#--------------------------------------------- # http://www.snort.org Snort 1.6.3 Ruleset # Current Database Updated -- 12/04/2000 #Contact: Jim Forster - jforster@rapidnet.com #--------------------------------------------- preprocessor http_decode: 80 443 8080 preprocessor minfrag: 128 #preprocessor portscan: 12.23.34.45/32 3 5 /var/log/snort_portscan.log # ^^^^^^^^^^^ ^ ^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^ # | | | | #Your IP address or Network here+ | | | # | | | #Ammount of ports being connected-----+ | | # in this | | #Interval (in seconds)------------------+ | # | #Log file (path/name)----------------------------------+ #preprocessor portscan-ignorehosts: Hosts to ignore in portscan detection #--------------------------------------------- # CHANGE THE NEXT LINE TO REFLECT YOUR NETWORK # (Single system = your ip/32) var HOME_NET yournet/subnet #--------------------------------------------- # Ignore web traffic when visiting www.snort.org pass tcp 205.164.217.39 80 <> any any #--------------------------------------------- # BACKDOOR SIGNATURE BASED alert udp !$HOME_NET any -> $HOME_NET 31337 (msg: "IDS399 - BackOrifice1-info"; content: "|ce63 d1d2 16e7 13cf 39a5 a586|";) alert udp !$HOME_NET any -> $HOME_NET 31337 (msg: "IDS398 - BackOrifice1-dir"; content: "|ce63 d1d2 16e7 13cf 3ca5 a586|";) alert udp !$HOME_NET any -> $HOME_NET 31337 (msg: "IDS397 - BackOrifice1-scan"; content: "|ce63 d1d2 16e7 13cf 38a5 a586|";) alert tcp $HOME_NET 80 -> !$HOME_NET any (msg: "IDS400 - BackOrifice1-web"; flags: AP; content: "server|3a| BO|2f|";) alert tcp $HOME_NET 12346 -> !$HOME_NET any (msg: "IDS402 - Netbus-active-12346"; flags: AP; content: "NetBus";) alert tcp $HOME_NET 12345 -> !$HOME_NET any (msg: "IDS401 - Netbus-active-12345"; flags: AP; content: "NetBus";) alert tcp !$HOME_NET any -> $HOME_NET 12346 (msg: "IDS404 - BACKDOOR SIGNATURE - Netbus Getinfo 12346"; flags: AP; content: "GetInfo|0d|";) alert tcp !$HOME_NET any -> $HOME_NET 12345 (msg: "IDS403 - BACKDOOR SIGNATURE - Netbus Getinfo 12345"; flags: AP; content: "GetInfo|0d|";) alert udp !$HOME_NET 4120 -> $HOME_NET any (msg: "IDS405 - DeepThroat-ACTIVE"; content: "--Ahhhhhhhhhh";) alert tcp $HOME_NET 666 -> !$HOME_NET 1024: (msg: "IDS316 - BACKDOOR-ACTIVITY - SatansBackdoor.2.0.Beta"; content: "Remote|3A| You are connected to me.";) alert tcp $HOME_NET 146 -> !$HOME_NET 1024: (msg: "IDS315 - BACKDOOR-ACTIVITY - Infector.1.x"; content: "WHATISIT";) alert tcp $HOME_NET 146 -> !$HOME_NET 1000:1300 (msg:"BACKDOOR SIGNATURE - Possible Infector 1.6 Server to Client Connection"; content:"|57 48 41 54 49 53 49 54|";) alert tcp !$HOME_NET 1000:1300 -> $HOME_NET 146 (msg:"BACKDOOR SIGNATURE - Possible Infector 1.6 Client to Server Connection Request"; content:"|46 43 20|";) alert tcp $HOME_NET 6789 -> !$HOME_NET any (msg: "IDS312 - BACKDOOR SIGNATURE - Doly 2.0"; content: "|57 74 7a 75 70 20 55 73 65|"; flags: AP; depth: 32;) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Server Status Client Request"; content:"10";) alert udp !$HOME_NET 3345 -> $HOME_NET 3344 (msg:"IDS83 - BACKDOOR SIGNATURE - Matrix 2.0 Server ACK"; content:"logged in";) alert tcp $HOME_NET 5714 -> !$HOME_NET any (msg:"IDS36 - BACKDOOR SIGNATURE - WinCrash 1.0 Server Active" ; flags:SA; content:"|B4 B4|";) alert udp $HOME_NET 3150 -> !$HOME_NET 60000 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Wrong Password"; content:"Wrong Password";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 System Info Client Request"; content:"13";) alert udp $HOME_NET 3150 -> !$HOME_NET 60000 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Wrong Password";: content:"Wrong Password";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 System Info Client Request"; content:"13";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 RAS Passwords Client Request"; content:"17";) alert udp $HOME_NET 2140 -> !$HOME_NET 60000 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 System Info From Server"; content:"Comp Name";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Drive Info Client Request"; content:"130";) alert udp $HOME_NET 2140 -> !$HOME_NET 60000 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Drive Info From Server"; content:"C - ";) alert udp $HOME_NET 2140 -> !$HOME_NET 60000 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Server Status From Server"; content:"Host";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 E-Mail Info Client Request"; content:"12";) alert udp $HOME_NET 2140 -> !$HOME_NET 60000 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 E-Mail Info From Server"; content:"Retreaving";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 FTP Status Client Request"; content:"09";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Server FTP Port Change Client Request"; content:"21";) alert udp !$HOME_NET 3344 -> $HOME_NET 3345 (msg:"IDS83 - BACKDOOR SIGNATURE - Matrix 2.0 Client connect"; content:"activate";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Cached Passwords Client Request"; content:"16";) alert tcp $HOME_NET !80 -> !$HOME_NET any (msg:"IDS279 - BACKDOOR SIGNATURE - SubSeven 2.1 FTP Enabled Sent from Server!"; flags:PA; content:"FTP server enabled";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Server Password Change Client Request"; content:"91";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Server Password Remove Client Request"; content:"92";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Rehash Client Request"; content:"911";) alert udp $HOME_NET 2140 -> !$HOME_NET 60000 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Server FTP Port Change From Server"; content:"FTP Server changed to";) alert tcp $HOME_NET 23476 -> !$HOME_NET any (msg:"BACKDOOR SIGNATURE - DonaldDick 1.53 Traffic"; flags:PA; content:"pINg";) alert tcp $HOME_NET 21 -> !$HOME_NET any (msg:"IDS01 - BACKDOOR SIGNATURE - ADMw0rm-ftp-retrieval";flags:PA; content:"USERw0rm|0D0A|";) alert tcp !$HOME_NET !80 -> $HOME_NET 21554 (msg:"IDS98 - BACKDOOR SIGNATURE - GirlFriendaccess"; flags:PA; content:"Girl";) alert tcp $HOME_NET 30100 -> !$HOME_NET any (msg:"IDS76 - BACKDOOR SIGNATURE - NetSphere access"; flags: PA; content:"NetSphere";) alert tcp $HOME_NET 6969 -> !$HOME_NET any (msg:"IDS99 - BACKDOOR SIGNATURE - GateCrasheraccess"; flags:PA; content:"GateCrasher";) alert icmp !$HOME_NET any -> $HOME_NET 16660 (msg:"IDS179 - BACKDOOR SIGNATURE - Stacheldraht Client";) alert tcp $HOME_NET 555 -> !$HOME_NET any (msg:"BACKDOOR SIGNATURE - Possible PhaseZero Server Active on Network";content:"phAse";flags:PA;) alert udp $HOME_NET 2140 -> any 60000 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Keylogger Active on Network"; content:"KeyLogger Is Enabled On port";) alert udp any 60000 -> $HOME_NET 3150 (msg:"IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network"; content:"|00 23|";) alert udp any 3150 -> $HOME_NET 60000 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Server Active on Network"; content:"|00 23|";) alert tcp $HOME_NET 5401:5402 -> !$HOME_NET any (msg:"BACKDOOR SIGNATURE -- BackConstruction 2.1 Connection"; flags:PA; content:"c|3A|\\";) alert udp any 2140 -> $HOME_NET 60000 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Server Active on Network";) alert tcp !$HOME_NET 5031 -> $HOME_NET !53:80 (msg:"IDS79 - BACKDOOR SIGNATURE - NetMetro Incoming Traffic"; flags:PA;) alert tcp $HOME_NET 31785 -> !$HOME_NET any (msg:"BACKDOOR SIGNATURE - HackAttack 1.20 Connect"; flags:PA; content:"host";) alert tcp $HOME_NET 30100:30102 -> !$HOME_NET any (msg:"IDS76 - BACKDOOR SIGNATURE - NetSphere 1.31.337 Data"; flags:PA; content:"NetSphere";) alert tcp $HOME_NET !80 -> !