classtype:bad-unknown; sid:520; rev:12; )
# NetBIOS / SMB / DCERPC checks, to_server from $EXTERNAL_NET.
#   sid:529  Order-sensitive: dce_iface selects the interface UUID, dce_opnum selects operation
#            15 and dce_stub_data switches detection to the stub data; the pcre, byte_jump and
#            final content that follow depend on that buffer and on each other's cursor
#            position. Do not reorder these options.
#   sid:530  Port 139: four zero bytes followed by "Windows NT 1381" with a 00 after every
#            character except the last (16-bit little-endian text).
#   sid:534 / sid:535  Port 139: a backslash followed by "../" or "..." and three zero bytes.
alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] ( msg:"NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrShareEnum null policy handle attempt"; flow:established,to_server; dce_iface:uuid 4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:"15"; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,relative,align,dce; content:"|00 00 00 00|",within 4,distance 8; metadata:ruleset community; classtype:protocol-command-decode; sid:529; rev:16; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"OS-WINDOWS NT NULL session"; flow:to_server,established; content:"|00 00 00 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|N|00|T|00| |00|1|00|3|00|8|00|1"; metadata:ruleset community; reference:bugtraq,1163; reference:cve,2000-0347; classtype:attempted-recon; sid:530; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"NETBIOS SMB CD.."; flow:to_server,established; content:"|5C|../|00 00 00|"; metadata:ruleset community; classtype:attempted-recon; sid:534; rev:9; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 ( msg:"NETBIOS SMB CD..."; flow:to_server,established; content:"|5C|...|00 00 00|"; metadata:ruleset community; classtype:attempted-recon; sid:535; rev:9; )
# POLICY-SOCIAL: chat-client usage, classtype policy-violation.
#   sid:540  Bidirectional (<>) between $HOME_NET and external port 1863: "MSG " in the first
#            four bytes, a Content-Type header, then "text/plain" after it.
#   sid:541  "User-Agent:ICQ" (any case) from $HOME_NET to any external port.
#   sid:542  "NICK " in payloads under 140 bytes to external ports 6666-7000 only; IRC on any
#            other port is outside this rule.
alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 ( msg:"POLICY-SOCIAL Microsoft MSN message"; flow:established; content:"MSG ",depth 4; content:"Content-Type|3A|",nocase; content:"text/plain",distance 1; metadata:ruleset community; classtype:policy-violation; sid:540; rev:17; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"POLICY-SOCIAL ICQ access"; flow:to_server,established; content:"User-Agent|3A|ICQ",fast_pattern,nocase; metadata:ruleset community; classtype:policy-violation; sid:541; rev:15; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 ( msg:"POLICY-SOCIAL IRC nick change"; flow:to_server,established; dsize:<140; content:"NICK ",fast_pattern,nocase; metadata:ruleset community; classtype:policy-violation; sid:542; rev:20; )
# FTP control-channel checks on port 21 (service:ftp), to_server from $EXTERNAL_NET.
# The "possible warez site" rules match command strings, not a confirmed compromise:
#   sid:543 / sid:544  STOR or RETR with "1MB" later in the payload (any case)
#   sid:545 / sid:554  CWD or MKD with "/ " (slash, space) later in the payload
#   sid:546 / sid:547  "CWD " or "MKD " within the first five payload bytes
#   sid:548            "MKD ." within the first five payload bytes
# NOTE(review): sid:546 and sid:547 match ordinary directory changes and creations, so on a
# busy FTP server they are informational at best; all of these are classtype misc-activity.
#   sid:553  USER anonymous / USER ftp at the start of a line (pcre with /m), any case.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"INDICATOR-COMPROMISE FTP 'STOR 1MB' possible warez site"; flow:to_server,established; content:"STOR",nocase; content:"1MB",distance 1,nocase; metadata:ruleset community; service:ftp; classtype:misc-activity; sid:543; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"INDICATOR-COMPROMISE FTP 'RETR 1MB' possible warez site"; flow:to_server,established; content:"RETR",nocase; content:"1MB",distance 1,nocase; metadata:ruleset community; service:ftp; classtype:misc-activity; sid:544; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"INDICATOR-COMPROMISE FTP 'CWD / ' possible warez site"; flow:to_server,established; content:"CWD",nocase; content:"/ ",distance 1; metadata:ruleset community; service:ftp; classtype:misc-activity; sid:545; rev:9; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"INDICATOR-COMPROMISE FTP 'CWD ' possible warez site"; flow:to_server,established; content:"CWD ",depth 5,nocase; metadata:ruleset community; service:ftp; classtype:misc-activity; sid:546; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"INDICATOR-COMPROMISE FTP 'MKD ' possible warez site"; flow:to_server,established; content:"MKD ",depth 5,nocase; metadata:ruleset community; service:ftp; classtype:misc-activity; sid:547; rev:11; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"INDICATOR-COMPROMISE FTP 'MKD .' possible warez site"; flow:to_server,established; content:"MKD .",depth 5,nocase; metadata:ruleset community; service:ftp; classtype:misc-activity; sid:548; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"POLICY-OTHER FTP anonymous login attempt"; flow:to_server,established; content:"USER",fast_pattern,nocase; pcre:"/^USER\s+(anonymous|ftp)[^\w]*[\r\n]/smi"; metadata:ruleset community; service:ftp; classtype:misc-activity; sid:553; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"INDICATOR-COMPROMISE FTP 'MKD / ' possible warez site"; flow:to_server,established; content:"MKD",nocase; content:"/ ",distance 1; metadata:ruleset community; service:ftp; classtype:misc-activity; sid:554; rev:10; )
# Application fingerprints and server responses.
#   sid:555  "WinGate>" prompt sent from port 23 of a $HOME_NET host (to_client).
#   sid:556 / sid:557  "GNUTELLA CONNECT" / "GNUTELLA OK" in the first 40 bytes, from $HOME_NET
#            to $EXTERNAL_NET (to_server).
#   sid:560  "RFB 0" in the first five bytes plus ".0" at offsets 7-8, i.e. an RFB version
#            banner. The header is $EXTERNAL_NET -> $HOME_NET with undirected
#            flow:established, so as written it covers banners arriving from external hosts.
#   sid:566  UDP to $HOME_NET port 5632 beginning with "ST"; no flow option.
#   sid:567  "550 5.7.1" within the first 70 bytes from port 25 of $SMTP_SERVERS (to_client).
#   sid:568  PJL "RDYMSG DISPLAY =" to port 9100; same match as sid:510 (ports 9000-9002).
alert tcp $HOME_NET 23 -> $EXTERNAL_NET any ( msg:"POLICY-OTHER WinGate telnet server response"; flow:to_client,established; content:"WinGate>"; metadata:ruleset community; reference:cve,1999-0657; classtype:misc-activity; sid:555; rev:13; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"PUA-P2P Outbound GNUTella client request"; flow:to_server,established; content:"GNUTELLA CONNECT",depth 40; metadata:ruleset community; classtype:policy-violation; sid:556; rev:10; )
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"PUA-P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA OK",depth 40; metadata:ruleset community; classtype:policy-violation; sid:557; rev:11; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"APP-DETECT VNC server response"; flow:established; content:"RFB 0",depth 5; content:".0",depth 2,offset 7; metadata:ruleset community; classtype:misc-activity; sid:560; rev:9; )
alert udp $EXTERNAL_NET any -> $HOME_NET 5632 ( msg:"APP-DETECT PCAnywhere server response"; content:"ST",depth 2; metadata:ruleset community; classtype:misc-activity; sid:566; rev:10; )
alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any ( msg:"SERVER-MAIL SMTP relaying denied"; flow:established,to_client; content:"550 5.7.1",depth 70; metadata:ruleset community; service:smtp; reference:url,mail-abuse.org/tsi/ar-fix.html; classtype:misc-activity; sid:567; rev:17; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 9100 ( msg:"POLICY-OTHER HP JetDirect LCD modification attempt"; flow:to_server,established; content:"@PJL RDYMSG DISPLAY ="; metadata:ruleset community; reference:bugtraq,2245; classtype:misc-activity; sid:568; rev:11; )
# ONC RPC over TCP. With the 4-byte record marker in front, the message type sits at offset 8
# (00 00 00 00 = call) and the program number at offset 16; the content with
# "within 4,distance 4" skips the version field and matches the procedure number.
#   sid:569  Program 00 01 87 99, procedure 00 00 01 01. The two byte_jump options step over
#            two length-prefixed fields (presumably the RPC credential and verifier; confirm),
#            then byte_test flags a 4-byte value greater than 1024. Tagged
#            "policy max-detect-ips drop". Option order is significant.
#   sid:572  Ports 32771-34000: a fixed 16-byte sequence beginning with program 00 01 86 F3.
#   sid:574  Program 00 01 86 A5 (mountd per msg), procedure 5, on any destination port.
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC snmpXdmi overflow attempt TCP"; flow:to_server,established; content:"|00 01 87 99|",depth 4,offset 16; content:"|00 00 01 01|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|",depth 4,offset 8; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; reference:bugtraq,2417; reference:cve,2001-0236; reference:nessus,10659; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:569; rev:25; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 ( msg:"PROTOCOL-RPC DOS ttdbserv Solaris"; flow:to_server,established; content:"|00 00 00 00|",depth 4,offset 8; content:"|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|",depth 32,offset 16; metadata:ruleset community; reference:bugtraq,122; reference:cve,1999-0003; classtype:attempted-dos; sid:572; rev:14; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC mountd TCP export request"; flow:to_server,established; content:"|00 01 86 A5|",depth 4,offset 16; content:"|00 00 00 05|",within 4,distance 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; classtype:attempted-recon; sid:574; rev:14; )
# Portmapper lookups over UDP port 111 (classtype rpc-portmap-decode). Every rule in this run
# has the same skeleton and differs only in the program number being looked up:
#   00 01 86 A0, depth 4, offset 12       portmapper program number
#   00 00 00 03, within 4, distance 4     procedure 3, after skipping the version field
#   byte_jump:4,4,relative,align (x2)     step over two length-prefixed fields
#   <4-byte program number>, within 4     the service being asked for (named in msg)
#   00 00 00 00, depth 4, offset 4        message type = call
# A hit means a host asked portmap where a service lives; it is a reconnaissance signal, not
# proof that the CVEs listed in the reference fields were exercised.
# NOTE(review): sid:588 and sid:589 carry no "flow:to_server;" while the other fourteen rules
# in this run do. This looks like an upstream inconsistency; confirm before normalising.
alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap admind request UDP"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:575; rev:16; )
alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap amountd request UDP"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:ruleset community; service:sunrpc; reference:bugtraq,205; reference:bugtraq,235; reference:bugtraq,450; reference:bugtraq,614; reference:cve,1999-0088; reference:cve,1999-0210; reference:cve,1999-0493; reference:cve,1999-0704; classtype:rpc-portmap-decode; sid:576; rev:16; )
alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap bootparam request UDP"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:577; rev:22; )
alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap cmsd request UDP"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:578; rev:16; )
alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap mountd request UDP"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:579; rev:16; )
alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap nisd request UDP"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 CC|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:ruleset community; service:sunrpc; reference:cve,1999-0008; classtype:rpc-portmap-decode; sid:580; rev:20; )
alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap pcnfsd request UDP"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02|I|F1|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:ruleset community; service:sunrpc; reference:bugtraq,205; reference:bugtraq,4816; reference:cve,1999-0078; reference:cve,1999-0353; reference:cve,2002-0910; classtype:rpc-portmap-decode; sid:581; rev:17; )
alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap rexd request UDP"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:582; rev:16; )
alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap rstatd request UDP"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:583; rev:17; )
alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap rusers request UDP"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:ruleset community; service:sunrpc; reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:584; rev:19; )
alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap sadmind request UDP attempt"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:585; rev:16; )
alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap selection_svc request UDP"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:ruleset community; service:sunrpc; reference:bugtraq,8; reference:cve,1999-0209; classtype:rpc-portmap-decode; sid:586; rev:17; )
alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap status request UDP"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:587; rev:16; )
alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap ttdbserv request UDP"; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:ruleset community; service:sunrpc; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:588; rev:26; )
alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap yppasswd request UDP"; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:589; rev:15; )
alert udp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap ypserv request UDP"; flow:to_server; content:"|00 01 86 A0|",depth 4,offset 12; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|",within 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:ruleset community; service:sunrpc; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:590; rev:21; )
# Portmapper over TCP: program 00 01 86 A0 at offset 16 and message type (call) at offset 8,
# i.e. four bytes later than a bare RPC header would place them, to allow for the TCP record
# marker.
#   sid:591 / sid:593 / sid:595  procedure 3 lookups for ypupdated, snmpXdmi and espd; the two
#            byte_jump options step over two length-prefixed fields before the looked-up
#            program number is matched.
#   sid:598 / sid:599  procedure 4 ("listing" per msg) on port 111 and port 32771.
# sid:591, sid:593 and sid:598 are tagged "policy max-detect-ips drop"; sid:595 and sid:599
# carry no policy tag. sid:599 has no service:sunrpc option, unlike sid:598.
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap ypupdated request TCP"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|",within 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; reference:bugtraq,1749; reference:cve,1999-0208; classtype:rpc-portmap-decode; sid:591; rev:21; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap snmpXdmi request TCP"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|",within 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; reference:bugtraq,2417; reference:cve,2001-0236; reference:nessus,10659; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:593; rev:31; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap espd request TCP"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 03|",within 4,distance 4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|u",within 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; service:sunrpc; reference:bugtraq,2714; reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:595; rev:22; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 ( msg:"PROTOCOL-RPC portmap listing TCP 111"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 04|",within 4,distance 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:policy max-detect-ips drop,ruleset community; service:sunrpc; classtype:rpc-portmap-decode; sid:598; rev:23; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 ( msg:"PROTOCOL-RPC portmap listing TCP 32771"; flow:to_server,established; content:"|00 01 86 A0|",depth 4,offset 16; content:"|00 00 00 04|",within 4,distance 4; content:"|00 00 00 00|",depth 4,offset 8; metadata:ruleset community; classtype:rpc-portmap-decode; sid:599; rev:17; )
# rlogin (513) and rsh (514). Client-side rules are to_server from $EXTERNAL_NET; sid:605 and
# sid:611 are server replies (to_client) from $HOME_NET port 513.
#   sid:601            eight colons, a NUL byte, eight colons
#   sid:602 / sid:607  "bin" NUL "bin" NUL on 513 / 514
#   sid:606            "root" NUL "root" NUL on 513
#   sid:603 / sid:608  echo "+ +" variants (|22| is a double quote; the spacing differs)
#   sid:604 / sid:609  "-froot" followed by NUL on 513 / 514
#   sid:610            NUL "root" NUL on 514, confirmed by a pcre anchored at the payload start;
#                      tagged "policy max-detect-ips drop"
#   sid:605 / sid:611  "login incorrect" / "rlogind: Permission denied." failure strings
# All of these need an established session (flow:established), so a to_server hit also shows
# that the r-service port accepted a connection from $EXTERNAL_NET.
alert tcp $EXTERNAL_NET any -> $HOME_NET 513 ( msg:"PROTOCOL-SERVICES rlogin LinuxNIS"; flow:to_server,established; content:"|3A 3A 3A 3A 3A 3A 3A 3A 00 3A 3A 3A 3A 3A 3A 3A 3A|",fast_pattern,nocase; metadata:ruleset community; classtype:bad-unknown; sid:601; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 513 ( msg:"PROTOCOL-SERVICES rlogin bin"; flow:to_server,established; content:"bin|00|bin|00|",fast_pattern,nocase; metadata:ruleset community; classtype:attempted-user; sid:602; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 513 ( msg:"PROTOCOL-SERVICES rlogin echo++"; flow:to_server,established; content:"echo |22| + + |22|",fast_pattern,nocase; metadata:ruleset community; classtype:bad-unknown; sid:603; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 513 ( msg:"PROTOCOL-SERVICES Unix rlogin froot parameter root access attempt"; flow:to_server,established; content:"-froot|00|",fast_pattern,nocase; metadata:ruleset community; reference:bugtraq,458; reference:cve,1999-0113; reference:url,osvdb.org/show/osvdb/1007; classtype:attempted-admin; sid:604; rev:12; )
alert tcp $HOME_NET 513 -> $EXTERNAL_NET any ( msg:"PROTOCOL-SERVICES rlogin login failure"; flow:to_client,established; content:"login incorrect",fast_pattern,nocase; metadata:ruleset community; classtype:unsuccessful-user; sid:605; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 513 ( msg:"PROTOCOL-SERVICES rlogin root"; flow:to_server,established; content:"root|00|root|00|",fast_pattern,nocase; metadata:ruleset community; classtype:attempted-admin; sid:606; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 514 ( msg:"PROTOCOL-SERVICES rsh bin"; flow:to_server,established; content:"bin|00|bin|00|",fast_pattern,nocase; metadata:ruleset community; classtype:attempted-user; sid:607; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 514 ( msg:"PROTOCOL-SERVICES rsh echo + +"; flow:to_server,established; content:"echo |22|+ +|22|",fast_pattern,nocase; metadata:ruleset community; classtype:attempted-user; sid:608; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 514 ( msg:"PROTOCOL-SERVICES rsh froot"; flow:to_server,established; content:"-froot|00|",fast_pattern,nocase; metadata:ruleset community; classtype:attempted-admin; sid:609; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 514 ( msg:"PROTOCOL-SERVICES rsh root"; flow:to_server,established; content:"|00|root|00|",fast_pattern,nocase; pcre:"/^(\d{1,5})?\x00?[^\x00]+?\x00root\x00/i"; metadata:policy max-detect-ips drop,ruleset community; classtype:attempted-admin; sid:610; rev:15; )
alert tcp $HOME_NET 513 -> $EXTERNAL_NET any ( msg:"PROTOCOL-SERVICES rlogin login failure"; flow:to_client,established; content:"|01|rlogind|3A| Permission denied.",fast_pattern,nocase; metadata:ruleset community; classtype:unsuccessful-user; sid:611; rev:13; )
