#---------------------------------------------
# http://www.snort.org Snort 1.7.0 Ruleset
# Current Database Updated -- 01/25/2001
#Contact: Jim Forster - jforster@rapidnet.com
#---------------------------------------------
# Snort 1.x signature set: variables, preprocessors, one pass rule, then
# alert rules grouped as Backdoor / BETA / DDoS / Exploits.  Rules are
# written one per line; a rule is header (action proto src sport -> dst dport)
# followed by options in parentheses.  No rule here carries sid:/rev: or
# classtype: (not required by Snort 1.7); a newer Snort needs them added.
#
# CHANGE THE NEXT LINE TO REFLECT YOUR NETWORK
# (Single system = your ip/32)
# NOTE(review): placeholder value; replace with a real CIDR (or CIDR list)
# before loading, otherwise every $HOME_NET rule below is scoped to nothing useful.
var HOME_NET yournet/subnet
# you can define multiple networks in single variable (or use them directly in rules)
# var HOME_NET [10.1.1.0/24,10.1.2.0/24,192.168.1.0/24]
# NOTE(review): placeholder text, not a valid address specification; replace with
# the CIDR list of non-local networks (or `any`) before use.  Most rules below key
# on $EXTERNAL_NET, so leaving this as-is disables the bulk of the ruleset.
var EXTERNAL_NET outside network IPs
#---------------------------------------------
# URI normalisation for the web rules below runs only on the listed ports; add
# any other HTTP ports you serve or encoded requests bypass the content: matches.
preprocessor http_decode: 80 8080
# alerts on IP fragments smaller than the given size (assumed bytes — confirm
# against the 1.7 docs).
preprocessor minfrag: 128
# preprocessor portscan: 12.23.34.45/32 3 5 /var/log/snort_portscan.log
#   argument 1: your IP address or network to monitor
#   argument 2: amount of ports being connected to in the interval
#   argument 3: interval (in seconds)
#   argument 4: log file (path/name)
#preprocessor portscan-ignorehosts: Hosts to ignore in portscan detection
#-----------------------------------------------
# Ignore web traffic when visiting www.snort.org
# NOTE(review): a pass rule silences every alert for this flow in both directions.
# Snort 1.x evaluates alert rules before pass rules by default, so this only takes
# effect when snort is started with -o (pass -> alert -> log order) — confirm for
# your build; if it is honoured, web traffic to this host is never inspected.
pass tcp 205.164.217.39 80 <> any any
#-----------------------------------------------
# -------------------------
# Backdoor Signatures
# -------------------------
# single content match over ALL outbound TCP from $HOME_NET; cheap but broad
alert tcp $HOME_NET any -> any any (msg:"psyBNC detected inside"; content:"Welcome!psyBNC@lam3rz.de"; flags: PA;)
alert tcp any 16959 -> any any (msg:"BACKDOOR-SIGNATURE - SubSeven DEFCON8 2.1 Backdoor Access!"; content: "PWD"; content:"acidphreak"; nocase;)
alert tcp any any -> any 7597 (msg:"BACKDOOR SIGNATURE - LURHQ-03 - QAZ Worm Client Login Detected"; flags:PA; content:"|71 61 7a 77 73 78 2e 68 73 71|";)
alert udp $EXTERNAL_NET 4120 -> $HOME_NET any (msg: "IDS405 - DeepThroat-ACTIVE"; content: "--Ahhhhhhhhhh";)
alert udp $EXTERNAL_NET any -> $HOME_NET 31337 (msg: "IDS399 - BackOrifice1-info"; content: "|ce63 d1d2 16e7 13cf 39a5 a586|";)
alert udp $EXTERNAL_NET any -> $HOME_NET 31337 (msg: "IDS398 - BackOrifice1-dir"; content: "|ce63 d1d2 16e7 13cf 3ca5 a586|";)
alert udp $EXTERNAL_NET any -> $HOME_NET 31337 (msg: "IDS397 - BackOrifice1-scan"; content: "|ce63 d1d2 16e7 13cf 38a5 a586|";)
alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg: "IDS400 - BackOrifice1-web"; flags: AP; content: "server|3a| BO|2f|";)
alert tcp $HOME_NET 12346 -> $EXTERNAL_NET any (msg: "IDS402 - Netbus-active-12346"; flags: AP; content: "NetBus";)
alert tcp $HOME_NET 12345 -> $EXTERNAL_NET any (msg: "IDS401 - Netbus-active-12345"; flags: AP; content: "NetBus";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 12346 (msg: "IDS404 - BACKDOOR SIGNATURE - Netbus Getinfo 12346"; flags: AP; content: "GetInfo|0d|";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 12345 (msg: "IDS403 - BACKDOOR SIGNATURE - Netbus Getinfo 12345"; flags: AP; content: "GetInfo|0d|";)
alert tcp $HOME_NET 146 -> $EXTERNAL_NET 1024: (msg: "IDS315 - BACKDOOR-ACTIVITY - Infector.1.x"; content: "WHATISIT";)
alert tcp $HOME_NET 666 -> $EXTERNAL_NET 1024: (msg: "IDS316 - BACKDOOR-ACTIVITY - SatansBackdoor.2.0.Beta"; content: "Remote|3A| You are connected to me.";)
alert tcp $HOME_NET 6789 -> $EXTERNAL_NET any (msg: "IDS312 - BACKDOOR SIGNATURE - Doly 2.0"; content: "|57 74 7a 75 70 20 55 73 65|"; flags: AP; depth: 32;)
alert tcp $HOME_NET 146 -> $EXTERNAL_NET 1000:1300 (msg:"BACKDOOR SIGNATURE - Possible Infector 1.6 Server to Client Connection"; content:"|57 48 41 54 49 53 49 54|";)
alert tcp $EXTERNAL_NET 1000:1300 -> $HOME_NET 146 (msg:"BACKDOOR SIGNATURE - Possible Infector 1.6 Client to Server Connection Request"; content:"|46 43 20|";)
# The DeepThroat 3.1 rules (udp 60000 -> 2140) match two- or three-digit command
# codes with no offset:/depth:, so the code may match anywhere in the datagram.
# NOTE(review): content:"12" here and the "Send to URL Client Request" rule further
# down share header and content, so one packet raises both alerts.
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 E-Mail Info Client Request"; content:"12";)
# NOTE(review): flags:SA with a content match — a SYN/ACK segment normally carries
# no payload, so this is unlikely to fire as written; verify against a capture.
alert tcp $HOME_NET 5714 -> $EXTERNAL_NET any (msg:"IDS36 - BACKDOOR SIGNATURE - WinCrash 1.0 Server Active" ; flags:SA; content:"|B4 B4|";)
alert udp $HOME_NET 3150 -> $EXTERNAL_NET 60000 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Wrong Password"; content:"Wrong Password";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 System Info Client Request"; content:"13";)
# NOTE(review): exact duplicate of the rule above; drop one to avoid two alerts per packet.
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 System Info Client Request"; content:"13";)
alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 System Info From Server"; content:"Comp Name";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Drive Info Client Request"; content:"130";)
alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Drive Info From Server"; content:"C - ";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Rehash Client Request"; content:"911";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Server Status Client Request"; content:"10";)
alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Server Status From Server"; content:"Host";)
alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 E-Mail Info From Server"; content:"Retreaving";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 FTP Status Client Request"; content:"09";)
# NOTE(review): same header and content ("21") as the "FTP Server Port Client
# Request" rule further down; both fire on the same packet.
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Server FTP Port Change Client Request"; content:"21";)
alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Server FTP Port Change From Server"; content:"FTP Server changed to";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Cached Passwords Client Request"; content:"16";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 RAS Passwords Client Request"; content:"17";)
alert udp $EXTERNAL_NET 3345 -> $HOME_NET 3344 (msg:"IDS83 - BACKDOOR SIGNATURE - Matrix 2.0 Server ACK"; content:"logged in";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Server Password Remove Client Request"; content:"92";)
alert tcp $HOME_NET 30100:30102 -> $EXTERNAL_NET any (msg:"IDS76 - BACKDOOR SIGNATURE - NetSphere 1.31.337 Data"; flags:PA; content:"NetSphere";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 3150 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Server Rehash Client Request"; content:"shutd0wnM0therF***eR";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Server Password Change Client Request"; content:"91";)
alert tcp $HOME_NET 23476 -> $EXTERNAL_NET any (msg:"BACKDOOR SIGNATURE - DonaldDick 1.53 Traffic"; flags:PA; content:"pINg";)
alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"IDS01 - BACKDOOR SIGNATURE - ADMw0rm-ftp-retrieval";flags:PA; content:"USERw0rm|0D0A|";)
alert tcp $EXTERNAL_NET !80 -> $HOME_NET 21554 (msg:"IDS98 - BACKDOOR SIGNATURE - GirlFriendaccess"; flags:PA; content:"Girl";)
alert tcp $HOME_NET 30100 -> $EXTERNAL_NET any (msg:"IDS76 - BACKDOOR SIGNATURE - NetSphere access"; flags: PA; content:"NetSphere";)
alert tcp $HOME_NET 6969 -> $EXTERNAL_NET any (msg:"IDS99 - BACKDOOR SIGNATURE - GateCrasheraccess"; flags:PA; content:"GateCrasher";)
# NOTE(review): ICMP has no ports, so "16660" is not a match criterion, and there is
# no itype:/content: option either — this fires on every ICMP packet from
# $EXTERNAL_NET into $HOME_NET.  Expect noise; add the Stacheldraht-specific
# itype:/icmp_id: values used by the DDoS rules below.
alert icmp $EXTERNAL_NET any -> $HOME_NET 16660 (msg:"IDS179 - BACKDOOR SIGNATURE - Stacheldraht Client";)
# same header/content as the "PhaseZero Server Active on Network" rule further down
alert tcp $HOME_NET 555 -> $EXTERNAL_NET any (msg:"BACKDOOR SIGNATURE - Possible PhaseZero Server Active on Network";content:"phAse";flags:PA;)
alert udp $HOME_NET 2140 -> any 60000 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Keylogger Active on Network"; content:"KeyLogger Is Enabled On port";)
alert udp any 60000 -> $HOME_NET 3150 (msg:"IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network"; content:"|00 23|";)
alert udp any 3150 -> $HOME_NET 60000 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Server Active on Network"; content:"|00 23|";)
alert tcp $HOME_NET !80 -> $EXTERNAL_NET any (msg:"IDS279 - BACKDOOR SIGNATURE - SubSeven 2.1 FTP Enabled Sent from Server!"; flags:PA; content:"FTP server enabled";)
# no payload check at all: every UDP datagram 2140 -> $HOME_NET 60000 alerts
alert udp any 2140 -> $HOME_NET 60000 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Server Active on Network";)
alert udp $EXTERNAL_NET 3344 -> $HOME_NET 3345 (msg:"IDS83 - BACKDOOR SIGNATURE - Matrix 2.0 Client connect"; content:"activate";)
# four-byte content "host" on any data from port 31785; short pattern, expect false positives
alert tcp $HOME_NET 31785 -> $EXTERNAL_NET any (msg:"BACKDOOR SIGNATURE - HackAttack 1.20 Connect"; flags:PA; content:"host";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Send Text to Window Client Request"; content:"63";)
alert tcp $HOME_NET !80 -> $EXTERNAL_NET any (msg:"IDS279 - BACKDOOR SIGNATURE - SubSeven 2.1 Login Detected!"; flags:PA; content:"connected. time/date";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 ICQ Alert ON Client Request"; content: "40";)
# source is "any", not $HOME_NET, unlike the other SubSeven rules — presumably deliberate; verify
alert tcp any !80 -> $EXTERNAL_NET any (msg:"IDS279 - BACKDOOR SIGNATURE - SubSeven 2.1 FTP Enable from Client"; flags:PA; content:"FTPenable!";)
# content is the literal text c:\ (the backslash is escaped)
alert tcp $HOME_NET 5401:5402 -> $EXTERNAL_NET any (msg:"BACKDOOR SIGNATURE -- BackConstruction 2.1 Connection"; flags:PA; content:"c|3A|\\";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 666 (msg:"BACKDOOR SIGNATURE -- BackConstruction 2.1 Client FTP Open Request"; flags:PA; content:"FTPON";)
alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"BACKDOOR SIGNATURE -- BackConstruction 2.1 Server FTP Open Reply"; flags:PA; content:"FTP Port open";)
# content is just "--" anywhere in the payload; port 5032 is the only real discriminator
alert tcp $HOME_NET any -> $EXTERNAL_NET 5032 (msg:"IDS79 - BACKDOOR SIGNATURE - NetMetro File List"; flags:PA; content:"|2D 2D|";)
# no content: — any PSH/ACK segment from port 5031 to a $HOME_NET port outside 53-80 alerts
alert tcp $EXTERNAL_NET 5031 -> $HOME_NET !53:80 (msg:"IDS79 - BACKDOOR SIGNATURE - NetMetro Incoming Traffic"; flags:PA;)
# NOTE(review): no content: — this fires on every 60000 -> 2140 datagram, i.e. on
# every packet that also matches one of the command-code rules in this section,
# so each DeepThroat command produces at least two alerts.
alert udp any 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Keylogger on Server OFF"; content:"KeyLogger Shut Down";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Hide/Show Systray Client Request"; content:"30";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Hide/Show Clock Client Request"; content:"32";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Hide/Show Desktop Client Request"; content:"33";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Swap Mouse Buttons Client Request"; content:"34";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Enable/Disable CTRL-ALT-DEL Client Request"; content:"110";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Freeze Mouse Client Request"; content:"35";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Show Dialog Box Client Request"; content:"70";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Show Replyable Dialog Box Client Request"; content:"71";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Monitor on/off Client Request"; content:"07";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Hide Window Client Request"; content:"26";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Keylogger on Server ON"; content:"KeyLogger Is Enabled On port";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 CD ROM Close Client Request"; content:"03";)
# NOTE(review): duplicates the "E-Mail Info Client Request" rule (same header, content "12")
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Send to URL Client Request"; content:"12";)
# NOTE(review): duplicates the "Server FTP Port Change Client Request" rule (content "21")
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 FTP Server Port Client Request"; content:"21";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Process List Client request"; content:"64";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Close Port Scan Client Request"; content:"121";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Registry Add Client Request"; content:"89";)
# Q rules: the only criteria are the literal 255.255.255.0/24 source block and a
# non-empty payload (dsize: >1); no content is inspected.
alert icmp 255.255.255.0/24 any -> $HOME_NET any (msg:"IDS202 - BACKDOOR SIGNATURE - Q ICMP"; itype: 0; dsize: >1;)
alert tcp 255.255.255.0/24 any -> $HOME_NET any (msg:"IDS203 - BACKDOOR SIGNATURE - Q TCP"; flags:A; dsize: >1;)
alert udp 255.255.255.0/24 any -> $HOME_NET any (msg:"IDS201 - BACKDOOR SIGNATURE - Q UDP"; dsize: >1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"IDS263 - Backdoor Signature - CDK"; content: "ypi0ca"; nocase; flags: AP; depth: 15;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Resolution Change Client Request"; content:"125";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Change Wallpaper Client Request"; content:"20";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Visible Window List Client Request"; content:"37";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 All Window List Client Request"; content:"370";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Kill Window Client Request"; content:"38";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Disable Window Client Request"; content:"23";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Enable Window Client Request"; content:"24";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Change Window Title Client Request"; content:"60";)
# NOTE(review): same header/content as the "Possible PhaseZero Server Active" rule above
alert tcp $HOME_NET 555 -> $EXTERNAL_NET any (msg:"BACKDOOR SIGNATURE - PhaseZero Server Active on Network"; flags:PA; content:"phAse";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Show Window Client Request"; content:"25";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Server Response"; content:"Ahhhh My Mouth Is Open";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Hide/Show Start Button Client Request"; content:"31";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Create Directory Client Request"; content:"39";)
# NOTE(review): same msg as the content:"31" rule above but a different code ("04");
# one of the two labels is presumably wrong — verify against the DeepThroat protocol.
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Hide/Show Start Button Client Request"; content:"04";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Delete File Client Request"; content:"41";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Play Sound Client Request"; content:"36";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Run Program Normal Client Request"; content:"14";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Run Program Hidden Client Request"; content:"15";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Get NET File Client Request"; content:"100";)
# two codes ("117", "118") carry the same msg; fine if intentional, but alerts are indistinguishable
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Find File Client Request"; content:"117";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Find File Client Request"; content:"118";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 HUP Modem Client Request"; content:"199";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 CD ROM Open Client Request"; content:"02";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 ICQ Alert OFF Client Request"; content:"88";)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Show Picture Client Request"; content:"22";)
# -------------------------
# BETA Rules
# -------------------------
# "BETA" rules are unvetted; several below are broad (no $HOME_NET scoping, very
# short content:) and will be noisy on a busy link.
alert tcp any 1863 <> any any (msg:"MSN IM Chat data Logged";flags:PA; content:"|746578742F706C61696E|"; depth:100;)
# DNS responses from ANY port-53 source, in both directions; not scoped to $HOME_NET
alert udp any 53 -> any any (msg:"Standard query response PTR with Time to live: 1 min. and no authority or additional - DNSSPOOF"; content:"|85800001000100000000|"; content:"|c00c000c00010000003c000f|";)
alert udp any 53 -> any any (msg:"Standard query response A with Time to live: 1 min. and no authority or additional - DNSSPOOF"; content:"|81800001000100000000|"; content:"|c00c000100010000003c0004|";)
# NOTE(review): Snort delimits binary content with |...|; with /.../ the text between
# the slashes is matched as literal ASCII, so this rule will not match the bytes it
# was written for.  Convert to content:"|43 07 89 ... 0A|" (same hex) and re-test.
alert tcp any any -> $HOME_NET 515 (msg: "rdC-LPRng"; flags: AP; content: "/43 07 89 5B 08 8D 4B 08 89 43 0C B0 0B CD 80 31 C0 FE C0 CD 80 E8 94 FF FF FF 2F 62 69 6E 2F 73 68 0A/" ;)
alert tcp any any -> any 25 (msg: "BETA - Possible Navidad Virus Outgoing!"; content:"Emanuel.exe"; nocase;)
# id: is the IP identification field; fixed-ID fingerprints are easy to change
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"BETA - SING Echo from LINUX/*BSD"; id:13170; itype: 8; dsize: 8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (content: "User-Agent\:ICQ"; flags:AP; msg: "BETA - ICQ 2000 Access";)
# five-byte "NICK " on any outbound TCP port; expect false positives
alert tcp $HOME_NET any -> $EXTERNAL_NET any (content: "NICK "; flags: AP; msg:"BETA - Possible IRC Access";)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"BETA - PING Speedera"; content: "|3839 3a3b 3c3d 3e3f|"; depth: 100; itype: 8; )
alert tcp any 80 -> any any (msg:"BETA - Connection Closed MSG from Port 80"; content:"Connection closed by foreign host"; nocase;)
# fixed seq:/id: fingerprint on any SYN in either direction, no $HOME_NET scoping
alert tcp any any <> any any (flags:S; seq: 6060842; id: 413; msg: "BETA - NAPTHA DoS Attack, see http://razor.bindview.com//publish/advisories/asv_NAPTHA.html";)
alert icmp any any <> any any (msg:"BETA - PING-Broadscan Smurf Scanner"; itype: 8; icmp_id: 0; icmp_seq: 0; dsize:4; )
# NOTE(review): same criteria as the NAPTHA rule two lines up; both alerts fire per packet
alert tcp any any <> any any (flags:S; seq: 6060842; id: 413; msg: "BETA - Naptha DoS Attack";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BETA - Securax-SA-09 Catsoft serv-U FTP directory transversal"; flags: PA; content: ".%20."; nocase;)
# no id: here, unlike the LINUX/*BSD variant; any 8-byte echo request from outside matches
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"BETA - SING Echo from Sun Solaris"; itype: 8; dsize: 8;)
alert tcp any any -> any 25 (msg: "BETA - Possible Prolin Virus Outgoing!"; content:"CREATIVE.EXE"; nocase;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"BETA - icmpenum v1.1.1"; id: 666; itype: 8;icmp_id: 666; icmp_seq: 0; dsize:0;)
alert tcp any 110 -> any any (msg: "BETA - Possible Navidad Virus Incoming!"; content:"Emanuel.exe"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BETA - Attempt at mmstdod.cgi - if installed, verify it is newer than 3.0.26"; content:"mmstdod.cgi"; nocase;)
# ".cnf" anywhere in the request stream, case-insensitive; expect noise on any site serving such names
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BETA - Attempt at IIS .cnf Files"; content:".cnf"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BETA - Attempt at IIS bdir.htr"; content:"bdir.htr"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BETA - Attempt at IIS viewcode.asp"; content:"viewcode.asp"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BETA - Connection to Cold Fusion Admin"; content:"//cfide//administrator//index.cfm"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BETA - Attempt at II5 cross-site scripting"; content:"Form_JScript.asp"; nocase;)
alert tcp any any -> any 25 (msg: "BETA - Possible Stages Virus Outgoing!"; content:"LIFE_STAGES.TXT.SHS"; nocase;)
# The "possible warez site" FTP rules overlap: the plain "CWD " / "MKD " rules
# further down match every CWD/MKD command, including the ones these narrower
# rules target, so a single command can raise several alerts.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BETA - CWD / - possible warez site"; flags:PA; content:"CWD / "; nocase; depth: 6;)
alert tcp any any -> $HOME_NET 80 (msg:"BETA - DCFORUM.CGI attempt - This CGI has a well known security flaw"; flags:PA; content:"dcforum.cgi";)
# NOTE(review): the four Napster rules use /.../ instead of |...| — as written the
# content is a 9-character literal string, which can never fit inside depth: 3,
# so these rules cannot match.  The intent is plainly the 3-byte sequence, e.g.
# content: "|00 5f02|"; convert all four and re-test.
alert tcp any 8888 -> any !80 (msg:"BETA - Napster Upload Request"; flags: PA; content: "/00 5f02/"; offset: 1; depth: 3; )
alert tcp any !80 -> any 8888 (msg:"BETA - Napster Download Request"; flags: PA; content: "/00 cb00/"; offset: 1; depth: 3; )
alert tcp any !80 -> any 8888 (msg:"BETA - Napster New User Login"; flags: PA; content: "/00 0600/"; offset: 1; depth: 3; )
alert tcp any !80 -> any 8888 (msg:"BETA - Napster Login"; flags: PA; content:"/00 0200/"; offset: 1; depth: 3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BETA - MKD . - possible warez site"; flags:PA; content:"MKD ."; nocase; depth: 5;)
# matches every MKD command on port 21 (and everything the "MKD ." / "MKD / " rules match)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BETA - MKD - possible warez site"; flags:PA; content:"MKD "; nocase; depth: 5;)
# NOTE(review): msg says "cd to /" but the content is "MKD / " — label or content is wrong
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BETA - cd to / - possible warez site"; flags:PA; content:"MKD / "; nocase; depth: 6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"BETA - SuperScan Echo from Windows"; content:"|0000000000000000|"; itype: 8; dsize:8;)
# matches every CWD command on port 21; duplicated by the "CWD ' '" rule below
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BETA - CWD - possible warez site"; flags:PA; content:"CWD "; nocase; depth: 5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BETA - Attempt at II5 directory display"; content:"ServerVariables_Jscript.asp"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BETA - RETR 1MB - possible warez site"; flags:PA; content:"RETR 1MB"; nocase; depth: 8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BETA - STOR 1MB - possible warez site"; flags:PA; content:"STOR 1MB"; nocase; depth: 8;)
# NOTE(review): the two identical content: options are redundant, and the empty
# content:"" matches nothing useful (a stricter parser may reject it); keep one
# non-empty content: and drop the rest.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BETA - BUGTRAQ ID 1980 - ASX Overflow"; content:"|5a 5a 5a 5a 5a 5a 5a 5a 5a|"; content:"|5a 5a 5a 5a 5a 5a 5a 5a 5a|"; content:""; nocase; flags:PA;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"BETA - (NIT)Redhat7.0-lprd-Overflow"; flags:PA; content:"|58 58 58 58 25 2E 31 37 32 75 25 33 30 30 24 6E|";)
# NOTE(review): msg says "Outgoing" but the header is $EXTERNAL_NET -> $HOME_NET 25,
# i.e. mail arriving at your MTA; the msg or the direction needs to change.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg: "BETA - VIRUS - Possible Outgoing W32-hybris.gen@m worm"; content:"boundary=\"--VE"; nocase;)
alert tcp $EXTERNAL_NET 110 -> $HOME_NET any (msg: "BETA - VIRUS - Possible incoming W32-hybris.gen@m worm"; content:"boundary=\"--VE"; nocase;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"BETA - IDS162 - PING Nmap2.36BETA or HPING2 Echo from LINUX/*BSD";itype:8;dsize:0;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"BETA - Nemesis v1.1 Echo"; content:"|0000000000000000000000000000000000000000|"; itype: 8; icmp_id: 0; icmp_seq: 0; dsize: 20;)
# NOTE(review): identical header, content and depth to the "CWD - possible warez site" rule above; drop one
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BETA - CWD ' ' - possible warez site"; flags:PA; content:"CWD "; nocase; depth: 5;)
#
# -------------------------
# DDoS Alerts
# -------------------------
# (an EXPLOIT-class web rule filed under the DDoS heading)
alert tcp any any -> any 80 (msg:"EXPLOIT - Possible Netscape Servers Suite Multiple DoS Vulnerabilities"; flags:PA; content:"/dsgw/bin/search?context="; nocase;)
alert icmp any any -> any any (msg: "IDS425 - Ttfn2k icmp possible communication"; itype: 0; icmp_id: 0; content: "AAAAAAAAAA";)
alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"IDS187 - DDoS - Trin00:DaemontoMaster(PONGdetected)"; content:"PONG";)
# watches for the Stacheldraht spoof test leaving toward $EXTERNAL_NET from the
# literal source 3.3.3.3; $HOME_NET is not referenced, so place the sensor accordingly
alert icmp 3.3.3.3/32 any -> $EXTERNAL_NET any (msg:"IDS193 - DDoS - Stacheldraht server-spoof"; itype: 0; icmp_id: 666;)
# server-response rules are outbound ($HOME_NET -> $EXTERNAL_NET): a hit means a host inside is the agent
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"IDS195 - DDoS - Stacheldraht server-response-gag"; content: "|73 69 63 6B 65 6E|"; itype: 0; icmp_id: 669;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"IDS191 - DDoS - Stacheldraht server-response"; content: "|66 69 63 6B 65 6E|"; itype: 0; icmp_id: 667;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS192 - DDoS - Stacheldraht client-spoofworks"; content: "|73 70 6F 6F 66 77 6F 72 6B 73|"; itype: 0; icmp_id: 1000;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS184 - DDoS - TFN client command BE"; itype: 0; icmp_id: 456; icmp_seq: 0;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS190 - DDoS - Stacheldraht client-check"; content: "|73 6B 69 6C 6C 7A|"; itype: 0; icmp_id: 666;)
# no content: — any PSH/ACK data to port 20432 alerts
alert tcp $EXTERNAL_NET any -> $HOME_NET 20432 (msg:"IDS254 - DDoS shaft client to handler"; flags: AP;)
alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"IDS186 - DDoS - Trin00:DaemontoMaster(messagedetected)"; content:"l44";)
alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"IDS185 - DDoS - Trin00:DaemontoMaster(*HELLO*detected)"; content:"*HELLO*";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"IDS196 - DDoS - Trin00:Attacker to Master default startup pass detected!";flags:PA; content:"betaalmostdone";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDoS - Trin00 Attacker to Master defaultr.i.passdetected!";flags:PA; content:"gOrave";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDoS - Trin00 Attacker to Master-default mdie pass detected!";flags:PA; content:"killme";)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS194 - DDoS - Stacheldraht client-check-gag"; content: "|67 65 73 75 6E 64 68 65 69 74 21|"; itype: 0; icmp_id: 668;)
alert udp $EXTERNAL_NET any -> $HOME_NET 27444 (msg:"IDS197 - DDoS - Trin00:MastertoDaemon(defaultpassdetected!)"; content:"l44adsl";)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS182 - DDoS - TFN server response"; content: "|73 68 65 6C 6C 20 62 6F 75 6E 64 20 74 6F 20 70 6F 72 74|"; itype: 0; icmp_id: 123; icmp_seq: 0;)
alert udp $EXTERNAL_NET any -> $HOME_NET 18753 (msg:"IDS255 - DDoS shaft handler to agent"; content: "alive tijgu";)
alert udp $EXTERNAL_NET any -> $HOME_NET 20433 (msg:"IDS256 - DDoS shaft agent to handler"; content: "alive";)
# shaft synflood: fixed initial sequence number on SYNs from low (<=1024) source ports
alert tcp $HOME_NET :1024 -> $EXTERNAL_NET any (msg:"IDS253 - DDoS shaft synflood outgoing"; flags: S; seq: 674711609;)
alert tcp $EXTERNAL_NET :1024 -> $HOME_NET any (msg:"IDS252 - DDoS shaft synflood incoming"; flags: S; seq: 674711609;)
alert udp any any -> any 6838 (msg: "DDoS - mstream agent to handler"; content: "newserver"; )
alert udp any any -> any 10498 (msg: "CAN-2000-0138 - DDoS - mstream handler to agent"; content: "stream/"; )
alert udp any any -> any 10498 (msg: "CAN-2000-0138 - DDoS - mstream handler ping to agent" ; content: "ping";)
alert udp any any -> any 10498 (msg: "DDoS - mstream agent pong to handler" ; content: "pong";)
# mstream client/handler rules key on the ">" prompt character; the port is the real discriminator
alert tcp any any -> any 12754 (msg: "CAN-2000-0138 - DDoS - mstream client to handler"; content: ">"; flags: AP;)
alert tcp any 12754 -> any any (msg: "CAN-2000-0138 - DDoS - mstream handler to client"; content: ">"; flags: AP;)
# SYN-only rule: every connection attempt to 15104 alerts
alert tcp any any -> any 15104 (msg: "CAN-2000-0138 - IDS111 - DDoS - mstream client to handler"; flags: S;)
alert tcp any 15104 -> any any (msg: "CAN-2000-0138 - DDoS - mstream handler to client"; content: ">"; flags: AP;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS183 - DDoS - TFN client command LE"; itype: 0; icmp_id: 51201; icmp_seq: 0;)
# -------------------------
# Exploits
# -------------------------
# Most rules here match a fixed shellcode/NOP fragment on a service port.  Short
# binary patterns on "any" ports (setuid0/setgid0, stealth NOP) will false-positive
# on ordinary binary traffic; the shellcode-with-/bin/sh rules are the stronger ones.
alert tcp any any -> any 139 (msg: "IDS454 - DoS RFPoison"; flags: AP; content: "|5C 00 5C 00 2A 00 53 00 4D 00 42 00 53 00 45 00 52 00 56 00 45 00 52 00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 00|";)
# NOTE(review): the content starts with a literal space before the |...| bytes, so a
# 0x20 must immediately precede the shellcode for a match; this looks like a typo — verify
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "IDS446 - FTP - OpenBSD-teso"; flags: AP; content: " |90 31 C0 99 52 52 B017 CD80 68 CC 73 68|";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "IDS440 - FTP - wuftp260 Linux venglin parbobek"; flags: AP; content: "|2e2e3131|venglin@";)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "IDS442 - RPC Statdx Exploit"; flags: AP; content: "/bin|c74604|/sh";)
alert tcp any any -> any 80 (msg:"EXPLOIT - WEB-CGI-Anaconda-FD directory transversal vulnerability attempt"; flags:PA; content:"template=../"; nocase;)
alert tcp any any -> any 80 (msg:"EXPLOIT - WEB Amazon 1-click cookie theft"; flags: PA; content:"ref%3Cscript%20language%3D%22Javascript"; nocase;)
alert tcp any any -> any 80 (msg:"EXPLOIT - WEB - Allaire JRUN DoS attempt"; flags:PA; content:"servlet/......."; nocase;)
alert tcp any any -> any 25 (msg:"EXPLOIT - Possible MS Exchange Server MIME DoS Vulnerability"; flags:PA; content:"|63 68 61 72 73 65 74 20 3D 20 22 22|";)
alert tcp any any -> any 80 (msg:"EXPLOIT - Unify eWave ServletExec File Upload Vulnerability"; flags:PA; content:"/servlet"; content:"UploadServlet"; nocase;)
alert tcp any any -> any 80 (msg:"EXPLOIT - Unify eWave ServletExec DoS"; flags:PA; content:"servlet/ServletExec";)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "IDS342/shellcode-LinuxCommonTCP"; flags: AP; content: "|90 90 90 e8 c0 ff ff ff|/bin/sh";)
# four-byte pattern on any UDP port — high false-positive rate
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg: "IDS436/shellcode-x86-setuid0-udp"; content: "|b017 cd80|";)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg: "IDS437- Shellcode x86 setgid0 udp"; content: "|b0b5 cd80|";)
# rpc: 100000 is the portmapper program; any procedure/version (*,*)
alert tcp any any -> any 111 (msg: "IDS428 - Portmap listing 111"; flags: AP; rpc: 100000,*,*;)
alert tcp any any -> any 80 (msg:"MISC - ICQ Webfront HTTP DoS"; flags:PA; content:"??????????";)
# Post-compromise indicator: the output of `id` for root seen in a cleartext session.
# Scans every TCP packet on the link (any/any), so it is costly, but a hit deserves
# immediate triage rather than the default priority.
alert tcp any any -> any any (msg:"MISC - MISC - id check returned root"; content: "uid=0(root)";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg: "IDS414 - Delegate Proxy Overflow PSH"; dsize: >1000; flags: AP; content: "whois|3a|//"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg: "IDS411 - Realaudio-DoS"; flags: AP; content: "|fff4 fffd 06|";)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg: "IDS362 - MISC - Shellcode X86 NOPS-UDP"; content: "|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|";)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS359 - OVERFLOW-NOOP-HP-TCP2";flags:PA; content:"|0b39 0280 0b39 0280 0b39 0280 0b39 0280|";)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS345 - OVERFLOW-NOOP-Sparc-TCP";flags:PA; content:"|13c0 1ca6 13c0 1ca6 13c0 1ca6 13c0 1ca6|";)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS355 - OVERFLOW-NOOP-Sparc-UDP2"; content:"|a61c c013 a61c c013 a61c c013 a61c c013|";)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "IDS291 - MISC - Shellcode x86 stealth NOP"; content: "|eb 02 eb 02 eb 02|";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1431 - MISC - Possible attempt at Poll-it Version 2 Exploit"; flags:PA; content:"pollit/Poll_It_SSI_v2.0.cgi?"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"MISC - Possible attempt at BigBrother 1.4 or older Exploit"; flags:PA; content:"bb-hostsvc.sh?HOSTSVC"; nocase;)
# same signature on both RealServer ports (8080 and 7070); intentional, not a duplicate
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"BUGTRAQ ID 1288 - MISC - Possible attempt at Real Server template.html DoS"; flags:PA; content:"/viewsource/template.html?"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"BUGTRAQ ID 1288 - MISC - Possible attempt at Real Server template.html DoS"; flags:PA; content:"/viewsource/template.html?"; nocase;)
alert udp $EXTERNAL_NET any -> $HOME_NET 518 (msg:"OVERFLOW-x86-linux-ntalkd"; content:"|0103 0000 0000 0001 0002 02e8|";)
# NOTE(review): same bytes as "OVERFLOW-FTP-2!" further down; one of the pair is redundant
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"OVERFLOW-FTP-generic2";flags:PA; content:"|5858 5858 582F|";)
# NOTE(review): byte-for-byte the same pattern as the "-duke" rule below (only the
# hex grouping differs); both alerts fire on the same packet
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"OVERFLOW-FTP-x86linux-adm";flags:PA; content:"|31 c0 31 db b0 17 cd 80 31 c0 b0 17 cd 80|";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BUGTRAQ ID 113 - CVE-1999-0368 - OVERFLOW-FTP-x86linux-duke";flags:PA; content:"|31c0 31db b017 cd80 31c0 b017 cd80|";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BUGTRAQ ID 113 - CVE-1999-0368 - OVERFLOW-FTP-x86linux-sekure";flags:PA; content:"MKD AAAAAA";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BUGTRAQ ID 113 - CVE-1999-0368 - OVERFLOW-FTP-x86linux-smiler";flags:PA; content:"|31db 89d8 b017 cd80 eb2c|";)
# NOTE(review): the odd-length groups "5e0" and "9fa" suggest a dropped hex digit;
# the total digit count is even so it parses, but the bytes are probably not the
# intended ones — confirm against the original signature.
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"OVERFLOW-POP3-x86bsd2";flags:PA; content:"|5e0 e31c 0b03 b8d7 e0e8 9fa 89f9|";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"BUGTRAQ ID 113 - CVE-1999-0368 - OVERFLOW-FTP-x86linux-wh0a";flags:PA; content:"|83 ec 04 5e 83 c6 70 83 c6 28 d5 e0 c0|";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"CVE-2000-0042 - OVERFLOW-x86-windows-CSMMail";flags:PA; content:"|eb53 eb20 5bfc 33c9 b182 8bf3 802b|";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 2766 (msg:"OVERFLOW-x86-solaris-nlps";flags:PA; content:"|eb23 5e33 c088 46fa 8946 f589 36|";)
# NOTE(review): same bytes as "OVERFLOW-FTP-1!" further down; one of the pair is redundant
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"OVERFLOW-FTP-generic1";flags:PA; content:"|5057 440A 2F69|";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OVERFLOW-DNS-sparc";flags:PA; content:"|90 1a c0 0f 90 02 20 08 92 02 20 0f d0 23 bf f8|";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OVERFLOW-DNS-x86freebsd-rotsb";flags:PA; content:"|eb6e 5ec6 069a 31c9 894e 01c6 4605|";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OVERFLOW-DNS-x86linux-ADMv2";flags:PA; content:"|89f7 29c7 89f3 89f9 89f2 ac3c fe|";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OVERFLOW-DNS-x86linux-ADMv3";flags:PA; content:"|31 c0 b0 02 cd 80 85 c0 75 4c eb 4c 5e b0|";)
# NOTE(review): same bytes as "OVERFLOW-named" two rules down (hex case differs only)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OVERFLOW-DNS-x86linux-generic";flags:PA; content:"|cd80 e8d7 ffff ff|/bin/sh";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OVERFLOW-DNS-x86linux-rotsb";flags:PA; content:"|31c0 b03f 31db b3ff 31c9 cd80 31c0|";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OVERFLOW-named";flags:PA; content:"|CD80 E8D7 FFFF FF|/bin/sh";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"CVE-1999-0404 - OVERFLOW-x86-windows-MailMax";flags:PA; content:"|eb45 eb20 5bfc 33c9 b182 8bf3 802b|";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"CVE-1999-0811 - CVE-1999-0182 - OVERFLOW-x86-linux-samba";flags:PA; content:"|eb2f 5feb 4a5e 89fb 893e 89f2|";)
# client-side overflows: the payload arrives from the outside server on any port
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CVE-1999-0671 - OVERFLOW-NextFTP-client";flags:PA; content:"|b420 b421 8bcc 83e9 048b 1933 c966 b910|";)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CVE-1999-0672 - BUGTRAQ ID 573 - OVERFLOW-IRC-client-Chocoa";flags:PA; content:"|eb 4b 5b 53 32 e4 83 c3 0b 4b 88 23 b8 50 77|";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"OVERFLOW-POP2-x86linux";flags:PA; content:"|ffff ff2f 4249 4e2f 5348 00|";)
# NOTE(review): trailing "800 1" looks like a split "8001"; it parses, but confirm the bytes
alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"OVERFLOW-POP2-x86linux2";flags:PA; content:"|eb2c 5b89 d980 c106 39d9 7c07 800 1|";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"OVERFLOW-POP3-x86bsd";flags:PA; content:"|685d 5eff d5ff d4ff f58b f590 6631|";)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS357 - OVERFLOW-NOOP-SGI-UDP"; content:"|240f 1234 240f 1234 240f 1234 240f 1234|";)
# the shorter "OVERFLOW-QPOP" pattern below is a suffix of this one, so both fire together
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"OVERFLOW-POP3-x86linux";flags:PA; content:"|d840 cd80 e8d9 ffff ff|/bin/sh";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"OVERFLOW-POP3-x86sco";flags:PA; content:"|560e 31c0 b03b 8d7e 1289 f989 f9|";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"OVERFLOW-QPOP";flags:PA; content:"|E8 D9FF FFFF|/bin/sh";)
# NOTE(review): duplicate of "OVERFLOW-FTP-generic2"
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"OVERFLOW-FTP-2!";flags:PA; content:"|5858 5858 582F|";)
# NOTE(review): "imap1" and "IMAP" below carry the same bytes (hex case differs only)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"OVERFLOW-86-linux-imap1";flags:PA; content:"|e8 c0ff ffff|/bin/sh";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"OVERFLOW-IMAP";flags:PA; content:"|E8 C0FF FFFF|/bin/sh";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"BUGTRAQ ID 130 - CVE-1999-0005 - OVERFLOW-x86-linux-imapd2";flags:PA; content:"|89d8 40cd 80e8 c8ff ffff|/";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"BUGTRAQ ID 130 - CVE-1999-0005 - OVERFLOW-x86-linux-imapd3";flags:PA; content:"|eb58 5E31 db83 c308 83c3 0288 5e26|";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"BUGTRAQ ID 130 - CVE-1999-0005 - OVERFLOW-x86-linux-imapd4";flags:PA; content:"|eb34 5e8d 1E89 5e0b 31d2 8956 07|";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"BUGTRAQ ID 130 - CVE-1999-0005 - OVERFLOW-x86-linux-imapd5";flags:PA; content:"|eb35 5E80 4601 3080 4602 3080 4603 30|";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"BUGTRAQ ID 130 - CVE-1999-0005 - OVERFLOW-x86-linux-imapd6";flags:PA; content:"|eb385e89f389d880460120804602|";)
# NOTE(review): duplicate of "OVERFLOW-FTP-generic1"
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"OVERFLOW-FTP-1!";flags:PA; content:"|5057 440A 2F69|";)
alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"CVE-1999-0002 - OVERFLOW-x86-linux-mountd"; content:"|eb56 5E56 5656 31d2 8856 0b88 561e|";)
# NOTE(review): the rule below is cut off at the end of this excerpt; the file continues past this point
alert udp $EXTERNAL_NET any -> $HOME_NET 
161 (msg:"BUGTRAQ ID 1009 - Possible attempt at Bay/Nortel Nautica Marlin DoS"; dsize:0;) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS350 - OVERFLOW-NOOP-HP-UDP2"; content:"|0b39 0280 0b39 0280 0b39 0280 0b39 0280|";) alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"CVE-1999-0833 - OVERFLOW-Named-ADM-NXT - 8.2->8.2.1";flags:PA; content:"../../../../../../../../../";) alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"IDS215 - OVERFLOW - Client - netscape47-retrieved"; content: "|33 C9 B1 10 3F E9 06 51 3C FA 47 33 C0 50 F7 D0 50|"; flags: AP;) alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"IDS214 - OVERFLOW - Client - netscape47-unsucessful"; content: "|33 C9 B1 10 3F E9 06 51 3C FA 47 33 C0 50 F7 D0 50|"; flags: AP;) alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"IDS261 - MISC DoS arkiea backup"; flags: AP; dsize: >1445;) alert udp $EXTERNAL_NET any -> $HOME_NET 9 (msg:"IDS262 - CVE-1999-0060 - Ascend Router DoS"; content: "|4e 41 4d 45 4e 41 4d 45|"; offset: 25; depth: 50;) alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"IDS267 - Delegate proxy overflow"; content: "whois|3a|//"; nocase; flags: AP; dsize: >1000;) alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"CVE-1999-0833 - OVERFLOW-Named-ADM-NXT - 8.2->8.2.1";flags:PA; content:"ADMROCKS";) alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"BUGTRAQ ID 1610 - MISC - Attempt at VQServer Admin"; flags:PA; content:"GET / HTTP/1.1"; nocase;) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS181 - OVERFLOW-NOOP-X86"; content:"|9090 9090 9090 9090 9090 9090 9090 9090|";) alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"IDS273 - Sniffit overflow"; flags:PA; content: "from|3A 90 90 90 90 90 90 90 90 90 90 90|"; nocase; dsize: >512;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IDS275 - Cisco Web Crash"; flags:PA; content: "|20 2F 25 25|"; depth: 16;) alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"IDS274 - NNTP Cassandra Overflow"; flags:PA; content: "AUTHINFO USER"; nocase; dsize: 
>512; depth: 16;) alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"IDS242 - RPC ttdbserv Solaris Overflow"; content: "|C0 22 3F FC A2 02 20 09 C0 2C 7F FF E2 22 3F F4|"; flags: AP; dsize: >999;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "IDS282 - MISC - Shellcode SPARC Setuid0"; content: "|82102017 91d02008|"; flags: PA;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "IDS283 - MISC - Shellcode X86 Setuid0"; content: "|b017 cd80|"; flags: PA;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "IDS284 - MISC - Shellcode X86 Setgid0"; content: "|b0b5 cd80|"; flags: PA;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "IDS181 - MISC - Shellcode X86 NOPS"; content: "|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; flags: PA;) alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"MISC Knox Arkeia DOS"; flags:PA;dsize:>1445;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS358 - OVERFLOW-NOOP-HP-TCP"; content:"|0821 0280 0821 0280 0821 0280 0821 0280|";) alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"CVE-1999-0002 - OVERFLOW-x86-linux-mountd3"; content:"|eb40 5E31 c040 8946 0489 c340 8906|";) alert tcp $EXTERNAL_NET any -> $HOME_NET 6373 (msg:"OVERFLOW-sco-calserver";flags:PA; content:"|eb7f 5d55 fe4d 98fe 4d9b|";) alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"OVERFLOW-BOOTP-x86bsd"; content:"|6563 686f 206e 6574 726a 7320 7374 7265|";) alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"CVE-1999-0799 - CAN-1999-0798 - CAN-1999-0389 - OVERFLOW-BOOTP--x86linux"; content:"|4139 30c0 a801 012f 6269 6e2f 7368 00|";) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS343 - OVERFLOW-LinuxCommonUDP"; content:"|90 90 90 e8 c0 ff ff ff|/bin/sh";) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-AIX"; content:"|4fff fb82 4fff fb82 4fff fb82 4fff fb82|";) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-AIX";flags:PA; content:"|4fff fb82 4fff fb82 4fff fb82 4fff fb82|";) alert tcp 
$EXTERNAL_NET any -> $HOME_NET 53 (msg:"CVE-1999-0833 - OVERFLOW-Named-ADM-NXT - 8.2->8.2.1";flags:PA; content:"thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool";) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS361 - OVERFLOW-NOOP-Digital-TCP"; flags: PA; content:"|47 ff 04 1f 47 ff 04 1f 47 ff 04 1f 47 ff 04 1f|";) alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"CVE-1999-0002 - OVERFLOW-x86-linux-mountd2"; content:"|5eb0 0289 06fe c889 4604 b006 8946|";) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS349 - OVERFLOW-NOOP-HP-UDP"; content:"|0821 0280 0821 0280 0821 0280 08210 0280|";) alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IDS147 - CVE-1999-004 - IMAP-x86-linux-buffer-overflow";flags:PA; content:"|e8c0 ffff ff|/bin/sh";) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS356 - OVERFLOW-NOOP-SGI-TCP";flags:PA; content:"|03e0 f825 03e0 f825 03e0 f825 03e0 f825|";) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-SGI";flags:PA; content:"|240f 1234 240f 1234 240f 1234 240f 1234|";) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS344 - OVERFLOW-NOOP-Solaris-UDP"; content:"|801c 4011 801c 4011 801c 4011 801c 4011|";) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS353 - OVERFLOW-NOOP-Solaris-TCP"; content:"|801c 4011 801c 4011 801c 4011 801c 4011|";) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-Sparc-UDP"; content:"|13c0 1ca6 13c0 1ca6 13c0 1ca6 13c0 1ca6|";) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS355 - OVERFLOW-NOOP-Sparc-TCP2"; content:"|a61c c013 a61c c013 a61c c013 a61c c013|";) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS352 - OVERFLOW-NOOP-Digital-UDP"; content:"|47 ff 04 1f 47 ff 04 1f 47 ff 04 1f 47 ff 04 1f|";) # ------------------------- # High False Rules # ------------------------- alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"OVERFLOW - Possible attempt at MS Print Services";) alert tcp 
$EXTERNAL_NET any -> $HOME_NET 80 (msg:"High False Rule - WEB-CGI-query";flags:PA; content:"cgi-bin/query"; nocase;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"High False Rule - IDS171 Ping All Zeros"; content: "|00000000000000000000000000000000|"; itype: 8; depth: 32;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IDS259 - Alibaba 2.0 Buffer Overflow";dsize:>1449; content:"POST";) alert tcp any 5050 <> $HOME_NET any (msg:"INFO - YAHOO Pager Data Logged"; flags: PA;) alert tcp any 5190 <> $HOME_NET any (msg:"AOL Chat Data Logged";) alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"INFO - YAHOO Pager Active on Network"; flags:A;) alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"AOL Chat Active on Network"; flags:A;) alert tcp $EXTERNAL_NET any <> $HOME_NET 110 (msg:"Mail Password";flags:PA; content:"PASS"; logto:"MAIL";) alert tcp $EXTERNAL_NET any <> $HOME_NET 110 (msg:"Mail Login";flags:PA; content:"USER"; logto:"MAIL";) alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"High False Rule - SNMP access, public"; content:"public";) alert udp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"High False Rule - IDS177 NETBIOS-SMB-Name-Query"; content:"CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|0000|";) alert tcp $EXTERNAL_NET any <> $HOME_NET 21 (msg:"FTP-Password";flags:PA; content:"PASS"; logto:"FTP";) alert tcp $EXTERNAL_NET any <> $HOME_NET 21 (msg:"fP-Login";flags:PA; content:"USER"; logto:"FTP";) # ------------------------- # Finger # ------------------------- alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"Finger backdoor probe";flags:PA; content:"cmd_rootsh";) alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"Finger account enumeration";flags:PA; content:"a b c d e f"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"IDS375 - FINGER-Search";flags:PA; content:"search";) alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"IDS376 - FINGER-root";flags:PA; content:"root";) alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"IDS377 - FINGER-ProbeNull"; 
flags:PA; content:"|00|";) alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"IDS378 - FINGER-Probe0";flags:PA; content:"0";) alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"IDS379 - FINGER-PipeW";flags:PA; content:"/W|3b|";) alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"IDS380 - FINGER-Pipe"; flags:PA; content:"|7c|";) alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"IDS381 - FINGER-Bomb";flags:PA; content:"@@";) alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"IDS11 - Finger cybercop redirection"; flags:PA; content: "|40 6C 6F 63 61 6C 68 6F 73 74 0A|"; dsize: 11; depth: 11;) alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"IDS251 - Finger redirection"; content: "@"; flags: AP;) alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"IDS131 - CVE-1999-0612 - FINGER-0@host";flags:PA; content:"|300A|";) alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"IDS130 - CVE-1999-0612 - FINGER-.@host";flags:PA; content:"|2E0A|";) # ------------------------- # FTP # ------------------------- alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "IDS458 - FTP wuftp260-tf8"; flags: PA; content: "|31C0 31DB 31C9 B046 CD80 31C0 31DB 43 89D941 B03F CD80|";) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "IDS453 - FTP - -6350wu formatstring check"; flags: AP; content: "SITE EXEC |25 30 32 30 64 7C 25 2E 66 25 2E 66 7C 0A|"; depth: 32; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "IDS451 - FTP - Solaris28 formatstring"; flags: AP; content: "|901BC00F 82102017 91D02008|";) alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg: "IDS364 - FTP - Bad Login"; flags: AP; content: "530 Login ";) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "IDS324/FTP-pass-wh00t"; content: "pass wh00t"; nocase; flags: AP;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "IDS322/FTP-nopassword"; content: "pass |0d|"; nocase; flags: AP;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "IDS317/FTP-site-exec"; content: "site exec"; nocase; flags: AP;) alert tcp $EXTERNAL_NET any -> $HOME_NET 
21 (msg: "IDS318/FTP-cwd~root"; content: "cwd ~root"; nocase; flags: AP;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "IDS319/FTP-forward"; content: ".forward"; flags: AP;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "IDS287 - FTP - Wuftp260 venglin linux"; content: "|31c031db 31c9b046 cd80 31c031db|"; flags: AP;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1471 - FTP - Possible Attempt at ftp.pl Exploit"; flags:PA; content:"ftp/ftp.pl?"; nocase;) alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"BUGTRAQ ID 1471 - FTP - Exploitable proftpd 1.2 server running"; content:"proftpd 1.2"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"IDS328 - FTP-rhosts";flags:PA; content:".rhosts";) alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"FTP-NT-bad-login"; content:"Login failed.";) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "IDS288 - FTP wuftp260 Venglin BSD"; content: "|31c0 50 50 50 b07e cd80 31db 31c0|"; flags: PA; depth: 32;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"IDS134 - CVE-1999-0202 - FTP tar parameters";flags:PA; content:"RETR--use-compress-program";) alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"IDS137 - CVE-1999-0183 - TFTP parent directory"; content:"..";) alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"IDS138 - CVE-1999-0183 - TFTP rootdirectory"; content:"|0001|/";) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"IDS213 - FTP-Password Retrieval"; content:"passwd"; flags: AP;) alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"IDS148 - CVE-1999-0183 - TFTP Write"; content:"|00 02|"; depth:2; ) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"IDS257 - Aix FTP Buffer Overflow";flags:PA;dsize:>1300; content:"CEL ";) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "IDS285 - FTP wuftp260 Siteexec"; content: "SITE EXEC %p"; nocase; flags: PA; depth: 16;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "IDS287 - FTP wuftp260 Venglin Linux"; content: "|31c031db 31c9b046 cd80 31c031db|"; flags: PA; 
depth: 32;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "IDS286 - FTP wuftp260 Siteexec"; content: "|66 25 2E 66 25 2E 66 25 2E 66 25 2E 66 25 2E|"; flags: PA; depth: 32;) # ------------------------- # ICMP # ------------------------- alert icmp any any -> any any (msg:"ICMP Alternate Host Address (Undefined Code!)"; itype: 6;) alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Precedence Cutoff in effect)"; itype: 3; icode: 15;) alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Undefined Code!)"; itype: 3;) alert icmp any any -> any any (msg:"ICMP Source Quench"; itype: 4; icode: 0;) alert icmp any any -> any any (msg:"ICMP Source Quench (Undefined Code!)"; itype: 4;) alert icmp any any -> any any (msg:"ICMP Redirect (for Network or Subnet)"; itype: 5; icode: 0;) alert icmp any any -> any any (msg:"ICMP Redirect (for Host)"; itype: 5; icode: 1;) alert icmp any any -> any any (msg:"ICMP Redirect (for TOS and Network)"; itype: 5; icode: 2;) alert icmp any any -> any any (msg:"ICMP Time-To-Live Exceeded in Transit"; itype: 11; icode: 0;) alert icmp any any -> any any (msg:"ICMP Unknown Type";) alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Host Unreachable for Type of Service)"; itype: 3; icode: 12;) alert icmp any any -> any any (msg:"ICMP Unassigned! (Type 7)"; itype: 7; icode: 0;) alert icmp any any -> any any (msg:"ICMP Unassigned! 
(Type 7) (Undefined Code!)"; itype: 7;) alert icmp any any -> any any (msg:"ICMP Echo Request"; itype: 8; icode: 0;) alert icmp any any -> any any (msg:"ICMP Echo Request (Undefined Code!)"; itype: 8;) alert icmp any any -> any any (msg:"ICMP Router Advertisment"; itype: 9; icode: 0;) alert icmp any any -> any any (msg:"ICMP Router Advertisment (Undefined Code!)"; itype:9 ;) alert icmp any any -> any any (msg:"ICMP Router Selection"; itype: 10; icode: 0;) alert icmp any any -> any any (msg:"ICMP Router Selection (Undefined Code!)"; itype: 10;) alert icmp any any -> any any (msg:"ICMP Redirect (Undefined Code!)"; itype: 5;) alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Fragmentation Needed and DF bit was set)"; itype: 3; icode:4;) alert icmp any any -> any any (msg:"ICMP Echo Reply"; itype: 0; icode: 0;) alert icmp any any -> any any (msg:"ICMP Echo Reply (Undefined Code!)"; itype: 0;) alert icmp any any -> any any (msg:"ICMP Unassigned! (Type 1)"; itype: 1; icode: 0;) alert icmp any any -> any any (msg:"ICMP Unassigned! (Tupe 1) (Undefined Code)"; itype: 1;) alert icmp any any -> any any (msg:"ICMP Unassigned! (Type 2)"; itype: 2; icode: 0;) alert icmp any any -> any any (msg:"ICMP Unassigned! 
(Type 2) (Undefined Code); itype: 2;) alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Network Unreachable)"; itype: 3; icode: 0;) alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Host Unreachable)"; itype: 3; icode: 1;) alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Host Precedence Violation)"; itype: 3; icode: 14;) alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Port Unreachable)"; itype: 3; icode: 3;) alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Communication Administratively Prohibited)"; itype: 3; icode: 13;) alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Source Route Failed)"; itype: 3; icode: 5;) alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Destination Network Unknown)"; itype: 3; icode: 6;) alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Destination Host Unknown)"; itype: 3; icode: 7;) alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Source Host Isolated)"; itype: 3; icode: 8;) alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Communication with Destination Network is Administratively Prohibited)"; itype: 3; icode: 9;) alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Communication with Destination Host is Administratively Prohibited)"; itype: 3; icode: 10;) alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Network Unreachable for Type of Service)"; itype: 3; icode:11;) alert icmp any any -> any any (msg:"ICMP Alternate Host Address"; itype: 6; icode: 0;) alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Protocol Unreachable)"; itype: 3; icode: 2;) alert icmp any any -> any any (msg:"ICMP Redirect (for TOS and Host)"; itype: 5; icode: 3;) alert icmp any any -> any any (msg:"ICMP Datagram Conversion Error"; itype: 31; icode: 0;) alert icmp any any -> any any (msg:"ICMP Datagram Conversion Error (Undefined Code!)"; itype: 31;) alert 
icmp any any -> any any (msg:"ICMP Mobile Host Redirect"; itype: 32; icode: 0;) alert icmp any any -> any any (msg:"ICMP Mobile Host Redirect (Undefined Code!)"; itype: 32;) alert icmp any any -> any any (msg:"ICMP IPV6 Where-Are-You"; itype: 33; icode: 0;) alert icmp any any -> any any (msg:"ICMP IPV6 Where-Are-You (Undefined Code!)"; itype: 33;) alert icmp any any -> any any (msg:"ICMP IPV6 I-Am-Here"; itype: 34; icode: 0;) alert icmp any any -> any any (msg:"ICMP IPV6 I-Am-Here (Undefined Code!"; itype: 34;) alert icmp any any -> any any (msg:"ICMP Traceroute (Undefined Code!"; itype: 30;) alert icmp any any -> any any (msg:"ICMP Mobile Registration Request (Undefined Code!"; itype: 35;) alert icmp any any -> any any (msg:"ICMP Mobile Registration Request"; itype: 35; icode: 0;) alert icmp any any -> any any (msg:"ICMP Mobile Registration Reply (Undefined Code!)"; itype: 36;) alert icmp any any -> any any (msg:"ICMP SKIP"; itype: 39; icode: 0;) alert icmp any any -> any any (msg:"ICMP SKIP (Undefined Code!"; itype: 39;) alert icmp any any -> any any (msg:"ICMP Photuris Code 0 (Reserved)"; itype: 40; icode: 0;) alert icmp any any -> any any (msg:"ICMP Photuris Code 1 (Unknown Security Parameters Index)"; itype: 40; icode: 1;) alert icmp any any -> any any (msg:"ICMP Photuris Code 2 (Valid Security Parameters, But Authentication Failed)"; itype: 40; icode: 2;) alert icmp any any -> any any (msg:"ICMP Photuris Code 3 (Valid Security Parameters, But Decryption Failed)"; itype: 40; icode: 3;) alert icmp any any -> any any (msg:"ICMP Photuris (Undefined Code!)"; itype: 40;) alert icmp any any -> any any (msg:"ICMP Fragment Reassembly Time Exceeded"; itype: 11; icode: 1;) alert icmp any any -> any any (msg:"ICMP Information Request"; itype: 15; icode: 0;) alert icmp any any -> any any (msg:"ICMP Mobile Registration Reply"; itype: 36; icode: 0;) alert icmp any any -> any any (msg:"ICMP Traceroute"; itype: 30; icode: 0;) alert icmp any any -> any any (msg:"ICMP Time 
Exceeded (Undefined Code!)"; itype: 11;) alert icmp any any -> any any (msg:"ICMP Parameter Problem Code 0 (unspecified Error)"; itype: 12; icode: 0;) alert icmp any any -> any any (msg:"ICMP Parameter Problem Code 1 (Missing a Requiered Option)"; itype: 12; icode: 1;) alert icmp any any -> any any (msg:"ICMP Parameter Problem Code 2 (Bad Length)"; itype: 12; icode: 2;) alert icmp any any -> any any (msg:"ICMP Parameter Problem (Undefined Code!)"; itype: 12;) alert icmp any any -> any any (msg:"ICMP Timestamp Request"; itype: 13; icode: 0;) alert icmp any any -> any any (msg:"ICMP Timestamp Request (Undefined Code!)"; itype: 13;) alert icmp any any -> any any (msg:"ICMP Timestamp Reply (Undefined Code!)"; itype: 14;) alert icmp any any -> any any (msg:"ICMP Information Request (Undefined Code!)"; itype: 15;) alert icmp any any -> any any (msg:"ICMP Information Reply"; itype: 16; icode: 0;) alert icmp any any -> any any (msg:"ICMP Information Reply (Undefined Code!)"; itype: 16;) alert icmp any any -> any any (msg:"ICMP Address Mask Request"; itype: 17; icode: 0;) alert icmp any any -> any any (msg:"ICMP Address Mask Request (Undefined Code!)"; itype: 17;) alert icmp any any -> any any (msg:"ICMP Address Mask Reply"; itype: 18; icode: 0;) alert icmp any any -> any any (msg:"ICMP Address Mask Reply (Undefined Code!)"; itype: 18;) alert icmp any any -> any any (msg:"ICMP Reserved for Security (Type 19)"; itype: 19; icode: 0;) alert icmp any any -> any any (msg:"ICMP Reserved for Security (Type 19) (Undefined Code!)"; itype: 19;) alert icmp any any -> any any (msg:"ICMP Timestamp Reply"; itype: 14; icode: 0;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "IDS450 - PING - icmpenum v1.1.1"; id: 666; dsize: 0; itype: 8; icmp_id: 666 ; icmp_seq: 0;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "IDS444 - PING - BayRS Router"; itype: 8; content: "0102030405060708090a0b0c0d0e0f"; depth: 32;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "IDS152 - Ping 
BSDtype"; itype: 8; content: "|08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17|"; depth: 32;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "IDS162 - PING-NMAP-ICMP"; dsize: 0; itype: 8;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "IDS449 - PING - Nemesis v1.1 Echo"; dsize: 20; itype: 8; icmp_id: 0; icmp_seq: 0; content: "|0000000000000000000000000000000000000000|";) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "IDS447 - PING - SING Echo from LINUX/*BSD"; id: 13170; dsize: 8; itype: 8;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "IDS448 - PING - SING Echo from Sun Solaris"; dsize: 8; itype: 8;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS151 - PING BeOS4.x"; content:"|00000000000000000000000008090a0b|";itype:8;depth:32;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS153 - PING Cisco Type.x"; content:"|abcdabcdabcdabcdabcdabcdabcdabcd|";itype:8;depth:32;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS154 - PING CyberKit 2.2 Windows"; content:"|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|";itype:8;depth:32;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS155 - PING Delphi-Piette Windows"; content:"|50696e67696e672066726f6d2044656c|";itype:8;depth:32;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS157 - PING IP NetMonitor Macintosh"; content:"|a9205375737461696e61626c6520536f|";itype:8;depth:32;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS158 - PING ISS Pinger"; content:"|495353504e475251|";itype:8;depth:32;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS159 - PING Microsoft Windows"; content:"|6162636465666768696a6b6c6d6e6f70|";itype:8;depth:32;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PING *NIX Type"; content:"|101112131415161718191a1b1c1d1e1f|";itype:8;depth:32;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS163 - PING Pinger Windows"; content:"|44617461000000000000000000000000|";itype:8;depth:32;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS164 - 
PING Ping-O-MeterWindows"; content:"|4f4d 6574 6572 4f62 6573 6541 726d 6164|";itype:8;depth:32;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS166 - PING Seer Windows"; content:"|88042020202020202020202020202020|";itype:8;depth:32;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS167 - PING TJPingPro1.1Build 2 Windows"; content:"|544a 5069 6e67 5072 6f20 6279 204a 696d|";itype:8;depth:32;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS168 - PING WhatsupGold Windows"; content:"|5768 6174 7355 7020 2d20 4120 4e65 7477|";itype:8;depth:32;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS169 - PING Windows Type"; content: "|61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70|"; itype: 8; depth: 32;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS28 - PING NMAP TCP";flags:A;ack:0;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS161 - PING Network Toolbox 3 Windows"; content:"|3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d|";itype:8;depth:32;) # ------------------------- # MISC (general) # ------------------------- alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"Linux Rootkit 3 probe";flags:PA; content:"lrkr0x";) alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg: "IDS476 - MISC - xdmcp-query"; content: "|00 01 00 03 00 01 00|";) alert tcp $EXTERNAL_NET any -> $HOME_NET 70 (msg: "IDS409 - gopher-proxy"; content: "ftp|3a|"; content: "@/"; depth:4; flags:PA; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"Linux Rootkit 4/5 probe";flags:PA; content:"satori";) alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"Linux Rootkit 2 probe";flags:PA; content:"wh00t!";) alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"Linux Rootkit probe";flags:PA; content:"d13hh["; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"HidePak backdoor probe";flags:PA; content:"StoogR";) alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"HideSource backdoor probe";flags:PA; content:"wank";) alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"sm4ck backdoor 
probe";flags:PA; content:"hax0r";) alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"sol25 backdoor probe";flags:PA; content:"friday";) alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"Misc. backdoor probe";flags:PA; content:"backdoor"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"Misc. backdoor probe";flags:PA; content:"r00t";) alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"Misc. backdoor probe";flags:PA; content:"rewt";) alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"4Dgifts SGI account probe";flags:PA; content:"4Dgifts";) alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"OutOfBox account probe";flags:PA; content:"OutOfBox";) alert tcp $HOME_NET any -> $EXTERNAL_NET 27374 (msg: "IDS461 - Ramen worm outgoing"; flags: PA; content: "GET "; depth: 8; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"EZsetup account probe";flags:PA; content:"OutOfBox";) alert tcp $EXTERNAL_NET any -> $HOME_NET 27374 (msg: "IDS460 - Ramen worm incoming"; flags: PA; content: "GET "; depth: 8; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"w00w00 backdoor probe";flags:PA; content:"w00w00";) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "IDS264 MISC DoS ath"; content:"+++ath"; nocase; itype: 8;) alert tcp any any -> any 21 (msg:"FTP - INFO - Anonymous FTP"; content:"anonymous"; nocase;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "IDS438 - INFO - Ping BayRS Router"; itype: 8; content: "|0102030405060708090a0b0c0d0e0f|"; depth: 32;) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS247 - MISC - Large UDP Packet"; dsize: >4000;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "IDS156 - INFO - Ping from Flowpoint2200 or Network Management Software"; itype: 8; content: "|0102030405060708090a0b0c0d0e0f10|"; depth: 32;) alert tcp any any -> any 32771 (msg: "IDS429 - Portmap listing 32771"; flags: AP; rpc: 100000,*,*;) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg: "IDS420 - SourceRoute-UDP-lssre"; ipopts: lsrre ;) alert udp 
$EXTERNAL_NET any -> $HOME_NET any (msg: "IDS418 - SourceRoute-UDP-lssr"; ipopts: lsrr ;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS117 - MISC-SourceRoute-ICMP-lssre";ipopts:lsrre;) alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg: "IDS396 - X-MITcookie"; flags: AP; content: "MIT-MAGIC-COOKIE-1";) alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg: "IDS395 - MISC - X-xopen"; flags: AP; content: "|6c00 0b00 0000 0000 0000 0000|";) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg: "IDS422 - SourceRoute-UDP-ssrr"; ipopts: ssrr ;) alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"IDS212 - MISC - DNS Zone Transfer"; content: "|FC|"; flags: AP; offset: 13;) alert tcp any any -> any 110 (msg:"INFO - BattleMail Traffic"; content:"BattleMail"; session:printable; logto:"Battlemail";) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Outbound GNUTella Connect accept"; content: "GNUTELLA OK"; nocase; depth: 40;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Inbound GNUTella Connect request"; content: "GNUTELLA CONNECT"; nocase; depth: 40;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Inbound GNUTella Connect accept"; content: "GNUTELLA OK"; nocase; depth: 40;) alert tcp any any -> any 25 (msg:"INFO - BattleMail Traffic"; content:"BattleMail"; session:printable; logto:"Battlemail";) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Outbound GNUTella Connect request"; content: "GNUTELLA CONNECT"; nocase; depth: 40;) alert tcp $EXTERNAL_NET any -> $HOME_NET 9001 (msg: "IDS302 - MISC - HP Printer display hack"; flags:PA; content: "@PJL RDYMSG DISPLAY = "; depth: 32;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "IDS300 - MISC - PCCS Mysql Database Admin Tool"; flags:PA; content: "pccsmysqladm/incs/dbconnect.inc"; nocase; depth: 36;) alert tcp any 5631 -> any any (msg:"MISC - Invalid PCAnywhere Login"; content:"Invalid login"; offset:5; depth:13;) alert udp $EXTERNAL_NET 53 -> $HOME_NET 0:52 (msg:"MISC-Source Port Traffic 0-52";) alert icmp 
$EXTERNAL_NET any -> $HOME_NET any (msg:"IDS118 - MISC-Traceroute ICMP";ttl:1;itype:8;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS3 - MISC-Traceroute TCP";ttl:1;) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS03 - MISC-Traceroute UDP";ttl:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "IDS421 - SourceRoute-TCP-lssre"; ipopts: lsrre ;) alert tcp $EXTERNAL_NET 20 -> $HOME_NET :1023 (msg:"IDS06 - MISC-Source Port Traffic 20 TCP"; flags:S; ) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS199 - CVE-1999-0265 - MISC-ICMPRedirectNet";itype:5;icode:0;) alert udp $EXTERNAL_NET 53 -> $HOME_NET 54:136 (msg:"MISC-Source Port Traffic 54-136";) alert tcp any any <> any 7777 (msg:"Napster 7777 Data"; flags:PA; content:".mp3"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 5631 (msg:"MISC-PCAnywhere Attempted Administrator Login";flags:PA; content:"ADMINISTRATOR";) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS116 - MISC-SourceRoute-ICMP-lssr";ipopts:lsrr;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC-IRDP-Router-Selection(l0phtattack)";itype:10;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS173 - MISC-IRDPRouterAdvertisement";itype:9;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS135 - CVE-1999-0265 - MISC-ICMPRedirectHost";itype:5;icode:1;) alert icmp $EXTERNAL_NET any -> $EXTERNAL_NET any (msg:"IDS238 - Traceroute IPOPTS"; ipopts: rr; itype: 0;) alert tcp $EXTERNAL_NET 6000:6005 -> $HOME_NET any (msg:"IDS126 - Outgoing Xterm"; flags: SA;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"MISC-Passwd-Attempt";flags:PA; content:"passwd";) alert udp $EXTERNAL_NET any -> $HOME_NET !520 (msg:"IDS115 - MISC-Traceroute-UDP";TTL:1;) alert udp $EXTERNAL_NET 53 -> $HOME_NET 138:1023 (msg:"MISC-Source Port Traffic 138-1023";) alert tcp $EXTERNAL_NET !53 -> $HOME_NET 8080 (msg:"MISC-WinGate-8080-Attempt";flags:S;) alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"MISC-Attempted Sun RPC high port access";) 
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS174 - MISC-IRDPRouterSelection";itype:10;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (ipopts: ssrr; msg: "IDS424 - Source routed packet";) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"VNC Active on Network"; flags:PA; content:"RFB 003.003";) alert tcp any any <> any 6699 (msg:"Napster Client Data"; flags:PA; content:".mp3"; nocase;) alert tcp any any <> any 6666 (msg:"Napster 6666 Data"; flags:PA; content:".mp3"; nocase;) alert tcp $EXTERNAL_NET !53 -> $HOME_NET 1080 (msg:"MISC-WinGate-1080-Attempt";flags:S;) alert tcp any any <> any 4444 (msg:"Napster 4444 Data"; flags:PA; content:".mp3"; nocase;) alert tcp any any <> any 8875 (msg:"Napster Server Login"; flags:PA; content:"anon@napster.com";) alert udp $EXTERNAL_NET any -> $HOME_NET any (ipopts: ssrr; msg: "Source routed packet";) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "IDS419 - SourceRoute-TCP-lssr"; ipopts: lsrr ;) alert tcp any any <> any 5555 (msg:"Napster 5555 Data"; flags:PA; content:".mp3"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (ipopts: lsrr; msg: "Source routed packet";) alert tcp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"IDS07 - MISC-Source Port Traffic 53 TCP"; flags:S;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (ipopts: lsrr; msg: "Source routed packet";) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS264 MISC DoS ath0"; content: "+++ath0"; nocase; itype: 8;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IDS260 - MISC Annex Terminal DOS"; flags:PA;dsize:>1446; content:"ping?query";) alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"IDS204 - NT NULL session"; flags:PA; content: "|00 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 20 00 4E 00 54 00 20 00 31 00 33 00 38 00 31|";) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS246 - MISC - Large ICMP Packet"; dsize: >800;) alert tcp $HOME_NET 7161 -> $EXTERNAL_NET any (msg:"IDS129 - CVE-1999-0430 - Cisco Catalyst Remote Access"; 
flags:SA;) alert udp $EXTERNAL_NET any -> $HOME_NET 5632 (msg:"IDS239 - MISC-PCAnywhere Startup"; content:"ST"; depth: 2;) alert tcp $HOME_NET 5632 -> $EXTERNAL_NET any (msg:"IDS240 - MISC-PCAnywhere Failed Login";flags:PA; content:"Invalid login"; depth: 16;) alert tcp $EXTERNAL_NET any -> $HOME_NET 1417 (msg:"IDS229 - Insecure TIMBUKTU Password"; content: "|05 00 3E|"; flags: AP; depth: 16;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "IDS423 - SourceRoute-TCP-ssrr"; ipopts: ssrr ;) # ------------------------- # NETBIOS # ------------------------- alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"Possible RFParalyze Attempt"; flags:PA; content:"BEAVIS"; content:"yep yep";) alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"NETBIOS-SNMP-NT-UserList"; content:"|2b 06 10 40 14 d1 02 19|";) alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"IDS334 - NETBIOS-SMB-IPC$access";flags:PA; content:"|5c00|I|00|P|00|C|00|$|000000|IPC|00|";) alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"IDS335 - NETBIOS-SMB-IPC$access";flags:PA; content:"\\IPC$|00 41 3a 00|";) alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"IDS336 - NETBIOS-SMB-D$access";flags:PA; content:"\\D$|00 41 3a 00|";) alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"IDS337 - NETBIOS-SMB-CD...";flags:PA; content:"\\...|00 00 00|";) alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"IDS338 - NETBIOS-SMB-CD..";flags:PA; content:"\\..|2f 00 00 00|";) alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg: "IDS339 - NETBIOS-SMB-C$access"; flags: AP; content: "|5c|C$|00 41 3a 00|";) alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"IDS340 - NETBIOS-SMB-ADMIN$access";flags:PA; content:"\\ADMIN$|00 41 3a 00|";) alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"IDS341 - NETBIOS-Samba-clientaccess";flags:PA; content:"|00|Unix|00|Samba";) # ------------------------- # RPC # ------------------------- alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"IDS10 - RPC - portmap-request-rstatd"; content: "|01 86 A0 00 
00|";) alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"IDS25 - RPC - portmap-request-selection_svc"; content:"|01 86 AF 00 00|";offset:40;depth:8;) alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"IDS19 - RPC - portmap-request-amountd"; content:"|01 87 03 00 00|";offset:40;depth:8;) alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"IDS16 - RPC - portmap-request-bootparam"; content:"|01 86 BA 00 00|";offset:40;depth:8;) alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"IDS17 - RPC - portmap-request-cmsd"; content:"|01 86 E4 00 00|";offset:40;depth:8;) alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"IDS13 - RPC - portmap-request-mountd"; content:"|01 86 A5 00 00|";offset:40;depth:8;) alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"IDS21 - RPC - portmap-request-nisd"; content:"|01 87 cc 00 00|";offset:40;depth:8;) alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"IDS22 - RPC - portmap-request-pcnfsd"; content:"|02 49 f1 00 00|";offset:40;depth:8;) alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"IDS23 - RPC - portmap-request-rexd";content:"|01 86 B1 00 00|";offset:40;depth:8;) alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"IDS18 - RPC - portmap-request-admind"; content:"|01 86 F7 00 00|";offset:40;depth:8;) alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"IDS20 - RPC - portmap-request-sadmind"; content:"|01 87 88 00 00|";offset:40;depth:8;) alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC Info Query"; content:"|00 01 86 A0 00 00 00 02 00 00 00 04|";) alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"IDS15 - RPC - portmap-request-status"; content:"|01 86 B8 00 00|";offset:40;depth:8;) alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"IDS24 - RPC - portmap-request-ttdbserv"; content:"|01 86 F3 00 00|";offset:40;depth:8;) alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"IDS14 - RPC - portmap-request-yppasswd"; content:"|01 86 A9 00 00|";offset:40;depth:8;) alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"IDS12 - RPC - 
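portmap-request-ypserv"; content:"|01 86 A4 00 00|";offset:40;depth:8;)
# RPC portmapper / RPC service probes. The portmap-request rules anchor the program number
# at offset 40 of the UDP payload (offset:40; depth:8); the rstatd and ttdbserv rules look
# directly at the RPC call on the service's high port.
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"IDS125 - RPC - portmap-request-ypupdated"; content:"|01 86 BC 00 00|";offset:40;depth:8;)
alert udp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"IDS09 - RPC-rstatd-query"; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|";offset:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 634:1400 (msg:"IDS217 - RPC AMD Overflow"; flags:PA; content: "|80 00 04 2C 4C 15 75 5B 00 00 00 00 00 00 00 02|";depth: 32; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"IDS241 - CVE-1999-0003 - RPC ttdbserv Solaris Kill"; flags: PA; content: "|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|";offset: 16; depth: 32;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"IDS242 - CVE-1999-0003 - RPC ttdbserv Solaris Overflow"; flags: PA; dsize: >999; content: "|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|";)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"IDS133 - RPC - portmap-request-rusers"; content:"|01 86 A2 00 00|";offset:40;depth:8;)
# -------------------------
# Scans/Probes
# -------------------------
# Scanner fingerprints keyed on fixed IP id / sequence / ack values.
alert tcp $HOME_NET 31337 -> $EXTERNAL_NET 80 (msg: "IDS459 - SCAN - Synscan Microsoft"; id: 39426; flags: SF;)
alert tcp $EXTERNAL_NET 80 -> $HOME_NET 1054 (msg: "IDS445 - SCAN - Looking for ACKcmdC Trojan"; seq: 101058054; ack: 101058054; flags: A;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "IDS443 - SCAN - TFN Probe"; id: 678; itype: 8; content: "1234";)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "IDS441 - SCAN - Synscan Portscan"; id: 39426; flags: SF;)
alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg: "IDS439 - Scan - myscan"; ttl: >220; ack: 0; flags: S;)
# ssh-research-scanner: the byte pattern was originally written between '/' characters,
# which Snort treats as literal text (only '|' delimits hex bytes), so the rule could only
# match the ASCII string "/00 00 00 60 .../" and never the intended bytes. Delimited with
# '|' like every other hex content in this file.
alert tcp any 22 -> any any (msg:"SCAN - Possible ssh-research-scanner"; flags: FPA; content:"|00 00 00 60 00 00 00 00 00 00 00 00 01 00 00 00|";)
alert tcp any 31790 -> any 31789 (msg:"IDS314 - SCAN - Trojan-probe-hack-a-tack"; content: "A"; depth: 1;)
alert udp 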
$EXTERNAL_NET any -> $HOME_NET 49 (msg: "IDS408 - XTACACS-logout"; content: "|8007 0000 0700 0004 0000 0000 00|";) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "IDS415 - WEB - Whisker Splicing Attack TAB"; dsize: <5; flags: AP; content: "|09|";) alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"IDS371 - SCAN-Cybercop-SMTPexpn";flags:PA; content:"expn cybercop";) alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"IDS372 - SCAN-Cybercop-SMTPehlo";flags:PA; content:"ehlo cybercop|0a|quit|0a|";) alert udp $EXTERNAL_NET any -> $HOME_NET 7 (msg:"IDS363 - SCAN-Cybercop-UDP-bomb"; content:"cybercop";) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IDS374 - SCAN-Cybercop-WEB";flags:PA; content:"get /cybercop";) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "IDS311 - SCAN - L3retriever Ping"; content: "ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; itype: 8; icode: 0; depth: 32;) alert udp $EXTERNAL_NET any -> $HOME_NET any (msg: "IDS308 - SCAN - Webtrends Scanner UDP Probe"; content: "|0A 68 65 6C 70 0A 71 75 69 74 0A|";) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "IDS307 - SCAN - Webtrends Scanner Ping"; content: "|00 00 00 00 45 45 45 45 45 45 45 45 45 45 45 45|"; itype: 8; icode: 0;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "IDS310 - SCAN - L3retriever HTTP Probe"; content: "User-Agent|3a| Java1.2.1|0d0a|"; flags: AP;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "IDS309 - SCAN - Webtrends HTTP Probe"; content: "User-Agent|3a| Webtrends Security Analyzer|0d0a|"; flags: AP;) alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg: "IDS303 - SCAN - ident Version Probe"; flags:PA; content: "VERSION|0A|"; depth: 16;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "IDS301 - SCAN -Nessus 404 Check"; flags: PA; content: "GET /nessus_is_probing_you_"; depth: 32;) alert udp $EXTERNAL_NET any -> $HOME_NET 10080:10081 (msg:"SCAN - Possible Amanda Client Version Query"; content:"Amanda"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "IDS296 - SCAN - 
Whisker Splicing Attack"; content: "|20|"; flags: AP; dsize: 1;) alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg: "IDS278 - SCAN -named Version probe"; content: "|07|version|04|bind|00 0010 0003|"; nocase; offset: 12; depth: 32;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS150 - SCAN-Cybercop OS Probe sfu12"; content: "AAAAAAAAAAAAAAAA"; flags: SFU12; ack: 0; depth: 16;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IDS145 - SCAN-Cybercop-OS-Probe sfp"; content: "AAAAAAAAAAAAAAAA"; flags: SFP; ack: 0; depth: 16;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IDS146 - SCAN-Cybercop OS Probe sf12"; flags: SF12; dsize: 0;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS27 - SCAN-FIN"; flags: F;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"IDS331 - SCAN-ISS-FTPcheck";flags:PA; content:"pass -iss@iss";) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS149 - SCAN-Cybercop OS Probe pa12"; content: "AAAAAAAAAAAAAAAA"; flags: AP12; depth: 16;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN-ICMP Sniffer Pro/NetXRay network scan"; content:"|43696e636f204e6574776f726b2c20496e632e|"; itype: 8; depth: 32;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS198 - SCAN-SYN FIN";flags:SF;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS29 - SCAN-Possible Queso Fingerprint attempt";flags:S12;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS05 - SCAN-Possible NMAP Fingerprint attempt";flags:SFPU;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS04 - SCAN-NULL Scan";flags:0; seq:0; ack:0;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS144 - SCAN-FullXMASScan";flags:SRAFPU;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN-Whisker!";flags:PA; content:"HEAD/./";) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"IDS329 - SCAN-SATAN-FTPcheck";flags:PA; content:"pass -satan";) alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"IDS132 - CVE-1999-0612 - Cybercop Finger Query"; content: "|0A 20 20 20 20 20|"; 
flags: AP; depth: 10;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"SCAN-pISS-FTPcheck";flags:PA; content:"pass -cklaus";) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth Mode 8- DBML Parser access attempt"; content:"/cfide\\administrator\\startstop.html"; nocase; flags: PA;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"IDS330 - SCAN-SAINT-FTPcheck";flags:PA; content:"pass -saint";) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth- Shopping cart access attempt"; content:"/quikstore.cfg"; nocase; flags: PA;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth- BigConf access attempt"; content:"/bigconf.cgi"; nocase; flags: PA;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (dsize: > 512; msg:"SCAN - Whisker Stealth Mode 4- HEAD"; content:"HEAD"; offset: 0; depth: 4; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (dsize: > 512; msg:"SCAN - Whisker Stealth Mode 4- head"; content:"|68 65 61 64|"; offset: 0; depth: 4;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 274 - SCAN - Whisker Stealth- Start Stop Web access attempt"; content:"/cfide/administrator/startstop.html"; nocase; flags: PA;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth- cfappman access attempt"; content:"/cfappman/index.cfm"; nocase; flags: PA;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth - Mall log order access attempt"; content:"/mall_log_files/order.log"; nocase; flags: PA;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CVE-1999-0149 - SCAN - Whisker Stealth Mode 8- wrap CGI access attempt"; content:"/cgi-bin\\wrap"; nocase; flags: PA;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth- Order log access attempt"; content:"/admin_files/order.log"; nocase; flags: PA;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth- WS_FTP.INI access attempt "; content:"/ws_ftp.ini"; nocase; flags: PA;) alert tcp 
$EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth Mode 8- Mall log order access attempt"; content:"/mall_log_files\\order.log"; nocase; flags: PA;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth Mode 8- Handler CGI access attempt"; content:"/cgi-bin\\handler"; nocase; flags: PA;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"IDS236 - SCAN-IP Eye SYN Scan"; flags: S; seq: 1958810375;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 162 - SCAN - Whisker Stealth- IIS search97 access attempt"; content:"/search97.vts"; nocase; flags: PA;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"IDS332 - SCAN-ADM-FTPcheck";flags:PA; content:"PASS ddd@|0a|";) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth Mode 8- cfappman access attempt"; content:"/cfappman\\index.cfm"; nocase; flags: PA;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth Mode 8- Start Stop Web access attempt"; content:"/cfide\\administrator\\startstop.html"; nocase; flags: PA;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth- mylog access attempt"; content:"/mylog.phtml"; nocase; flags: PA;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth- mlog access attempt"; content:"/mlog.phtml"; nocase; flags: PA;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CVE-1999-0039 - SCAN - Whisker Stealth Mode 8- Web Distribution access attempt"; content:"/cgi-bin\\webdist.cgi"; nocase; flags: PA;) alert tcp $EXTERNAL_NET any -> $HOME_NET 32771: (msg:"IDS26 - NFS Showmount"; flags:PA; content: "|00 01 86 A5 00 00 00 01 00 00 00 05 00 00 00 01|"; offset: 16; depth: 32;) alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"IDS277 - NAMED Iquery Probe"; content: "|0980 0000 0001 0000 0000|"; offset: 2; depth: 16;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth Mode 8- Order log access attempt"; content:"/admin_files\\order.log"; nocase; flags: PA;) # 
------------------------- # SMTP # ------------------------- alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"IDS31 - SMTP-expn-root";flags:PA; content:"expn root"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"IDS32 - SMTP-expn-decode";flags:PA; content:"expn decode"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"IDS120 - SMTP-exploit41";flags:PA; content:"rcpt to|3a207c| sed '1,/^$/d'|7c|"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"IDS119 - SMTP-exploit555";flags:PA; content:"mail from|3a20227c|"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"IDS122 - SMTP-exploit565";flags:PA; content:"MAIL FROM|3a207c|/usr/ucb/tail"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"IDS373 - SMTP-vrfy-decode";flags:PA; content:"vrfy decode"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"IDS121 - SMTP-exploit564";flags:PA; content:"rcpt to|3a| decode"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"IDS143 - CVE-1999-0208 - SMTP-MajordomoIFS";flags:PA; content:"eply-to|3a| a~.`/bin/";) alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"IDS266 - CAN-1999-0261 - SMTP Chameleon Overflow"; content: "HELP "; nocase; flags: PA; dsize: >500; depth: 5;) alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"IDS141 - CVE-1999-0204 - SMTP-exploit869c";flags:PA; content:"|0a|Croot|0d0a|Mprog";) alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"IDS123 - SMTP-exploit8610";flags:PA; content:"Croot|0d0a|Mprog, P=/bin/";) alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"IDS172 - CVE-1999-0095 - SMTP Exploit558"; flags: PA; content: "|7c 73 65 64 20 2d 65 20 27 31 2c 2f 5e 24 2f 27|";) alert tcp $HOME_NET 25 -> $EXTERNAL_NET any (msg:"IDS249 - SMTP Relaying Denied"; flags:AP; content: "5.7.1"; depth:70;) alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"IDS142 - CVE-1999-0204 - SMTP-exploit869d";flags:PA; content:"|0a|Croot|0a|Mprog";) alert tcp $EXTERNAL_NET 113 -> $HOME_NET 25 (msg:"IDS140 - CVE-1999-0204 - 
SMTP-exploit869b";flags:PA; content:"|0a|D/";) alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"IDS139 - CVE-1999-0204 - SMTP-exploit869a";flags:PA; content:"|0a|C|3a|daemon|0a|R";) alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"IDS124 - SMTP-exploit8610ha";flags:PA; content:"Croot|09090909090909|Mprog,P=/bin";) # ------------------------- # TELNET # ------------------------- alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"IDS369 - TELNET - resolv_host_conf";flags:PA; content:"resolv_host_conf";) alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"IDS370 - TELNET - Livingston-DoS";flags:PA; content:"|fff3 fff3 fff3 fff3 fff3|";) alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"IDS367 - TELNET - ld_library_path";flags:PA; content:"ld_library_path";) alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"IDS366 - TELNET - WinGate-Active"; content:"WinGate>"; flags:PA;) alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"IDS365 - TELNET - NotOnConsole"; flags:PA; content:"not on system console"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg: "IDS304 - TELNET - SGI telnetd format bug"; flags:PA; content: "_RLD"; content: "/bin/sh";) alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET - Attempted SU from wrong group"; content: "|74 6F 20 73 75 20 72 6F 6F 74 2E|";) alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"IDS127 - TELNET - Login Incorrect"; content:"Login incorrect"; flags:PA;) alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"IDS08 - TELNET - daemon-active";flags:PA; content:"|FF FD 18 FF FD 1F FF FD 23 FF FD 27 FF FD 24|";) # ------------------------- # Virus Related # ------------------------- alert tcp any 110 -> any any (msg:"MAILVIRUS - SnowWhite Trojan Incoming"; content:"Suddlently";) alert tcp any any -> any 25 (msg:"MAILVIRUS - SnowWhite Trojan Outgoing"; content:"Suddlently";) alert tcp $EXTERNAL_NET 110 -> $HOME_NET any (msg:"MAILVIRUS - Possible Incoming pif Worm"; content: ".pif"; nocase;) alert tcp $EXTERNAL_NET 110 -> $HOME_NET 
any (msg:"MAILVIRUS - Possible Incoming NAVIDAD Worm"; content: "NAVIDAD.EXE"; nocase;) alert tcp $EXTERNAL_NET 110 -> $HOME_NET any (msg:"MAILVIRUS - Possible Incoming MyRomeo Worm"; content: "myromeo.exe"; nocase;) alert tcp $EXTERNAL_NET 110 -> $HOME_NET any (msg:"MAILVIRUS - Possible Incoming MyRomeo Worm"; content: "myjuliet.chm"; nocase;) alert tcp $EXTERNAL_NET 110 -> $HOME_NET any (msg:"MAILVIRUS - Possible Incoming MyRomeo Worm"; content: "ble bla"; nocase;) alert tcp $EXTERNAL_NET 110 -> $HOME_NET any (msg:"MAILVIRUS - Possible Incoming MyRomeo Worm"; content: "I Love You";) alert tcp any 110 -> any any (msg:"MAILVIRUS - Possible Incoming MyRomeo Worm"; content: "Sorry... Hey you !";) alert tcp $EXTERNAL_NET 110 -> $HOME_NET any (msg:"MAILVIRUS - Possible Incoming MyRomeo Worm"; content: "my picture from shake-beer";) alert tcp $EXTERNAL_NET 110 -> $HOME_NET any (msg:"MAILVIRUS - Possible Incoming scr Worm"; content: ".scr"; nocase;) alert tcp $EXTERNAL_NET 110 -> $HOME_NET any (msg:"MAILVIRUS - Possible Incoming shs Worm"; content: ".shs"; nocase;) alert tcp any 110 -> any any (msg:"MAILVIRUS - LURHQ-01 - VIRUS - Possible Incoming QAZ Worm"; content: "|71 61 7a 77 73 78 2e 68 73 71|";) alert tcp any any -> any 139 (msg:"MAILVIRUS - LURHQ-02 - VIRUS - Possible QAZ Worm Infection"; flags:A; content: "|71 61 7a 77 73 78 2e 68 73 71|";) alert tcp any 110 -> any any (msg:"MAILVIRUS - Possible incoming Matrix worm"; content: "Software provide by [MATRiX]"; nocase; ) alert tcp any any -> any 25 (msg:"MAILVIRUS - Possible Outgoing Matrix Worm"; content: "Software provide by [MATRiX]"; nocase; ) alert tcp $EXTERNAL_NET 110 -> $HOME_NET any (msg:"MAILVIRUS - Possible Incoming MyRomeo Worm"; content: "Matrix has you...";) alert tcp $HOME_NET any -> any 25 (msg:"MAILVIRUS - Successful eurocalculator execution"; flags:PA; content: "funguscrack@hotmail.com"; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"MAILVIRUS - Possible Incoming eurocalculator.exe file"; 
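content: "filename="; content:"eurocalculator.exe"; nocase;)
alert tcp $HOME_NET any -> any 25 (msg:"MAILVIRUS - Possible Outgoing eurocalculator.exe file"; content: "filename="; content:"eurocalculator.exe"; nocase;)
# Pikachu: the SMTP rule watches mail submitted to port 25 (client -> server). The POP3
# rule was originally written "any any -> any 110", i.e. client -> POP3 server, which only
# carries POP3 commands; message bodies travel server -> client, so it could not see the
# attachment. Direction flipped to "any 110 -> any any", matching the other "Incoming"
# rules in this section.
alert tcp any any -> any 25 (msg:"MCAFEE ID 98696 - VIRUS - Possible Pikachu Pokemon Virus"; flags:PA; content:"Pikachu Pokemon";)
alert tcp any 110 -> any any (msg:"MCAFEE ID 98696 - VIRUS - Possible Pikachu Pokemon Virus"; flags:PA; content:"Pikachu Pokemon";)
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 10389 - Virus - Possible Incoming Triplesix Worm"; content: "filename=\"666TEST.VBS\""; nocase;)
# Tune.vbs: the closing quote of the attachment name was not backslash-escaped
# ("tune.vbs"" instead of "tune.vbs\""), unlike every sibling filename= rule; whether the
# 1.7 parser tolerates a bare '"' inside content is not established here, so it is escaped
# consistently with the rest of the file.
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 10497 - Virus - Possible Incoming Tune.vbs"; content: "filename=\"tune.vbs\""; nocase;)
# NAIL worm: four independent subject/attachment strings, given as hex so the match is
# case-sensitive and exact.
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 10109 - Virus - Possible Incoming NAIL Worm"; content:"|4D 61 72 6B 65 74 20 73 68 61 72 65 20 74 69 70 6F 66 66|";)
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 10109 - Virus - Possible Incoming NAIL Worm"; content: "|6E 61 6D 65 20 3D 22 57 57 49 49 49 21|";)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 10540 - MCAFEE ID 10475 - Virus - Possible Outgoing NewApt.Worm - boss.exe"; content: "filename=\"BOSS.EXE\""; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 10109 - Virus - Possible Incoming NAIL Worm"; content:"|4E 65 77 20 44 65 76 65 6C 6F 70 6D 65 6E 74 73|";)
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 10109 - Virus - Possible Incoming NAIL Worm"; content:"|47 6F 6F 64 20 54 69 6D 65 73|";)
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 10145 - Virus - Possible Incoming Papa Worm"; content:"filename=\"XPASS.XLS\""; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 10225 - Virus - Possible Incoming Freelink Worm"; content:"|4C 49 4E 4B 53 2E 56 42 53|";)
# Generic attachment names such as SETUP.EXE will also match legitimate mail.
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Simbiosis Worm"; content: "filename=\"SETUP.EXE\""; nocase;)
alert tcp any 110 -> $HOME_NET 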
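any (msg:"MCAFEE ID 10388 - Virus - Possible Incoming BADASS Worm"; content: "|6E 61 6D 65 20 3D 22 42 41 44 41 53 53 2E 45 58 45 22|";)
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 10471 - Virus - Possible Incoming ExploreZip.B Worm"; content: "|6E 61 6D 65 20 3D 22 46 69 6C 65 5F 7A 69 70 70 61 74 69 2E 65 78 65 22|";)
# Generic attachment names such as VIDEO.EXE will also match legitimate mail.
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Video Worm"; content: "filename=\"VIDEO.EXE\""; nocase;)
# KakWorm: the closing quote of the attachment name was not backslash-escaped
# ("KAK.HTA"" instead of "KAK.HTA\""), unlike the sibling filename= rules; escaped
# consistently with the rest of the file (parser tolerance of the bare '"' is not
# established here).
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 10509 - Virus - Possible Incoming wscript.KakWorm"; content: "filename=\"KAK.HTA\""; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 10361 - Virus - Virus - Possible Incoming Suppl Worm"; content:"filename=\"Suppl.doc\""; nocase;)
# NewApt.Worm attachment names, outgoing (home -> any SMTP server) and incoming (POP3
# server -> home); one rule per known attachment name.
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 10540 - Virus - Possible Outgoing NewApt.Worm - hog.exe"; content: "filename=\"HOG.EXE\""; nocase;)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 10540 - Virus - Possible Outgoing NewApt.Worm - theobbq.exe"; content: "filename=\"THEOBBQ.EXE\""; nocase;)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 10540 - MCAFEE ID 10476 - Virus - Possible Outgoing NewApt.Worm - copier.exe"; content: "filename=\"COPIER.EXE\""; nocase;)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 10540 - MCAFEE ID 10475 - Virus - Possible Outgoing NewApt.Worm - chestburst.exe"; content: "filename=\"CHESTBURST.EXE\""; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 10540 - Virus - Possible Incoming NewApt.Worm - theobbq.exe"; content: "filename=\"THEOBBQ.EXE\""; nocase;)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 10540 - Virus - Possible Outgoing NewApt.Worm - monica.exe"; content: "filename=\"MONICA.EXE\""; nocase;)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 10540 - Virus - Possible Outgoing NewApt.Worm - saddam.exe"; content: "filename=\"SADDAM.EXE\""; nocase;)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 10540 - Virus - Possible Outgoing NewApt.Worm - party.exe"; content: 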
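"filename=\"PARTY.EXE\""; nocase;)
# Four rules on this line (MONEY.DOC, Y2K.EXE, THE_FLY.CHM, DINHEIRO.DOC) originally left
# the closing quote of the attachment name unescaped ("NAME"" instead of "NAME\""), unlike
# the sibling filename= rules; each is now escaped consistently with the rest of the file
# (whether the 1.7 parser tolerated the bare '"' is not established here).
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 10502 - Virus - Possible Incoming Word Macro - VALE"; content: "filename=\"MONEY.DOC\""; nocase;)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 10540 - Virus - Possible Outgoing NewApt.Worm - panther.exe"; content: "filename=\"PANTHER.EXE\""; nocase;)
alert tcp $EXTERNAL_NET 110 -> $HOME_NET any (msg:"MCAFEE ID 98552 - Virus - Possible Incoming IROK Worm"; content:"filename=\"irok.exe\""; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 10355 - Virus - Possible Incoming Fix2001 Worm"; content:"filename=\"Fix2001.exe\""; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 10505 - Virus - Possible Incoming Y2K Zelu Trojan"; content: "filename=\"Y2K.EXE\""; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 10478 - Virus - Possible Incoming The_Fly Trojan"; content: "filename=\"THE_FLY.CHM\""; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 10502 - Virus - Possible Incoming Word Macro - VALE"; content: "filename=\"DINHEIRO.DOC\""; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 10467 - Virus - Possible Incoming Passion Worm"; content: "filename=\"ICQ_GREETINGS.EXE\""; nocase;)
# NewApt.Worm incoming attachment names (POP3 server -> home), one rule per name.
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 10540 - Virus - Possible Incoming NewApt.Worm - cooler3.exe"; content: "filename=\"COOLER3.EXE\""; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 10540 - Virus - Possible Incoming NewApt.Worm - party.exe"; content: "filename=\"PARTY.EXE\""; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 10540 - Virus - Possible Incoming NewApt.Worm - hog.exe"; content: "filename=\"HOG.EXE\""; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 10540 - Virus - Possible Incoming NewApt.Worm - goal1.exe"; content: "filename=\"GOAL1.EXE\""; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 10540 - Virus - Possible Incoming NewApt.Worm - pirate.exe"; content: "filename=\"PIRATE.EXE\""; 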
nocase;)
# --- Mail-borne virus / worm signatures (continued from above) ---
# "Incoming" rules inspect POP3 server replies (src port 110 -> $HOME_NET);
# "Outgoing" rules inspect SMTP submissions ($HOME_NET -> dst port 25).
# Every rule is a plain substring match on the TCP payload, usually on the
# MIME attachment filename. Most |hex| patterns decode to an ASCII
# 'name ="<file>"' fragment; unlike the ASCII filename= rules they carry no
# nocase and are therefore case-sensitive.
# Coverage note: mail arriving at $HOME_NET over SMTP (inbound dst 25) is not
# seen by the "Incoming" rules, which only watch POP3 retrieval.
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 10540 - Virus - Possible Incoming NewApt.Worm - video.exe"; content: "filename=\"VIDEO.EXE\""; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 10540 - Virus - Possible Incoming NewApt.Worm - baby.exe"; content: "filename=\"BABY.EXE\""; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 10540 - Virus - Possible Incoming NewApt.Worm - cooler1.exe"; content: "filename=\"COOLER1.EXE\""; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 10540 - MCAFEE ID 10475 - Virus - Possible Incoming NewApt.Worm - boss.exe"; content: "filename=\"BOSS.EXE\""; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 10540 - Virus - Possible Incoming NewApt.Worm - g-zilla.exe"; content: "filename=\"G-ZILLA.EXE\""; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 10276 - Virus - Possible Incoming ToadieE-mail Trojan"; content:"filename=\"Toadie.exe\""; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 10175 - Virus - Possible Incoming PrettyPark Trojan"; content:"\\CoolProgs\\";offset:300;depth:750;)
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 10144 - Virus - Possible Incoming Happy99 Virus"; content:"X-Spanska\:Yes";)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming CheckThis Trojan"; content:"|6E 61 6D 65 20 3D 22 6C 69 6E 6B 73 2E 76 62 73 22|";)
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 10418 - Virus - Possible Incoming Bubbleboy Worm"; content:"BubbleBoy is back!";)
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 10540 - MCAFEE ID 10476 - Virus - Possible Incoming NewApt.Worm - copier.exe"; content: "filename=\"COPIER.EXE\""; nocase;)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 10540 - Virus - Possible Outgoing NewApt.Worm - goal.exe"; content: "filename=\"GOAL.EXE\""; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 10456 - MCAFEE ID 10471 - MCAFEE ID 10467 - Virus - Possible Incoming MyPics Worm"; content: "|6E 61 6D 65 20 3D 22 70 69 63 73 34 79 6F 75 2E 65 78 65 22|";)
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 10461 - Virus - Possible Incoming Babylonia - X-MAS.exe"; content: "|6E 61 6D 65 20 3D 22 58 2D 4D 41 53 2E 45 58 45 22|";)
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 10540 - Virus - Possible Incoming NewApt.Worm - gadget.exe"; content: "filename=\"GADGET.EXE\""; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 10540 - Virus - Possible Incoming NewApt.Worm - irnglant.exe"; content: "filename=\"IRNGLANT.EXE\""; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 10540 - Virus - Possible Incoming NewApt.Worm - casper.exe"; content: "filename=\"CASPER.EXE\""; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 10540 - Virus - Possible Incoming NewApt.Worm - fborfw.exe"; content: "filename=\"FBORFW.EXE\""; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 10540 - Virus - Possible Incoming NewApt.Worm - saddam.exe"; content: "filename=\"SADDAM.EXE\""; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 10540 - Virus - Possible Incoming NewApt.Worm - bboy.exe"; content: "filename=\"BBOY.EXE\""; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 10540 - Virus - Possible Incoming NewApt.Worm - monica.exe"; content: "filename=\"MONICA.EXE\""; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 10540 - Virus - Possible Incoming NewApt.Worm - goal.exe"; content: "filename=\"GOAL.EXE\""; nocase;)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 10144 - Virus - Possible Outgoing Happy99 Virus"; content:"X-Spanska\:Yes";)
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 10540 - Virus - Possible Incoming NewApt.Worm - panther.exe"; content: "filename=\"PANTHER.EXE\""; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 10540 - MCAFEE ID 10475 - Virus - Possible Incoming NewApt.Worm - chestburst.exe"; content: "filename=\"CHESTBURST.EXE\""; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 10540 - Virus - Possible Incoming NewApt.Worm - farter.exe"; content: "filename=\"FARTER.EXE\""; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Common Sense Worm"; content: "|6E 61 6D 65 20 3D 22 54 48 45 5F 46 4C 59 2E 43 48 4D 22|";)
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 10540 - Virus - Possible Incoming NewApt.Worm - cupid2.exe"; content: "filename=\"CUPID2.EXE\""; nocase;)
# Generic attachment name; expect benign hits on any legitimate SETUP.EXE mail.
alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Simbiosis Worm"; content: "filename=\"SETUP.EXE\""; nocase;)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 10540 - Virus - Possible Outgoing NewApt.Worm - irnglant.exe"; content: "filename=\"IRNGLANT.EXE\""; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 98661 - Virus - Possible Incoming Resume Worm"; content: "filename=\"RESUME1.DOC\""; nocase;)
# The two .VBS rules below are not bound to $HOME_NET: any multipart mail with a
# .vbs attachment seen by the sensor, in either direction, raises an alert.
alert tcp any any -> any 25 (msg:"Possible MailVirus - Outgoing .VBS"; content:"multipart"; content:"name="; content:".vbs"; nocase;)
alert tcp any 110 -> any any (msg:"Possible MailVirus - Incoming .VBS"; content:"multipart"; content:"name="; content:".vbs"; nocase;)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 10456 - MCAFEE ID 10471 - MCAFEE ID 10467 - Virus - Possible Outgoing MyPics Worm"; content: "|6E 61 6D 65 20 3D 22 70 69 63 73 34 79 6F 75 2E 65 78 65 22|";)
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 98661 - Virus - Possible Incoming Resume Worm"; content: "filename=\"Explorer.doc\""; nocase;)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 10389 - Virus - Possible Outgoing Triplesix Worm"; content: "filename=\"666TEST.VBS\""; nocase;)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 98661 - Virus - Possible Outgoing Resume Worm"; content: "filename=\"Explorer.doc\""; nocase;)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 10388 - Virus - Possible Outgoing BADASS Worm"; content: "|6E 61 6D 65 20 3D 22 42 41 44 41 53 53 2E 45 58 45 22|";)
alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Suppl Worm"; content:"filename=\"Suppl.doc\""; nocase;)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 10471 - Virus - Possible Outgoing ExploreZip.B Worm"; content: "|6E 61 6D 65 20 3D 22 46 69 6C 65 5F 7A 69 70 70 61 74 69 2E 65 78 65 22|";)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 10467 - Virus - Possible Outgoing Passion Worm"; content: "filename=\"ICQ_GREETINGS.EXE\""; nocase;)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 10540 - Virus - Possible Outgoing NewApt.Worm - fborfw.exe"; content: "filename=\"FBORFW.EXE\""; nocase;)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 10540 - Virus - Possible Outgoing NewApt.Worm - bboy.exe"; content: "filename=\"BBOY.EXE\""; nocase;)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 10225 - Virus - Possible Outgoing Freelink Worm"; content:"|4C 49 4E 4B 53 2E 56 42 53|";)
# Double-extension rules (.txt.vbs, .xls.vbs, ...): "filename=" and the
# extension are matched independently anywhere in the packet, not as one token.
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Worm - txt.vbs file"; content: "filename="; content:".txt.vbs"; nocase;)
alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Worm - xls.vbs file"; content: "filename="; content:".xls.vbs"; nocase;)
alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Worm - jpg.vbs file"; content: "filename="; content:".jpg.vbs"; nocase;)
alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Worm - doc.vbs file"; content: "filename="; content:".doc.vbs"; nocase;)
alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Worm - txt.vbs file"; content: "filename="; content:".txt.vbs"; nocase;)
alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Worm - gif.vbs file"; content: "filename="; content:".gif.vbs"; nocase;)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 98661 - Virus - Possible Outgoing Resume Worm"; content: "filename=\"RESUME1.DOC\""; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Worm - xls.vbs file"; content: "filename="; content:".xls.vbs"; nocase;)
alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Video Worm"; content: "filename=\"VIDEO.EXE\""; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Worm - jpg.vbs file"; content: "filename="; content:".jpg.vbs"; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Worm - gif.vbs file"; content: "filename="; content:".gif.vbs"; nocase;)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 98674 - Virus - Possible Outgoing Timofonica Worm"; content: "filename=\"TIMOFONICA.TXT.vbs\""; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 98674 - Virus - Possible Incoming Timofonica Worm"; content: "filename=\"TIMOFONICA.TXT.vbs\""; nocase;)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 98661 - Virus - Possible Outgoing Resume Worm"; content: "filename=\"NORMAL.DOT\""; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 98661 - Virus - Possible Incoming Resume Worm"; content: "filename=\"NORMAL.DOT\""; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Worm - doc.vbs file"; content: "filename="; content:".doc.vbs"; nocase;)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 10540 - Virus - Possible Outgoing NewApt.Worm - g-zilla.exe"; content: "filename=\"G-ZILLA.EXE\""; nocase;)
alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Common Sense Worm"; content: "|6E 61 6D 65 20 3D 22 54 48 45 5F 46 4C 59 2E 43 48 4D 22|";)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 10418 - Virus - Possible Outgoing Bubbleboy Worm"; content:"BubbleBoy is back!";)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 98552 - Virus - Possible Outgoing IROK Worm"; content:"filename=\"irok.exe\""; nocase;)
alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing CheckThis Trojan"; content:"|6E 61 6D 65 20 3D 22 6C 69 6E 6B 73 2E 76 62 73 22|";)
# NOTE(review): the incoming PrettyPark rule above writes the pattern as
# "\\CoolProgs\\" (escaped backslashes); here they are unescaped, so the
# trailing \" is likely read as an escaped quote by the rule parser. Confirm
# against the original ruleset before relying on this rule.
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 10175 - Virus - Possible Outgoing PrettyPark Trojan"; content:"\CoolProgs\";offset:300;depth:750;)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 10540 - Virus - Possible Outgoing NewApt.Worm - pirate.exe"; content: "filename=\"PIRATE.EXE\""; nocase;)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 10276 - Virus - Possible Outgoing ToadieE-mail Trojan"; content:"filename=\"Toadie.exe\""; nocase;)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 10505 - Virus - Possible Outgoing Y2K Zelu Trojan"; content: "filename=\"Y2K.EXE\""; nocase;)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 10540 - Virus - Possible Outgoing NewApt.Worm - cooler3.exe"; content: "filename=\"COOLER3.EXE\""; nocase;)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 10540 - Virus - Possible Outgoing NewApt.Worm - cooler1.exe"; content: "filename=\"COOLER1.EXE\""; nocase;)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 10540 - Virus - Possible Outgoing NewApt.Worm - video.exe"; content: "filename=\"VIDEO.EXE\""; nocase;)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 10540 - Virus - Possible Outgoing NewApt.Worm - goal1.exe"; content: "filename=\"GOAL1.EXE\""; nocase;)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 10540 - Virus - Possible Outgoing NewApt.Worm - farter.exe"; content: "filename=\"FARTER.EXE\""; nocase;)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 10540 - Virus - Possible Outgoing NewApt.Worm - baby.exe"; content: "filename=\"BABY.EXE\""; nocase;)
alert tcp any 110 -> $HOME_NET any (msg:"MCAFEE ID 10450 - Virus - Possbile Incoming Zipped Files Trojan"; content:"|6E 61 6D 65 20 3D 22 5A 69 70 70 65 64 5F 46 69 6C 65 73 2E 45 58 45 22|";)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 10355 - Virus - Possible Outgoing Fix2001 Worm"; content:"filename=\"Fix2001.exe\""; nocase;)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 10461 - Virus - Possible Outgoing Babylonia - X-MAS.exe"; content: "|6E 61 6D 65 20 3D 22 58 2D 4D 41 53 2E 45 58 45 22|";)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 10145 - Virus - Possible Outgoing Papa Worm"; content:"filename=\"XPASS.XLS\""; nocase;)
# NAIL rules match subject/body phrases ("Good Times", "New Developments",
# "Market share tipoff") rather than an attachment name; plain-English hits
# are possible.
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 10109 - Virus - Possible Outgoing NAIL Worm"; content:"|47 6F 6F 64 20 54 69 6D 65 73|";)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 10109 - Virus - Possible Outgoing NAIL Worm"; content:"|4E 65 77 20 44 65 76 65 6C 6F 70 6D 65 6E 74 73|";)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 10109 - Virus - Possible Outgoing NAIL Worm"; content: "|6E 61 6D 65 20 3D 22 57 57 49 49 49 21|";)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 10450 - Virus - Possbile Outgoing Zipped Files Trojan"; content:"|6E 61 6D 65 20 3D 22 5A 69 70 70 65 64 5F 46 69 6C 65 73 2E 45 58 45 22|";)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 10540 - Virus - Possible Outgoing NewApt.Worm - casper.exe"; content: "filename=\"CASPER.EXE\""; nocase;)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 10540 - Virus - Possible Outgoing NewApt.Worm - gadget.exe"; content: "filename=\"GADGET.EXE\""; nocase;)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 10478 - Virus - Possible Outgoing The_Fly Trojan"; content: "filename=\"THE_FLY.CHM\""; nocase;)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 10502 - Virus - Possible Outgoing Word Macro - VALE"; content: "filename=\"DINHEIRO.DOC\""; nocase;)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 10502 - Virus - Possible Outgoing Word Macro - VALE"; content: "filename=\"MONEY.DOC\""; nocase;)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 10509 - Virus - Possible Outgoing wscript.KakWorm"; content: "filename=\"KAK.\""; nocase;)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 10497 - Virus - Possible Outgoing Tune.vbs"; content: "filename=\"tune.vbs\""; nocase;)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 10540 - Virus - Possible Outgoing NewApt.Worm - cupid2.exe"; content: "filename=\"CUPID2.EXE\""; nocase;)
alert tcp $HOME_NET any -> any 25 (msg:"MCAFEE ID 10109 - Virus - Possible Outgoing NAIL Worm"; content:"|4D 61 72 6B 65 74 20 73 68 61 72 65 20 74 69 70 6F 66 66|";)
# -------------------------
# WEB-CGI
# -------------------------
# Apart from IDS276 (which watches the server's reply), every rule below is a
# request-direction ($EXTERNAL_NET -> $HOME_NET 80) substring match on the raw
# payload with no URI anchoring. Very short patterns such as "/bash", "/ksh",
# "/rsh", "/rksh", "tcsh", "///", "/redirect" and "/edit.pl" will also match
# ordinary page content and form data, so expect to tune them per site.
# flags:PA (and the equivalent flags:AP) require PSH+ACK on the packet; a
# request carried in a segment without PSH is not examined by these rules.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "IDS462 - WEB-CGI - yabb"; flags: PA; content: "YaBB.pl"; content: "../";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "IDS469 - WEB-CGI Websendmail"; flags: PA; content: "/websendmail"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "IDS472 - WEB-CGI Webgais"; flags: PA; content: "/webgais"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "IDS471 - WEB-CGI Webplus Directory Trasversal"; flags: PA; content: "/webplus?script"; nocase; content: "../";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "IDS470 - WEB-CGI Webplus Version Query"; flags: PA; content: "/webplus?about "; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "IDS464 - WEB-CGI Wrap"; flags: PA; content: "/cgi-bin/wrap?"; content: "../";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "IDS468 - WEB-CGI Websitepro-path"; flags: PA; content: " /HTTP/1."; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "IDS467 - WEB-CGI Webspeed"; flags: PA; content: "wsisa.dll/WService="; nocase; content: "WSMadmin"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "IDS466 - WEB-CGI Whoisraw"; flags: PA; content: "whois_raw.cgi?"; content: "|0a|";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "IDS465 - WEB-CGI Windmail"; flags: PA; content: "windmail.exe?"; nocase; content: "-n";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "IDS463 - WEB-CGI WWWboard-passwd"; flags: PA; content: "/wwwboard/passwd.txt"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "IDS473 - WEB-CGI Webdriver"; flags: PA; content: "/webdriver"; nocase;)
# IDS413/IDS412: same signature with and without PSH; dsize: >1000 limits
# both to oversized requests.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "IDS413 - Web cgi imagemap overflow psh"; dsize: >1000; flags: AP; content: "imagemap.exe?"; depth: 32; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "IDS412 - Web cgi imagemap overflow"; dsize: >1000; flags: A; content: "imagemap.exe?"; depth: 32; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "IDS290 - WEB-CGI - infosearch fname"; flags:PA; content: "fname=|";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CVE-2000-0670 - BUGTRAQ ID 1469 - WEB-CGI - cvsweb.cgi attempt"; flags:PA; content:"cvsweb.cgi"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI-NPH-publish CGI access attempt";flags:PA; content:"nph-publish"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Glimpse CGI access attempt";flags:PA; content:"/glimpse"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IDS228 - CVE-1999-0237 - Guestbook CGI access attempt";flags:PA; content:"/cgi-bin/guestbook.cgi"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IDS235 - CVE-1999-0148 - CGI-HANDLERprobe!"; flags:PA; content:"/handler"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CVE-1999-0264 - WEB-CGI-Htmlscript CGI access attempt";flags:PA; content:"/htmlscript"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CVE-1999-0266 - WEB-CGI-Info2 www CGI access attempt";flags:PA; content:"/info2www"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Maillist CGI access attempt";flags:PA; content:"/maillist.pl"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IDS224 - CVE-1999-0045 - NPH CGI access attempt";flags:PA; content:"nph-test-cgi"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CVE-1999-0039 - WEB-CGI-Webdist CGI access attempt";flags:PA; content:"webdist.cgi"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Perlshop CGI access attempt";flags:PA; content:"/perlshop.cgi"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IDS232 - WEB-CGI-PHP CGI access attempt";flags:PA; content:"php.cgi?/"; offset: 5; depth: 32; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CAN-1999-0467 - WEB-CGI-Rguest CGI access attempt";flags:PA; content:"/rguest.exe"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI-rwwwshell CGI access attempt";flags:PA; content:"rwwwshell.pl"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IDS218 - CVE-1999-0070 - TEST-CGI probe"; flags:PA; content:"test-cgi"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IDS221 - CVE-1999-0612 - Finger CGI access attempt";flags:PA; content:"cgi-bin/finger"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CVE-1999-0177 - WEB-CGI-Upload CGI access attempt";flags:PA; content:"uploader.exe"; nocase;)
# Matches one exact traversal depth; a different number of ../ segments or an
# encoded form is not covered by this rule.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CVE-1999-0174 - WEB-CGI-CGI view-source access attempt";flags:PA; content:"/view-source?../../../../../../../etc/passwd"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Textcounter CGI access attempt";flags:PA; content:"textcounter.pl"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1179 - WEB-CGI-redirect";flags:PA; content:"/redirect"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CVE-1999-0147 - WEB-CGI-Aglimpse CGI access attempt";flags:PA; content:"/aglimpse"; nocase;)
# NOTE(review): content is "/AnForm2" while the WEB-CGI-AnyForm2 rule further
# down matches "/AnyForm2"; confirm which spelling IDS225 intends.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IDS225 - CVE-1999-0066 - CGI-AnyForm access attempt";flags:PA; content:"/AnForm2"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Args CGI access attempt";flags:PA; content:"/args.bat"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI-AT-admin CGI access attempt";flags:PA; content:"/AT-admin.cgi"; nocase;)
# msg reads "CVS-1999-0937"; presumably CVE-1999-0937 (message text left as-is).
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CVS-1999-0937 - WEB-CGI-Bnbform CGI access attempt";flags:PA; content:"/bnbform.cgi"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CVE-1999-0146 - WEB-CGI-Campas CGI access attempt";flags:PA; content:"/campas"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI-CGI Man access attempt";flags:PA; content:"/man.sh"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "CVE-1999-0149 - IDS234 - WEB CGI Wrap"; flags:PA; content: "wrap?/";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CVE-1999-0270 - WEB-CGI-CGI pf display access attempt";flags:PA; content:"/pfdisplay.cgi"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Files CGI access attempt";flags:PA; content:"/files.pl"; nocase;)
# Both spellings appear deliberate: CVE-1999-0270 refers to the IRIX sample
# script by the misspelled name pfdispaly.cgi, and scanners probe both.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CVE-1999-0270 - WEB-CGI-Cgichk Pf display access attempt";flags:PA; content:"/pfdispaly.cgi"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CVE-1999-0176 - WEB-CGI-Webgais CGI access attempt";flags:PA; content:"webgais"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CVE-1999-0934 - WEB-CGI-Classifieds CGI access attempt";flags:PA; content:"cgi-bin/classifieds.cgi"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Edit CGI access attempt";flags:PA; content:"/edit.pl"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Environ CGI access attempt";flags:PA; content:"/environ.cgi"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CVE-1999-0262 - WEB-CGI-Faxsurvey probe"; flags:PA; content:"/faxsurvey"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Filemail CGI access attempt";flags:PA; content:"/filemail.pl"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IDS219 - WEB-CGI-Perl access attempt";flags:PA; content:"perl.exe"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IDS220 - WEB-CGI-snork.bat";flags:PA; content:"snork.bat"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CAN-1999-0509 - WEB-CGI-bash shell";flags:PA; content:"/bash"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CAN-1999-0509 - WEB-CGI-csh shell";flags:PA; content:"cgi-bin/csh"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI-day5datacopier.cgi";flags:PA; content:"/day5datacopier.cgi"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI-day5datanotifier.cgi";flags:PA; content:"/day5datanotifier.cgi"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CAN-1999-0509 - WEB-CGI-ksh shell";flags:PA; content:"/ksh"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI-post-query";flags:PA; content:"/post-query"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI-flexform";flags:PA; content:"/flexform"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CAN-1999-0509 - WEB-CGI-rsh";flags:PA; content:"/rsh"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 142 - WEB-CGI-bb-hist.sh";flags:PA; content:"/bb-hist.sh"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI-snorkerz.cmd";flags:PA; content:"snorkerz.cmd"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CVE-1999-0936 - WEB-CGI-survey";flags:PA; content:"survey.cgi"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CAN-1999-0509 - WEB-CGI-tsch shell";flags:PA; content:"tcsh"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CVE-1999-0236 - IDS227 - Web-CGI-Scriptalias"; flags: PA; content: "///";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CVE-1999-0276 - IDS211 - Web-CGI-w3-msql-solx86"; flags: PA; content: "//bin//shA-cA//usr//openwin"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IDS231 - CVE-1999-0178 - CGI-win-c-sample"; flags: PA; content: "win-c-sample.exe"; nocase;)
# Response-direction rule: fires on the server's reply, i.e. after the fact.
alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"IDS276 - Bugzilla 2.8 Exploit"; flags:PA; content: "blaat@blaat.com"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CAN-1999-0509 - WEB-CGI-rksh";flags:PA; content:"/rksh"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI-wais";flags:PA; content:"wais.pl";nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CAN-1999-0467 - WEB-CGI-Wguest CGI access attempt";flags:PA; content:"wguest.exe"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI-WWW-SQL CGI access attempt";flags:PA; content:"www-sql"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI-LWGate Attempt";flags:PA; content:"/LWGate"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI-archie";flags:PA; content:"/archie"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI-calendar";flags:PA; content:"cgi-bin/calendar"; nocase;)
# flags:PA and flags:AP name the same flag set; the second occurrence is redundant.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IDS128 - CVE-1999-0067 - CGI phf attempt";flags:PA; content:"/phf";flags:AP; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IDS226 - CVE-1999-0172 - CGI-formmail";flags:PA; content:"/formmail"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CAN-1999-1970 - BUGTRAQ ID 1808 - WEB-CGI-visadmin.exe";flags:PA; content:"visadmin.exe"; nocase;)
# msg says w2tvars but the pattern is w3tvars.pm; the pattern is what matches.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI-w2tvars";flags:PA; content:"w3tvars.pm"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI-dumpenv.pl";flags:PA; content:"/dumpenv.pl"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI-wwwadmin";flags:PA; content:"wwwadmin.pl"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 491 - WEB-CGI-ppdscgi";flags:PA; content:"/ppdscgi.exe"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI-sendform.cgi";flags:PA; content:"sendform.cgi"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI-upload.pl";flags:PA; content:"upload.pl"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI-AnyForm2";flags:PA; content:"/AnyForm2"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI-MachineInfo";flags:PA; content:"/MachineInfo"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CVE-1999-0196 - WEB-CGI-Websendmail CGI access attempt";flags:PA; content:"websendmail"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CVE-1999-0276 - IDS210 - WEB-CGI-w3-msql";flags:PA; content:"w3-msql"; nocase;)
# -------------------------
# WEB-COLDFUSION
# -------------------------
# Sample-application and undocumented-admin-function probes (BUGTRAQ ID 550
# family). Most patterns are full paths or CFUSION_*/CF_* function names and
# are fairly specific; "application.cfm" alone (IDS268) is the broad one.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"ColdFusion cfcache.map";flags:PA; content:"cfcache.map"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 550/1021 - IDS269 - CAN-2000-0189 - Coldfusion onrequestend.cfm"; flags: PA; content: "onrequestend.cfm"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1021 ColdFusion application.cfm";flags:PA; content:"cfdocs/exampleapp/email/application.cfm"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1021 ColdFusion application.cfm";flags:PA; content:"cfdocs/exampleapp/publish/admin/application.cfm"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 229 ColdFusion getfile vulnerability";flags:PA; content:"cfdocs/exampleapp/email/getfile.cfm"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 274 ColdFusion server start/stop DoS";flags:PA; content:"cfide/Administrator/startstop.html"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"ColdFusion addcontent.cfm probe";flags:PA; content:"cfdocs/exampleapp/publish/admin/addcontent.cfm"; nocase;)
# Informational: any external request for the admin console, no flags check.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Connection to Cold Fusion Admin"; content:"/cfide/administrator/index.cfm"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 550 - ColdFusion-datasourcepassword";flags:PA; content:"CF_SETDATASOURCEPASSWORD()"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 550 - ColdFusion-fileexists";flags:PA; content:"cfdocs/snippets/fileexists.cfm"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 550 - CVE-1999-0455 - ColdFusion-exprcalc";flags:PA; content:"cfdocs/expeval/exprcalc.cfm"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 550 - ColdFusion-Example-parks";flags:PA; content:"cfdocs/examples/parks/detail.cfm"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 550 - ColdFusion-Example-cfappman";flags:PA; content:"/cfappman/index.cfm"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 550 - ColdFusion-Example-beaninfo";flags:PA; content:"cfdocs/examples/cvbeans/beaninfo.cfm"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 550 - ColdFusion-evaluate";flags:PA; content:"cfdocs/snippets/evaluate.cfm"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 550 - ColdFusion-display";flags:PA; content:"cfdocs/expeval/displayopenedfile.cfm"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 550 - ColdFusion-get datasourceusername";flags:PA; content:"CF_GETDATASOURCEUSERNAME()"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 550 - ColdFusion-datasourceusername";flags:PA; content:"CF_SETDATASOURCEUSERNAME()"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 550 - IDS250 - CAN-1999-0477 - ColdFusion-openfile";flags:PA; content:"cfdocs/expeval/openfile.cfm"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 550 - ColdFusion-datasource";flags:PA; content:"CF_ISCOLDFUSIONDATASOURCE()"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 550 - ColdFusion-admin-encrypt";flags:PA; content:"CFUSION_ENCRYPT()"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 550 - ColdFusion-db connections flush";flags:PA; content:"CFUSION_DBCONNECTIONS_FLUSH()"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 550 - ColdFusion-get odbc dsn";flags:PA; content:"CFUSION_GETODBCDSN()"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 550 - ColdFusion-get odbc ini";flags:PA; content:"CFUSION_GETODBCINI()"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 550 - ColdFusion-admin-decrypt";flags:PA; content:"CFUSION_DECRYPT()"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 550 - ColdFusion-mainframeset";flags:PA; content:"cfdocs/examples/mainframeset.cfm"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 550 - ColdFusion-sendmail";flags:PA; content:"cfdocs/expeval/sendmail.cfm"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 550 - ColdFusion-set odbc ini";flags:PA; content:"CFUSION_SETODBCINI()"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 550 - ColdFusion-settings refresh";flags:PA; content:"CFUSION_SETTINGS_REFRESH()"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 550 - ColdFusion-sourcewindow";flags:PA; content:"cfdocs/exampleapp/docs/sourcewindow.cfm"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 550 - ColdFusion-verify mail";flags:PA; content:"CFUSION_VERIFYMAIL()"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 550 - ColdFusion-viewexample";flags:PA; content:"cfdocs/snippets/viewexample.cfm"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 550 - WEB-COLDFUSION-cfmlsyntaxcheck";flags:PA; content:"cfdocs/cfmlsyntaxcheck.cfm"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "BUGTRAQ ID 550 - IDS268 - CAN-2000-0189 - Coldfusion application.cfm"; flags: PA; content: "application.cfm"; nocase;)
# Duplicate of the IDS269 onrequestend.cfm rule at the top of this section;
# both copies fire on the same request.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 550 - IDS269 - CAN-2000-0189 - Coldfusion onrequestend.cfm"; flags: PA; content: "onrequestend.cfm"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 550 - ColdFusion-gettempdirectory";flags:PA; content:"cfdocs/snippets/gettempdirectory.cfm"; nocase;)
# -------------------------
# WEB-FRONTPAGE
# -------------------------
# Requests for FrontPage extension binaries, _vti_pvt configuration files and
# _private form-result files. Bare names without a path (authors.pwd,
# users.pwd, service.pwd, admin.pl) also match unrelated URLs or POST bodies.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"FrontPage-_vti_rpc";flags:PA; content:"_vti_rpc"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"FrontPage-fpcount.exe";flags:PA; content:"fpcount.exe"; nocase;)
# Informational, not bound to $HOME_NET: every author.dll POST seen by the sensor.
alert tcp any any -> any 80 (msg:"WEB-FRONTPAGE - (info) FrontPage Posting"; flags: PA; content:"POST"; content:"author.dll"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "IDS292 - WEB FRONTPAGE - Frontpage-shtml.dll"; content: "_vti_bin/shtml.dll"; nocase; flags: AP;)
# NOTE(review): the pattern "cfgqiz.exe" does not match the file named in the
# msg (cfgwiz.exe); as written this rule cannot fire on that path. Verify the
# intended filename.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"FrontPage-cfgwiz.exe";flags:PA; content:"cfgqiz.exe"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"FrontPage-orders.htm";flags:PA; content:"_private/orders.htm"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"FrontPage-fpsrvadm.exe";flags:PA; content:"fpsrvadm.exe"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"FrontPage-fpremadm.exe";flags:PA; content:"fpremadm.exe"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"FrontPage-fpadmin.htm";flags:PA; content:"admisapi/fpadmin.htm"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"FrontPage-Fpadmcgi.exe";flags:PA; content:"scripts/Fpadmcgi.exe"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"FrontPage-form_results.htm";flags:PA; content:"_private/form_results.htm"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"FrontPage-orders.txt";flags:PA; content:"_private/orders.txt"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"FrontPage-contents.htm";flags:PA; content:"admcgi/contents.htm"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"FrontPage-registrations.htm";flags:PA; content:"_private/registrations.htm"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"FrontPage-authors.pwd";flags:PA; content:"authors.pwd"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"FrontPage-author.exe";flags:PA; content:"_vti_bin/_vti_aut/author.exe"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1205 - FrontPage-administrators.pwd";flags:PA; content:"administrators.pwd"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"FrontPage-admin.pl";flags:PA; content:"admin.pl"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"FrontPage-form_results";flags:PA; content:"_private/form_results.txt"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"FrontPage-access.cnf";flags:PA; content:"_vti_pvt/access.cnf"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"FrontPage-register.txt";flags:PA; content:"_private/register.txt"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"FrontPage-registrations.txt";flags:PA; content:"_private/registrations.txt"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"FrontPage-service.cnf";flags:PA; content:"_vti_pvt/service.cnf"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1205 - FrontPage-service.pwd";flags:PA; content:"service.pwd"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"FrontPage-service.stp";flags:PA; content:"_vti_pvt/service.stp"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"FrontPage-services.cnf";flags:PA; content:"_vti_pvt/services.cnf"; nocase;)
# Same pattern as IDS292 above; both rules alert on one request.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"FrontPage-shtml.dll";flags:PA; content:"_vti_bin/shtml.dll"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CAN-2000-0413 - CAN-2000-0709 - BUGTRAQ ID 1608 - BUGTRAQ ID 1174 - FrontPage-shtml.exe";flags:PA; content:"_vti_bin/shtml.exe"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"FrontPage-svcacl.cnf";flags:PA; content:"_vti_pvt/svcacl.cnf"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"FrontPage-users.pwd";flags:PA; content:"users.pwd"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"FrontPage-writeto.cnf";flags:PA; content:"_vti_pvt/writeto.cnf"; nocase;)
# |2e 2e 2e 2e 2f| is "..../"; nocase has no effect on a purely non-alphabetic pattern.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IDS248 - Web-Frontpage fourdots request"; flags: PA; content: "|2e 2e 2e 2e 2f|"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CVE-2000-0260 - IDS271 - WEB-FrontPage - dvwssr request"; flags: PA; content: "dvwssr.dll"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"FrontPage-register.htm";flags:PA; content:"_private/register.htm"; nocase;)
# -------------------------
# WEB-IIS
# -------------------------
# Sample-site source viewers, ISM/iisadmpwd administration scripts and
# command-injection markers. The "IIS Showcode" rules use any source address
# rather than $EXTERNAL_NET, so internal requests alert too.
alert tcp any any -> $HOME_NET 80 (msg:"IIS Showcode access attempt"; content:"//Sites/Samples/Knowledge/Push/ViewCode.asp"; flags: PA; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 193 IIS-srch.asp";flags:PA; content:"/issamples/query.asp"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 256 IIS-_Site Server Config";flags:PA; content:"adsamples/config/site.csc"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 529 IIS-msadc/msadcs.dll";flags:PA; content:"msadc/msadcs.dll"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 286 CVE-1999-0874 IIS/JET VBA probe";flags:PA; content:"/scripts/samples/details.idc"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 286 CVE-1999-0874 IIS/JET VBA probe";flags:PA; content:"/scripts/samples/ctguestb.idc"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 2110 IIS-achg.htr Attempt";flags:PA; content:"iisadmpwd/achg.htr"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 2126 IIS-carbo.dll";flags:PA; content:"carbo.dll"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 286 CVE-1999-0874 IIS/JET VBA probe";flags:PA; content:"/advworks/equipment/catalog_type.asp"; nocase;)
alert tcp any any -> $HOME_NET 80 (msg:"IIS Codebrowser access attempt"; flags:PA; content:"/selector/showcode.asp"; nocase;)
alert tcp any any -> $HOME_NET 80 (msg:"IIS Showcode access attempt"; content:"//Sites/Knowledge/Membership/Inspired/ViewCode.asp"; flags: PA; nocase;)
alert tcp any any -> $HOME_NET 80 (msg:"IIS Showcode access attempt"; content:"//Sites/Knowledge/Membership/Inspiredtutorial/ViewCode.asp"; flags: PA; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1818 CVE-1999-0191 - IIS-newdsn";flags:PA; content:"scripts/tools/newdsn.exe"; nocase;)
alert tcp any any -> $HOME_NET 80 (msg:"IIS Showcode access attempt"; content:"//Sites/Samples/Knowledge/Membership/Inspiredtutorial/ViewCode.asp"; flags: PA; nocase;)
alert tcp any any -> $HOME_NET 80 (msg:"IIS Showcode access attempt"; content:"//Sites/Samples/Knowledge/Search/ViewCode.asp"; flags: PA; nocase;)
alert tcp any any -> $HOME_NET 80 (msg:"IIS Showcode access attempt"; content:"//SiteServer/Publishing/viewcode.asp"; flags: PA; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Attempt at II5 directory display"; content:"ServerVariables_Jscript.asp"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Attempt at II5 cross-site scripting"; content:"Form_JScript.asp"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 189 - IIS-admin-dll";flags:PA; content:"scripts/iisadmin/ism.dll?http/dir"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 189 - IIS-admin-dll-serv";flags:PA; content:"scripts/iisadmin/ism.dll?http/serv"; nocase;)
# Superset of the two ism.dll rules above: any request for ism.dll raises
# this alert in addition to the more specific one.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 189/387/1193/1488 - IIS-admin-dll-serv";flags:PA; content:"/scripts/iisadmin/ism.dll"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 267 counter.exe probe";flags:PA; content:"/scripts/counter.exe"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 2110 CVE-2000-0303 - IIS-iisadmpwd";flags:PA; content:"iisadmpwd/aexp"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 2110 CAN-1999-0407 - IIS-anot.htr Attempt";flags:PA; content:"iisadmpwd/anot"; nocase;)
alert tcp any any -> $HOME_NET 80 (msg:"IIS Showcode access attempt"; content:"//Sites/Samples/Knowledge/Membership/Inspired/ViewCode.asp"; flags: PA; nocase;)
# The next two rules duplicate the Form_JScript.asp and
# ServerVariables_Jscript.asp rules earlier in this section.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Attempt at II5 cross-site scripting"; content:"Form_JScript.asp"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Attempt at II5 directory display"; content:"ServerVariables_Jscript.asp"; nocase;)
# Response-direction rule: fires on every HTTP 403 reply from any port-80
# server the sensor sees, not only on attack traffic; treat as informational.
alert tcp any 80 -> any any (msg:"WEB-IIS - Unauthorized IP Access Attempt"; flags:PA; content:"403"; content:"Forbidden\:";)
# |3a| is ':' so the pattern is "Translate: F" (the WebDAV source-disclosure header).
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "IDS305 - WEB IIS - View Source via Translate Header"; flags:PA; content: "Translate|3a| F"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS-getdrvrs";flags:PA; content:"scripts/tools/getdrvrs.exe"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS-fpcount";flags:PA; content:"scripts/fpcount.exe"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS-exec-srch";flags:PA; content:"#filename=*.exe"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS-del";flags:PA; content:"&del+/s+c|3a|\\*.*"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 167 - IIS-codebrowser SDK";flags:PA; content:"iissamples/sdk/asp/docs/codebrws.asp"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CVE-1999-0449 - IIS-codebrowser Exair";flags:PA; content:"iissamples/exair/howitworks/codebrws.asp"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS-cmd?";flags:PA; content:".cmd?&"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS-_vti_inf";flags:PA; content:"_vti_inf.html"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CAN-2000-0726 - BUGTRAQ ID 1623 - IIS-CGImail";flags:PA; content:"scripts/CGImail.exe"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS-bdir";flags:PA; content:"scripts/iisadmin/bdir.htr"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CVE-1999-0233 - IIS-bat?";flags:PA; content:".bat?&"; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS-asp-srch";flags:PA; content:"#filename=*.asp"; nocase;)
# ".asp." is a very short pattern and will also match ordinary page text.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS-asp-dot";flags:PA; content:".asp."; nocase;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 
(msg:"CVE-1999-0278 - IIS-asp$data";flags:PA; content:".asp|3a3a|$data"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 189 - IIS-admin-dll-serv";flags:PA; content:"scripts/iisadmin/ism.dll?http/serv"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 189 - IIS-admin-dll";flags:PA; content:"scripts/iisadmin/ism.dll?http/dir"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS-admin-default";flags:PA; content:"scripts/iisadmin/default.htm"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CVE-1999-0874 - IIS-idc-srch";flags:PA; content:"#filename=*.idc"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS-adctest.asp";flags:PA; content:"msadc/samples/adctest.asp"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CVE-1999-0874 - IIS-*.idc";flags:PA; content:"*.idc"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS-admin";flags:PA; content:"scripts/iisadmin"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS-uploadn";flags:PA; content:"scripts/uploadn.asp"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1084 - Attempt to retrieve ASP contents"; flags:PA; content:"%20&CiRestriction=none&CiHiliteType=Full HTTP/1.0";) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1861 - Attempt to retrieve ASP contents"; flags:PA; content:"GET /null.htw?CiWebHitsFile";) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1193 - WEB-IIS ISM.DLL Exploit Attempt"; flags:PA; content:"%20%20%20%20%20.htr"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB IIS - Index Server File Sourcecode Request"; flags:PA; content:"?CiWebHitsFile=/"; content:"&CiRestriction=none&CiHiliteType=Full";) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "IIS - IDS237 Webhits"; content: ".htw"; flags: PA; dsize: >400;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IDS200 - Web-IIS Encoding"; flags:PA; content: "|25 31 75|";) alert tcp 
$EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS - Possible Attempt at FPCOUNT.EXE DoS"; flags:PA; content:"fpcount.exe"; content:"Digits=-"; nocase;) alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1031:1035 (msg:"IIS - Possible Attempt at NT INETINFO.EXE 100% CPU Utilization"; flags:S;) alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1029 (msg:"IIS - Possible Attempt at NT DNS.EXE 100% CPU Utilization"; flags:S;) alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1091 (msg:"IIS - Possible Attempt at NT DNS.EXE 100% CPU Utilization"; flags:S;) alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1043 (msg:"IIS - Possible Attempt at NT WINS.EXE 100% CPU Utilization"; flags:S;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CAN-1999-0736 - IIS-showcode";flags:PA; content:"/selector/showcode.asp"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS-getdrvs.exe";flags:PA; content:"scripts/tools/getdrvs.exe"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CVE-1999-0874 - IIS-isc$data";flags:PA; content:".idc|3a3a|$data"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS-srchadm";flags:PA; content:"srchadm"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS-srch.htm";flags:PA; content:"samples/isapi/srch.htm"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CAN-1999-0253 - IIS-%2E-asp";flags:PA; content:"%2e.asp"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 162 - IIS-search97";flags:PA; content:"search97.vts";) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS-scripts-browse";flags:PA; content:"scripts/|20|"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS-SAM Attempt";flags:PA; content:"sam._"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS-perl-browse20";flags:PA; content:"%20.pl"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS-perl-browse0a";flags:PA; content:"%0a.pl"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS-perl";flags:PA; 
content:"scripts/perl?"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS-Overflow-htr";flags:PA; content:"BBBB.htrHTTP"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS-MSProxy";flags:PA; content:"scripts/proxy/w3proxy.dll"; nocase;) alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1038 (msg:"IIS - Possible Attempt at NT TCPSVCS.EXE 100% CPU Utilization"; flags:S;) # ------------------------- # WEB-MISC # ------------------------- alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "IDS474 - WEB-MISC Webdav search"; flags: PA; content: "SEARCH "; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC - Lotus Domino 5 - reading file outside the web root exploit"; content:".nsf/"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"webhits.exe probe";flags:PA; content:"/scripts/samples/search/webhits.exe"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"fpadmcgi.exe probe";flags:PA; content:"/scripts/fpadmcgi.exe"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"postinfo.asp probe";flags:PA; content:"/scripts/postinfo.asp"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"repost.asp probe";flags:PA; content:"/scripts/repost.asp"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"queryhit.htm probe";flags:PA; content:"/samples/search/queryhit.htm"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "IDS475 - WEB-MISC Webdav propfind"; flags: PA; content: "PROPFIND "; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"Attempt at Unify eWave Upload"; content:"com.unify.servletexec.UploadServlet"; nocase;) alert tcp any any -> any 80 (msg: "IDS431 - WEB-MISC - PHP strings exploit atstake"; flags: AP; content: "|ba49feffff f7d2 b9bfffffff f7d1|";) alert tcp any any -> any 80 (msg: "IDS430 - WEB-MISC - PHP strings exploit portal tf8"; flags: AP; content: "?STRENGUR ";) alert tcp any any -> any 80 (msg:"WEB-MISC - BUGTRAQ ID 1777 - Hassan Consulting's Shopping Cart Directory 
Traversal"; flags:PA; content:"shop.cgi"; content:"page=../";) alert tcp any any -> any any (msg:"WEB-MISC - 403 Forbidden";flags:PA; content:"HTTP/1.1 403";) alert tcp any any -> any 80 (msg:"WEB-MISC - WebStore Directory Traversal"; content:"web_store.cgi?page=../..";) alert tcp any any -> any 80 (msg:"WEB-MISC - BUGTRAQ ID 1762 - Moreover CGI Shopping Cart Directory Traversal"; flags:PA; content:"cached_feed.cgi"; content:"../";) alert tcp any any -> any 80 (msg:"WEB-MISC - Alaire Pro Web Shell Exploit"; flags:PA; content:"authenticate.cgi?PASSWORD"; content:"config.ini";) alert tcp any any -> any 80 (msg:"WEB-MISC - BUGTRAQ ID 1774 - eXtropia WebStore Directory Traversal Vulnerability"; flags:PA; content:"web_store.cgi"; content:"page=../";) alert tcp any 80 -> any any (msg:"WEB-MISC - Invalid URL"; content:"Invalid URL"; nocase;) alert tcp any any -> any 80 (msg:"WEB-MISC - Armada Style Master Index Directory Traversal"; flags:PA; content:"search.cgi?keys"; content:"catigory=../";) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC - Talentsoft Web+ File Disclosure Vulnerability";flags:PA; content:"webplus.cgi?Script=/webplus/webping/webping.wml";) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1725 - WEB-MISC - Talentsoft Web+ exploit attempt"; flags:PA; content:"webplus.cgi?Script=/webplus/webping/webping.wml";) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1734 - WEB-MISC - SmartWin CyberOffice Shopping Cart 2.0 Information Disclosure Vulnerability";flags:PA; content:"_private/shopping_cart.mdb";) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1720 - WEB-MISC - Talentsoft Web+ Internal IP Address Disclosure Vulnerability";flags:PA; content:"webplus.exe?about";) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1722 - WEB-MISC - Talentsoft Web+ Source Code Disclosure Vulnerability";flags:PA; content:"webplus.exe?script=test.wml";) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1532 - 
WEB-MISC - TOMCAT Server Snoop file access"; flags:PA; content:"jsp/snp/anything.snp"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1579 - WEB-MISC - Attempt to pull Netscape Admin Password from Server"; flags:PA; content:"admin-serv/config/admpw"; nocase;) alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"CAN-2000-0483 - MISC - WebsitePro 2.5 and under have known exploits - upgrade"; content:"WebSitePro2."; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC - TOMCAT Server Exploit Attempt"; flags:PA; content:"contextAdmin/contextAdmin.html"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1457 - CVE-2000-0628 - WEB-MISC - Apache source.asp file access"; flags:PA; content:"/site/eg/source.asp"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "IDS298 - WEB MISC - http-directory-traversal 2"; flags:PA; content: "..\\";) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1510 - CVE-2000-0671 - WEB-MISC - ROXEN Directory list attempt"; flags:PA; content:"|2F 25 30 30 2F|"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "IDS297 - WEB MISC - http-directory-traversal 1"; flags:PA; content: "../";) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-prefix-get //";flags:PA; content:"get //"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-/....";flags:PA; content:"|2f2e2e2e2e|";) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CVE-1999-0474 - WEB-ICQ webserver";flags:PA; content:".html/......"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-Lotus-DelDoc";flags:PA; content:"?DeleteDocument"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-Lotus-EditDoc";flags:PA; content:"?EditDocument"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-ls%20-l";flags:PA; content:"ls%20-l"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 713 - CVE-1999-0346 - WEB-mlog";flags:PA; content:"mlog.phtml?"; nocase;) 
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 713 - CVE-1999-0346 - WEB-mylog";flags:PA; content:"mylog.phtml?"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-OReilly args.bat";flags:PA; content:"cgi-dos/args.bat"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CVE-1999-0269 - WEB-PageService";flags:PA; content:"?PageServices"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-webcart";flags:PA; content:"/webcart/"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC-AuthChangeUrl";flags:PA; content:"_AuthChangeUrl?"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CVE-1999-0175 - WEB-MISC-convert.bas Attempt";flags:PA; content:"scripts/convert.bas"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC-cpshost.dll Attempt";flags:PA; content:"scripts/cpshost.dll"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC-cmd.exe Attempt";flags:PA; content:"scripts/../../cmd.exe"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-etc/passwd";flags:PA; content:"etc/passwd"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CVE-1999-0178 - WEB-OReilly win-c-sample.exe";flags:PA; content:"cgi-shl/win-c-sample.exe"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-Domino-catalog.nsf";flags:PA; content:"catalog.nsf"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1063 - Netscape Enterprise Server Directory View"; flags:PA; content:"?wp-uncheckout"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-///cgi-bin";flags:PA; content:"///cgi-bin"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC-.htaccess";flags:PA; content:".htaccess"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-ApacheDOS";flags:PA; content:"|2f2f2f2f2f2f2f2f|";) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 374 - WEB-cat%20";flags:PA; content:"cat%20"; nocase;) alert tcp 
$EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-cd..";flags:PA; content:"cd.."; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-~root";flags:PA; content:"~root"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CVE-1999-0021 - WEB-count.cgi";flags:PA; content:"count.cgi"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-Ecommerce-import.txt";flags:PA; content:"orders/import.txt"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-Domino-domcfg.nsf";flags:PA; content:"domcfg.nsf"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-Domino-domlog.nsf";flags:PA; content:"domlog.nsf"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-Domino-log.nsf";flags:PA; content:"log.nsf"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-Domino-names.nsf";flags:PA; content:"names.nsf"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-Ecommerce-check.txt";flags:PA; content:"config/check.txt"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-Ecommerce-checks.txt";flags:PA; content:"orders/checks.txt"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-Ecommerce-import.txt";flags:PA; content:"config/import.txt"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-cgi-bin///";flags:PA; content:"cgi-bin///"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC - Webplus Access Detected"; content:"webplus?script"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1063 - Netscape Enterprise Server Directory View"; flags:PA; content:"?wp-start-ver";nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1052 - Sojourn File Access"; flags:PA; content:"/sojourn.cgi?cat="; content:"%00"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1031 - SGI InfoSearch fname Access"; flags:PA; content:"infosrch.cgi?"; content:"fname="; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 
(msg:"CVE-2000-0192 - BUGTRAQ ID 1036 - Caldera OpenLinux rpm_query Access"; flags:PA; content:"cgi-bin/rmp_query"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1089 - CAN-2000-0278 - MISC WEB - SalesLogix Eviewer Web Shutdown"; flags:PA; content:"/slxweb.dll/admin?command="; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1104 - MISC WEB - BizDB Script Exploit"; flags:PA; content:"bizdb1-search.cgi"; content:"mail"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1057 - Trend Micro OfficeScan Access"; flags:PA; content:"officescan/cgi/jdkRqNotify.exe?"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1073 - CAN-2000,0242 - WEB-MISC - windmail.exe Access Detected"; content:"windmail.exe?-n"; content:"mail"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1063 - Netscape Enterprise Server Directory View"; flags:PA; content:"?wp-html-rend"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "IDS270 - WEB MISC - Netscape dir index wp"; flags:PA; content: "?wp-"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IDS272 - Piranha Passwd.php3"; flags:PA; content: "passwd.php3";) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 879 - CAN-1999-1006 - WEB-MISC - Novell Groupwise gwweb.exe access"; flags:PA; content:"GWWEB.EXE?HELP="; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1153 - WEB-MISC - Cart 32 AdminPwd Access"; flags:PA; content:"c32web.exe/ChangeAdminPassword"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC - architext_query.pl attempt"; content:"/ews/architext_query.pl"; nocase; flags:PA;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CVE-1999-0260 - WEB-MISC - /cgi-bin/jj attempt"; content:"cgi-bin/jj"; nocase; flags:PA; ) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CVE-1999-0953 - WEB-MISC - wwwboard.pl attempt"; content:"cgi-bin/wwwboard.pl"; nocase; flags:PA; ) 
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"MISC WEB - Netscape PublishingXpert 2 Exploit"; flags:PA; content:"/PSUser/PSCOErrPage.htm?"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IDS265 - Web cgi cgitest"; content: "cgitest.exe|0d0a|user"; nocase; flags: AP; offset: 4;) alert tcp $EXTERNAL_NET any -> $HOME_NET 457 (msg:"IDS180 - WEB-netscape-overflow-unixware"; content: "|eb 5f 9a ff ff ff ff 07 ff c3 5e 31 c0 89 46 9d|"; flags: PA;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IDS205 - WEB-MISC - Phorum Admin"; flags: PA; content:"admin.php3"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IDS206 - WEB-MISC - Phorum Auth"; flags: AP; content:"PHP_AUTH_USER=boogieman"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IDS207 - WEB-MISC - Phorum Code"; flags: AP; content:"code.php3"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IDS208 - WEB-MISC - Phorum Read"; flags: AP; content:"read.php3"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IDS209 - WEB-MISC - Phorum Violation"; flags: AP; content:"violation.php3"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CVE-2000-0169 - BUGTRAQ ID 1053 - Oracle Web Listener Batch Access"; flags:PA; content:"ows-bin/&"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IDS258 - Web cgi get32.exe"; flags:PA; content: "get32.exe"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC-.wwwacl";flags:PA; content:"secure/wwwacl"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1063 - Netscape Enterprise Server Directory View"; flags:PA; content:"?wp-cs-dump";nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1063 - Netscape Enterprise Server Directory View"; flags:PA; content:"?wp-ver-info";nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1063 - Netscape Enterprise Server Directory View"; flags:PA; content:"?wp-usr-prop";nocase;) alert tcp $EXTERNAL_NET any -> 
$HOME_NET 80 (msg:"BUGTRAQ ID 1063 - Netscape Enterprise Server Directory View"; flags:PA; content:"?wp-ver-diff";nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1063 - Netscape Enterprise Server Directory View"; flags:PA; content:"?wp-verify-link";nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"CAN-1999-0229 - IIS WEB-..\..";flags:PA; content:"|2e2e5c2e2e|";) alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1063 - Netscape Enterprise Server Directory View"; flags:PA; content:"?wp-stop-ver"; nocase;) alert tcp $EXTERNAL_NET any -> $HOME_NET 2301 (msg:"IDS244 - CVE-1999-0771 - Compaq-insight-dot-dot"; content: "../";)