$HOME_NET any (msg:"IDS279 - BACKDOOR SIGNATURE - SubSeven 2.1 Login Detected!"; flags:PA; content:"connected. time/date";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Hide Window Client Request"; content:"26";) alert tcp any !80 -> !$HOME_NET any (msg:"IDS279 - BACKDOOR SIGNATURE - SubSeven 2.1 FTP Enable from Client"; flags:PA; content:"FTPenable!";) alert udp !$HOME_NET 60000 -> $HOME_NET 3150 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Server Rehash Client Request"; content:"shutd0wnM0therF***eR";) alert tcp !$HOME_NET any -> $HOME_NET 666 (msg:"BACKDOOR SIGNATURE -- BackConstruction 2.1 Client FTP Open Request"; flags:PA; content:"FTPON";) alert tcp $HOME_NET 666 -> !$HOME_NET any (msg:"BACKDOOR SIGNATURE -- BackConstruction 2.1 Server FTP Open Reply"; flags:PA; content:"FTP Port open";) alert tcp $HOME_NET !53:80 -> !$HOME_NET 5032 (msg:"IDS79 - BACKDOOR SIGNATURE - NetMetro Outbound Data"; flags:PA;) alert tcp $HOME_NET any -> !$HOME_NET 5032 (msg:"IDS79 - BACKDOOR SIGNATURE - NetMetro File List"; flags:PA; content:"|2D 2D|";) alert udp any 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE -- DeepThroat 3.1 Client Sending Data to Server on Network";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Keylogger on Server ON"; content:"KeyLogger Is Enabled On port";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Enable Window Client Request"; content:"24";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Hide/Show Systray Client Request"; content:"30";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Hide/Show Clock Client Request"; content:"32";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Hide/Show Desktop Client Request"; content:"33";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Swap Mouse Buttons Client Request"; content:"34";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Enable/Disable CTRL-ALT-DEL Client Request"; content:"110";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Freeze Mouse Client Request"; content:"35";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Show Dialog Box Client Request"; content:"70";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Show Replyable Dialog Box Client Request"; content:"71";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Hide/Show Start Button Client Request"; content:"04";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Resolution Change Client Request"; content:"125";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 CD ROM Close Client Request"; content:"03";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Keylogger on Server OFF"; content:"KeyLogger Shut Down";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Send to URL Client Request"; content:"12";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 FTP Server Port Client Request"; content:"21";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Process List Client request"; content:"64";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Close Port Scan Client Request"; content:"121";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Registry Add Client Request"; content:"89";) alert icmp 255.255.255.0/24 any -> $HOME_NET any (msg:"IDS202 - BACKDOOR SIGNATURE - Q ICMP"; itype: 0; dsize: >1;) alert tcp 255.255.255.0/24 any -> $HOME_NET any (msg:"IDS203 - BACKDOOR SIGNATURE - Q TCP"; flags:A; dsize: >1;) alert udp 255.255.255.0/24 any -> $HOME_NET any (msg:"IDS201 - BACKDOOR SIGNATURE - Q UDP"; dsize: >1;) alert tcp !$HOME_NET any -> $HOME_NET 79 (msg:"IDS263 - Backdoor Signature - CDK"; content: "ypi0ca"; nocase; flags: AP; depth: 15;) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Monitor on/off Client Request"; content:"07";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Create Directory Client Request"; content:"39";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 ICQ Alert OFF Client Request"; content:"88";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Visible Window List Client Request"; content:"37";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 All Window List Client Request"; content:"370";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Kill Window Client Request"; content:"38";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Disable Window Client Request"; content:"23";) alert tcp $HOME_NET 555 -> !$HOME_NET any (msg:"BACKDOOR SIGNATURE - PhaseZero Server Active on Network"; flags:PA; content:"phAse";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Change Window Title Client Request"; content:"60";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Show Window Client Request"; content:"25";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Send Text to Window Client Request"; content:"63";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Hide/Show Start Button Client Request"; content:"31";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Show Picture Client Request"; content:"22";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 ICQ Alert ON Client Request"; content: "40";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Change Wallpaper Client Request"; content:"20";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Delete File Client Request"; content:"41";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Play Sound Client Request"; content:"36";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Run Program Normal Client Request"; content:"14";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Run Program Hidden Client Request"; content:"15";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Get NET File Client Request"; content:"100";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Find File Client Request"; content:"117";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Find File Client Request"; content:"118";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 HUP Modem Client Request"; content:"199";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 CD ROM Open Client Request"; content:"02";) alert udp !$HOME_NET 60000 -> $HOME_NET 2140 (msg:"IDS106 - BACKDOOR SIGNATURE - DeepThroat 3.1 Server Response"; content:"Ahhhh My Mouth Is Open";) # BETA RULES 12-04-2000 alert tcp any any -> any 80 (msg:"BETA - Possible Netscape Servers Suite Multiple DoS Vulnerabilities"; flags:PA; content:"/dsgw/bin/search?context="; nocase;) alert tcp !$HOME_NET 110 -> $HOME_NET any (msg:"BETA - VIRUS - Possible Incoming MyRomeo Worm"; content: "myromeo.exe"; nocase;) alert tcp !$HOME_NET 110 -> $HOME_NET any (msg:"BETA - VIRUS - Possible Incoming MyRomeo Worm"; content: "myjuliet.chm"; nocase;) alert tcp !$HOME_NET 110 -> $HOME_NET any (msg:"BETA - VIRUS - Possible Incoming MyRomeo Worm"; content: "ble bla"; nocase;) alert tcp !$HOME_NET 110 -> $HOME_NET any (msg:"BETA - VIRUS - Possible Incoming MyRomeo Worm"; content: "I Love You";) alert tcp !$HOME_NET 110 -> $HOME_NET any (msg:"BETA - VIRUS - Possible Incoming MyRomeo Worm"; content: "Sorry... Hey you !";) alert tcp !$HOME_NET 110 -> $HOME_NET any (msg:"BETA - VIRUS - Possible Incoming MyRomeo Worm"; content: "Matrix has you...";) alert tcp !$HOME_NET 110 -> $HOME_NET any (msg:"BETA - VIRUS - Possible Incoming MyRomeo Worm"; content: "my picture from shake-beer";) alert tcp !$HOME_NET 110 -> $HOME_NET any (msg:"BETA - VIRUS - Possible Incoming pif Worm"; content: ".pif"; nocase;) alert tcp !$HOME_NET 110 -> $HOME_NET any (msg:"BETA - VIRUS - Possible Incoming scr Worm"; content: ".scr"; nocase;) alert tcp !$HOME_NET 110 -> $HOME_NET any (msg:"BETA - VIRUS - Possible Incoming shs Worm"; content: ".shs"; nocase;) alert tcp any any -> any 21 (msg:"BETA - Anon FTP"; content:"anonymous"; nocase;) alert tcp any 110 -> any any (msg:"BETA - LURHQ-01 - VIRUS - Possible Incoming QAZ Worm"; content: "|71 61 7a 77 73 78 2e 68 73 71|";) alert tcp any any -> any 139 (msg:"BETA - LURHQ-02 - VIRUS - Possible QAZ Worm Infection"; flags:A; content: "|71 61 7a 77 73 78 2e 68 73 71|";) alert tcp !