# Reconnaissance and scanner fingerprints, from $EXTERNAL_NET.
#   sid:612  RPC over UDP on any port: program 00 01 86 A2 (rusers per msg), procedure 2,
#            message type call. No flow option.
# TCP header signatures (flow:stateless):
#   sid:613  SYN from source port 10101 with ack 0 and TTL above 220
#   sid:614  source port 31790 to port 31789, ACK set (flags:A+), payload starting with "A"
#   sid:619  port 80, empty payload (dsize:0), flags SF12
#   sid:622  SYN with sequence number 1958810375
#   sid:626 / sid:627  flags PA12 / SFU12 with sixteen "A" bytes at the start of the payload
#   sid:630  SYN+FIN with IP ID 39426
# Payload signatures:
#   sid:616  ident (113): "VERSION" plus newline in the first 16 bytes
#   sid:631 / sid:632  SMTP: "ehlo cybercop" + "quit" / "expn cybercop"
#   sid:634  "Amanda" to UDP 10080-10081        sid:635  fixed 13-byte pattern to UDP 49
#   sid:636  "cybercop" to UDP 7                sid:637  newline-separated "help", "quite"
# NOTE(review): "quite" in sid:637 is the literal pattern in the rule; presumably it mirrors
# the probe's own text. Confirm against upstream before "correcting" it.
# These match constants hard-coded in specific tools, so silence from them says nothing about
# whether scanning took place.
alert udp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-RPC rusers query UDP"; content:"|00 01 86 A2|",depth 4,offset 12; content:"|00 00 00 02|",within 4,distance 4; content:"|00 00 00 00|",depth 4,offset 4; metadata:ruleset community; reference:cve,1999-0626; classtype:attempted-recon; sid:612; rev:11; )
alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any ( msg:"INDICATOR-SCAN myscan"; flow:stateless; ack:0; flags:S; ttl:>220; metadata:ruleset community; classtype:attempted-recon; sid:613; rev:10; )
alert tcp $EXTERNAL_NET 31790 -> $HOME_NET 31789 ( msg:"MALWARE-BACKDOOR hack-a-tack attempt"; flow:stateless; flags:A+; content:"A",depth 1; metadata:ruleset community; classtype:attempted-recon; sid:614; rev:13; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 113 ( msg:"INDICATOR-SCAN ident version request"; flow:to_server,established; content:"VERSION|0A|",depth 16; metadata:ruleset community; classtype:attempted-recon; sid:616; rev:8; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 ( msg:"INDICATOR-SCAN cybercop os probe"; flow:stateless; dsize:0; flags:SF12; metadata:ruleset community; classtype:attempted-recon; sid:619; rev:10; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SCAN ipEye SYN scan"; flow:stateless; flags:S; seq:1958810375; metadata:ruleset community; classtype:attempted-recon; sid:622; rev:11; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SCAN cybercop os PA12 attempt"; flow:stateless; flags:PA12; content:"AAAAAAAAAAAAAAAA",depth 16; metadata:ruleset community; classtype:attempted-recon; sid:626; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SCAN cybercop os SFU12 probe"; flow:stateless; ack:0; flags:SFU12; content:"AAAAAAAAAAAAAAAA",depth 16; metadata:ruleset community; classtype:attempted-recon; sid:627; rev:12; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SCAN synscan portscan"; flow:stateless; flags:SF; id:39426; metadata:ruleset community; classtype:attempted-recon; sid:630; rev:10; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL ehlo cybercop attempt"; flow:to_server,established; content:"ehlo cybercop|0A|quit|0A|",fast_pattern,nocase; metadata:ruleset community; service:smtp; classtype:protocol-command-decode; sid:631; rev:16; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL expn cybercop attempt"; flow:to_server,established; content:"expn cybercop",fast_pattern,nocase; metadata:ruleset community; service:smtp; classtype:protocol-command-decode; sid:632; rev:15; )
alert udp $EXTERNAL_NET any -> $HOME_NET 10080:10081 ( msg:"INDICATOR-SCAN Amanda client-version request"; flow:to_server; content:"Amanda",fast_pattern,nocase; metadata:ruleset community; classtype:attempted-recon; sid:634; rev:8; )
alert udp $EXTERNAL_NET any -> $HOME_NET 49 ( msg:"INDICATOR-SCAN XTACACS logout"; flow:to_server; content:"|80 07 00 00 07 00 00 04 00 00 00 00 00|",fast_pattern,nocase; metadata:ruleset community; classtype:bad-unknown; sid:635; rev:9; )
alert udp $EXTERNAL_NET any -> $HOME_NET 7 ( msg:"INDICATOR-SCAN cybercop udp bomb"; flow:to_server; content:"cybercop",fast_pattern,nocase; metadata:ruleset community; classtype:bad-unknown; sid:636; rev:7; )
alert udp $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SCAN Webtrends Scanner UDP Probe"; flow:to_server; content:"|0A|help|0A|quite|0A|",fast_pattern,nocase; metadata:ruleset community; reference:url,www.netiq.com/products/vsm/default.asp; classtype:attempted-recon; sid:637; rev:11; )
# INDICATOR-SHELLCODE: raw byte patterns matched on any IP protocol and port from $EXTERNAL_NET
# to $HOME_NET, with no flow or service constraint.
#   sid:638-646      a 4-byte sequence repeated four times (msg names the platform's NOOP)
#   sid:648          fourteen consecutive 0x90 bytes (x86 NOOP per msg)
#   sid:647/649/650  short setuid/setgid sequences, 4 to 8 bytes long
#   sid:652          90 90 90 E8 C0 FF FF FF followed by "/bin/sh"
# NOTE(review): the patterns are short and unanchored, so they can also occur by chance in
# compressed, encrypted or binary transfers. sid:647 and sid:648 are tagged
# "policy max-detect-ips drop", where such a coincidence would block traffic; review before
# enabling that policy inline.
# NOTE(review): nocase is set on every pattern. It has no effect on non-letter bytes, but the
# literal letters in sid:640 ("O"), sid:641 ("G") and sid:652 ("/bin/sh") then also match in
# the other case, which slightly widens those rules. Confirm this is intended.
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE SGI NOOP"; content:"|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%",fast_pattern,nocase; metadata:ruleset community; classtype:shellcode-detect; sid:638; rev:11; )
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE SGI NOOP"; content:"|24 0F 12|4|24 0F 12|4|24 0F 12|4|24 0F 12|4",fast_pattern,nocase; metadata:ruleset community; classtype:shellcode-detect; sid:639; rev:11; )
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE AIX NOOP"; content:"O|FF FB 82|O|FF FB 82|O|FF FB 82|O|FF FB 82|",fast_pattern,nocase; metadata:ruleset community; classtype:shellcode-detect; sid:640; rev:11; )
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE Digital UNIX NOOP"; content:"G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|",fast_pattern,nocase; metadata:ruleset community; classtype:shellcode-detect; sid:641; rev:12; )
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE HP-UX NOOP"; content:"|08|!|02 80 08|!|02 80 08|!|02 80 08|!|02 80|",fast_pattern,nocase; metadata:ruleset community; classtype:shellcode-detect; sid:642; rev:12; )
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE HP-UX NOOP"; content:"|0B|9|02 80 0B|9|02 80 0B|9|02 80 0B|9|02 80|",fast_pattern,nocase; metadata:ruleset community; classtype:shellcode-detect; sid:643; rev:13; )
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE sparc NOOP"; content:"|13 C0 1C A6 13 C0 1C A6 13 C0 1C A6 13 C0 1C A6|",fast_pattern,nocase; metadata:ruleset community; classtype:shellcode-detect; sid:644; rev:11; )
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE sparc NOOP"; content:"|80 1C|@|11 80 1C|@|11 80 1C|@|11 80 1C|@|11|",fast_pattern,nocase; metadata:ruleset community; classtype:shellcode-detect; sid:645; rev:11; )
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE sparc NOOP"; content:"|A6 1C C0 13 A6 1C C0 13 A6 1C C0 13 A6 1C C0 13|",fast_pattern,nocase; metadata:ruleset community; classtype:shellcode-detect; sid:646; rev:11; )
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE Oracle sparc setuid 0"; content:"|82 10| |17 91 D0| |08|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; classtype:system-call-detect; sid:647; rev:15; )
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 NOOP"; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; classtype:shellcode-detect; sid:648; rev:18; )
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 setgid 0"; content:"|B0 B5 CD 80|",fast_pattern,nocase; metadata:ruleset community; classtype:system-call-detect; sid:649; rev:14; )
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE x86 setuid 0"; content:"|B0 17 CD 80|",fast_pattern,nocase; metadata:ruleset community; classtype:system-call-detect; sid:650; rev:14; )
alert ip $EXTERNAL_NET any -> $HOME_NET any ( msg:"INDICATOR-SHELLCODE Linux shellcode"; content:"|90 90 90 E8 C0 FF FF FF|/bin/sh",fast_pattern,nocase; metadata:ruleset community; classtype:shellcode-detect; sid:652; rev:15; )
# SERVER-MAIL: SMTP command checks toward $SMTP_SERVERS port 25 (service:smtp), to_server.
# Length checks:
#   sid:654  "RCPT TO:" followed by 256 characters containing no newline or ">" (isdataat
#            first, then the pcre); tagged "policy max-detect-ips drop"
#   sid:657  "HELP", one whitespace character, then 500 non-newline characters
# Pipe or command characters in envelope and header fields:
#   sid:662  mail from: followed by a double quote and "|"
#   sid:663  rcpt to: followed by "|" or ";"
#   sid:665  MAIL FROM: |/usr/ucb/tail
#   sid:661  the pattern starts at "eply-to", not "Reply-to"; NOTE(review): confirm against
#            upstream before changing it.
# Address probing: sid:659 / sid:660 "expn decode" / "expn root"; sid:664 "rcpt to: decode".
# Other: sid:658 charset = "" ; sid:655 newline + "D/" and only when the source port is 113;
# sid:667-671 fixed strings containing "Croot", "Mprog" or "C:daemon" (Sendmail exploits per msg).
# The content options inspect payload bytes, so sessions that are encrypted before they reach
# the sensor are not covered by any of these rules.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL RCPT TO overflow"; flow:to_server,established; content:"rcpt to|3A|",nocase; isdataat:256,relative; pcre:"/^RCPT TO\x3a\s*\x3c?[^\n\x3e]{256}/im"; metadata:policy max-detect-ips drop,ruleset community; service:smtp; reference:bugtraq,2283; reference:bugtraq,43182; reference:bugtraq,9696; reference:cve,2001-0260; reference:cve,2003-0694; reference:cve,2008-0394; reference:cve,2009-0410; reference:cve,2010-2580; classtype:attempted-admin; sid:654; rev:28; )
alert tcp $EXTERNAL_NET 113 -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|D/"; metadata:ruleset community; service:smtp; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-admin; sid:655; rev:16; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Netmanager chameleon SMTPd buffer overflow attempt"; flow:to_server,established; content:"HELP",nocase; isdataat:500,relative; pcre:"/^HELP\s[^\n]{500}/ism"; metadata:ruleset community; service:smtp; reference:bugtraq,2387; reference:cve,1999-0261; classtype:attempted-admin; sid:657; rev:20; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Microsoft Windows Exchange Server 5.5 mime DOS"; flow:to_server,established; content:"charset = |22 22|",nocase; metadata:ruleset community; service:smtp; reference:bugtraq,1869; reference:cve,2000-1006; reference:nessus,10558; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-082; classtype:attempted-dos; sid:658; rev:19; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Sendmail expn decode"; flow:to_server,established; content:"expn",nocase; content:"decode",fast_pattern,nocase; pcre:"/^expn\s+decode/smi"; metadata:ruleset community; service:smtp; reference:cve,1999-0096; reference:nessus,10248; classtype:attempted-recon; sid:659; rev:18; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL expn root"; flow:to_server,established; content:"expn",nocase; content:"root",fast_pattern,nocase; pcre:"/^expn\s+root/smi"; metadata:ruleset community; service:smtp; reference:nessus,10249; classtype:attempted-recon; sid:660; rev:19; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Majordomo ifs"; flow:to_server,established; content:"eply-to|3A| a~.`/bin/",fast_pattern,nocase; metadata:ruleset community; service:smtp; reference:bugtraq,2310; reference:cve,1999-0207; classtype:attempted-admin; sid:661; rev:18; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Sendmail 5.5.5 exploit"; flow:to_server,established; content:"mail from|3A| |22 7C|",fast_pattern,nocase; metadata:ruleset community; service:smtp; reference:cve,1999-0203; reference:nessus,10258; classtype:attempted-admin; sid:662; rev:17; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Sendmail rcpt to command attempt"; flow:to_server,established; content:"rcpt to|3A|",fast_pattern,nocase; pcre:"/^rcpt\s+to\:\s*[\x7c\x3b]/smi"; metadata:ruleset community; service:smtp; reference:bugtraq,1; reference:cve,1999-0095; classtype:attempted-admin; sid:663; rev:24; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Sendmail RCPT TO decode attempt"; flow:to_server,established; content:"rcpt to|3A|",nocase; content:"decode",distance 0,nocase; pcre:"/^rcpt to\:\s*decode/smi"; metadata:ruleset community; service:smtp; reference:bugtraq,2308; reference:cve,1999-0203; classtype:attempted-admin; sid:664; rev:23; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Sendmail 5.6.5 exploit"; flow:to_server,established; content:"MAIL FROM|3A| |7C|/usr/ucb/tail",fast_pattern,nocase; metadata:ruleset community; service:smtp; reference:bugtraq,2308; reference:cve,1999-0203; classtype:attempted-user; sid:665; rev:17; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Sendmail 8.6.10 exploit"; flow:to_server,established; content:"Croot|0D 0A|Mprog, P=/bin/",fast_pattern,nocase; metadata:ruleset community; service:smtp; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:667; rev:17; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Sendmail 8.6.10 exploit"; flow:to_server,established; content:"Croot|09 09 09 09 09 09 09|Mprog,P=/bin",fast_pattern,nocase; metadata:ruleset community; service:smtp; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:668; rev:17; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|Croot|0A|Mprog",fast_pattern,nocase; metadata:ruleset community; service:smtp; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:669; rev:17; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|C|3A|daemon|0A|R",fast_pattern,nocase; metadata:ruleset community; service:smtp; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:670; rev:16; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL Sendmail 8.6.9c exploit"; flow:to_server,established; content:"|0A|Croot|0D 0A|Mprog",fast_pattern,nocase; metadata:ruleset community; service:smtp; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:671; rev:17; )
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( msg:"SERVER-MAIL vrfy decode"; flow:to_server,established; content:"vrfy",nocase; content:"decode",distance 1,nocase; pcre:"/^vrfy\s+decode/smi"; metadata:ruleset community; service:smtp; reference:cve,1999-0096; classtype:attempted-recon; sid:672; rev:17; )
# SQL / SERVER-MSSQL / INDICATOR-SHELLCODE, sids 673-704: traffic between
# $EXTERNAL_NET and $SQL_SERVERS on tcp/1433 and tcp/139.
# The request-side patterns put |00| after every character, i.e. the stored
# procedure name as two-byte little-endian text rather than plain ASCII.
# None of the rules in this group carries a service: option, so they are tied
# to the listed ports. NOTE(review): instances on other ports, or sessions that
# are encrypted, are presumably not covered - confirm for your deployment.
# The procedures named here are ordinary administrative features; what the
# rules flag is their use from $EXTERNAL_NET. Any hit also shows the SQL port
# is reachable from outside, which is worth reviewing on its own.
# The tcp/139 variants mostly pin the match with offset 32 (some also with
# depth 32, a 32-byte window starting at payload offset 32).
# NOTE(review): presumably this skips a fixed transport header in front of the
# SQL data - confirm against real named-pipe traffic.
#
# sids 673/676: sp_start_job on 1433 and 139.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 ( msg:"SQL sp_start_job - program execution"; flow:to_server,established; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|",fast_pattern,nocase; metadata:ruleset community; classtype:attempted-user; sid:673; rev:9; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 ( msg:"SQL sp_start_job - program execution"; flow:to_server,established; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|",depth 32,offset 32,nocase; metadata:ruleset community; classtype:attempted-user; sid:676; rev:9; )
# sid 677: sp_password on 139 (no offset/depth on this one).
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 ( msg:"SQL sp_password password change"; flow:to_server,established; content:"s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|",fast_pattern,nocase; metadata:ruleset community; classtype:attempted-user; sid:677; rev:10; )
# sid 678: the pattern stops at "sp_delete_ale", while the tcp/1433 twin
# (sid 684) spells out "sp_delete_alert". The shorter pattern still matches the
# full name as a prefix. NOTE(review): looks like a truncation - confirm.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 ( msg:"SQL sp_delete_alert log file deletion"; flow:to_server,established; content:"s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|",fast_pattern,nocase; metadata:ruleset community; classtype:attempted-user; sid:678; rev:10; )
# sid 679: sp_adduser on 139, windowed with depth 32,offset 32.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 ( msg:"SQL sp_adduser database user creation"; flow:to_server,established; content:"s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|",depth 32,offset 32,nocase; metadata:ruleset community; classtype:attempted-user; sid:679; rev:9; )
# sid 681: xp_cmdshell on 139; offset 32 only, so the match may sit anywhere
# from byte 32 onward.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 ( msg:"SQL xp_cmdshell program execution"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|",offset 32,nocase; metadata:ruleset community; reference:bugtraq,5309; classtype:attempted-user; sid:681; rev:10; )
# sids 683-687: the tcp/1433 counterparts; no positional constraints, the
# procedure name may appear anywhere in the payload.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 ( msg:"SQL sp_password - password change"; flow:to_server,established; content:"s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|",fast_pattern,nocase; metadata:ruleset community; classtype:attempted-user; sid:683; rev:9; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 ( msg:"SQL sp_delete_alert log file deletion"; flow:to_server,established; content:"s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|r|00|t|00|",fast_pattern,nocase; metadata:ruleset community; classtype:attempted-user; sid:684; rev:9; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 ( msg:"SQL sp_adduser - database user creation"; flow:to_server,established; content:"s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|",fast_pattern,nocase; metadata:ruleset community; classtype:attempted-user; sid:685; rev:9; )