$HOME_NET 110 -> $HOME_NET any (msg:"BETA - VIRUS - Possible Incoming NAVIDAD Worm"; content: "NAVIDAD.EXE"; nocase;) alert tcp any any -> any any (msg:"BETA - Napster Upload Request"; flags: PA; content: "|00 5f02|"; offset: 1; depth: 3; ) alert tcp any 31790 -> any 31789 (msg:"IDS314 - trojan-probe-hack-a-tack"; content: "A"; depth: 1;) alert tcp any 16959 -> any any (msg:"BETA - SubSeven DEFCON8 2.1 Backdoor Access!"; content: "PWD"; content:"acidphreak"; nocase') alert tcp any any -> any 80 (msg:"BETA - POST and AUTHOR.dll"; flags: PA; content:"POST"; content:"author.dll"; nocase;) alert tcp any any -> any 25 (msg:"BETA Worm - Possible Outgoing Matrix Worm"; content: "Software provide by [MATRiX]"; nocase; ) alert tcp any 110 -> any any (msg:"BETA Worm - Possible incoming Matrix worm"; content: "Software provide by [MATRiX]"; nocase; ) alert tcp any any -> any 7597 (msg:"BETA - LURHQ-03 - BACKDOOR SIGNATURE - QAZ Worm Client Login Detected"; flags:PA; content:"|71 61 7a 77 73 78 2e 68 73 71|";) alert tcp any any -> any 80 (msg:"BETA - WEB Amazon 1-click cookie theft"; flags: PA; content:"ref%3Cscript%20language%3D%22Javascript"; nocase;) alert tcp any any -> any 80 (msg:"BETA - Unify eWave ServletExec DoS"; flags:PA; content:"servlet/ServletExec";) alert tcp any any -> any any (msg:"BETA - Napster Download Request"; flags: PA; content: "|00 cb00|"; offset: 1; depth: 3; ) # alert tcp any any -> any any (msg:"BETA - Napster Login"; flags: PA; content: "|00 0200|"; offset: 1; depth: 3; ) alert tcp any any -> any 80 (msg:"BETA - WEB - Allaire JRUN DoS attempt"; flags:PA; content:"servlet/......."; nocase;) alert tcp any any -> any 25 (msg:"BETA - Possible MS Exchange Server MIME DoS Vulnerability"; flags:PA; content:"|63 68 61 72 73 65 74 20 3D 20 22 22|";) alert tcp any any -> any 80 (msg:"BETA - Unify eWave ServletExec File Upload Vulnerability"; flags:PA; content:"/servlet"; content:"UploadServlet"; nocase;) alert tcp any 22 -> any any (msg:"BETA - Possible ssh-research-scanner"; flags: FPA; content:"/00 00 00 60 00 00 00 00 00 00 00 00 01 00 00 00/";) alert tcp any any -> any 80 (msg:"BETA - WEB-CGI-Anaconda-FD directory transversal vulnerability attempt"; flags:PA; content:"template=../"; nocase;) # DDoS alert icmp any any -> any any (msg: "IDS425 - Ttfn2k icmp possible communication"; itype: 0; icmp_id: 0; content: "AAAAAAAAAA";) alert udp !$HOME_NET any -> $HOME_NET 31335 (msg:"IDS187 - DDoS - Trin00:DaemontoMaster(PONGdetected)"; content:"PONG";) alert icmp 3.3.3.3/32 any -> !$HOME_NET any (msg:"IDS193 - DDoS - Stacheldraht server-spoof"; itype: 0; icmp_id: 666;) alert icmp $HOME_NET any -> !$HOME_NET any (msg:"IDS195 - DDoS - Stacheldraht server-response-gag"; content: "|73 69 63 6B 65 6E|"; itype: 0; icmp_id: 669;) alert icmp $HOME_NET any -> !$HOME_NET any (msg:"IDS191 - DDoS - Stacheldraht server-response"; content: "|66 69 63 6B 65 6E|"; itype: 0; icmp_id: 667;) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS192 - DDoS - Stacheldraht client-spoofworks"; content: "|73 70 6F 6F 66 77 6F 72 6B 73|"; itype: 0; icmp_id: 1000;) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS184 - DDoS - TFN client command BE"; itype: 0; icmp_id: 456; icmp_seq: 0;) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS190 - DDoS - Stacheldraht client-check"; content: "|73 6B 69 6C 6C 7A|"; itype: 0; icmp_id: 666;) alert tcp !$HOME_NET any -> $HOME_NET 20432 (msg:"IDS254 - DDoS shaft client to handler"; flags: AP;) alert udp !$HOME_NET any -> $HOME_NET 31335 (msg:"IDS186 - DDoS - Trin00:DaemontoMaster(messagedetected)"; content:"l44";) alert udp !$HOME_NET any -> $HOME_NET 31335 (msg:"IDS185 - DDoS - Trin00:DaemontoMaster(*HELLO*detected)"; content:"*HELLO*";) alert tcp !$HOME_NET any -> $HOME_NET 27665 (msg:"IDS196 - DDoS - Trin00:Attacker to Master default startup pass detected!";flags:PA; content:"betaalmostdone";) alert tcp !$HOME_NET any -> $HOME_NET 27665 (msg:"DDoS - Trin00 Attacker to Master defaultr.i.passdetected!";flags:PA; content:"gOrave";) alert tcp !$HOME_NET any -> $HOME_NET 27665 (msg:"DDoS - Trin00 Attacker to Master-default mdie pass detected!";flags:PA; content:"killme";) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS194 - DDoS - Stacheldraht client-check-gag"; content: "|67 65 73 75 6E 64 68 65 69 74 21|"; itype: 0; icmp_id: 668;) alert udp !$HOME_NET any -> $HOME_NET 27444 (msg:"IDS197 - DDoS - Trin00:MastertoDaemon(defaultpassdetected!)"; content:"l44adsl";) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS182 - DDoS - TFN server response"; content: "|73 68 65 6C 6C 20 62 6F 75 6E 64 20 74 6F 20 70 6F 72 74|"; itype: 0; icmp_id: 123; icmp_seq: 0;) alert udp !$HOME_NET any -> $HOME_NET 18753 (msg:"IDS255 - DDoS shaft handler to agent"; content: "alive tijgu";) alert udp !$HOME_NET any -> $HOME_NET 20433 (msg:"IDS256 - DDoS shaft agent to handler"; content: "alive";) alert tcp $HOME_NET :1024 -> !$HOME_NET any (msg:"IDS253 - DDoS shaft synflood outgoing"; flags: S; seq: 674711609;) alert tcp !$HOME_NET :1024 -> $HOME_NET any (msg:"IDS252 - DDoS shaft synflood incoming"; flags: S; seq: 674711609;) alert udp any any -> any 6838 (msg: "DDoS - mstream agent to handler"; content: "newserver"; ) alert udp any any -> any 10498 (msg: "DDoS - mstream handler to agent"; content: "stream/"; ) alert udp any any -> any 10498 (msg: "DDoS - mstream handler ping to agent" ; content: "ping";) alert udp any any -> any 10498 (msg: "DDoS - mstream agent pong to handler" ; content: "pong";) alert tcp any any -> any 12754 (msg: "DDoS - mstream client to handler"; content: ">"; flags: AP;) alert tcp any 12754 -> any any (msg: "DDoS - mstream handler to client"; content: ">"; flags: AP;) alert tcp any any -> any 15104 (msg: "IDS111 - DDoS - mstream client to handler"; flags: S;) alert tcp any 15104 -> any any (msg: "DDoS - mstream handler to client"; content: ">"; flags: AP;) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS183 - DDoS - TFN client command LE"; itype: 0; icmp_id: 51201; icmp_seq: 0;) # HIGH FALSES alert tcp !$HOME_NET any -> $HOME_NET 515 (msg:"OVERFLOW - Possible attempt at MS Print Services";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"High False Rule - WEB-CGI-query";flags:PA; content:"cgi-bin/query"; nocase) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"High False Rule - IDS171 Ping All Zeros"; content: "|00000000000000000000000000000000|"; itype: 8; depth: 32;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS259 - Alibaba 2.0 Buffer Overflow";dsize:>1449; content:"POST";) alert tcp any 5050 <> $HOME_NET any (msg:"INFO - YAHOO Pager Data Logged"; flags: PA;) alert tcp any 5190 <> $HOME_NET any (msg:"INFO - AOL Chat Data Logged";) alert tcp $HOME_NET any -> !$HOME_NET 5050 (msg:"INFO - YAHOO Pager Active on Network"; flags:A;) alert tcp $HOME_NET any -> !$HOME_NET 5190 (msg:"INFO - AOL Chat Active on Network"; flags:A;) alert tcp !$HOME_NET any <> $HOME_NET 110 (msg:"Mail Password";flags:PA; content:"PASS"; logto:"MAIL";) alert tcp !$HOME_NET any <> $HOME_NET 110 (msg:"Mail Login";flags:PA; content:"USER"; logto:"MAIL";) alert udp !$HOME_NET any -> $HOME_NET 161 (msg:"High False Rule - SNMP access, public"; content:"public";) alert udp !$HOME_NET any -> $HOME_NET 137 (msg:"High False Rule - IDS177 NETBIOS-SMB-Name-Query"; content:"CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|0000|";) alert tcp !$HOME_NET any <> $HOME_NET 21 (msg:"INFO - FTP-Password";flags:PA; content:"PASS"; logto:"FTP";) alert tcp !$HOME_NET any <> $HOME_NET 21 (msg:"INFO - FTP-Login";flags:PA; content:"USER"; logto:"FTP";) # FINGER alert tcp !$HOME_NET any -> $HOME_NET 79 (msg:"IDS375 - FINGER-Search";flags:PA; content:"search";) alert tcp !$HOME_NET any -> $HOME_NET 79 (msg:"IDS376 - FINGER-root";flags:PA; content:"root";) alert tcp !