# sid 686: matches the common prefix "xp_reg", so one rule covers every
# procedure whose name starts that way (the msg writes it as xp_reg*).
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 ( msg:"SERVER-MSSQL xp_reg* - registry access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|g|00|",fast_pattern,nocase; metadata:ruleset community; reference:bugtraq,5205; reference:cve,2002-0642; reference:nessus,10642; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-034; classtype:attempted-user; sid:686; rev:17; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 ( msg:"SQL xp_cmdshell - program execution"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|",fast_pattern,nocase; metadata:ruleset community; reference:bugtraq,5309; classtype:attempted-user; sid:687; rev:10; )
# sid 688: the only server-to-client rule in this group; it matches the
# server's failure message for the 'sa' account as single-byte text.
# A single hit is one failed login; repeated hits from one source are the
# signal worth alerting on, so consider rate-based handling for this sid.
# The metadata assigns a drop action under the balanced, connectivity and
# security IPS policies.
# NOTE(review): the request-side rules expect two-byte text; confirm the server
# really emits this message as single-byte ASCII on the versions you run.
alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any ( msg:"SQL sa login failed"; flow:to_client,established; content:"Login failed for user 'sa'",fast_pattern,nocase; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy security-ips drop,ruleset community; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:688; rev:16; )
# sid 689: tcp/139 counterpart of the xp_reg prefix match, windowed with
# depth 32,offset 32.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 ( msg:"SERVER-MSSQL xp_reg* registry access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|g|00|",depth 32,offset 32,nocase; metadata:ruleset community; reference:bugtraq,5205; reference:cve,2002-0642; reference:nessus,10642; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-034; classtype:attempted-user; sid:689; rev:16; )
# sids 691-694: two fixed byte sequences, each checked on 1433 and on 139.
# The matches are case-sensitive and carry no references.
# NOTE(review): sid 694 is classed attempted-user while 691-693, including its
# tcp/1433 twin sid 693, are classed shellcode-detect - looks inconsistent;
# anything that filters or prioritises by classtype will treat 694 differently.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 ( msg:"INDICATOR-SHELLCODE shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; metadata:ruleset community; classtype:shellcode-detect; sid:691; rev:9; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 ( msg:"INDICATOR-SHELLCODE shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; metadata:ruleset community; classtype:shellcode-detect; sid:692; rev:10; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 ( msg:"INDICATOR-SHELLCODE shellcode attempt"; flow:to_server,established; content:"H|00|%|00|x|00|w|00 90 00 90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|"; metadata:ruleset community; classtype:shellcode-detect; sid:693; rev:9; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 ( msg:"INDICATOR-SHELLCODE shellcode attempt"; flow:to_server,established; content:"H|00|%|00|x|00|w|00 90 00 90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|"; metadata:ruleset community; classtype:attempted-user; sid:694; rev:10; )
# sids 695/704: any call to xp_sprintf. The msg says "possible" because the
# rules match the procedure name only and do not measure argument length.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 ( msg:"SERVER-MSSQL xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|",offset 32,nocase; metadata:ruleset community; reference:bugtraq,1204; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-060; classtype:attempted-user; sid:695; rev:14; )
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 ( msg:"SERVER-MSSQL xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|",fast_pattern,nocase; metadata:ruleset community; reference:bugtraq,1204; reference:bugtraq,3733; reference:cve,2001-0542; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-060; classtype:attempted-user; sid:704; rev:16; )
# PROTOCOL-TELNET, sids 709-719: tcp/23 between $EXTERNAL_NET and
# $TELNET_SERVERS. sids 709-714 inspect what the client sends; sids 715-719
# inspect what the server sends back. All are plain string matches on the
# session payload.
#
# sids 709-710: the strings "4Dgifts" and "OutOfBox" anywhere in the client
# stream; the msgs describe them as account login attempts. Both matches are
# case-sensitive (no nocase) and not anchored to a login prompt.
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"PROTOCOL-TELNET 4Dgifts SGI account attempt"; flow:to_server,established; content:"4Dgifts"; metadata:ruleset community; service:telnet; reference:cve,1999-0501; reference:nessus,11243; classtype:suspicious-login; sid:709; rev:17; )
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"PROTOCOL-TELNET EZsetup account attempt"; flow:to_server,established; content:"OutOfBox"; metadata:ruleset community; service:telnet; reference:cve,1999-0501; reference:nessus,11244; classtype:suspicious-login; sid:710; rev:17; )
# sid 711: requires both "_RLD" (any case) and "bin/sh" (exact case) in the
# client stream; no ordering between the two is enforced.
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"PROTOCOL-TELNET SGI telnetd format bug"; flow:to_server,established; content:"_RLD",fast_pattern,nocase; content:"bin/sh"; metadata:ruleset community; service:telnet; reference:bugtraq,1572; reference:cve,2000-0733; classtype:attempted-admin; sid:711; rev:18; )
# sid 712: the name "ld_library_path" sent by the client, in any case.
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"PROTOCOL-TELNET ld_library_path"; flow:to_server,established; content:"ld_library_path",fast_pattern,nocase; metadata:ruleset community; service:telnet; reference:bugtraq,459; reference:cve,1999-0073; classtype:attempted-admin; sid:712; rev:16; )
# sid 713: five consecutive FF F3 byte pairs. nocase has no effect here
# because the pattern contains no ASCII letters.
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"PROTOCOL-TELNET livingston DOS"; flow:to_server,established; content:"|FF F3 FF F3 FF F3 FF F3 FF F3|",fast_pattern,nocase; metadata:ruleset community; service:telnet; reference:bugtraq,2225; reference:cve,1999-0218; classtype:attempted-dos; sid:713; rev:18; )
# sid 714: the name "resolv_host_conf" sent by the client, in any case.
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 ( msg:"PROTOCOL-TELNET resolv_host_conf"; flow:to_server,established; content:"resolv_host_conf",fast_pattern,nocase; metadata:ruleset community; service:telnet; reference:bugtraq,2181; reference:cve,2001-0170; classtype:attempted-admin; sid:714; rev:15; )
# sids 715-719: server-to-client text. These report what the server printed,
# so they describe an outcome rather than an exploit, and none carries a
# reference. Expect them to be noisy on hosts with interactive users.
# sid 715: server text containing "to su root".
alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any ( msg:"PROTOCOL-TELNET Attempted SU from wrong group"; flow:to_client,established; content:"to su root",fast_pattern,nocase; metadata:ruleset community; service:telnet; classtype:attempted-admin; sid:715; rev:14; )
# sid 717: server text containing "not on system console".
alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any ( msg:"PROTOCOL-TELNET not on console"; flow:to_client,established; content:"not on system console",fast_pattern,nocase; metadata:ruleset community; service:telnet; classtype:bad-unknown; sid:717; rev:15; )
# sid 718: fires on every "Login incorrect" (exact case), including ordinary
# typos; it is mainly useful in aggregate as a password-guessing indicator.
alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any ( msg:"PROTOCOL-TELNET login incorrect"; flow:to_client,established; content:"Login incorrect"; metadata:ruleset community; service:telnet; classtype:bad-unknown; sid:718; rev:16; )
# sid 719: "login: root" in the server-to-client direction.
# NOTE(review): presumably this relies on the server echoing the typed user
# name after its login prompt - confirm.
alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any ( msg:"PROTOCOL-TELNET root login"; flow:to_client,established; content:"login|3A| root",fast_pattern,nocase; metadata:ruleset community; service:telnet; classtype:suspicious-login; sid:719; rev:15; )
# SERVER-WEBAPP, sids 803-820: inbound HTTP requests from $EXTERNAL_NET to
# $HTTP_SERVERS on $HTTP_PORTS. http_uri, http_raw_uri and pkt_data select the
# buffer that the content options following them are matched against.
# The traversal rules look for "../" in http_raw_uri.
# NOTE(review): presumably because the normalized http_uri would already have
# the dot segments resolved - confirm.
# Rules whose msg ends in "access" (classtype attempted-recon) only show that
# the path was requested; check the server's response, and whether the script
# exists on the host, before treating a hit as more than probing.
#
# sid 803: hsx.cgi request whose raw URI has "../../" followed, at least one
# byte later, by an encoded NUL ("%00").
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP HyperSeek hsx.cgi directory traversal attempt"; flow:to_server,established; http_uri; content:"/hsx.cgi"; http_raw_uri; content:"../../"; content:"%00",distance 1; metadata:ruleset community; service:http; reference:bugtraq,2314; reference:cve,2001-0253; reference:nessus,10602; classtype:web-application-attack; sid:803; rev:21; )
# sid 804: the msg says "Overflow attempt", but the rule only requires
# "/s.cgi" and "tmpl=" in the URI; it does not measure the parameter's length,
# so any request that sets tmpl fires it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP SWSoft ASPSeek Overflow attempt"; flow:to_server,established; http_uri; content:"/s.cgi",fast_pattern,nocase; content:"tmpl="; metadata:ruleset community; service:http; reference:bugtraq,2492; reference:cve,2001-0476; classtype:web-application-attack; sid:804; rev:20; )
# sid 805: wsisa.dll WService request that also names "WSMadmin".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Progress webspeed access"; flow:to_server,established; http_uri; content:"/wsisa.dll/WService=",fast_pattern,nocase; content:"WSMadmin",nocase; metadata:ruleset community; service:http; reference:bugtraq,969; reference:cve,2000-0127; reference:nessus,10304; classtype:attempted-user; sid:805; rev:22; )
# sid 806: "/YaBB" in the URI together with "../" in the raw URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP yabb directory traversal attempt"; flow:to_server,established; http_uri; content:"/YaBB",fast_pattern,nocase; http_raw_uri; content:"../"; metadata:ruleset community; service:http; reference:bugtraq,1668; reference:cve,2000-0853; reference:nessus,10512; classtype:attempted-recon; sid:806; rev:24; )
# sid 807: request for the board's passwd.txt file.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP /wwwboard/passwd.txt access"; flow:to_server,established; http_uri; content:"/wwwboard/passwd.txt",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,649; reference:cve,1999-0953; reference:cve,1999-0954; reference:nessus,10321; classtype:attempted-recon; sid:807; rev:24; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP webdriver access"; flow:to_server,established; http_uri; content:"/webdriver",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2166; reference:nessus,10592; classtype:attempted-recon; sid:808; rev:21; )
# sids 809-810: a pair on whois_raw.cgi. sid 810 fires on any request for the
# script; sid 809 additionally wants a query string ("?") and a 0x0A byte in
# pkt_data, so a request that triggers 809 also triggers 810.
# NOTE(review): a bare 0x0A in pkt_data looks likely to be satisfied by the
# request's own line endings, which would make 809 fire on any query to the
# script rather than only on an embedded newline - confirm.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP whois_raw.cgi arbitrary command execution attempt"; flow:to_server,established; http_uri; content:"/whois_raw.cgi?"; pkt_data; content:"|0A|"; metadata:ruleset community; service:http; reference:bugtraq,304; reference:cve,1999-1063; reference:nessus,10306; classtype:web-application-attack; sid:809; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP whois_raw.cgi access"; flow:to_server,established; http_uri; content:"/whois_raw.cgi"; metadata:ruleset community; service:http; reference:bugtraq,304; reference:cve,1999-1063; reference:nessus,10306; classtype:attempted-recon; sid:810; rev:19; )
# sid 811: no buffer selector, so this matches the literal bytes
# space, "/", "HTTP/1." in the request as sent - a request line in which the
# path "/" runs straight into the protocol version without a separating space.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP websitepro path access"; flow:to_server,established; content:" /HTTP/1.",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,932; reference:cve,2000-0066; reference:nessus,10303; classtype:attempted-recon; sid:811; rev:18; )
# sids 812-813: "/webplus?about" (version query, recon) and "/webplus?script"
# combined with "../" in the raw URI (traversal).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP webplus version access"; flow:to_server,established; http_uri; content:"/webplus?about",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1102; reference:cve,2000-0282; classtype:attempted-recon; sid:812; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP webplus directory traversal"; flow:to_server,established; http_uri; content:"/webplus?script",fast_pattern,nocase; http_raw_uri; content:"../"; metadata:ruleset community; service:http; reference:bugtraq,1102; reference:cve,2000-0282; reference:nessus,10367; classtype:web-application-attack; sid:813; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP websendmail access"; flow:to_server,established; http_uri; content:"/websendmail",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2077; reference:cve,1999-0196; reference:nessus,10301; classtype:attempted-recon; sid:815; rev:22; )
# sid 817: dcboard.cgi request carrying "command=register" and "%7cadmin"
# (an encoded "|" followed by "admin") in pkt_data.
# NOTE(review): neither pkt_data content has nocase - confirm the encoded form
# is matched in both hex cases.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP dcboard.cgi invalid user addition attempt"; flow:to_server,established; http_uri; content:"/dcboard.cgi"; pkt_data; content:"command=register"; content:"%7cadmin"; metadata:ruleset community; service:http; reference:bugtraq,2728; reference:cve,2001-0527; reference:nessus,10583; classtype:web-application-attack; sid:817; rev:19; )
# sid 818: access-only rule for dcforum.cgi; it cites the same references as
# the dcboard.cgi rule (sid 817).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP dcforum.cgi access"; flow:to_server,established; http_uri; content:"/dcforum.cgi"; metadata:ruleset community; service:http; reference:bugtraq,2728; reference:cve,2001-0527; reference:nessus,10583; classtype:attempted-recon; sid:818; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP mmstdod.cgi access"; flow:to_server,established; http_uri; content:"/mmstdod.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2063; reference:cve,2001-0021; reference:nessus,10566; classtype:attempted-recon; sid:819; rev:22; )
# sid 820: apexec.pl request with "template=../" in pkt_data, i.e. a template
# parameter that starts by stepping out of its directory.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP anaconda directory traversal attempt"; flow:to_server,established; http_uri; content:"/apexec.pl"; pkt_data; content:"template=../",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2338; reference:bugtraq,2388; reference:cve,2000-0975; reference:cve,2001-0308; reference:nessus,10536; classtype:web-application-attack; sid:820; rev:19; )