$HOME_NET any -> $HOME_NET 79 (msg:"IDS377 - FINGER-ProbeNull"; flags:PA; content:"|00|";) alert tcp !$HOME_NET any -> $HOME_NET 79 (msg:"IDS378 - FINGER-Probe0";flags:PA; content:"0";) alert tcp !$HOME_NET any -> $HOME_NET 79 (msg:"IDS379 - FINGER-PipeW";flags:PA; content:"/W|3b|";) alert tcp !$HOME_NET any -> $HOME_NET 79 (msg:"IDS380 - FINGER-Pipe"; flags:PA; content:"|7c|";) alert tcp !$HOME_NET any -> $HOME_NET 79 (msg:"IDS381 - FINGER-Bomb";flags:PA; content:"@@";) alert tcp !$HOME_NET any -> $HOME_NET 79 (msg:"IDS11 - Finger cybercop redirection"; flags:PA; content: "|40 6C 6F 63 61 6C 68 6F 73 74 0A|"; dsize: 11; depth: 11;) alert tcp !$HOME_NET any -> $HOME_NET 79 (msg:"IDS251 - Finger redirection"; content: "@"; flags: AP;) alert tcp !$HOME_NET any -> $HOME_NET 79 (msg:"IDS131 - CVE-1999-0612 - FINGER-0@host";flags:PA; content:"|300A|";) alert tcp !$HOME_NET any -> $HOME_NET 79 (msg:"IDS130 - CVE-1999-0612 - FINGER-.@host";flags:PA; content:"|2E0A|";) # FTP alert tcp !$HOME_NET any -> $HOME_NET 21 (msg: "IDS322/FTP-nopassword"; content: "pass |0d|"; nocase; flags: AP;) alert tcp !$HOME_NET any -> $HOME_NET 21 (msg: "IDS317/FTP-site-exec"; content: "site exec"; nocase; flags: AP;) alert tcp !$HOME_NET any -> $HOME_NET 21 (msg: "IDS318/FTP-cwd~root"; content: "cwd ~root"; nocase; flags: AP;) alert tcp !$HOME_NET any -> $HOME_NET 21 (msg: "IDS319/FTP-forward"; content: ".forward"; flags: AP;) alert tcp !$HOME_NET any -> $HOME_NET 21 (msg: "IDS324/FTP-pass-wh00t"; content: "pass wh00t"; nocase; flags: AP;) alert tcp $HOME_NET 21 -> !$HOME_NET any (msg:"IDS364 - FTP-bad-login";flags:PA; content:"530 Login incorrect";) alert tcp !$HOME_NET any -> $HOME_NET 21 (msg: "IDS287 - FTP - Wuftp260 venglin linux"; content: "|31c031db 31c9b046 cd80 31c031db|"; flags: AP;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FTP - Possible Attempt at ftp.pl Exploit"; flags:PA; content:"ftp/ftp.pl?"; nocase;) alert tcp $HOME_NET 21 -> !$HOME_NET any (msg:"FTP - Exploitable proftpd 1.2 server running"; content:"proftpd 1.2"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 21 (msg: "IDS287 - FTP wuftp260 Venglin Linux"; content: "|31c031db 31c9b046 cd80 31c031db|"; flags: PA; depth: 32;) alert tcp $HOME_NET 21 -> !$HOME_NET any (msg:"FTP-NT-bad-login"; content:"Login failed.";) alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"IDS134 - CVE-1999-0202 - FTP tar parameters";flags:PA; content:"RETR--use-compress-program";) alert udp !$HOME_NET any -> $HOME_NET 69 (msg:"IDS137 - CVE-1999-0183 - TFTP parent directory"; content:"..";) alert udp !$HOME_NET any -> $HOME_NET 69 (msg:"IDS138 - CVE-1999-0183 - TFTP rootdirectory"; content:"|0001|/";) alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"IDS328 - FTP-rhosts";flags:PA; content:".rhosts";) alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"IDS213 - FTP-Password Retrieval"; content:"passwd"; flags: AP;) alert udp !$HOME_NET any -> $HOME_NET 69 (msg:"IDS148 - CVE-1999-0183 - TFTP Write"; content:"|00 02|"; depth:2; ) alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"IDS257 - Aix FTP Buffer Overflow";flags:PA;dsize:>1300; content:"CEL ";) alert tcp !$HOME_NET any -> $HOME_NET 21 (msg: "IDS286 - FTP wuftp260 Siteexec"; content: "|66 25 2E 66 25 2E 66 25 2E 66 25 2E 66 25 2E|"; flags: PA; depth: 32;) alert tcp !$HOME_NET any -> $HOME_NET 21 (msg: "IDS288 - FTP wuftp260 Venglin BSD"; content: "|31c0 50 50 50 b07e cd80 31db 31c0|"; flags: PA; depth: 32;) alert tcp !$HOME_NET any -> $HOME_NET 21 (msg: "IDS285 - FTP wuftp260 Siteexec"; content: "SITE EXEC %p"; nocase; flags: PA; depth: 16;) # MISC alert TCP any any -> any 111 (msg:"IDS428 - Portmap listing 111"; flags: PA; rpc: 100000,*,*; ) alert ICMP !$HOME_NET any -> $HOME_NET any (msg:"IDS156 - INFO - Ping from Flowpoint2200 or Network Management Software"; content: "|0102 0304 0506 0708 090A 0B0C 0D0E 0F10|"; depth: 32; itype: 8; ) alert TCP !$HOME_NET any -> $HOME_NET 70 (msg:"IDS409 - gopher-proxy"; flags: PA; content: "ftp|3A|"; nocase; depth: 4; content: "@/"; ) alert TCP any any -> any 32771 (msg:"IDS429 - Portmap listing 32771"; flags: PA; rpc: 100000,*,*; ) alert UDP !$HOME_NET any -> $HOME_NET any (msg:"IDS247 - MISC - Large UDP Packet"; dsize: >4000; ) alert TCP !$HOME_NET any -> $HOME_NET 6000 (msg:"IDS395 - MISC - X-xopen"; flags: PA; content: "|6C00 0B00 0000 0000 0000 0000|"; ) alert TCP any any -> any 80 (msg:"MISC - ICQ Webfront HTTP DoS"; flags: PA; content: "??????????"; ) alert TCP any any -> any any (msg:"MISC - MISC - id check returned root"; content: "uid=0(root)"; ) alert UDP !$HOME_NET any -> $HOME_NET any (msg:"IDS422 - SourceRoute-UDP-ssrr"; ipopts: ssrr; ) alert UDP !$HOME_NET any -> $HOME_NET any (msg:"IDS420 - SourceRoute-UDP-lssre"; ipopts: lsrr; ) alert ICMP !$HOME_NET any -> $HOME_NET any (msg:"IDS117 - MISC-SourceRoute-ICMP-lssre"; ipopts: lsrr; ) alert TCP !$HOME_NET any -> $HOME_NET 6000 (msg:"IDS396 - X-MITcookie"; flags: PA; content: "MIT-MAGIC-COOKIE-1"; ) alert TCP !$HOME_NET any -> $HOME_NET 53 (msg:"IDS212 - MISC - DNS Zone Transfer"; flags: PA; content: "|FC|"; offset: 13; ) alert UDP !$HOME_NET any -> $HOME_NET any (msg:"IDS362 - MISC - Shellcode X86 NOPS-UDP"; content: "|9090 9090 9090 9090 9090 9090 9090 9090 9090 9090 9090 9090|"; ) alert TCP $HOME_NET any -> !$HOME_NET any (msg:"Outbound GNUTella Connect request"; content: "GNUTELLA CONNECT"; nocase; depth: 40; ) alert TCP $HOME_NET any -> !$HOME_NET any (msg:"Inbound GNUTella Connect accept"; content: "GNUTELLA OK"; nocase; depth: 40; ) alert TCP !$HOME_NET any -> $HOME_NET any (msg:"Inbound GNUTella Connect request"; content: "GNUTELLA CONNECT"; nocase; depth: 40; ) alert TCP any any -> any 25 (msg:"INFO - BattleMail Traffic"; logto:"Battlemail"; content: "BattleMail"; session: printable; ) alert TCP any any -> any 110 (msg:"INFO - BattleMail Traffic"; logto:"Battlemail"; content: "BattleMail"; session: printable; ) alert TCP !$HOME_NET any -> $HOME_NET any (msg:"Outbound GNUTella Connect accept"; content: "GNUTELLA OK"; nocase; depth: 40; ) alert TCP !$HOME_NET any -> $HOME_NET 9001 (msg:"IDS302 - MISC - HP Printer display hack"; flags: PA; content: "@PJL RDYMSG DISPLAY = "; depth: 32; ) alert TCP !$HOME_NET any -> $HOME_NET 80 (msg:"MISC - Possible attempt at BigBrother 1.4 or older Exploit"; flags: PA; content: "bb-hostsvc.sh?HOSTSVC"; nocase; ) alert TCP any 5631 -> any any (msg:"MISC - Invalid PCAnywhere Login"; content: "Invalid login"; offset: 5; depth: 13; ) alert TCP !$HOME_NET any -> $HOME_NET 7070 (msg:"MISC - Possible attempt at Real Server template.html DoS"; flags: PA; content: "/viewsource/template.html?"; nocase; ) alert TCP !$HOME_NET any -> $HOME_NET 8080 (msg:"MISC - Possible attempt at Real Server template.html DoS"; flags: PA; content: "/viewsource/template.html?"; nocase; ) alert TCP !$HOME_NET any -> $HOME_NET 80 (msg:"IDS300 - MISC - PCCS Mysql Database Admin Tool"; flags: PA; content: "pccsmysqladm/incs/dbconnect.inc"; nocase; depth: 36; ) alert TCP !$HOME_NET any -> $HOME_NET 80 (msg:"MISC - Possible attempt at Poll-it Version 2 Exploit"; flags: PA; content: "pollit/Poll_It_SSI_v2.0.cgi?"; nocase; ) alert TCP !$HOME_NET any -> $HOME_NET any (msg:"IDS291 - MISC - Shellcode x86 stealth NOP"; content: "|EB02 EB02 EB02|"; ) alert TCP !$HOME_NET 53 -> $HOME_NET :1023 (msg:"IDS7 - MISC-Source Port Traffic 53 TCP"; flags: S; ) alert ICMP !$HOME_NET any -> $HOME_NET any (msg:"IDS118 - MISC-Traceroute ICMP"; ttl: 1; itype: 8; ) alert TCP !$HOME_NET any -> $HOME_NET any (msg:"IDS3 - MISC-Traceroute TCP"; ttl: 1; ) alert UDP !$HOME_NET any -> $HOME_NET any (msg:"IDS3 - MISC-Traceroute UDP"; ttl: 1; ) alert TCP !$HOME_NET any -> $HOME_NET 5631 (msg:"MISC-PCAnywhere Attempted Administrator Login"; flags: PA; content: "ADMINISTRATOR"; ) alert TCP !