# SERVER-WEBAPP, sids 821-850: mostly "access" rules. Each one matches a
# script or program path as a case-insensitive substring of the URI
# (http_uri buffer) on inbound requests to $HTTP_SERVERS, and is classed
# attempted-recon. A hit shows that the path was requested, nothing more:
# triage by checking the server's response and whether the file exists on the
# host. Because the match is a substring, short patterns also fire on longer
# paths that merely contain them (constructed example: "/finger" also matches
# "/fingerprint.js").
#
# sid 821: the msg says "overflow attempt", but the rule only requires
# "/imagemap.exe?" in the URI; the length of the query is not checked.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP imagemap.exe overflow attempt"; flow:to_server,established; http_uri; content:"/imagemap.exe?",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,739; reference:cve,1999-0951; reference:nessus,10122; classtype:web-application-attack; sid:821; rev:25; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP cvsweb.cgi access"; flow:to_server,established; http_uri; content:"/cvsweb.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1469; reference:cve,2000-0670; reference:nessus,10465; classtype:attempted-recon; sid:823; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP php.cgi access"; flow:to_server,established; http_uri; content:"/php.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2250; reference:bugtraq,712; reference:cve,1999-0058; reference:cve,1999-0238; reference:nessus,10178; classtype:attempted-recon; sid:824; rev:27; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP glimpse access"; flow:to_server,established; http_uri; content:"/glimpse",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2026; reference:cve,1999-0147; reference:nessus,10095; classtype:attempted-recon; sid:825; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP htmlscript access"; flow:to_server,established; http_uri; content:"/htmlscript",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2001; reference:cve,1999-0264; reference:nessus,10106; classtype:attempted-recon; sid:826; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP info2www access"; flow:to_server,established; http_uri; content:"/info2www",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1995; reference:cve,1999-0266; reference:nessus,10127; classtype:attempted-recon; sid:827; rev:21; )
# sid 828: carries no reference, so there is nothing in the rule to tie a hit
# to a specific advisory.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP maillist.pl access"; flow:to_server,established; http_uri; content:"/maillist.pl",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:828; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP nph-test-cgi access"; flow:to_server,established; http_uri; content:"/nph-test-cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,686; reference:cve,1999-0045; reference:nessus,10165; classtype:attempted-recon; sid:829; rev:24; )
# sid 832: "/perl.exe" requested over HTTP; references CVE-1999-0509 and CERT
# CA-1996-11. NOTE(review): presumably the concern is an interpreter reachable
# through the web server - confirm against the advisory.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP perl.exe access"; flow:to_server,established; http_uri; content:"/perl.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-0509; reference:nessus,10173; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:832; rev:24; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP rguest.exe access"; flow:to_server,established; http_uri; content:"/rguest.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2024; reference:cve,1999-0287; classtype:attempted-recon; sid:833; rev:23; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP rwwwshell.pl access"; flow:to_server,established; http_uri; content:"/rwwwshell.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,www.itsecurity.com/papers/p37.htm; classtype:attempted-recon; sid:834; rev:19; )
# sid 835: the metadata assigns a drop action under the max-detect-ips policy,
# which the neighbouring access rules do not have.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP test-cgi access"; flow:to_server,established; http_uri; content:"/test-cgi",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,2003; reference:cve,1999-0070; reference:nessus,10282; classtype:attempted-recon; sid:835; rev:26; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP textcounter.pl access"; flow:to_server,established; http_uri; content:"/textcounter.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2265; reference:cve,1999-1479; reference:nessus,11451; classtype:attempted-recon; sid:836; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP uploader.exe access"; flow:to_server,established; http_uri; content:"/uploader.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1611; reference:cve,1999-0177; reference:cve,2000-0769; reference:nessus,10291; classtype:attempted-recon; sid:837; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP webgais access"; flow:to_server,established; http_uri; content:"/webgais",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2058; reference:cve,1999-0176; reference:nessus,10300; classtype:attempted-recon; sid:838; rev:22; )
# sid 839: a generic seven-character pattern; expect unrelated paths that
# contain "/finger" to trigger it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP finger access"; flow:to_server,established; http_uri; content:"/finger",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-0612; reference:nessus,10071; classtype:attempted-recon; sid:839; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP perlshop.cgi access"; flow:to_server,established; http_uri; content:"/perlshop.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-1374; classtype:attempted-recon; sid:840; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP aglimpse access"; flow:to_server,established; http_uri; content:"/aglimpse",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2026; reference:cve,1999-0147; reference:nessus,10095; classtype:attempted-recon; sid:842; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP anform2 access"; flow:to_server,established; http_uri; content:"/AnForm2",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,719; reference:cve,1999-0066; classtype:attempted-recon; sid:843; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP args.bat access"; flow:to_server,established; http_uri; content:"/args.bat",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-1180; reference:nessus,11465; classtype:attempted-recon; sid:844; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP AT-admin.cgi access"; flow:to_server,established; http_uri; content:"/AT-admin.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-1072; classtype:attempted-recon; sid:845; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP bnbform.cgi access"; flow:to_server,established; http_uri; content:"/bnbform.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2147; reference:cve,1999-0937; classtype:attempted-recon; sid:846; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP campas access"; flow:to_server,established; http_uri; content:"/campas",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1975; reference:cve,1999-0146; reference:nessus,10035; classtype:attempted-recon; sid:847; rev:22; )
# sids 848-849: a pair on "/view-source". sid 849 fires on any request for the
# path; sid 848 additionally requires "../" in the raw URI and is classed as a
# web-application-attack. A traversal request triggers both rules.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP view-source directory traversal"; flow:to_server,established; http_uri; content:"/view-source",fast_pattern,nocase; http_raw_uri; content:"../"; metadata:ruleset community; service:http; reference:bugtraq,2251; reference:bugtraq,8883; reference:cve,1999-0174; classtype:web-application-attack; sid:848; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP view-source access"; flow:to_server,established; http_uri; content:"/view-source",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2251; reference:bugtraq,8883; reference:cve,1999-0174; classtype:attempted-recon; sid:849; rev:20; )
# sid 850: carries no reference.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP wais.pl access"; flow:to_server,established; http_uri; content:"/wais.pl",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:850; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP files.pl access"; flow:to_server,established; http_uri; content:"/files.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-1081; classtype:attempted-recon; sid:851; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP wguest.exe access"; flow:to_server,established; http_uri; content:"/wguest.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2024; reference:cve,1999-0287; reference:cve,1999-0467; classtype:attempted-recon; sid:852; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP wrap access"; flow:to_server,established; http_uri; content:"/wrap"; metadata:ruleset community; service:http; reference:bugtraq,373; reference:cve,1999-0149; reference:nessus,10317; classtype:attempted-recon; sid:853; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP classifieds.cgi access"; flow:to_server,established; http_uri; content:"/classifieds.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2020; reference:cve,1999-0934; classtype:attempted-recon; sid:854; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP environ.cgi access"; flow:to_server,established; http_uri; content:"/environ.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:856; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP faxsurvey access"; flow:to_server,established; http_uri; content:"/faxsurvey",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,2056; reference:cve,1999-0262; reference:nessus,10067; classtype:web-application-activity; sid:857; rev:26; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP filemail access"; flow:to_server,established; http_uri; content:"/filemail.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-1154; classtype:attempted-recon; sid:858; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP man.sh access"; flow:to_server,established; http_uri; content:"/man.sh",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2276; reference:cve,1999-1179; classtype:attempted-recon; sid:859; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP snork.bat access"; flow:to_server,established; http_uri; content:"/snork.bat",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2023; reference:cve,1999-0233; classtype:attempted-recon; sid:860; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP w3-msql access"; flow:to_server,established; http_uri; content:"/w3-msql/",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,591; reference:bugtraq,898; reference:cve,1999-0276; reference:cve,1999-0753; reference:cve,2000-0012; reference:nessus,10296; classtype:attempted-recon; sid:861; rev:25; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP csh access"; flow:to_server,established; http_uri; content:"/csh",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:862; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP day5datacopier.cgi access"; flow:to_server,established; http_uri; content:"/day5datacopier.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-1232; classtype:attempted-recon; sid:863; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP day5datanotifier.cgi access"; flow:to_server,established; http_uri; content:"/day5datanotifier.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-1232; classtype:attempted-recon; sid:864; rev:19; )
# Legacy CGI "access" signatures, sids 865-877.
# Every rule in this run has the same shape: on an established client-to-server
# flow from $EXTERNAL_NET to $HTTP_SERVERS on $HTTP_PORTS, alert when the
# http_uri buffer contains the quoted string (nocase = case-insensitive).
# content is a plain substring test, so a short pattern such as "/rsh" also
# matches any longer path component that begins with those characters; expect
# these rules to need per-site tuning.
# Only the request is inspected (flow:to_server). A hit shows that the path was
# requested, not that the file exists or that anything was returned; check the
# web server's response status before escalating.
# sids 865, 868, 872 and 877 are the shell-name rules (ksh, rsh, tcsh, rksh) and
# share the cve,1999-0509 / CERT CA-1996-11 references.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ksh access"; flow:to_server,established; http_uri; content:"/ksh",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:865; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP post-query access"; flow:to_server,established; http_uri; content:"/post-query",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,6752; reference:cve,2001-0291; classtype:attempted-recon; sid:866; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP visadmin.exe access"; flow:to_server,established; http_uri; content:"/visadmin.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1808; reference:cve,1999-0970; reference:nessus,10295; classtype:attempted-recon; sid:867; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP rsh access"; flow:to_server,established; http_uri; content:"/rsh",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:868; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP dumpenv.pl access"; flow:to_server,established; http_uri; content:"/dumpenv.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-1178; reference:nessus,10060; classtype:attempted-recon; sid:869; rev:20; )
# sid 870 carries no reference option; triage has only the msg text to go on.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP snorkerz.cmd access"; flow:to_server,established; http_uri; content:"/snorkerz.cmd",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:870; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP survey.cgi access"; flow:to_server,established; http_uri; content:"/survey.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1817; reference:cve,1999-0936; classtype:attempted-recon; sid:871; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP tcsh access"; flow:to_server,established; http_uri; content:"/tcsh",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:872; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP win-c-sample.exe access"; flow:to_server,established; http_uri; content:"/win-c-sample.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2078; reference:cve,1999-0178; reference:nessus,10008; classtype:attempted-recon; sid:875; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP rksh access"; flow:to_server,established; http_uri; content:"/rksh",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:877; rev:19; )
# Legacy CGI "access" signatures, sids 878-886.
# Each rule alerts when the http_uri buffer of an established client-to-server
# request from $EXTERNAL_NET to $HTTP_SERVERS contains the quoted string,
# case-insensitively. The match is a substring test on the request only, so an
# alert means "this path was requested", nothing more.
# Several patterns here are ordinary names ("/admin.pl", "/archie",
# "/calendar") and sids 878, 881 and 882 have no reference option; these are
# likely to be noisy on sites that use such paths legitimately and are
# candidates for per-sid suppression or thresholding.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP w3tvars.pm access"; flow:to_server,established; http_uri; content:"/w3tvars.pm",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:878; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP admin.pl access"; flow:to_server,established; http_uri; content:"/admin.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,3839; reference:cve,2002-1748; reference:url,online.securityfocus.com/archive/1/249355; classtype:attempted-recon; sid:879; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP LWGate access"; flow:to_server,established; http_uri; content:"/LWGate",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,www.netspace.org/~dwb/lwgate/lwgate-history.html; reference:url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm; classtype:attempted-recon; sid:880; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP archie access"; flow:to_server,established; http_uri; content:"/archie",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:881; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP calendar access"; flow:to_server,established; http_uri; content:"/calendar",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:882; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP flexform access"; flow:to_server,established; http_uri; content:"/flexform",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm; classtype:attempted-recon; sid:883; rev:17; )
# sid 885 cites the same cve,1999-0509 / CA-1996-11 references as the other
# shell-name rules (865, 868, 872, 877) but is classed web-application-activity
# where they are attempted-recon, so it may land at a different priority.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP bash access"; flow:to_server,established; http_uri; content:"/bash",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:web-application-activity; sid:885; rev:20; )
# sid 886: the rule header says alert; the only mention of a drop action is the
# metadata tag "policy max-detect-ips drop".
# NOTE(review): presumably rule-management tooling that applies the max-detect
# policy turns this into a drop rule - confirm before running inline, because
# "/phf" is a four-character substring match.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP phf access"; flow:to_server,established; http_uri; content:"/phf",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,629; reference:cve,1999-0067; classtype:web-application-activity; sid:886; rev:28; )
# Legacy CGI "access" signatures, sids 887-898.
# Each rule alerts when the http_uri buffer of an established client-to-server
# request from $EXTERNAL_NET to $HTTP_SERVERS contains the quoted string,
# case-insensitively. Nothing in these rules looks at parameters or at the
# response, so a hit records a request for the path and no more.
# "/redirect" (895) and "/upload.pl" (891) are generic names; sids 888 and 891
# have no reference option. Review these against the applications actually
# hosted behind $HTTP_SERVERS before treating hits as reconnaissance.
# sid 896 is classed web-application-activity; the rest are attempted-recon.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP www-sql access"; flow:to_server,established; http_uri; content:"/www-sql",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=88704258804054&w=2; classtype:attempted-recon; sid:887; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP wwwadmin.pl access"; flow:to_server,established; http_uri; content:"/wwwadmin.pl",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:888; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ppdscgi.exe access"; flow:to_server,established; http_uri; content:"/ppdscgi.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,491; reference:nessus,10187; reference:url,online.securityfocus.com/archive/1/16878; classtype:attempted-recon; sid:889; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP sendform.cgi access"; flow:to_server,established; http_uri; content:"/sendform.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,5286; reference:cve,2002-0710; reference:url,www.scn.org/help/sendform.txt; classtype:attempted-recon; sid:890; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP upload.pl access"; flow:to_server,established; http_uri; content:"/upload.pl",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:891; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP AnyForm2 access"; flow:to_server,established; http_uri; content:"/AnyForm2",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,719; reference:cve,1999-0066; reference:nessus,10277; classtype:attempted-recon; sid:892; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP bb-hist.sh access"; flow:to_server,established; http_uri; content:"/bb-hist.sh",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,142; reference:cve,1999-1462; reference:nessus,10025; classtype:attempted-recon; sid:894; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP redirect access"; flow:to_server,established; http_uri; content:"/redirect",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1179; reference:cve,2000-0382; classtype:attempted-recon; sid:895; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP way-board access"; flow:to_server,established; http_uri; content:"/way-board",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2370; reference:cve,2001-0214; reference:nessus,10610; classtype:web-application-activity; sid:896; rev:23; )
# sid 897 cites two CVEs (2001-0216 and 2001-0217); the rule cannot tell which
# one a given request relates to.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP pals-cgi access"; flow:to_server,established; http_uri; content:"/pals-cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2372; reference:cve,2001-0216; reference:cve,2001-0217; reference:nessus,10611; classtype:attempted-recon; sid:897; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP commerce.cgi access"; flow:to_server,established; http_uri; content:"/commerce.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2361; reference:cve,2001-0210; reference:nessus,10612; classtype:attempted-recon; sid:898; rev:21; )
# sids 899-902: two "directory traversal attempt" rules plus two access rules.
#
# sid 899: both content matches run in http_uri. The rule needs "/sendtemp.pl"
# and "templ=" to be present (neither has a distance/within constraint, so
# their order is not checked). No traversal sequence is required, so the rule
# fires on any request that passes a templ parameter to sendtemp.pl even though
# the msg and classtype say "traversal attempt" / web-application-attack.
# Read the parameter value in the capture or web log before escalating.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Amaya templates sendtemp.pl directory traversal attempt"; flow:to_server,established; http_uri; content:"/sendtemp.pl",fast_pattern,nocase; content:"templ=",nocase; metadata:ruleset community; service:http; reference:bugtraq,2504; reference:cve,2001-0272; reference:nessus,10614; classtype:web-application-attack; sid:899; rev:20; )
# sid 900: the script name is matched in http_uri, then the buffer is switched
# to http_raw_uri for the "../../" check.
# NOTE(review): presumably the raw buffer is used because dot segments would
# not survive URI normalization - confirm against the http_inspect settings.
# sid 901 below matches the same "/webspirs.cgi" string with no further
# condition, so every request that fires 900 also fires 901.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP webspirs.cgi directory traversal attempt"; flow:to_server,established; http_uri; content:"/webspirs.cgi",fast_pattern,nocase; http_raw_uri; content:"../../"; metadata:ruleset community; service:http; reference:bugtraq,2362; reference:cve,2001-0211; reference:nessus,10616; classtype:web-application-attack; sid:900; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP webspirs.cgi access"; flow:to_server,established; http_uri; content:"/webspirs.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2362; reference:cve,2001-0211; reference:nessus,10616; classtype:attempted-recon; sid:901; rev:22; )
# sid 902: unlike the neighbouring rules the pattern has no leading "/", so
# "tstisapi.dll" matches anywhere in the URI buffer, not only as the start of a
# path component.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP tstisapi.dll access"; flow:to_server,established; http_uri; content:"tstisapi.dll",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2381; reference:cve,2001-0302; classtype:attempted-recon; sid:902; rev:21; )
# Adobe ColdFusion path rules, sids 903-908 (msg category SERVER-OTHER).
# Each alerts when the http_uri buffer of an established client-to-server
# request from $EXTERNAL_NET contains the quoted path, case-insensitively.
# All are classed attempted-recon and inspect the request only.
# The /cfdocs/exampleapp/ paths (904-907) look like sample applications
# shipped with the product (inferred from the path names); if those directories
# are not deployed, a hit is a probe rather than use of a real application.
#
# Overlap to expect when triaging:
#   - 904, 905, 906 and 907 sit under "/cfdocs/exampleapp/", which sid 928
#     matches on its own, so each of them fires together with 928.
#   - 904 and 905 end in "/application.cfm", which sid 932 matches on its own.
#   - sid 905 and sid 932 carry the identical msg text; tell them apart by sid.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion cfcache.map access"; flow:to_server,established; http_uri; content:"/cfcache.map",nocase; metadata:ruleset community; service:http; reference:bugtraq,917; reference:cve,2000-0057; classtype:attempted-recon; sid:903; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion exampleapp application.cfm"; flow:to_server,established; http_uri; content:"/cfdocs/exampleapp/email/application.cfm",nocase; metadata:ruleset community; service:http; reference:bugtraq,1021; reference:cve,2000-0189; reference:cve,2001-0535; classtype:attempted-recon; sid:904; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion application.cfm access"; flow:to_server,established; http_uri; content:"/cfdocs/exampleapp/publish/admin/application.cfm",nocase; metadata:ruleset community; service:http; reference:bugtraq,1021; reference:cve,2000-0189; reference:cve,2001-0535; classtype:attempted-recon; sid:905; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion getfile.cfm access"; flow:to_server,established; http_uri; content:"/cfdocs/exampleapp/email/getfile.cfm",nocase; metadata:ruleset community; service:http; reference:bugtraq,229; reference:cve,1999-0800; reference:cve,2001-0535; classtype:attempted-recon; sid:906; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion addcontent.cfm access"; flow:to_server,established; http_uri; content:"/cfdocs/exampleapp/publish/admin/addcontent.cfm",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,2001-0535; classtype:attempted-recon; sid:907; rev:16; )
# sid 908 records a request from $EXTERNAL_NET for the administrator index
# page. The rule does not distinguish a login page view from anything else, so
# the useful follow-up is whether that interface should be reachable from
# outside at all.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion administrator access"; flow:to_server,established; http_uri; content:"/cfide/administrator/index.cfm",nocase; metadata:ruleset community; service:http; reference:bugtraq,1314; reference:cve,2000-0538; reference:nessus,10581; classtype:attempted-recon; sid:908; rev:20; )
# Adobe ColdFusion rules, sids 909-924. Two kinds are interleaved here.
#
# Function-name rules (909, 916, 917, 919, 920, 921, 923, 924): no sticky
# buffer is selected, so the content is searched in the default detection
# buffer rather than in http_uri. The pattern is an administrative function
# name followed by |28 29|, the bytes for "()", matched case-insensitively.
# All are classed web-application-attack.
#
# Path rules (910-915, 918, 922): substring match on http_uri, nocase.
#
# Every rule in this run cites bugtraq,550 / cve,1999-0760 (some add others),
# so the CVE does not identify which rule fired; use the sid and msg.
# Only the request is inspected; none of these rules shows that the function
# ran or that a file was returned.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion datasource username attempt"; flow:to_server,established; content:"CF_SETDATASOURCEUSERNAME|28 29|",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:909; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion fileexists.cfm access"; flow:to_server,established; http_uri; content:"/cfdocs/snippets/fileexists.cfm",nocase; metadata:ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:910; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion exprcalc access"; flow:to_server,established; http_uri; content:"/cfdocs/expeval/exprcalc.cfm",nocase; metadata:ruleset community; service:http; reference:bugtraq,115; reference:bugtraq,550; reference:cve,1999-0455; reference:cve,1999-0760; classtype:attempted-recon; sid:911; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion parks access"; flow:to_server,established; http_uri; content:"/cfdocs/examples/parks/detail.cfm",nocase; metadata:ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:912; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion cfappman access"; flow:to_server,established; http_uri; content:"/cfappman/index.cfm",nocase; metadata:ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:913; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion beaninfo access"; flow:to_server,established; http_uri; content:"/cfdocs/examples/cvbeans/beaninfo.cfm",nocase; metadata:ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:914; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion evaluate.cfm access"; flow:to_server,established; http_uri; content:"/cfdocs/snippets/evaluate.cfm",nocase; metadata:ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:915; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion getodbcdsn access"; flow:to_server,established; content:"CFUSION_GETODBCDSN|28 29|",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:916; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion db connections flush attempt"; flow:to_server,established; content:"CFUSION_DBCONNECTIONS_FLUSH|28 29|",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:917; rev:15; )
# sid 918 matches the directory prefix "/cfdocs/expeval/", which is also the
# start of the paths in sid 911 and sid 922; requests for those files raise
# 918 as well. It is the only path rule here classed attempted-user.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion expeval access"; flow:to_server,established; http_uri; content:"/cfdocs/expeval/",nocase; metadata:ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0477; reference:cve,1999-0760; classtype:attempted-user; sid:918; rev:18; )
# sid 919: the msg text reads "passwordattempt" with no space. Searches and
# dashboards keyed on msg must use that exact spelling.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion datasource passwordattempt"; flow:to_server,established; content:"CF_SETDATASOURCEPASSWORD|28 29|",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:919; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion datasource attempt"; flow:to_server,established; content:"CF_ISCOLDFUSIONDATASOURCE|28 29|",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:920; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion admin encrypt attempt"; flow:to_server,established; content:"CFUSION_ENCRYPT|28 29|",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:921; rev:15; )
# sid 922 is a path rule but, unlike the other path rules in this run, is
# classed web-application-attack.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion displayfile access"; flow:to_server,established; http_uri; content:"/cfdocs/expeval/displayopenedfile.cfm",nocase; metadata:ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:922; rev:18; )
# sid 923: the msg says "getodbcin" while the matched name is
# CFUSION_GETODBCINI; the content, not the msg, defines what is detected.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion getodbcin attempt"; flow:to_server,established; content:"CFUSION_GETODBCINI|28 29|",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:923; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion admin decrypt attempt"; flow:to_server,established; content:"CFUSION_DECRYPT|28 29|",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:924; rev:15; )