$HOME_NET 20 -> $HOME_NET :1023 (msg:"IDS6 - MISC-Source Port Traffic 20 TCP"; flags: S; ) alert UDP !$HOME_NET 53 -> $HOME_NET :52 (msg:"MISC-Source Port Traffic 0-52"; ) alert UDP !$HOME_NET 53 -> $HOME_NET 138:1023 (msg:"MISC-Source Port Traffic 138-1023"; ) alert TCP !$HOME_NET any -> $HOME_NET 32771 (msg:"MISC-Attempted Sun RPC high port access"; ) alert TCP !$HOME_NET any -> $HOME_NET 1417 (msg:"IDS229 - Insecure TIMBUKTU Password"; flags: PA; content: "|0500 3E|"; depth: 16; ) alert TCP $HOME_NET 5632 -> !$HOME_NET any (msg:"IDS240 - MISC-PCAnywhere Failed Login"; flags: PA; content: "Invalid login"; depth: 16; ) alert UDP !$HOME_NET 53 -> $HOME_NET 54:136 (msg:"MISC-Source Port Traffic 54-136"; ) alert TCP !$HOME_NET any -> $HOME_NET any (msg:"IDS421 - SourceRoute-TCP-lssre"; ipopts: lsrr; ) alert ICMP !$HOME_NET any -> $HOME_NET any (msg:"IDS174 - MISC-IRDP-Router-Selection(l0phtattack)"; itype: 10; ) alert ICMP !$HOME_NET any -> $HOME_NET any (msg:"IDS173 - MISC-IRDPRouterAdvertisement"; itype: 9; ) alert ICMP !$HOME_NET any -> $HOME_NET any (msg:"IDS199 - CVE-1999-0265 - MISC-ICMPRedirectNet"; itype: 5; icode: 0; ) alert ICMP !$HOME_NET any -> $HOME_NET any (msg:"IDS135 - CVE-1999-0265 - MISC-ICMPRedirectHost"; itype: 5; icode: 1; ) alert ICMP !$HOME_NET any -> !$HOME_NET any (msg:"IDS238 - Traceroute IPOPTS"; itype: 0; ipopts: rr; ) alert TCP !$HOME_NET 6000:6005 -> $HOME_NET any (msg:"IDS126 - Outgoing Xterm"; flags: SA; ) alert TCP !$HOME_NET any -> $HOME_NET 21 (msg:"MISC-Passwd-Attempt"; flags: PA; content: "passwd"; ) alert UDP !$HOME_NET any -> $HOME_NET !520 (msg:"IDS115 - MISC-Traceroute-UDP"; ttl: 1; ) alert UDP !$HOME_NET any -> $HOME_NET 5632 (msg:"IDS239 - MISC-PCAnywhere Startup"; content: "ST"; depth: 2; ) alert TCP !$HOME_NET !53 -> $HOME_NET 8080 (msg:"MISC-WinGate-8080-Attempt"; flags: S; ) alert TCP !$HOME_NET any -> $HOME_NET 617 (msg:"IDS261 - MISC DoS arkiea backup"; flags: PA; dsize: >1445; ) alert TCP !$HOME_NET any -> $HOME_NET 143 (msg:"IDS147 - CVE-1999-004 - IMAP-x86-linux-buffer-overflow"; flags: PA; content: "|E8C0 FFFF FF|/bin/sh"; ) alert TCP !$HOME_NET any -> $HOME_NET any (msg:"IDS181 - MISC - Shellcode X86 NOPS"; flags: PA; content: "|9090 9090 9090 9090 9090 9090 9090 9090 9090 9090 9090 9090|"; ) alert TCP !$HOME_NET any -> $HOME_NET any (msg:"IDS284 - MISC - Shellcode X86 Setgid0"; flags: PA; content: "|B0B5 CD80|"; ) alert TCP !$HOME_NET any -> $HOME_NET any (msg:"IDS283 - MISC - Shellcode X86 Setuid0"; flags: PA; content: "|B017 CD80|"; ) alert TCP !$HOME_NET any -> $HOME_NET any (msg:"IDS282 - MISC - Shellcode SPARC Setuid0"; flags: PA; content: "|8210 2017 91D0 2008|"; ) alert TCP !$HOME_NET any -> $HOME_NET any (msg:"VNC Active on Network"; flags: PA; content: "RFB 003.003"; ) alert TCP any any <> any 6699 (msg:"Napster Client Data"; flags: PA; content: ".mp3"; nocase; ) alert TCP any any <> any 8888 (msg:"Napster 8888 Data"; flags: PA; content: ".mp3"; nocase; ) alert TCP any any <> any 7777 (msg:"Napster 7777 Data"; flags: PA; content: ".mp3"; nocase; ) alert TCP any any <> any 6666 (msg:"Napster 6666 Data"; flags: PA; content: ".mp3"; nocase; ) alert TCP any any <> any 5555 (msg:"Napster 5555 Data"; flags: PA; content: ".mp3"; nocase; ) alert TCP any any <> any 4444 (msg:"Napster 4444 Data"; flags: PA; content: ".mp3"; nocase; ) alert TCP any any <> any 8875 (msg:"Napster Server Login"; flags: PA; content: "anon@napster.com"; ) alert TCP !$HOME_NET any -> $HOME_NET 9090 (msg:"MISC - Attempt at VQServer Admin"; flags: PA; content: "GET / HTTP/1.1"; nocase; ) alert TCP $HOME_NET 7161 -> !$HOME_NET any (msg:"IDS129 - CVE-1999-0430 - Cisco Catalyst Remote Access"; flags: SA; ) alert TCP !$HOME_NET !53 -> $HOME_NET 1080 (msg:"MISC-WinGate-1080-Attempt"; flags: S; ) alert TCP !$HOME_NET any -> $HOME_NET any (msg:"IDS423 - SourceRoute-TCP-ssrr"; ipopts: ssrr; ) alert ICMP !$HOME_NET any -> $HOME_NET any (msg:"IDS424 - Source routed packet"; ipopts: ssrr; ) alert ICMP !$HOME_NET any -> $HOME_NET any (msg:"IDS264 MISC DoS ath0"; content: "+++ath0"; nocase; itype: 8; ) alert TCP !$HOME_NET any -> $HOME_NET 8080 (msg:"IDS267 - Delegate proxy overflow"; flags: PA; content: "whois|3A|//"; nocase; dsize: >1000; ) alert UDP !$HOME_NET any -> $HOME_NET 9 (msg:"IDS262 - CVE-1999-0060 - Ascend Router DoS"; content: "|4E41 4D45 4E41 4D45|"; offset: 25; depth: 50; ) alert TCP !$HOME_NET any -> $HOME_NET 80 (msg:"IDS260 - MISC Annex Terminal DOS"; flags: PA; content: "ping?query"; dsize: >1446; ) alert TCP !$HOME_NET any -> $HOME_NET 139 (msg:"IDS204 - NT NULL session"; flags: PA; content: "|0000 0000 5700 6900 6E00 6400 6F00 7700 7300 2000 4E00 5400 2000 3100 3300 3800 31|"; ) alert ICMP !$HOME_NET any -> $HOME_NET any (msg:"IDS246 - MISC - Large ICMP Packet"; dsize: >800; ) alert UDP !$HOME_NET any -> $HOME_NET 161 (msg:"BUGTRAQ ID 1009 - Possible attempt at Bay/Nortel Nautica Marlin DoS"; dsize: 0; ) # NETBIOS alert tcp !$HOME_NET any -> $HOME_NET 139 (msg:"Possible RFParalyze Attempt"; flags:PA; content:"BEAVIS"; content:"yep yep";) alert udp !$HOME_NET any -> $HOME_NET 161 (msg:"NETBIOS-SNMP-NT-UserList"; content:"|2b 06 10 40 14 d1 02 19|";) alert tcp !$HOME_NET any -> $HOME_NET 139 (msg:"IDS334 - NETBIOS-SMB-IPC$access";flags:PA; content:"|5c00|I|00|P|00|C|00|$|000000|IPC|00|";) alert tcp !$HOME_NET any -> $HOME_NET 139 (msg:"IDS335 - NETBIOS-SMB-IPC$access";flags:PA; content:"\\IPC$|00 41 3a 00|";) alert tcp !$HOME_NET any -> $HOME_NET 139 (msg:"IDS336 - NETBIOS-SMB-D$access";flags:PA; content:"\\D$|00 41 3a 00|";) alert tcp !$HOME_NET any -> $HOME_NET 139 (msg:"IDS337 - NETBIOS-SMB-CD...";flags:PA; content:"\\...|00 00 00|";) alert tcp !$HOME_NET any -> $HOME_NET 139 (msg:"IDS338 - NETBIOS-SMB-CD..";flags:PA; content:"\\..|2f 00 00 00|";) alert tcp !$HOME_NET any -> $HOME_NET 139 (msg:"IDS339 - NETBIOS-SMB-C$access";flags:PA; content:"\\C$|00 41 3a 00|";) alert tcp !$HOME_NET any -> $HOME_NET 139 (msg:"IDS340 - NETBIOS-SMB-ADMIN$access";flags:PA; content:"\\ADMIN$|00 41 3a 00|";) alert tcp !$HOME_NET any -> $HOME_NET 139 (msg:"IDS341 - NETBIOS-Samba-clientaccess";flags:PA; content:"|00|Unix|00|Samba";) # OVERFLOWS alert TCP !$HOME_NET any -> $HOME_NET 7070 (msg:"IDS411 - Realaudio-DoS"; flags: PA; content: "|FFF4 FFFD 06|"; ) alert TCP !$HOME_NET any -> $HOME_NET 8080 (msg:"IDS414 - Delegate Proxy Overflow PSH"; flags: PA; content: "whois|3A|//"; nocase; dsize: >1000; ) alert TCP !$HOME_NET any -> $HOME_NET any (msg:"IDS359 - OVERFLOW-NOOP-HP-TCP2"; flags: PA; content: "|0B39 0280 0B39 0280 0B39 0280 0B39 0280|"; ) alert TCP !$HOME_NET any -> $HOME_NET any (msg:"IDS345 - OVERFLOW-NOOP-Sparc-TCP"; flags: PA; content: "|13C0 1CA6 13C0 1CA6 13C0 1CA6 13C0 1CA6|"; ) alert UDP !$HOME_NET any -> $HOME_NET any (msg:"IDS355 - OVERFLOW-NOOP-Sparc-UDP2"; content: "|A61C C013 A61C C013 A61C C013 A61C C013|"; ) alert UDP !$HOME_NET any -> $HOME_NET 518 (msg:"OVERFLOW-x86-linux-ntalkd"; content: "|0103 0000 0000 0001 0002 02E8|"; ) alert TCP !$HOME_NET any -> $HOME_NET 21 (msg:"OVERFLOW-FTP-generic1"; flags: PA; content: "|5057 440A 2F69|"; ) alert TCP !$HOME_NET any -> $HOME_NET 21 (msg:"OVERFLOW-FTP-generic2"; flags: PA; content: "|5858 5858 582F|"; ) alert TCP !$HOME_NET any -> $HOME_NET 21 (msg:"OVERFLOW-FTP-x86linux-duke"; flags: PA; content: "|31C0 31DB B017 CD80 31C0 B017 CD80|"; ) alert TCP !$HOME_NET any -> $HOME_NET 21 (msg:"OVERFLOW-FTP-x86linux-sekure"; flags: PA; content: "MKD AAAAAA"; ) alert TCP !$HOME_NET any -> $HOME_NET 21 (msg:"OVERFLOW-FTP-x86linux-smiler"; flags: PA; content: "|31DB 89D8 B017 CD80 EB2C|"; ) alert TCP !$HOME_NET any -> $HOME_NET 21 (msg:"OVERFLOW-FTP-x86linux-wh0a"; flags: PA; content: "|83EC 045E 83C6 7083 C628 D5E0 C0|"; ) alert TCP !$HOME_NET any -> $HOME_NET 25 (msg:"OVERFLOW-x86-windows-CSMMail"; flags: PA; content: "|EB53 EB20 5BFC 33C9 B182 8BF3 802B|"; ) alert TCP !$HOME_NET any -> $HOME_NET 2766 (msg:"OVERFLOW-x86-solaris-nlps"; flags: PA; content: "|EB23 5E33 C088 46FA 8946 F589 36|"; ) alert TCP !$HOME_NET any -> $HOME_NET 143 (msg:"OVERFLOW-x86-linux-imapd4"; flags: PA; content: "|EB34 5E8D 1E89 5E0B 31D2 8956 07|"; ) alert TCP !$HOME_NET any -> $HOME_NET 53 (msg:"OVERFLOW-DNS-sparc"; flags: PA; content: "|901A C00F 9002 2008 9202 200F D023 BFF8|"; ) alert TCP !$HOME_NET any -> $HOME_NET 53 (msg:"OVERFLOW-DNS-x86freebsd-rotsb"; flags: PA; content: "|EB6E 5EC6 069A 31C9 894E 01C6 4605|"; ) alert TCP !$HOME_NET any -> $HOME_NET 53 (msg:"OVERFLOW-DNS-x86linux-ADMv2"; flags: PA; content: "|89F7 29C7 89F3 89F9 89F2 AC3C FE|"; ) alert TCP !$HOME_NET any -> $HOME_NET 25 (msg:"OVERFLOW-x86-windows-MailMax"; flags: PA; content: "|EB45 EB20 5BFC 33C9 B182 8BF3 802B|"; ) alert TCP !$HOME_NET any -> $HOME_NET 139 (msg:"OVERFLOW-x86-linux-samba"; flags: PA; content: "|EB2F 5FEB 4A5E 89FB 893E 89F2|"; ) alert TCP !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-IRC-client-Chocoa"; flags: PA; content: "|EB4B 5B53 32E4 83C3 0B4B 8823 B850 77|"; ) alert TCP !$HOME_NET any -> $HOME_NET 109 (msg:"OVERFLOW-POP2-x86linux"; flags: PA; content: "|FFFF FF2F 4249 4E2F 5348 00|"; ) alert TCP !$HOME_NET any -> $HOME_NET 109 (msg:"OVERFLOW-POP2-x86linux2"; flags: PA; content: "|EB2C 5B89 D980 C106 39D9 7C07 8001|"; ) alert TCP !$HOME_NET any -> $HOME_NET 110 (msg:"OVERFLOW-POP3-x86bsd"; flags: PA; content: "|685D 5EFF D5FF D4FF F58B F590 6631|"; ) alert TCP !$HOME_NET any -> $HOME_NET 110 (msg:"OVERFLOW-POP3-x86bsd2"; flags: PA; content: "|5E0E 31C0 B03B 8D7E 0E89 FA89 F9|"; ) alert TCP !$HOME_NET any -> $HOME_NET 110 (msg:"OVERFLOW-POP3-x86linux"; flags: PA; content: "|D840 CD80 E8D9 FFFF FF|/bin/sh"; ) alert TCP !$HOME_NET any -> $HOME_NET 143 (msg:"OVERFLOW-x86-linux-imapd6"; flags: PA; content: "|EB38 5E89 F389 D880 4601 2080 4602|"; ) alert TCP !$HOME_NET any -> $HOME_NET 110 (msg:"OVERFLOW-QPOP"; flags: PA; content: "|E8D9 FFFF FF|/bin/sh"; ) alert TCP !$HOME_NET any -> $HOME_NET 143 (msg:"OVERFLOW-86-linux-imap1"; flags: PA; content: "|E8C0 FFFF FF|/bin/sh"; ) alert TCP !$HOME_NET any -> $HOME_NET 143 (msg:"OVERFLOW-x86-linux-imapd2"; flags: PA; content: "|89D8 40CD 80E8 C8FF FFFF|/"; ) alert TCP !$HOME_NET any -> $HOME_NET 143 (msg:"OVERFLOW-x86-linux-imapd3"; flags: PA; content: "|EB58 5E31 DB83 C308 83C3 0288 5E26|"; ) alert UDP !$HOME_NET any -> $HOME_NET 635 (msg:"OVERFLOW-x86-linux-mountd"; content: "|EB56 5E56 5656 31D2 8856 0B88 561E|"; ) alert TCP !$HOME_NET any -> $HOME_NET 143 (msg:"OVERFLOW-x86-linux-imapd5"; flags: PA; content: "|EB35 5E80 4601 3080 4602 3080 4603 30|"; ) alert TCP !$HOME_NET any -> $HOME_NET 53 (msg:"OVERFLOW-DNS-x86linux-ADMv3"; flags: PA; content: "|31C0 B002 CD80 85C0 754C EB4C 5EB0|"; ) alert TCP !$HOME_NET any -> $HOME_NET 110 (msg:"OVERFLOW-POP3-x86sco"; flags: PA; content: "|560E 31C0 B03B 8D7E 1289 F989 F9|"; ) alert TCP !$HOME_NET any -> $HOME_NET 53 (msg:"OVERFLOW-Named-ADM-NXT - 8.2->8.2.1"; flags: PA; content: "../../../../../../../../../"; ) alert TCP !$HOME_NET any -> $HOME_NET 53 (msg:"OVERFLOW-DNS-x86linux-rotsb"; flags: PA; content: "|31C0 B03F 31DB B3FF 31C9 CD80 31C0|"; ) alert UDP !$HOME_NET any -> $HOME_NET any (msg:"IDS344 - OVERFLOW-NOOP-Solaris-UDP"; content: "|801C 4011 801C 4011 801C 4011 801C 4011|"; ) alert TCP !$HOME_NET any -> $HOME_NET any (msg:"IDS353 - OVERFLOW-NOOP-Solaris-TCP"; content: "|801C 4011 801C 4011 801C 4011 801C 4011|"; ) alert UDP !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-Sparc-UDP"; content: "|13C0 1CA6 13C0 1CA6 13C0 1CA6 13C0 1CA6|"; ) alert TCP !$HOME_NET any -> $HOME_NET any (msg:"IDS355 - OVERFLOW-NOOP-Sparc-TCP2"; content: "|A61C C013 A61C C013 A61C C013 A61C C013|"; ) alert UDP !$HOME_NET any -> $HOME_NET any (msg:"IDS181 - OVERFLOW-NOOP-X86"; content: "|9090 9090 9090 9090 9090 9090 9090 9090|"; ) alert UDP !$HOME_NET any -> $HOME_NET any (msg:"IDS357 - OVERFLOW-NOOP-SGI-UDP"; content: "|240F 1234 240F 1234 240F 1234 240F 1234|"; ) alert TCP !$HOME_NET any -> $HOME_NET 53 (msg:"OVERFLOW-Named-ADM-NXT - 8.2->8.2.1"; flags: PA; content: "thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool"; ) alert TCP !$HOME_NET any -> $HOME_NET any (msg:"IDS356 - OVERFLOW-NOOP-SGI-TCP"; flags: PA; content: "|03E0 F825 03E0 F825 03E0 F825 03E0 F825|"; ) alert TCP !$HOME_NET 80 -> $HOME_NET any (msg:"IDS215 - OVERFLOW - Client - netscape47-retrieved"; flags: PA; content: "|33C9 B110 3FE9 0651 3CFA 4733 C050 F7D0 50|"; ) alert TCP $HOME_NET any -> !$HOME_NET 80 (msg:"IDS214 - OVERFLOW - Client - netscape47-unsucessful"; flags: PA; content: "|33C9 B110 3FE9 0651 3CFA 4733 C050 F7D0 50|"; ) alert TCP !$HOME_NET any -> $HOME_NET 25 (msg:"IDS273 - Sniffit overflow"; flags: PA; content: "from|3A90 9090 9090 9090 9090 9090|"; nocase; dsize: >512; ) alert TCP !$HOME_NET any -> $HOME_NET 80 (msg:"IDS275 - Cisco Web Crash"; flags: PA; content: "|202F 2525|"; depth: 16; ) alert TCP !$HOME_NET any -> $HOME_NET 119 (msg:"IDS274 - NNTP Cassandra Overflow"; flags: PA; content: "AUTHINFO USER"; nocase; depth: 16; dsize: >512; ) alert TCP !$HOME_NET any -> $HOME_NET 32771:34000 (msg:"IDS242 - RPC ttdbserv Solaris Overflow"; flags: PA; content: "|C022 3FFC A202 2009 C02C 7FFF E222 3FF4|"; dsize: >999; ) alert TCP !$HOME_NET any -> $HOME_NET 53 (msg:"OVERFLOW-Named-ADM-NXT - 8.2->8.2.1"; flags: PA; content: "ADMROCKS"; ) alert UDP !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-AIX"; content: "|4FFF FB82 4FFF FB82 4FFF FB82 4FFF FB82|"; ) alert TCP !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NextFTP-client"; flags: PA; content: "|B420 B421 8BCC 83E9 048B 1933 C966 B910|"; ) alert TCP !$HOME_NET any -> $HOME_NET 53 (msg:"OVERFLOW-DNS-x86linux-generic"; flags: PA; content: "|CD80 E8D7 FFFF FF|/bin/sh"; ) alert UDP !$HOME_NET any -> $HOME_NET 635 (msg:"OVERFLOW-x86-linux-mountd2"; content: "|5EB0 0289 06FE C889 4604 B006 8946|"; ) alert UDP !$HOME_NET any -> $HOME_NET 635 (msg:"OVERFLOW-x86-linux-mountd3"; content: "|EB40 5E31 C040 8946 0489 C340 8906|"; ) alert TCP !$HOME_NET any -> $HOME_NET 6373 (msg:"OVERFLOW-sco-calserver"; flags: PA; content: "|EB7F 5D55 FE4D 98FE 4D9B|"; ) alert UDP !$HOME_NET any -> $HOME_NET 67 (msg:"OVERFLOW-BOOTP-x86bsd"; content: "|6563 686F 206E 6574 726A 7320 7374 7265|"; ) alert TCP !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-SGI"; flags: PA; content: "|240F 1234 240F 1234 240F 1234 240F 1234|"; ) alert UDP !$HOME_NET any -> $HOME_NET any (msg:"IDS343 - OVERFLOW-LinuxCommonUDP"; content: "|9090 90E8 C0FF FFFF|/bin/sh"; ) alert TCP !$HOME_NET any -> $HOME_NET any (msg:"OVERFLOW-NOOP-AIX"; flags: PA; content: "|4FFF FB82 4FFF FB82 4FFF FB82 4FFF FB82|"; ) alert UDP !$HOME_NET any -> $HOME_NET any (msg:"IDS352 - OVERFLOW-NOOP-Digital-UDP"; content: "|47FF 041F 47FF 041F 47FF 041F 47FF 041F|"; ) alert TCP !$HOME_NET any -> $HOME_NET any (msg:"IDS361 - OVERFLOW-NOOP-Digital-TCP"; flags: PA; content: "|47FF 041F 47FF 041F 47FF 041F 47FF 041F|"; ) alert TCP !$HOME_NET any -> $HOME_NET any (msg:"IDS358 - OVERFLOW-NOOP-HP-TCP"; content: "|0821 0280 0821 0280 0821 0280 0821 0280|"; ) alert UDP !$HOME_NET any -> $HOME_NET any (msg:"IDS349 - OVERFLOW-NOOP-HP-UDP"; content: "|0821 0280 0821 0280 0821 0280 0821 0028 0|"; ) alert UDP !$HOME_NET any -> $HOME_NET any (msg:"IDS350 - OVERFLOW-NOOP-HP-UDP2"; content: "|0B39 0280 0B39 0280 0B39 0280 0B39 0280|"; ) alert UDP !