# Adobe ColdFusion rules, sids 925-936.
# Path rules (925, 928, 930-933, 935, 936) are case-insensitive substring
# matches on http_uri. Function-name rules (926, 927, 929) select no sticky
# buffer, so the name followed by |28 29| ("()") is searched in the default
# detection buffer instead of the URI.
# All rules inspect the client-to-server request only.
#
# Broad patterns in this run:
#   - 928 "/cfdocs/exampleapp/" and 930 "/cfdocs/snippets/" match a whole
#     directory, so they fire alongside the file-specific rules for paths under
#     those directories (904-907 and 910, 915, 936 respectively).
#   - 932 "/application.cfm" and 933 "/onrequestend.cfm" match the file name in
#     any directory.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion mainframeset access"; flow:to_server,established; http_uri; content:"/cfdocs/examples/mainframeset.cfm",nocase; metadata:ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:925; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion set odbc ini attempt"; flow:to_server,established; content:"CFUSION_SETODBCINI|28 29|",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:926; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion settings refresh attempt"; flow:to_server,established; content:"CFUSION_SETTINGS_REFRESH|28 29|",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:927; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion exampleapp access"; flow:to_server,established; http_uri; content:"/cfdocs/exampleapp/",nocase; metadata:ruleset community; service:http; reference:cve,2001-0535; classtype:attempted-recon; sid:928; rev:17; )
# sid 929 is a function-name rule classed attempted-user, whereas 926 and 927
# in this run are web-application-attack.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion CFUSION_VERIFYMAIL access"; flow:to_server,established; content:"CFUSION_VERIFYMAIL|28 29|",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-user; sid:929; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion snippets attempt"; flow:to_server,established; http_uri; content:"/cfdocs/snippets/",nocase; metadata:ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:930; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion cfmlsyntaxcheck.cfm access"; flow:to_server,established; http_uri; content:"/cfdocs/cfmlsyntaxcheck.cfm",nocase; metadata:ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:931; rev:18; )
# sid 932 has the same msg text as sid 905; distinguish them by sid.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion application.cfm access"; flow:to_server,established; http_uri; content:"/application.cfm",nocase; metadata:ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; reference:cve,2000-0189; classtype:attempted-recon; sid:932; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion onrequestend.cfm access"; flow:to_server,established; http_uri; content:"/onrequestend.cfm",nocase; metadata:ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; reference:cve,2000-0189; classtype:attempted-recon; sid:933; rev:20; )
# sid 935 is labelled "DOS" and classed web-application-attack, but the only
# condition is that the URI contains the startstop.html path under the
# administrator directory.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion startstop DOS access"; flow:to_server,established; http_uri; content:"/cfide/administrator/startstop.html",nocase; metadata:ruleset community; service:http; reference:bugtraq,247; reference:cve,1999-0756; classtype:web-application-attack; sid:935; rev:18; )
# sid 936: the msg string ends with a trailing space ("... access "). Exact
# string comparisons on msg in downstream tooling need to account for it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Adobe Coldfusion gettempdirectory.cfm access "; flow:to_server,established; http_uri; content:"/cfdocs/snippets/gettempdirectory.cfm",nocase; metadata:ruleset community; service:http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:936; rev:17; )
# Microsoft FrontPage rules, sids 937 and 939; both cite bugtraq,2144 /
# cve,2001-0096 and are classed web-application-activity.
# sid 937 alerts when http_uri contains "/_vti_rpc" (case-insensitive).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage _vti_rpc access"; flow:to_server,established; http_uri; content:"/_vti_rpc",nocase; metadata:ruleset community; service:http; reference:bugtraq,2144; reference:cve,2001-0096; reference:nessus,10585; classtype:web-application-activity; sid:937; rev:21; )
# sid 939: content:"POST" comes before the http_uri selector, so it is searched
# in the default detection buffer, case-sensitively and with no depth or
# offset. Any occurrence of the four bytes "POST" satisfies it, not only the
# request method. "/author.dll" is then matched in http_uri.
# NOTE(review): the msg ("posting") suggests the intent is the HTTP method;
# matching it in the http_method buffer would state that directly. Validate
# against a capture first, and carry any change as a local rule with its own
# sid rather than editing an upstream sid in place.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage posting"; flow:to_server,established; content:"POST"; http_uri; content:"/author.dll",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2144; reference:cve,2001-0096; reference:nessus,10585; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-100; classtype:web-application-activity; sid:939; rev:22; )
# Microsoft FrontPage path rules, sids 940-954.
# Each alerts when the http_uri buffer of an established client-to-server
# request from $EXTERNAL_NET contains the quoted path (nocase). All are classed
# web-application-activity, and most carry no reference option.
# By name the targets fall into three groups:
#   - server extension binaries and admin pages (940, 941, 943-946, 950, 952)
#   - files under /_private/ (942, 947, 948, 949, 954)
#   - *.pwd files (951, 953)
# The rules see the request only. For the /_private/ and *.pwd rules the
# question that matters is whether the server returned the file, which has to
# be answered from the web server log or the response in a capture.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage shtml.dll access"; flow:to_server,established; http_uri; content:"/_vti_bin/shtml.dll",nocase; metadata:ruleset community; service:http; reference:bugtraq,1174; reference:bugtraq,1594; reference:bugtraq,1595; reference:cve,2000-0413; reference:cve,2000-0746; reference:nessus,11395; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-060; classtype:web-application-activity; sid:940; rev:28; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage contents.htm access"; flow:to_server,established; http_uri; content:"/admcgi/contents.htm",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:941; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage orders.htm access"; flow:to_server,established; http_uri; content:"/_private/orders.htm",nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:942; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage fpsrvadm.exe access"; flow:to_server,established; http_uri; content:"/fpsrvadm.exe",nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:943; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage fpremadm.exe access"; flow:to_server,established; http_uri; content:"/fpremadm.exe",nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:944; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage fpadmin.htm access"; flow:to_server,established; http_uri; content:"/admisapi/fpadmin.htm",nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:945; rev:17; )
# sid 946: the pattern is written with a capital F, but nocase makes the
# comparison case-insensitive.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage fpadmcgi.exe access"; flow:to_server,established; http_uri; content:"/scripts/Fpadmcgi.exe",nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:946; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage orders.txt access"; flow:to_server,established; http_uri; content:"/_private/orders.txt",nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:947; rev:17; )
# sid 948: the msg omits the extension; the pattern is form_results.txt.
# sid 954 further down is the .htm counterpart.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage form_results access"; flow:to_server,established; http_uri; content:"/_private/form_results.txt",nocase; metadata:ruleset community; service:http; reference:cve,1999-1052; classtype:web-application-activity; sid:948; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage registrations.htm access"; flow:to_server,established; http_uri; content:"/_private/registrations.htm",nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:949; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage cfgwiz.exe access"; flow:to_server,established; http_uri; content:"/cfgwiz.exe",nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:950; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage authors.pwd access"; flow:to_server,established; http_uri; content:"/authors.pwd",nocase; metadata:ruleset community; service:http; reference:bugtraq,989; reference:cve,1999-0386; reference:nessus,10078; classtype:web-application-activity; sid:951; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage author.exe access"; flow:to_server,established; http_uri; content:"/_vti_bin/_vti_aut/author.exe",nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:952; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage administrators.pwd access"; flow:to_server,established; http_uri; content:"/administrators.pwd",nocase; metadata:ruleset community; service:http; reference:bugtraq,1205; classtype:web-application-activity; sid:953; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage form_results.htm access"; flow:to_server,established; http_uri; content:"/_private/form_results.htm",nocase; metadata:ruleset community; service:http; reference:cve,1999-1052; classtype:web-application-activity; sid:954; rev:19; )
# Microsoft FrontPage path rules, sids 955-968.
# Each alerts when the http_uri buffer of an established client-to-server
# request from $EXTERNAL_NET contains the quoted string. All except 966 are
# classed web-application-activity and record a request, not a successful read.
#
# The /_vti_pvt/*.cnf rules (955, 958, 961, 963, 965) share the references
# bugtraq,4078 / cve,2002-1717 / nessus,10575 with sid 977, whose pattern is
# just ".cnf". Any request that fires one of these five also fires 977, so
# expect two alerts per request unless one side is suppressed.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage access.cnf access"; flow:to_server,established; http_uri; content:"/_vti_pvt/access.cnf",nocase; metadata:ruleset community; service:http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:955; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage register.txt access"; flow:to_server,established; http_uri; content:"/_private/register.txt",nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:956; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage registrations.txt access"; flow:to_server,established; http_uri; content:"/_private/registrations.txt",nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:957; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage service.cnf access"; flow:to_server,established; http_uri; content:"/_vti_pvt/service.cnf",nocase; metadata:ruleset community; service:http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:958; rev:21; )
# sid 959 and sid 964 match *.pwd file names in any directory. Whether the
# server returned the file has to be checked in the web log or the response.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage service.pwd"; flow:to_server,established; http_uri; content:"/service.pwd",nocase; metadata:ruleset community; service:http; reference:bugtraq,1205; classtype:web-application-activity; sid:959; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage service.stp access"; flow:to_server,established; http_uri; content:"/_vti_pvt/service.stp",nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:960; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage services.cnf access"; flow:to_server,established; http_uri; content:"/_vti_pvt/services.cnf",nocase; metadata:ruleset community; service:http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:961; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage shtml.exe access"; flow:to_server,established; http_uri; content:"/_vti_bin/shtml.exe",nocase; metadata:ruleset community; service:http; reference:bugtraq,1174; reference:bugtraq,1608; reference:bugtraq,5804; reference:cve,2000-0413; reference:cve,2000-0709; reference:cve,2002-0692; reference:nessus,10405; reference:nessus,11311; classtype:web-application-activity; sid:962; rev:24; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage svcacl.cnf access"; flow:to_server,established; http_uri; content:"/_vti_pvt/svcacl.cnf",nocase; metadata:ruleset community; service:http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:963; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage users.pwd access"; flow:to_server,established; http_uri; content:"/users.pwd",nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:964; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage writeto.cnf access"; flow:to_server,established; http_uri; content:"/_vti_pvt/writeto.cnf",nocase; metadata:ruleset community; service:http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:965; rev:21; )
# sid 966 is the one web-application-attack rule in this run. It matches the
# literal five characters "..../" (four dots and a slash) anywhere in http_uri;
# the pattern is not tied to any FrontPage path despite the msg.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage .... request"; flow:to_server,established; http_uri; content:"..../"; metadata:ruleset community; service:http; reference:bugtraq,989; reference:cve,1999-0386; reference:cve,2000-0153; reference:nessus,10142; classtype:web-application-attack; sid:966; rev:24; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage dvwssr.dll access"; flow:to_server,established; http_uri; content:"/dvwssr.dll",nocase; metadata:ruleset community; service:http; reference:bugtraq,1108; reference:bugtraq,1109; reference:cve,2000-0260; reference:nessus,10369; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-025; classtype:web-application-activity; sid:967; rev:25; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage register.htm access"; flow:to_server,established; http_uri; content:"/_private/register.htm",nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:968; rev:17; )
# IIS request-shape rules (sid 969-977). Coverage depends on how $EXTERNAL_NET,
# $HTTP_SERVERS and $HTTP_PORTS are defined on the sensor.
# sid:969 - "LOCK " within the first 5 bytes of the default buffer (no sticky
# buffer, no nocase). NOTE(review): on servers that intentionally offer WebDAV
# this is presumably normal traffic - scope or filter accordingly.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS WebDAV file lock attempt"; flow:to_server,established; content:"LOCK ",depth 5; metadata:ruleset community; service:http; reference:bugtraq,2736; reference:nessus,10732; classtype:web-application-activity; sid:969; rev:13; )
# sid:971 - ".printer" anywhere in the normalized URI. The metadata marks the
# rule as drop under the max-detect-ips policy, so under that policy any URI
# containing this substring is blocked; check for legitimate paths first.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS ISAPI .printer access"; flow:to_server,established; http_uri; content:".printer",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,2674; reference:cve,2001-0241; reference:nessus,10661; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-023; classtype:web-application-activity; sid:971; rev:28; )
# sid:973 - the literal "/*.idc" (with the asterisk) in the normalized URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS *.idc attempt"; flow:to_server,established; http_uri; content:"/*.idc",nocase; metadata:ruleset community; service:http; reference:bugtraq,1448; reference:cve,1999-0874; reference:cve,2000-0661; classtype:web-application-attack; sid:973; rev:24; )
# sid:974 - "..\.." (|5C| is a backslash) in the default buffer, not http_uri.
# NOTE(review): percent-encoded backslashes are presumably not decoded in this
# buffer, so encoded traversal would need separate coverage - verify.
# Also drop under max-detect-ips.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS Microsoft Windows IIS directory traversal attempt"; flow:to_server,established; content:"..|5C|..",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,2218; reference:cve,1999-0229; classtype:web-application-attack; sid:974; rev:23; )
# sid:975 - ".asp::$DATA" (|3A 3A 24| is "::$") in the normalized URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS Alternate Data streams ASP file access attempt"; flow:to_server,established; http_uri; content:".asp|3A 3A 24|DATA",nocase; metadata:ruleset community; service:http; reference:bugtraq,149; reference:cve,1999-0278; reference:nessus,10362; reference:url,support.microsoft.com/default.aspx?scid=kb\;EN-US\;q188806; classtype:web-application-attack; sid:975; rev:26; )
# sid:976 - ".bat?" in the normalized URI, i.e. a batch file name followed by a
# query string.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP .bat? access"; flow:to_server,established; http_uri; content:".bat?",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2023; reference:bugtraq,4335; reference:cve,1999-0233; reference:cve,2002-0061; reference:url,support.microsoft.com/support/kb/articles/Q148/1/88.asp; reference:url,support.microsoft.com/support/kb/articles/Q155/0/56.asp; classtype:web-application-activity; sid:976; rev:20; )
# sid:977 - ".cnf" anywhere in the normalized URI; a four-byte substring with no
# anchoring, so it also matches longer names that merely contain ".cnf".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS .cnf access"; flow:to_server,established; http_uri; content:".cnf",nocase; metadata:ruleset community; service:http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:977; rev:24; )
# Index Server hit-highlighting source disclosure. Both rules carry the same msg
# ("SERVER-IIS ASP contents view"), so alert pipelines must key on sid to tell
# them apart.
# sid:978 - three contents with no buffer selector and no distance/within, so
# they may appear in any order in the inspected data: the literal "%20",
# "&CiRestriction=none" and "&CiHiliteType=Full".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS ASP contents view"; flow:to_server,established; content:"%20"; content:"&CiRestriction=none",nocase; content:"&CiHiliteType=Full",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1084; reference:cve,2000-0302; reference:nessus,10356; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-006; classtype:web-application-attack; sid:978; rev:21; )
# sid:979 - ".htw?CiWebHitsFile" in the normalized URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS ASP contents view"; flow:to_server,established; http_uri; content:".htw?CiWebHitsFile",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1861; reference:cve,2000-0942; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-006; classtype:web-application-attack; sid:979; rev:22; )
# Path-based access rules for IIS sample scripts, proxy and admin pages
# (sid 980-992). Unless noted, each is a case-insensitive substring match on
# the normalized URI and only shows that the path was requested.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS CGImail.exe access"; flow:to_server,established; http_uri; content:"/scripts/CGImail.exe",nocase; metadata:ruleset community; service:http; reference:bugtraq,1623; reference:cve,2000-0726; reference:nessus,11721; classtype:web-application-activity; sid:980; rev:20; )
# sid:984 and sid:985 share the msg "SERVER-IIS JET VBA access" but watch
# different sample .idc files; distinguish them by sid.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS JET VBA access"; flow:to_server,established; http_uri; content:"/scripts/samples/ctguestb.idc",nocase; metadata:ruleset community; service:http; reference:bugtraq,307; reference:cve,1999-0874; reference:nessus,10116; classtype:web-application-activity; sid:984; rev:25; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS JET VBA access"; flow:to_server,established; http_uri; content:"/scripts/samples/details.idc",nocase; metadata:ruleset community; service:http; reference:bugtraq,286; reference:cve,1999-0874; classtype:web-application-activity; sid:985; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS MSProxy access"; flow:to_server,established; http_uri; content:"/scripts/proxy/w3proxy.dll",nocase; metadata:ruleset community; service:http; reference:url,support.microsoft.com/?kbid=331066; classtype:web-application-activity; sid:986; rev:20; )
# sid:987 - ".htr" is the fast pattern; the pcre then requires ".htr" to be
# followed by "?", "\", "/" or the end of a line/buffer, so ".htr" embedded in
# a longer extension does not fire. Classed misc-activity.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"FILE-IDENTIFY .htr access file download request"; flow:to_server,established; http_uri; content:".htr",fast_pattern,nocase; pcre:"/\x2ehtr([\?\x5c\x2f]|$)/smi"; metadata:ruleset community; service:http; reference:bugtraq,1488; reference:cve,2000-0630; reference:cve,2001-0004; reference:nessus,10680; reference:url,technet.microsoft.com/en-us/security/bulletin/ms01-004; classtype:misc-activity; sid:987; rev:31; )
# sid:989 - the msg labels this a command shell (MALWARE-CNC), but the match is
# only the file name "/sensepost.exe" in the URI and the classtype is
# web-application-activity. NOTE(review): default priority may understate a
# hit; consider checking the target host for that file when this fires.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"MALWARE-CNC sensepost.exe command shell"; flow:to_server,established; http_uri; content:"/sensepost.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,11003; classtype:web-application-activity; sid:989; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-OTHER Microsoft Frontpage _vti_inf.html access"; flow:to_server,established; http_uri; content:"/_vti_inf.html",nocase; metadata:ruleset community; service:http; reference:nessus,11455; classtype:web-application-activity; sid:990; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS achg.htr access"; flow:to_server,established; http_uri; content:"/iisadmpwd/achg.htr",nocase; metadata:ruleset community; service:http; reference:bugtraq,2110; reference:cve,1999-0407; classtype:web-application-activity; sid:991; rev:20; )
# sid:992 - no reference entries on this rule.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS adctest.asp access"; flow:to_server,established; http_uri; content:"/msadc/samples/adctest.asp",nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:992; rev:17; )