$HOME_NET any -> $HOME_NET 67 (msg:"OVERFLOW-BOOTP--x86linux"; content: "|4139 30C0 A801 012F 6269 6E2F 7368 00|"; ) # PING alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS167 - PING TJPingPro1.1Build 2 Windows"; content:"|544a 5069 6e67 5072 6f20 6279 204a 696d|";itype:8;depth:32;) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS152 - PING BSD"; content: "|08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17|"; itype: 8; depth: 32;) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS153 - PING Cisco Type.x"; content:"|abcdabcdabcdabcdabcdabcdabcdabcd|";itype:8;depth:32;) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS154 - PING CyberKit 2.2 Windows"; content:"|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|";itype:8;depth:32;) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS155 - PING Delphi-Piette Windows"; content:"|50696e67696e672066726f6d2044656c|";itype:8;depth:32;) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS157 - PING IP NetMonitor Macintosh"; content:"|a9205375737461696e61626c6520536f|";itype:8;depth:32;) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS158 - PING ISS Pinger"; content:"|495353504e475251|";itype:8;depth:32;) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS159 - PING Microsoft Windows"; content:"|6162636465666768696a6b6c6d6e6f70|";itype:8;depth:32;) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS161 - PING Network Toolbox 3 Windows"; content:"|3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d|";itype:8;depth:32;) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS162 - PING Nmap2.36BETA";itype:8;dsize:0;) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"PING *NIX Type"; content:"|101112131415161718191a1b1c1d1e1f|";itype:8;depth:32;) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS163 - PING Pinger Windows"; content:"|44617461000000000000000000000000|";itype:8;depth:32;) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS151 - PING BeOS4.x"; content:"|00000000000000000000000008090a0b|";itype:8;depth:32;) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS166 - PING Seer Windows"; content:"|88042020202020202020202020202020|";itype:8;depth:32;) alert icmp !$HOME_NET any <> $HOME_NET any (msg:"ICMP Message"; itype:18;) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS168 - PING WhatsupGold Windows"; content:"|5768 6174 7355 7020 2d20 4120 4e65 7477|";itype:8;depth:32;) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS169 - PING Windows Type"; content: "|61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70|"; itype: 8; depth: 32;) alert tcp !$HOME_NET any -> $HOME_NET any (msg:"IDS28 - PING NMAP TCP";flags:A;ack:0;) alert icmp !$HOME_NET any <> $HOME_NET any (msg:"ICMP Destination Unreachable"; itype:3;) alert icmp !$HOME_NET any <> $HOME_NET any (msg:"PING-ICMP Source Quench"; itype:4;) alert icmp !$HOME_NET any <> $HOME_NET any (msg:"PING-ICMP Time Exceeded"; itype:11;) alert icmp !$HOME_NET any <> $HOME_NET any (msg:"ICMP Parameter Problem"; itype:12;) alert icmp !$HOME_NET any <> $HOME_NET any (msg:"IDS416 - ICMP Timestamp"; itype:13;) alert icmp !$HOME_NET any <> $HOME_NET any (msg:"IDS417 - ICMP Information Request"; itype:15;) alert icmp !$HOME_NET any <> $HOME_NET any (msg:"ICMP Information Reply"; itype:16;) alert icmp !$HOME_NET any <> $HOME_NET any (msg:"IDS216 - PING-ICMP Subnet Mask Request"; itype:17;) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"IDS164 - PING Ping-O-MeterWindows"; content:"|4f4d 6574 6572 4f62 6573 6541 726d 6164|";itype:8;depth:32;) # RPC alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS25 - RPC - portmap-request-selection_svc"; content:"|01 86 AF 00 00|";offset:40;depth:8;) alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS19 - RPC - portmap-request-amountd"; content:"|01 87 03 00 00|";offset:40;depth:8;) alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS16 - RPC - portmap-request-bootparam"; content:"|01 86 BA 00 00|";offset:40;depth:8;) alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS17 - RPC - portmap-request-cmsd"; content:"|01 86 E4 00 00|";offset:40;depth:8;) alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS13 - RPC - portmap-request-mountd"; content:"|01 86 A5 00 00|";offset:40;depth:8;) alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS21 - RPC - portmap-request-nisd"; content:"|01 87 cc 00 00|";offset:40;depth:8;) alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS22 - RPC - portmap-request-pcnfsd"; content:"|02 49 f1 00 00|";offset:40;depth:8;) alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS23 - RPC - portmap-request-rexd";content:"|01 86 B1 00 00|";offset:40;depth:8;) alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS10 - RPC - portmap-request-rstatd"; content:"|01 86 A1 00 00|";offset:40;depth:8;) alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS18 - RPC - portmap-request-admind"; content:"|01 86 F7 00 00|";offset:40;depth:8;) alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS20 - RPC - portmap-request-sadmind"; content:"|01 87 88 00 00|";offset:40;depth:8;) alert tcp !$HOME_NET any -> $HOME_NET 111 (msg:"RPC Info Query"; content:"|00 01 86 A0 00 00 00 02 00 00 00 04|";) alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS15 - RPC - portmap-request-status"; content:"|01 86 B8 00 00|";offset:40;depth:8;) alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS24 - RPC - portmap-request-ttdbserv"; content:"|01 86 F3 00 00|";offset:40;depth:8;) alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS14 - RPC - portmap-request-yppasswd"; content:"|01 86 A9 00 00|";offset:40;depth:8;) alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS12 - RPC - portmap-request-ypserv"; content:"|01 86 A4 00 00|";offset:40;depth:8;) alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS125 - RPC - portmap-request-ypupdated"; content:"|01 86 BC 00 00|";offset:40;depth:8;) alert udp !$HOME_NET any -> $HOME_NET 32770: (msg:"IDS09 - RPC-rstatd-query"; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|";offset:5;) alert tcp !$HOME_NET any -> $HOME_NET 634:1400 (msg:"IDS217 - RPC AMD Overflow"; flags:PA; content: "|80 00 04 2C 4C 15 75 5B 00 00 00 00 00 00 00 02|";depth: 32; ) alert tcp !$HOME_NET any -> $HOME_NET 32771:34000 (msg:"IDS241 - CVE-1999-0003 - RPC ttdbserv Solaris Kill"; flags: PA; content: "|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|";offset: 16; depth: 32;) alert tcp !$HOME_NET any -> $HOME_NET 32771:34000 (msg:"IDS242 - CVE-1999-0003 - RPC ttdbserv Solaris Overflow"; flags: PA; dsize: >999; content: "|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|";) alert udp !$HOME_NET any -> $HOME_NET 111 (msg:"IDS133 - RPC - portmap-request-rusers"; content:"|01 86 A2 00 00|";offset:40;depth:8;) # SCAN alert tcp !$HOME_NET any -> $HOME_NET 80 (msg: "IDS415 - WEB - Whisker Splicing Attack TAB"; dsize: <5; flags: AP; content: "|09|";) alert udp !$HOME_NET any -> $HOME_NET 49 (msg: "IDS408 - XTACACS-logout"; content: "|8007 0000 0700 0004 0000 0000 00|";) alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"IDS372 - SCAN-Cybercop-SMTPehlo";flags:PA; content:"ehlo cybercop|0a|quit|0a|";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS374 - SCAN-Cybercop-WEB";flags:PA; content:"get /cybercop";) alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"IDS371 - SCAN-Cybercop-SMTPexpn";flags:PA; content:"expn cybercop";) alert udp !$HOME_NET any -> $HOME_NET 7 (msg:"IDS363 - SCAN-Cybercop-UDP-bomb"; content:"cybercop";) alert udp !$HOME_NET any -> $HOME_NET any (msg: "IDS308 - SCAN - Webtrends Scanner UDP Probe"; content: "|0A 68 65 6C 70 0A 71 75 69 74 0A|";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg: "IDS310 - SCAN - L3retriever HTTP Probe"; content: "User-Agent|3a| Java1.2.1|0d0a|"; flags: AP;) alert icmp !$HOME_NET any -> $HOME_NET any (msg: "IDS311 - SCAN - L3retriever Ping"; content: "ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; itype: 8; icode: 0; depth: 32;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg: "IDS309 - SCAN - Webtrends HTTP Probe"; content: "User-Agent|3a| Webtrends Security Analyzer|0d0a|"; flags: AP;) alert icmp !