# IIS admin-interface rules (sid 993-1000). Several patterns nest inside each
# other, so a single request can raise more than one alert:
#   - "/iisadmin" (sid:993) is a substring of the patterns in sid:994, sid:995
#     and sid:999;
#   - "/bdir.htr" (sid:1000) is the tail of the pattern in sid:999.
# Correlate by flow rather than counting alerts when estimating activity.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS iisadmin access"; flow:to_server,established; http_uri; content:"/iisadmin",nocase; metadata:ruleset community; service:http; reference:bugtraq,189; reference:cve,1999-1538; reference:nessus,11032; classtype:web-application-attack; sid:993; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS /scripts/iisadmin/default.htm access"; flow:to_server,established; http_uri; content:"/scripts/iisadmin/default.htm",nocase; metadata:ruleset community; service:http; classtype:web-application-attack; sid:994; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS ism.dll access"; flow:to_server,established; http_uri; content:"/scripts/iisadmin/ism.dll?http/dir",nocase; metadata:ruleset community; service:http; reference:bugtraq,189; reference:cve,1999-1538; reference:cve,2000-0630; classtype:web-application-attack; sid:995; rev:26; )
# sid:996 - the msg names anot.htr, but the content is the prefix
# "/iisadmpwd/anot", so any file name starting with "anot" in that directory
# matches.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS anot.htr access"; flow:to_server,established; http_uri; content:"/iisadmpwd/anot",nocase; metadata:ruleset community; service:http; reference:bugtraq,2110; reference:cve,1999-0407; classtype:web-application-activity; sid:996; rev:20; )
# sid:997 - ".asp." (trailing dot) in the normalized URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS asp-dot attempt"; flow:to_server,established; http_uri; content:".asp.",nocase; metadata:ruleset community; service:http; reference:bugtraq,1814; reference:nessus,10363; classtype:web-application-attack; sid:997; rev:21; )
# sid:998 - "#filename=*.asp" (|23| is "#") in the normalized URI.
# NOTE(review): whether text after "#" is present in the http_uri buffer
# depends on the HTTP inspector - confirm with a test request.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS asp-srch attempt"; flow:to_server,established; http_uri; content:"|23|filename=*.asp",nocase; metadata:ruleset community; service:http; classtype:web-application-attack; sid:998; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS bdir access"; flow:to_server,established; http_uri; content:"/scripts/iisadmin/bdir.htr",nocase; metadata:ruleset community; service:http; reference:bugtraq,2280; classtype:web-application-activity; sid:999; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS bdir.htr access"; flow:to_server,established; http_uri; content:"/bdir.htr",nocase; metadata:ruleset community; service:http; reference:bugtraq,2280; reference:nessus,10577; classtype:web-application-activity; sid:1000; rev:23; )
# Mixed IIS / web-app request rules (sid 1001-1011). Rules without an http_uri
# selector match the default buffer instead of the normalized URI.
# sid:1001 - "/carbo.dll" in http_uri has no nocase, while "icatcommand=" in
# pkt_data is case-insensitive. NOTE(review): a differently cased DLL name
# would not match the first content - confirm this is intended for the target
# platform. Classed attempted-recon.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP carbo.dll access"; flow:to_server,established; http_uri; content:"/carbo.dll"; pkt_data; content:"icatcommand=",nocase; metadata:ruleset community; service:http; reference:bugtraq,2126; reference:cve,1999-1069; classtype:attempted-recon; sid:1001; rev:18; )
# sid:1002 - "cmd.exe" anywhere in the normalized URI (path or query); no
# reference entries.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS cmd.exe access"; flow:to_server,established; http_uri; content:"cmd.exe",nocase; metadata:ruleset community; service:http; classtype:web-application-attack; sid:1002; rev:18; )
# sid:1003 - ".cmd?&" in the default buffer.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS cmd? access"; flow:to_server,established; content:".cmd?&",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-attack; sid:1003; rev:15; )
# sid:1004 / sid:1005 - two install locations of the codebrws.asp sample.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS codebrowser Exair access"; flow:to_server,established; http_uri; content:"/iissamples/exair/howitworks/codebrws.asp",nocase; metadata:ruleset community; service:http; reference:cve,1999-0499; reference:cve,1999-0815; classtype:web-application-activity; sid:1004; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS codebrowser SDK access"; flow:to_server,established; http_uri; content:"/iissamples/sdk/asp/docs/codebrws.asp",nocase; metadata:ruleset community; service:http; reference:bugtraq,167; reference:cve,1999-0736; classtype:web-application-activity; sid:1005; rev:23; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS Form_JScript.asp access"; flow:to_server,established; http_uri; content:"/Form_JScript.asp",nocase; metadata:ruleset community; service:http; reference:bugtraq,1594; reference:bugtraq,1595; reference:cve,2000-0746; reference:cve,2000-1104; reference:nessus,10572; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-028; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-060; classtype:web-application-attack; sid:1007; rev:24; )
# sid:1008 - the exact literal "&del+/s+c:\*.*" (|3A 5C| is ":\") in the
# default buffer. Only this spelling matches: "+" as the separator and drive c.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS del attempt"; flow:to_server,established; content:"&del+/s+c|3A 5C|*.*",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-attack; sid:1008; rev:15; )
# sid:1009 - the msg says "directory listing"; the match itself is a request
# for "/ServerVariables_Jscript.asp".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS directory listing"; flow:to_server,established; http_uri; content:"/ServerVariables_Jscript.asp",nocase; metadata:ruleset community; service:http; reference:nessus,10573; classtype:web-application-attack; sid:1009; rev:18; )
# sid:1010 - the three-byte literal "%1u" anywhere in the default buffer.
# NOTE(review): a pattern this short is presumably prone to incidental matches
# in bodies and headers - watch alert volume.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS encoding access"; flow:to_server,established; content:"%1u",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,886; reference:cve,2000-0024; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-061; classtype:web-application-activity; sid:1010; rev:21; )
# sid:1011 - "#filename=*.exe" (|23| is "#") in the default buffer.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS exec-src access"; flow:to_server,established; content:"|23|filename=*.exe",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1011; rev:15; )
# sid:1012 / sid:1013 - both match "/fpcount.exe" in the normalized URI.
# sid:1012 additionally requires "Digits=" in pkt_data and is classed as an
# attack; every request that fires sid:1012 also fires sid:1013.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS fpcount attempt"; flow:to_server,established; http_uri; content:"/fpcount.exe",fast_pattern,nocase; pkt_data; content:"Digits=",nocase; metadata:ruleset community; service:http; reference:bugtraq,2252; reference:cve,1999-1376; classtype:web-application-attack; sid:1012; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS fpcount access"; flow:to_server,established; http_uri; content:"/fpcount.exe",nocase; metadata:ruleset community; service:http; reference:bugtraq,2252; reference:cve,1999-1376; classtype:web-application-activity; sid:1013; rev:21; )
# sid:1015 - no reference entries on this rule.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS getdrvs.exe access"; flow:to_server,established; http_uri; content:"/scripts/tools/getdrvs.exe",nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1015; rev:18; )
# sid:1016 - request for "/global.asa" in the normalized URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS global.asa access"; flow:to_server,established; http_uri; content:"/global.asa",nocase; metadata:ruleset community; service:http; reference:cve,2000-0778; reference:cve,2001-0004; reference:nessus,10491; reference:nessus,10991; reference:url,technet.microsoft.com/en-us/security/bulletin/ms01-004; classtype:web-application-activity; sid:1016; rev:25; )
# sid:1017 - "#filename=*.idc" (|23| is "#") in the default buffer, not the
# normalized URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS idc-srch attempt"; flow:to_server,established; content:"|23|filename=*.idc",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-0874; classtype:web-application-attack; sid:1017; rev:18; )
# sid:1018 - the content is the prefix "/iisadmpwd/aexp", so every file name
# beginning with "aexp" in that directory matches.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS iisadmpwd attempt"; flow:to_server,established; http_uri; content:"/iisadmpwd/aexp",nocase; metadata:ruleset community; service:http; reference:bugtraq,2110; reference:cve,1999-0407; reference:nessus,10371; classtype:web-application-attack; sid:1018; rev:23; )
# sid:1019 - requires "CiWebHitsFile=", "CiRestriction=none" and
# "ciHiliteType=Full" in the normalized URI. NOTE(review): in the pcre the
# whole "../" group is optional ("(...)?"), so the expression matches any
# "CiWebHitsFile=" in pkt_data and does not by itself require a traversal
# sequence; the rule therefore fires on the three parameters alone. If a
# stricter local variant is wanted, write it as a separate rule with its own
# sid rather than editing this upstream rule in place.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS Malformed Hit-Highlighting Argument File Access Attempt"; flow:to_server,established; http_uri; content:"CiWebHitsFile=",nocase; pkt_data; pcre:"/CiWebHitsFile=\/?([^\r\n\x3b\&]*\.\.\/)?/i"; http_uri; content:"CiRestriction=none",fast_pattern,nocase; content:"ciHiliteType=Full",nocase; metadata:ruleset community; service:http; reference:bugtraq,950; reference:cve,2000-0097; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-006; reference:url,www.securityfocus.com/archive/1/43762; classtype:web-application-attack; sid:1019; rev:30; )
# sid:1020 - the msg reads "isc$data" while the content is ".idc::$data"
# (|3A 3A 24| is "::$"); search alert stores by sid, not by the msg spelling.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS isc$data attempt"; flow:to_server,established; http_uri; content:".idc|3A 3A 24|data",nocase; metadata:ruleset community; service:http; reference:bugtraq,307; reference:cve,1999-0874; reference:nessus,10116; classtype:web-application-attack; sid:1020; rev:26; )
# sid:1021 - " .htr" (leading space, nocase) followed by a pcre that needs at
# least 230 whitespace characters before ".htr". The pcre has no "i" flag, so
# an upper-case ".HTR" passes the content match but not the pcre.
# NOTE(review): whether a run of spaces survives URI normalization depends on
# the HTTP inspector - verify against a test request.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS ism.dll attempt"; flow:to_server,established; http_uri; content:" .htr",nocase; pcre:"/\s{230,}\.htr/"; metadata:ruleset community; service:http; reference:bugtraq,1193; reference:cve,2000-0457; reference:nessus,10680; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-031; classtype:web-application-attack; sid:1021; rev:29; )
# IIS sample, tool and script-directory rules (sid 1022-1030). Unless noted,
# each is a case-insensitive substring match on the normalized URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS jet vba access"; flow:to_server,established; http_uri; content:"/advworks/equipment/catalog_type.asp",nocase; metadata:ruleset community; service:http; reference:bugtraq,286; reference:cve,1999-0874; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-030; classtype:web-application-activity; sid:1022; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS msadcs.dll access"; flow:to_server,established; http_uri; content:"/msadcs.dll",nocase; metadata:ruleset community; service:http; reference:bugtraq,529; reference:cve,1999-1011; reference:nessus,10357; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-025; classtype:web-application-activity; sid:1023; rev:25; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS newdsn.exe access"; flow:to_server,established; http_uri; content:"/scripts/tools/newdsn.exe",nocase; metadata:ruleset community; service:http; reference:bugtraq,1818; reference:cve,1999-0191; reference:nessus,10360; classtype:web-application-activity; sid:1024; rev:20; )
# sid:1025 - the prefix "/scripts/perl"; no reference entries.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS perl access"; flow:to_server,established; http_uri; content:"/scripts/perl",nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1025; rev:18; )
# sid:1026 / sid:1027 - ".pl" preceded by a newline (|0A|) or by a space in the
# normalized URI; both reference cve,2003-1365.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS perl-browse newline attempt"; flow:to_server,established; http_uri; content:"|0A|.pl",nocase; metadata:ruleset community; service:http; reference:bugtraq,6833; reference:cve,2003-1365; classtype:web-application-attack; sid:1026; rev:22; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS perl-browse space attempt"; flow:to_server,established; http_uri; content:" .pl",nocase; metadata:ruleset community; service:http; reference:bugtraq,6833; reference:cve,2003-1365; classtype:web-application-attack; sid:1027; rev:21; )
# sid:1028 - classed web-application-activity, yet marked drop under the
# max-detect-ips policy; a request for this sample page is blocked there.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS query.asp access"; flow:to_server,established; http_uri; content:"/issamples/query.asp",nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,193; reference:cve,1999-0449; classtype:web-application-activity; sid:1028; rev:22; )
# sid:1029 - "/scripts/ " with a trailing space, matched in the default buffer;
# presumably this targets a request line that ends at the directory itself.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS scripts-browse access"; flow:to_server,established; content:"/scripts/ ",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,11032; classtype:web-application-attack; sid:1029; rev:18; )
# sid:1030 - "/search97.vts" has no nocase, so only the lower-case spelling
# matches.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS search97.vts access"; flow:to_server,established; http_uri; content:"/search97.vts"; metadata:ruleset community; service:http; reference:bugtraq,162; classtype:web-application-activity; sid:1030; rev:15; )
# Source-viewer and Site Server sample rules (sid 1031-1044).
# Overlap to expect: sid:1043 matches "/viewcode.asp" case-insensitively, and
# the patterns of sid:1031-1036 all end in that file name, so a request to any
# of those paths fires both the specific rule and sid:1043.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS /SiteServer/Publishing/viewcode.asp access"; flow:to_server,established; http_uri; content:"/SiteServer/Publishing/viewcode.asp",nocase; metadata:ruleset community; service:http; reference:nessus,10576; classtype:web-application-activity; sid:1031; rev:19; )
# sid:1032 - the msg says "showcode", the matched file is ViewCode.asp.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS showcode access"; flow:to_server,established; http_uri; content:"/Sites/Knowledge/Membership/Inspired/ViewCode.asp",nocase; metadata:ruleset community; service:http; reference:cve,1999-0737; reference:nessus,10576; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-013; classtype:web-application-activity; sid:1032; rev:20; )
# sid:1033-1036 share the msg "SERVER-IIS viewcode access"; only the path and
# the sid differ.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS viewcode access"; flow:to_server,established; http_uri; content:"/Sites/Knowledge/Membership/Inspiredtutorial/ViewCode.asp",nocase; metadata:ruleset community; service:http; reference:cve,1999-0737; reference:nessus,10576; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-013; classtype:web-application-activity; sid:1033; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS viewcode access"; flow:to_server,established; http_uri; content:"/Sites/Samples/Knowledge/Membership/Inspiredtutorial/ViewCode.asp",nocase; metadata:ruleset community; service:http; reference:cve,1999-0737; reference:nessus,10576; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-013; classtype:web-application-activity; sid:1034; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS viewcode access"; flow:to_server,established; http_uri; content:"/Sites/Samples/Knowledge/Push/ViewCode.asp",nocase; metadata:ruleset community; service:http; reference:cve,1999-0737; reference:nessus,10576; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-013; classtype:web-application-activity; sid:1035; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS viewcode access"; flow:to_server,established; http_uri; content:"/Sites/Samples/Knowledge/Search/ViewCode.asp",nocase; metadata:ruleset community; service:http; reference:cve,1999-0737; reference:nessus,10576; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-013; classtype:web-application-activity; sid:1036; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS showcode.asp access"; flow:to_server,established; http_uri; content:"/showcode.asp",nocase; metadata:ruleset community; service:http; reference:bugtraq,167; reference:cve,1999-0736; reference:nessus,10007; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-013; classtype:web-application-activity; sid:1037; rev:24; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS site server config access"; flow:to_server,established; http_uri; content:"/adsamples/config/site.csc",nocase; metadata:ruleset community; service:http; reference:bugtraq,256; reference:cve,1999-1520; classtype:web-application-activity; sid:1038; rev:20; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS srch.htm access"; flow:to_server,established; http_uri; content:"/samples/isapi/srch.htm",nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1039; rev:18; )
# sid:1040 - the prefix "/srchadm" anywhere in the normalized URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS srchadm access"; flow:to_server,established; http_uri; content:"/srchadm",nocase; metadata:ruleset community; service:http; reference:nessus,11032; classtype:web-application-activity; sid:1040; rev:24; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS uploadn.asp access"; flow:to_server,established; http_uri; content:"/scripts/uploadn.asp",nocase; metadata:ruleset community; service:http; reference:bugtraq,1811; reference:cve,1999-0360; classtype:web-application-activity; sid:1041; rev:20; )
# sid:1042 - "Translate: F" (|3A| is ":", exactly one space, nocase) anywhere
# in the default buffer; marked drop under the max-detect-ips policy.
# NOTE(review): WebDAV authoring clients may send this header legitimately -
# confirm before running that policy in front of WebDAV-enabled servers.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS view source via translate header"; flow:to_server,established; content:"Translate|3A| F",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,14764; reference:bugtraq,1578; reference:cve,2000-0778; reference:nessus,10491; classtype:web-application-activity; sid:1042; rev:25; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS viewcode.asp access"; flow:to_server,established; http_uri; content:"/viewcode.asp",nocase; metadata:ruleset community; service:http; reference:cve,1999-0737; reference:nessus,10576; classtype:web-application-activity; sid:1043; rev:21; )
# sid:1044 - ".htw" has no nocase, so only the lower-case extension matches;
# it is an unanchored substring of the normalized URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS webhits access"; flow:to_server,established; http_uri; content:".htw"; metadata:ruleset community; service:http; reference:bugtraq,950; reference:cve,2000-0097; classtype:web-application-activity; sid:1044; rev:17; )
# sid:1045 - the only response-side rule in this run: source is $HTTP_SERVERS,
# flow is to_client. It needs "403" and "Forbidden:" (|3A| is ":") anywhere in
# the default buffer, case-sensitive and in any order. It is classed
# web-application-attack although it observes the server refusing a request.
# NOTE(review): volume presumably tracks how often the server emits such
# pages - consider thresholding.
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any ( msg:"SERVER-IIS Unauthorized IP Access Attempt"; flow:to_client,established; content:"403"; content:"Forbidden|3A|"; metadata:ruleset community; service:http; classtype:web-application-attack; sid:1045; rev:15; )
# sid:1046 - matches "/site/iisamples" as written. NOTE(review): the spelling
# differs from the "iissamples" directory used by other rules in this file;
# confirm which path the referenced check (nessus,10370) actually requests.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS site/iisamples access"; flow:to_server,established; http_uri; content:"/site/iisamples",nocase; metadata:ruleset community; service:http; reference:nessus,10370; classtype:web-application-activity; sid:1046; rev:20; )
# sid:1047, 1048, 1050 - non-standard request methods. In each rule the depth
# equals the pattern length, so the method must be the very first bytes of the
# default buffer; none uses nocase, so only upper-case methods match.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Netscape Enterprise DOS"; flow:to_server,established; content:"REVLOG / ",depth 9; metadata:ruleset community; service:http; reference:bugtraq,2294; reference:cve,2001-0251; classtype:web-application-attack; sid:1047; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Netscape Enterprise directory listing attempt"; flow:to_server,established; content:"INDEX ",depth 6; metadata:ruleset community; service:http; reference:bugtraq,2285; reference:cve,2001-0250; reference:nessus,10691; classtype:web-application-attack; sid:1048; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP iPlanet GETPROPERTIES attempt"; flow:to_server,established; content:"GETPROPERTIES",depth 13; metadata:ruleset community; service:http; reference:bugtraq,2732; reference:cve,2001-0746; classtype:web-application-attack; sid:1050; rev:17; )
# CGI traversal and JSP source-disclosure rules (sid 1051-1056). These switch
# between http_uri (normalized), http_raw_uri (unnormalized) and pkt_data
# within one rule; the contents are not tied together with distance/within, so
# each only has to occur somewhere in its own buffer.
# sid:1051 - script path in http_uri, then "filename=" and "../../" anywhere in
# pkt_data; the traversal sequence need not be inside the filename parameter.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"FILE-OTHER technote main.cgi file directory traversal attempt"; flow:to_server,established; http_uri; content:"/technote/main.cgi",fast_pattern,nocase; pkt_data; content:"filename=",nocase; content:"../../"; metadata:ruleset community; service:http; reference:bugtraq,2156; reference:cve,2001-0075; reference:nessus,10584; classtype:web-application-attack; sid:1051; rev:23; )
# sid:1052 - script path in http_uri, "board=" in pkt_data, and both "../../"
# and the literal "%00" in the raw URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP technote print.cgi directory traversal attempt"; flow:to_server,established; http_uri; content:"/technote/print.cgi",fast_pattern,nocase; pkt_data; content:"board=",nocase; http_raw_uri; content:"../../"; content:"%00"; metadata:ruleset community; service:http; reference:bugtraq,2156; reference:cve,2001-0075; reference:nessus,10584; classtype:web-application-attack; sid:1052; rev:21; )
# sid:1053 - script path in http_uri, "file=" in pkt_data, "../../" in the raw
# URI and a pipe character (|7C|) in the normalized URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ads.cgi command execution attempt"; flow:to_server,established; http_uri; content:"/ads.cgi",fast_pattern,nocase; pkt_data; content:"file=",nocase; http_raw_uri; content:"../../"; http_uri; content:"|7C|"; metadata:ruleset community; service:http; reference:bugtraq,2103; reference:cve,2001-0025; reference:nessus,11464; classtype:web-application-attack; sid:1053; rev:23; )
# sid:1054 - fires when the normalized URI contains ".jsp" but pkt_data has NO
# line of the form "<word> <non-space, non-'?' chars>.jsp" (negated pcre).
# NOTE(review): because the character class excludes "?", a request whose only
# ".jsp" sits after a "?" appears to satisfy the rule as well - expect hits on
# ordinary query strings that mention a .jsp name and tune accordingly.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP weblogic/tomcat .jsp view source attempt"; flow:to_server,established; http_uri; content:".jsp",nocase; pkt_data; pcre:!"/^\w+\s+[^\n\s\?]*\.jsp/smi"; metadata:ruleset community; service:http; reference:bugtraq,2527; classtype:web-application-attack; sid:1054; rev:14; )
# sid:1056 - the literal "%252ejsp" in http_uri with no nocase, so an
# upper-case hex digit ("%252E") or upper-case "JSP" does not match.
# NOTE(review): whether this literal is still present after URI normalization
# depends on the HTTP inspector's decoding settings - verify.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-APACHE Apache Tomcat view source attempt"; flow:to_server,established; http_uri; content:"%252ejsp"; metadata:ruleset community; service:http; reference:bugtraq,2527; reference:cve,2001-0590; classtype:web-application-attack; sid:1056; rev:16; )
# Keyword rules for SQL Server extended procedures and Windows command-line
# tools seen in traffic to web servers (sid 1057-1069). Apart from sid:1065,
# none selects a buffer, so the keyword may appear anywhere in the inspected
# data (URI, header or body); only sid:1061 carries a reference.
# Substring overlaps that produce paired alerts:
#   - "ftp.exe" (sid:1057) is contained in "tftp.exe" (sid:1068);
#   - "net.exe" (sid:1067) is contained in "telnet.exe" (sid:1066).
# sid:1057 - msg is prefixed "SQL" although the content is "ftp.exe".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SQL ftp attempt"; flow:to_server,established; content:"ftp.exe",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1057; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SQL xp_enumdsn attempt"; flow:to_server,established; content:"xp_enumdsn",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-attack; sid:1058; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SQL xp_filelist attempt"; flow:to_server,established; content:"xp_filelist",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-attack; sid:1059; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SQL xp_availablemedia attempt"; flow:to_server,established; content:"xp_availablemedia",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-attack; sid:1060; rev:12; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SQL xp_cmdshell attempt"; flow:to_server,established; content:"xp_cmdshell",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,5309; classtype:web-application-attack; sid:1061; rev:13; )
# sid:1062 - "nc.exe" is six bytes and unanchored, so it also matches longer
# file names that end in "nc.exe".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP nc.exe attempt"; flow:to_server,established; content:"nc.exe",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1062; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP wsh attempt"; flow:to_server,established; content:"wsh.exe",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1064; rev:13; )
# sid:1065 - the one rule in this group restricted to the normalized URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP rcmd attempt"; flow:to_server,established; http_uri; content:"rcmd.exe",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1065; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP telnet attempt"; flow:to_server,established; content:"telnet.exe",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1066; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP net attempt"; flow:to_server,established; content:"net.exe",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1067; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP tftp attempt"; flow:to_server,established; content:"tftp.exe",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1068; rev:13; )
# sid:1069 - classed web-application-activity, whereas the other xp_* rules
# above are web-application-attack; default priority therefore differs.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SQL xp_regread attempt"; flow:to_server,established; content:"xp_regread",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1069; rev:12; )
# WebDAV, credential-file and sample-page rules (sid 1070-1079).
# sid:1070 - "SEARCH " is seven bytes but depth is 8, so the method may start
# at offset 0 or 1 of the default buffer; nocase is set.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP WebDAV search access"; flow:to_server,established; content:"SEARCH ",depth 8,nocase; metadata:ruleset community; service:http; reference:bugtraq,1756; reference:cve,2000-0951; classtype:web-application-activity; sid:1070; rev:16; )
# sid:1071 - ".htpasswd" anywhere in the default buffer; no reference entries.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP .htpasswd access"; flow:to_server,established; content:".htpasswd",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-attack; sid:1071; rev:13; )
# sid:1072 - ".nsf/" (case-sensitive) and "../" both in the normalized URI, in
# any order. NOTE(review): whether "../" is still present after path
# normalization depends on the HTTP inspector - verify with a test request.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Lotus Domino directory traversal"; flow:to_server,established; http_uri; content:".nsf/"; content:"../",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2173; reference:cve,2001-0009; reference:nessus,12248; classtype:web-application-attack; sid:1072; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP webhits.exe access"; flow:to_server,established; http_uri; content:"/scripts/samples/search/webhits.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,950; reference:cve,2000-0097; classtype:web-application-activity; sid:1073; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS postinfo.asp access"; flow:to_server,established; http_uri; content:"/scripts/postinfo.asp",nocase; metadata:ruleset community; service:http; reference:bugtraq,1811; reference:cve,1999-0360; classtype:web-application-activity; sid:1075; rev:21; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-IIS repost.asp access"; flow:to_server,established; http_uri; content:"/scripts/repost.asp",nocase; metadata:ruleset community; service:http; reference:nessus,10372; classtype:web-application-activity; sid:1076; rev:18; )
# sid:1077 / sid:1078 - msgs are prefixed "SQL", but both rules match web
# paths in the normalized URI; filter on sid rather than on the msg category.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SQL queryhit.htm access"; flow:to_server,established; http_uri; content:"/samples/search/queryhit.htm",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,10370; classtype:web-application-activity; sid:1077; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SQL counter.exe access"; flow:to_server,established; http_uri; content:"/counter.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,267; reference:cve,1999-1030; classtype:web-application-activity; sid:1078; rev:19; )
# sid:1079 - "propfind" (nocase) in the default buffer, then a pcre with the R
# flag, i.e. evaluated after that content match. The pcre only accepts the
# namespace prefix "a" ("<a:propfind ... xmlns:a=DAV"), so PROPFIND bodies
# that bind the DAV namespace to another prefix are not matched by this rule.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"OS-WINDOWS Microsoft Windows WebDAV propfind access"; flow:to_server,established; content:"propfind",nocase; pcre:"/<a\x3a\s*propfind.*?xmlns\x3a\s*a=[\x21\x22]?DAV[\x21\x22]?/iR"; metadata:ruleset community; service:http; reference:bugtraq,1656; reference:cve,2000-0869; reference:cve,2003-0718; reference:nessus,10505; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-030; classtype:web-application-activity; sid:1079; rev:24; )
# Servlet-engine and legacy web-server signatures (sid 1080-1084). All but
# sid 1082 match a fixed string in the http_uri buffer.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP unify eWave ServletExec upload"; flow:to_server,established; http_uri; content:"/servlet/com.unify.servletexec.UploadServlet",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1868; reference:bugtraq,1876; reference:cve,2000-1024; reference:cve,2000-1025; reference:nessus,10570; classtype:web-application-attack; sid:1080; rev:23; )
# NOTE(review): sid 1081 names "Netscape Servers suite" but cites the same
# bugtraq,1868 / cve,2000-1025 pair as the ServletExec rules (sid 1080, 1083).
# The references may have been copied; confirm before using them for triage.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Netscape Servers suite DOS"; flow:to_server,established; http_uri; content:"/dsgw/bin/search?context=",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1868; reference:cve,2000-1025; classtype:web-application-attack; sid:1081; rev:18; )
# sid 1082 selects no HTTP buffer: the percent-encoded string is matched as
# literal bytes in packet data, so only this exact encoding is covered.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP amazon 1-click cookie theft"; flow:to_server,established; content:"ref%3Cscript%20language%3D%22Javascript",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1194; reference:cve,2000-0439; classtype:web-application-attack; sid:1082; rev:15; )
# sid 1083 is labelled "DOS" in msg but classed web-application-activity; it
# fires on any URI containing /servlet/ServletExec.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP unify eWave ServletExec DOS"; flow:to_server,established; http_uri; content:"/servlet/ServletExec",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1868; reference:cve,2000-1025; classtype:web-application-activity; sid:1083; rev:17; )
# sid 1084 matches "servlet/" followed by seven literal dots in the URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Allaire JRUN DOS attempt"; flow:to_server,established; http_uri; content:"servlet/.......",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2337; reference:cve,2000-1049; classtype:web-application-attack; sid:1084; rev:18; )
# Two rules share the msg "SERVER-WEBAPP strings overflow" (sid 1085, 1086);
# key alert handling on sid, because msg alone cannot tell them apart.
# sid 1085 matches a fixed byte sequence in packet data (no HTTP buffer, no
# nocase) and cites only bugtraq,802.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP strings overflow"; flow:to_server,established; content:"|BA|I|FE FF FF F7 D2 B9 BF FF FF FF F7 D1|"; metadata:ruleset community; service:http; reference:bugtraq,802; classtype:web-application-attack; sid:1085; rev:15; )
# sid 1086 matches the query-string marker "?STRENGUR" in the URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP strings overflow"; flow:to_server,established; http_uri; content:"?STRENGUR",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1786; reference:cve,2000-0967; classtype:web-application-attack; sid:1086; rev:25; )
# CGI directory-traversal and related signatures (sid 1088-1093).
# Pattern used by sid 1088, 1089, 1090 and 1092: the script path is matched in
# http_uri, then pkt_data switches back to the raw packet buffer for the second
# string. That second match is therefore not limited to the URI and, where no
# nocase is given, is case-sensitive.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP eXtropia webstore directory traversal"; flow:to_server,established; http_uri; content:"/web_store.cgi"; pkt_data; content:"page=../"; metadata:ruleset community; service:http; reference:bugtraq,1774; reference:cve,2000-1005; reference:nessus,10532; classtype:web-application-attack; sid:1088; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP shopping cart directory traversal"; flow:to_server,established; http_uri; content:"/shop.cgi"; pkt_data; content:"page=../"; metadata:ruleset community; service:http; reference:bugtraq,1777; reference:cve,2000-0921; classtype:web-application-attack; sid:1089; rev:16; )
# sid 1090 has no reference entries; the msg is the only description.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Allaire Pro Web Shell attempt"; flow:to_server,established; http_uri; content:"/authenticate.cgi?PASSWORD",fast_pattern,nocase; pkt_data; content:"config.ini"; metadata:ruleset community; service:http; classtype:web-application-attack; sid:1090; rev:17; )
# sid 1091 matches ten consecutive '?' characters in the URI; nocase has no
# effect on a pattern without letters.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ICQ Webfront HTTP DOS"; flow:to_server,established; http_uri; content:"??????????",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1463; reference:cve,2000-1078; classtype:web-application-attack; sid:1091; rev:18; )
# sid 1092: "keys" must follow "/search.cgi?" (distance 0). The spelling
# "catigory" is presumably the application's real parameter name; confirm
# against the cited advisory before "correcting" it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Armada Style Master Index directory traversal"; flow:to_server,established; http_uri; content:"/search.cgi?",nocase; content:"keys",distance 0,nocase; pkt_data; content:"catigory=../",nocase; metadata:ruleset community; service:http; reference:bugtraq,1772; reference:cve,2000-0924; reference:nessus,10562; reference:url,www.synnergy.net/downloads/advisories/SLA-2000-16.masterindex.txt; classtype:web-application-attack; sid:1092; rev:21; )
# sid 1093 checks "../" in http_raw_uri (the unnormalized URI), presumably
# because URI normalization would collapse the traversal sequence.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP cached_feed.cgi moreover shopping cart directory traversal"; flow:to_server,established; http_uri; content:"/cached_feed.cgi"; http_raw_uri; content:"../"; metadata:ruleset community; service:http; reference:bugtraq,1762; reference:cve,2000-0906; classtype:web-application-attack; sid:1093; rev:18; )
# Talentsoft Web+ and CyberOffice signatures (sid 1095-1098). In sid 1095-1097
# the second content uses distance 0, so it must appear after the script name
# matched by the first content; both are matched in http_uri with nocase.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Talentsoft Web+ Source Code view access"; flow:to_server,established; http_uri; content:"/webplus.exe?",nocase; content:"script=test.wml",distance 0,nocase; metadata:ruleset community; service:http; reference:bugtraq,1722; reference:url,archives.neohapsis.com/archives/ntbugtraq/2000-q3/0168.html; classtype:web-application-attack; sid:1095; rev:17; )
# sid 1096: the second pattern is the generic word "about" anywhere after
# "/webplus.exe?"; classed web-application-activity.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Talentsoft Web+ internal IP Address access"; flow:to_server,established; http_uri; content:"/webplus.exe?",nocase; content:"about",distance 0,nocase; metadata:ruleset community; service:http; reference:bugtraq,1720; reference:url,archives.neohapsis.com/archives/ntbugtraq/2000-q3/0168.html; classtype:web-application-activity; sid:1096; rev:17; )
# sid 1097 looks for webplus.cgi, whereas sid 1095 and 1096 look for webplus.exe.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Talentsoft Web+ exploit attempt"; flow:to_server,established; http_uri; content:"/webplus.cgi?",nocase; content:"Script=/webplus/webping/webping.wml",distance 0,nocase; metadata:ruleset community; service:http; reference:bugtraq,1725; classtype:web-application-attack; sid:1097; rev:18; )
# sid 1098 fires on a request for the shopping_cart.mdb file under _private/.
# A 200 response to such a request is the event worth escalating.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP SmartWin CyberOffice Shopping Cart access"; flow:to_server,established; http_uri; content:"_private/shopping_cart.mdb",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1734; reference:cve,2000-0925; classtype:web-application-attack; sid:1098; rev:16; )
# Scanner fingerprints (sid 1099-1102). These identify a tool by a fixed URI
# fragment or User-Agent header value. They show that a scan used that exact
# string; the absence of an alert does not show the absence of scanning.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP cybercop scan"; flow:to_server,established; http_uri; content:"/cybercop",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1099; rev:15; )
# sid 1100 and 1101 match the whole User-Agent header line, including the
# trailing CRLF (|0D 0A|), case-sensitively in the http_header buffer.
# sid 1100 will fire on any client that sends "Java1.2.1" as its User-Agent.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"INDICATOR-SCAN L3retriever HTTP Probe"; flow:to_server,established; http_header; content:"User-Agent|3A| Java1.2.1|0D 0A|"; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1100; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"INDICATOR-SCAN Webtrends HTTP probe"; flow:to_server,established; http_header; content:"User-Agent|3A| Webtrends Security Analyzer|0D 0A|"; metadata:ruleset community; service:http; classtype:web-application-activity; sid:1101; rev:17; )
# sid 1102: depth 32 requires the pattern within the first 32 bytes of the URI.
# It is classed web-application-attack although the msg describes a probe.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP nessus 1.X 404 probe"; flow:to_server,established; http_uri; content:"/nessus_is_probing_you_",depth 32; metadata:ruleset community; service:http; classtype:web-application-attack; sid:1102; rev:16; )
# Path-access signatures for assorted server products (sid 1103-1111). Each
# alerts on a request whose URI contains the listed path; most are classed
# attempted-recon or web-application-activity.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Netscape admin passwd"; flow:to_server,established; http_uri; content:"/admin-serv/config/admpw",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1579; reference:nessus,10468; classtype:web-application-attack; sid:1103; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP BigBrother access"; flow:to_server,established; http_uri; content:"/bb-hostsvc.sh?",nocase; content:"HOSTSVC",distance 0,nocase; metadata:ruleset community; service:http; reference:bugtraq,1455; reference:cve,2000-0638; reference:nessus,10460; classtype:attempted-recon; sid:1105; rev:18; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Poll-it access"; flow:to_server,established; http_uri; content:"/pollit/Poll_It_SSI_v2.0.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1431; reference:cve,2000-0590; reference:nessus,10459; classtype:web-application-activity; sid:1106; rev:23; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ftp.pl access"; flow:to_server,established; http_uri; content:"/ftp.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1471; reference:cve,2000-0674; reference:nessus,10467; classtype:web-application-activity; sid:1107; rev:18; )
# sid 1108: the two contents carry no distance/within modifier, so "/jsp/snp/"
# and ".snp" are matched independently in the URI (order is not enforced) and
# both are case-sensitive.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-APACHE Apache Tomcat server snoop access"; flow:to_server,established; http_uri; content:"/jsp/snp/"; content:".snp"; metadata:ruleset community; service:http; reference:bugtraq,1532; reference:cve,2000-0760; reference:nessus,10478; classtype:attempted-recon; sid:1108; rev:19; )
# NOTE(review): sid 1109 looks for the percent-encoded form "/%00" in http_uri,
# which is the normalized buffer; confirm with a test pcap that the encoded
# form still matches after normalization.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ROXEN directory list attempt"; flow:to_server,established; http_uri; content:"/%00"; metadata:ruleset community; service:http; reference:bugtraq,1510; reference:cve,2000-0671; reference:nessus,10479; classtype:attempted-recon; sid:1109; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP apache source.asp file access"; flow:to_server,established; http_uri; content:"/site/eg/source.asp",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1457; reference:cve,2000-0628; reference:nessus,10480; classtype:attempted-recon; sid:1110; rev:17; )
# sid 1111 says "exploit access" in msg but is classed attempted-recon; it
# fires on any request for the contextAdmin page.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-APACHE Apache Tomcat server exploit access"; flow:to_server,established; http_uri; content:"/contextAdmin/contextAdmin.html",nocase; metadata:ruleset community; service:http; reference:bugtraq,1548; reference:cve,2000-0672; reference:nessus,10477; classtype:attempted-recon; sid:1111; rev:18; )
# sid 1115-1120: ICQ web server, Lotus document actions, a command string and
# two phtml log viewers.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ICQ webserver DOS"; flow:to_server,established; http_uri; content:".html/......",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-0474; reference:url,www.securiteam.com/exploits/2ZUQ1QAQOG.html; classtype:attempted-dos; sid:1115; rev:17; )
# NOTE(review): sid 1116 and 1117 match ?DeleteDocument / ?EditDocument, which
# by name are state-changing requests, yet both are classed attempted-recon.
# Raise their local priority if these actions should never come from
# $EXTERNAL_NET.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Lotus DelDoc attempt"; flow:to_server,established; http_uri; content:"?DeleteDocument",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:1116; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Lotus EditDoc attempt"; flow:to_server,established; http_uri; content:"?EditDocument",fast_pattern,nocase; metadata:ruleset community; service:http; reference:url,www.securiteam.com/exploits/5NP080A1RE.html; classtype:attempted-recon; sid:1117; rev:14; )
# sid 1118 selects no HTTP buffer: "ls%20-l" is matched as literal bytes in
# packet data, so it covers only this percent-encoded form and can match in
# any part of the request, not just the URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ls 20-l"; flow:to_server,established; content:"ls%20-l",nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:1118; rev:12; )
# sid 1119 and 1120 cite the same bugtraq and CVE references and differ only
# in the file name matched.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP mlog.phtml access"; flow:to_server,established; http_uri; content:"/mlog.phtml",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,713; reference:cve,1999-0068; reference:cve,1999-0346; classtype:attempted-recon; sid:1119; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP mylog.phtml access"; flow:to_server,established; http_uri; content:"/mylog.phtml",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,713; reference:cve,1999-0068; reference:cve,1999-0346; classtype:attempted-recon; sid:1120; rev:16; )
# Sensitive-file and legacy-script access signatures (sid 1122-1131). All match
# a substring of the normalized URI with nocase and are classed
# attempted-recon. They report that the name was requested; correlate with the
# HTTP response status to tell a probe from a successful read.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP /etc/passwd file access attempt"; flow:to_server,established; http_uri; content:"/etc/passwd",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:1122; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ?PageServices access"; flow:to_server,established; http_uri; content:"?PageServices",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1063; reference:bugtraq,7621; reference:cve,1999-0269; classtype:attempted-recon; sid:1123; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Ecommerce check.txt access"; flow:to_server,established; http_uri; content:"/config/check.txt",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:1124; rev:13; )
# sid 1125 matches the directory name "/webcart/" alone, so every request
# under that directory fires it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP webcart access"; flow:to_server,established; http_uri; content:"/webcart/",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,1999-0610; reference:nessus,10298; classtype:attempted-recon; sid:1125; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP AuthChangeUrl access"; flow:to_server,established; http_uri; content:"_AuthChangeUrl?",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2110; reference:cve,1999-0407; classtype:attempted-recon; sid:1126; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP convert.bas access"; flow:to_server,established; http_uri; content:"/scripts/convert.bas",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2025; reference:cve,1999-0175; classtype:attempted-recon; sid:1127; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP cpshost.dll access"; flow:to_server,established; http_uri; content:"/scripts/cpshost.dll",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1811; reference:bugtraq,4002; reference:cve,1999-0360; classtype:attempted-recon; sid:1128; rev:16; )
# sid 1129-1131 detect requests for access-control files. sid 1130 and 1131
# share the msg ".wwwacl access" although sid 1131 matches ".www_acl"; tell
# them apart by sid.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP .htaccess access"; flow:to_server,established; http_uri; content:".htaccess",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:1129; rev:14; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP .wwwacl access"; flow:to_server,established; http_uri; content:".wwwacl",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:1130; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP .wwwacl access"; flow:to_server,established; http_uri; content:".www_acl",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:1131; rev:13; )
# sid 1132 is bound to $HOME_NET port 457 and has no service option, so it
# applies only to traffic on that port. It matches a fixed byte sequence in
# packet data. The msg says "overflow" while classtype is attempted-recon;
# consider the msg when setting local priority.
alert tcp $EXTERNAL_NET any -> $HOME_NET 457 ( msg:"SERVER-WEBAPP Netscape Unixware overflow"; flow:to_server,established; content:"|EB|_|9A FF FF FF FF 07 FF C3|^1|C0 89|F|9D|"; metadata:ruleset community; reference:bugtraq,908; reference:cve,1999-0744; classtype:attempted-recon; sid:1132; rev:14; )
# sid 1133 is a TCP-layer fingerprint: flow:stateless evaluates the packet
# regardless of session state, ack:0 requires an acknowledgment number of
# zero, flags:SFP requires SYN+FIN+PSH, and the payload must start with
# sixteen 'A' bytes (depth 16). NOTE(review): service:http is set although a
# packet with these flags is not part of an established HTTP exchange;
# confirm the rule is still evaluated as intended in your deployment.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"INDICATOR-SCAN cybercop os probe"; flow:stateless; ack:0; flags:SFP; content:"AAAAAAAAAAAAAAAA",depth 16; metadata:ruleset community; service:http; classtype:attempted-recon; sid:1133; rev:17; )
# Generic recon signatures (sid 1134-1146). Several use very short or very
# common strings and are the likeliest sources of noise in this part of the
# file; tune with suppression or thresholds rather than editing the
# distributed rule.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Phorum admin access"; flow:to_server,established; http_uri; content:"/admin.php3",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2271; reference:cve,2000-1228; classtype:attempted-recon; sid:1134; rev:21; )
# sid 1136: four-byte pattern "cd.." matched anywhere in packet data (no HTTP
# buffer), case-insensitively.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP cd.."; flow:to_server,established; content:"cd..",nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:1136; rev:11; )
# sid 1137 matches only the literal string shown, in packet data.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Phorum authentication access"; flow:to_server,established; content:"PHP_AUTH_USER=boogieman",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2274; reference:cve,2000-1230; classtype:attempted-recon; sid:1137; rev:18; )
# sid 1139: tool fingerprint, "HEAD" immediately followed by "/./" with no
# space, matched case-sensitively in packet data.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP whisker HEAD/./"; flow:to_server,established; content:"HEAD/./"; metadata:ruleset community; service:http; reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; classtype:attempted-recon; sid:1139; rev:13; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP guestbook.pl access"; flow:to_server,established; http_uri; content:"/guestbook.pl",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,776; reference:cve,1999-0237; reference:cve,1999-1053; reference:nessus,10099; classtype:attempted-recon; sid:1140; rev:20; )
# sid 1141: "/handler" is a substring match, so longer path segments that
# begin with it (constructed example: /handlers/) also fire.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP handler access"; flow:to_server,established; http_uri; content:"/handler",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,380; reference:cve,1999-0148; reference:nessus,10100; classtype:web-application-activity; sid:1141; rev:19; )
# sid 1142: "/" plus four dots, matched in packet data rather than the URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP /.... access"; flow:to_server,established; content:"/...."; metadata:ruleset community; service:http; classtype:attempted-recon; sid:1142; rev:11; )
# sid 1145: substring match, so user directories whose names merely start
# with "root" also fire.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP root access"; flow:to_server,established; http_uri; content:"/~root",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:1145; rev:16; )
# sid 1146 shares its msg with sid 1148, which matches /orders/import.txt;
# this one matches /config/import.txt.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Ecommerce import.txt access"; flow:to_server,established; http_uri; content:"/config/import.txt",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:1146; rev:13; )
# sid 1147 is the only rule in this part of the file with a policy entry:
# "policy max-detect-ips drop" turns it into a drop rule under that policy.
# The pattern is the four bytes "cat " (with trailing space) anywhere in the
# normalized URI, nocase, so ordinary words ending in "cat" followed by a space
# match too (constructed example: a search for "tomcat 9"). Review before
# running max-detect inline. It cites the same bugtraq,374 / cve,1999-0039
# pair as the webdist.cgi rule (sid 1163).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP cat_ access"; flow:to_server,established; http_uri; content:"cat ",fast_pattern,nocase; metadata:policy max-detect-ips drop,ruleset community; service:http; reference:bugtraq,374; reference:cve,1999-0039; classtype:attempted-recon; sid:1147; rev:21; )
# sid 1148 shares its msg with sid 1146 (/config/import.txt); this one matches
# /orders/import.txt.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Ecommerce import.txt access"; flow:to_server,established; http_uri; content:"/orders/import.txt",fast_pattern,nocase; metadata:ruleset community; service:http; classtype:attempted-recon; sid:1148; rev:13; )
# sid 1149: access-only signature for count.cgi, classed
# web-application-activity.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP count.cgi access"; flow:to_server,established; http_uri; content:"/count.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,128; reference:cve,1999-0021; reference:nessus,10049; classtype:web-application-activity; sid:1149; rev:24; )
# Lotus Domino database access (sid 1150-1154): one rule per .nsf database
# name, all citing nessus,10629 and classed attempted-recon. A hit means the
# database URL was requested from $EXTERNAL_NET. Whether that is expected
# depends on whether the Domino server is meant to publish that database
# externally.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Domino catalog.nsf access"; flow:to_server,established; http_uri; content:"/catalog.nsf",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,10629; classtype:attempted-recon; sid:1150; rev:16; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Domino domcfg.nsf access"; flow:to_server,established; http_uri; content:"/domcfg.nsf",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,10629; classtype:attempted-recon; sid:1151; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Domino domlog.nsf access"; flow:to_server,established; http_uri; content:"/domlog.nsf",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,10629; classtype:attempted-recon; sid:1152; rev:15; )
# sid 1153: "/log.nsf" is a plain substring of the URI, nothing more specific.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Domino log.nsf access"; flow:to_server,established; http_uri; content:"/log.nsf",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,10629; classtype:attempted-recon; sid:1153; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Domino names.nsf access"; flow:to_server,established; http_uri; content:"/names.nsf",fast_pattern,nocase; metadata:ruleset community; service:http; reference:nessus,10629; classtype:attempted-recon; sid:1154; rev:15; )
# sid 1155: request for /orders/checks.txt in the URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Ecommerce checks.txt access"; flow:to_server,established; http_uri; content:"/orders/checks.txt",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,2281; classtype:attempted-recon; sid:1155; rev:15; )
# sid 1156 differs from its neighbours in two ways: the destination is
# $HOME_NET rather than $HTTP_SERVERS, and the eight-slash pattern is checked
# twice, first in packet data (used as the fast pattern) and then in
# http_raw_uri, the unnormalized URI. The msg describes a directory
# disclosure while classtype is attempted-dos; go by the cited references
# when assigning severity.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP apache directory disclosure attempt"; flow:to_server,established; content:"////////",fast_pattern,nocase; http_raw_uri; content:"////////"; metadata:ruleset community; service:http; reference:bugtraq,2503; reference:cve,2001-0925; classtype:attempted-dos; sid:1156; rev:17; )
# Application path-access signatures (sid 1157-1166). Each alerts when the
# request contains the listed file or script name. Unless noted, the match is
# in http_uri with nocase.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Netscape PublishingXpert access"; flow:to_server,established; http_uri; content:"/PSUser/PSCOErrPage.htm",fast_pattern,nocase; metadata:ruleset community; service:http; reference:cve,2000-1196; reference:nessus,10364; classtype:web-application-activity; sid:1157; rev:17; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP windmail.exe access"; flow:to_server,established; http_uri; content:"/windmail.exe",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1073; reference:cve,2000-0242; reference:nessus,10365; classtype:attempted-recon; sid:1158; rev:19; )
# NOTE(review): sid 1159 cites cve,2000-1005, the same id that sid 1088 cites
# for the eXtropia web_store traversal; confirm which product the CVE
# describes before relying on it during triage.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP webplus access"; flow:to_server,established; http_uri; content:"/webplus?script",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1174; reference:bugtraq,1720; reference:bugtraq,1722; reference:bugtraq,1725; reference:cve,2000-1005; classtype:attempted-recon; sid:1159; rev:18; )
# sid 1160: "?wp-" is a four-byte substring of the URI; any query string that
# begins with "wp-" fires it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Netscape dir index wp"; flow:to_server,established; http_uri; content:"?wp-",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1063; reference:cve,2000-0236; reference:nessus,10352; classtype:attempted-recon; sid:1160; rev:21; )
# sid 1161 has no nocase modifier, so "/passwd.php3" is matched
# case-sensitively, unlike its neighbours.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP piranha passwd.php3 access"; flow:to_server,established; http_uri; content:"/passwd.php3"; metadata:ruleset community; service:http; reference:bugtraq,1149; reference:cve,2000-0322; classtype:attempted-recon; sid:1161; rev:17; )
# sid 1162 matches a request to the ChangeAdminPassword function of
# c32web.exe; it is classed attempted-recon.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP cart 32 AdminPwd access"; flow:to_server,established; http_uri; content:"/c32web.exe/ChangeAdminPassword",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1153; reference:cve,2000-0429; classtype:attempted-recon; sid:1162; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP webdist.cgi access"; flow:to_server,established; http_uri; content:"/webdist.cgi",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,374; reference:cve,1999-0039; reference:nessus,10299; classtype:web-application-activity; sid:1163; rev:19; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP shopping cart access"; flow:to_server,established; http_uri; content:"/quikstore.cfg",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,1983; reference:bugtraq,2049; reference:cve,1999-0607; reference:cve,2000-1188; classtype:attempted-recon; sid:1164; rev:18; )
# sid 1165 selects no HTTP buffer: "/GWWEB.EXE" is matched in packet data
# (nocase), so it is not limited to the request URI.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP Novell Groupwise gwweb.exe access"; flow:to_server,established; content:"/GWWEB.EXE",nocase; metadata:ruleset community; service:http; reference:bugtraq,879; reference:cve,1999-1005; reference:cve,1999-1006; reference:nessus,10877; classtype:attempted-recon; sid:1165; rev:15; )
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( msg:"SERVER-WEBAPP ws_ftp.ini access"; flow:to_server,established; http_uri; content:"/ws_ftp.ini",fast_pattern,nocase; metadata:ruleset community; service:http; reference:bugtraq,547; reference:cve,1999-1078; classtype:attempted-recon; sid:1166; rev:16; )