$HOME_NET any -> $HOME_NET any (msg: "IDS307 - SCAN - Webtrends Scanner Ping"; content: "|00 00 00 00 45 45 45 45 45 45 45 45 45 45 45 45|"; itype: 8; icode: 0;) alert tcp !$HOME_NET any -> $HOME_NET 113 (msg: "IDS303 - SCAN - ident Version Probe"; flags:PA; content: "VERSION|0A|"; depth: 16;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg: "IDS301 - SCAN -Nessus 404 Check"; flags: PA; content: "GET /nessus_is_probing_you_"; depth: 32;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg: "IDS296 - SCAN - Whisker Splicing Attack"; content: "|20|"; flags: AP; dsize: 1;) alert udp !$HOME_NET any -> $HOME_NET 53 (msg: "IDS278 - SCAN -named Version probe"; content: "|07|version|04|bind|00 0010 0003|"; nocase; offset: 12; depth: 32;) alert udp !$HOME_NET any -> $HOME_NET 10080:10081 (msg:"SCAN - Possible Amanda Client Version Query"; content:"Amanda"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET any (msg:"IDS150 - SCAN-Cybercop OS Probe sfu12"; content: "AAAAAAAAAAAAAAAA"; flags: SFU12; ack: 0; depth: 16;) alert tcp !$HOME_NET any -> $HOME_NET any (msg:"IDS198 - SCAN-SYN FIN";flags:SF;) alert icmp !$HOME_NET any -> $HOME_NET any (msg:"SCAN-ICMP Sniffer Pro/NetXRay network scan"; content:"|43696e636f204e6574776f726b2c20496e632e|"; itype: 8; depth: 32;) alert tcp !$HOME_NET any -> $HOME_NET any (msg:"IDS149 - SCAN-Cybercop OS Probe pa12"; content: "AAAAAAAAAAAAAAAA"; flags: AP12; depth: 16;) alert tcp !$HOME_NET any -> $HOME_NET any (msg:"IDS29 - SCAN-Possible Queso Fingerprint attempt";flags:S12;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS145 - SCAN-Cybercop-OS-Probe sfp"; content: "AAAAAAAAAAAAAAAA"; flags: SFP; ack: 0; depth: 16;) alert tcp !$HOME_NET any -> $HOME_NET any (msg:"IDS27 - SCAN-FIN"; flags: F;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS146 - SCAN-Cybercop OS Probe sf12"; flags: SF12; dsize: 0;) alert tcp !$HOME_NET any -> $HOME_NET any (msg:"IDS05 - SCAN-Possible NMAP Fingerprint attempt";flags:SFPU;) alert tcp !$HOME_NET any -> $HOME_NET any (msg:"IDS04 - SCAN-NULL Scan";flags:0; seq:0; ack:0;) alert tcp !$HOME_NET any -> $HOME_NET any (msg:"IDS144 - SCAN-FullXMASScan";flags:SRAFPU;) alert tcp !$HOME_NET any -> $HOME_NET 79 (msg:"IDS132 - CVE-1999-0612 - Cybercop Finger Query"; content: "|0A 20 20 20 20 20|"; flags: AP; depth: 10;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth Mode 8- cfappman access attempt"; content:"/cfappman\\index.cfm"; nocase; flags: PA;) alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"IDS329 - SCAN-SATAN-FTPcheck";flags:PA; content:"pass -satan";) alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"IDS330 - SCAN-SAINT-FTPcheck";flags:PA; content:"pass -saint";) alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"SCAN-pISS-FTPcheck";flags:PA; content:"pass -cklaus";) alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"IDS331 - SCAN-ISS-FTPcheck";flags:PA; content:"pass -iss@iss";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"SCAN-Whisker!";flags:PA; content:"HEAD/./";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth- Shopping cart access attempt"; content:"/quikstore.cfg"; nocase; flags: PA;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth- BigConf access attempt"; content:"/bigconf.cgi"; nocase; flags: PA;) alert tcp !$HOME_NET any -> $HOME_NET 80 (dsize: > 512; msg:"SCAN - Whisker Stealth Mode 4- HEAD"; content:"HEAD"; offset: 0; depth: 4; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (dsize: > 512; msg:"SCAN - Whisker Stealth Mode 4- head"; content:"|68 65 61 64|"; offset: 0; depth: 4;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth- Start Stop Web access attempt"; content:"/cfide/administrator/startstop.html"; nocase; flags: PA;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth- cfappman access attempt"; content:"/cfappman/index.cfm"; nocase; flags: PA;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth - Mall log order access attempt"; content:"/mall_log_files/order.log"; nocase; flags: PA;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CVE-1999-0149 - SCAN - Whisker Stealth Mode 8- wrap CGI access attempt"; content:"/cgi-bin\\wrap"; nocase; flags: PA;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth- Order log access attempt"; content:"/admin_files/order.log"; nocase; flags: PA;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth- WS_FTP.INI access attempt "; content:"/ws_ftp.ini"; nocase; flags: PA;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth- mylog access attempt"; content:"/mylog.phtml"; nocase; flags: PA;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth Mode 8- Handler CGI access attempt"; content:"/cgi-bin\\handler"; nocase; flags: PA;) alert tcp !$HOME_NET any -> $HOME_NET any (msg:"IDS236 - SCAN-IP Eye SYN Scan"; flags: S; seq: 1958810375;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth Mode 8- DBML Parser access attempt"; content:"/cfide\\administrator\\startstop.html"; nocase; flags: PA;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth- IIS search97 access attempt"; content:"/search97.vts"; nocase; flags: PA;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth Mode 8- Mall log order access attempt"; content:"/mall_log_files\\order.log"; nocase; flags: PA;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth Mode 8- Start Stop Web access attempt"; content:"/cfide\\administrator\\startstop.html"; nocase; flags: PA;) alert tcp !$HOME_NET any -> $HOME_NET 21 (msg:"IDS332 - SCAN-ADM-FTPcheck";flags:PA; content:"PASS ddd@|0a|";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth- mlog access attempt"; content:"/mlog.phtml"; nocase; flags: PA;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CVE-1999-0039 - SCAN - Whisker Stealth Mode 8- Web Distribution access attempt"; content:"/cgi-bin\\webdist.cgi"; nocase; flags: PA;) alert tcp !$HOME_NET any -> $HOME_NET 32771: (msg:"IDS26 - NFS Showmount"; flags:PA; content: "|00 01 86 A5 00 00 00 01 00 00 00 05 00 00 00 01|"; offset: 16; depth: 32;) alert udp !$HOME_NET any -> $HOME_NET 53 (msg:"IDS277 - NAMED Iquery Probe"; content: "|0980 0000 0001 0000 0000|"; offset: 2; depth: 16;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth Mode 8- Order log access attempt"; content:"/admin_files\\order.log"; nocase; flags: PA;) # SMTP alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"IDS373 - SMTP-vrfy-decode";flags:PA; content:"vrfy decode";) alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"IDS32 - SMTP-expn-decode";flags:PA; content:"expn decode";) alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"IDS124 - SMTP-exploit8610ha";flags:PA; content:"Croot|09090909090909|Mprog,P=/bin";) alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"IDS139 - CVE-1999-0204 - SMTP-exploit869a";flags:PA; content:"|0a|C|3a|daemon|0a|R";) alert tcp !$HOME_NET 113 -> $HOME_NET 25 (msg:"IDS140 - CVE-1999-0204 - SMTP-exploit869b";flags:PA; content:"|0a|D/";) alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"IDS142 - CVE-1999-0204 - SMTP-exploit869d";flags:PA; content:"|0a|Croot|0a|Mprog";) alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"IDS120 - SMTP-exploit41";flags:PA; content:"rcpt to|3a207c| sed '1,/^$/d'|7c|";) alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"IDS119 - SMTP-exploit555";flags:PA; content:"mail from|3a20227c|";) alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"IDS123 - SMTP-exploit8610";flags:PA; content:"Croot|0d0a|Mprog, P=/bin/";) alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"IDS122 - SMTP-exploit565";flags:PA; content:"MAIL FROM|3a207c|/usr/ucb/tail";) alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"IDS266 - CAN-1999-0261 - SMTP Chameleon Overflow"; content: "HELP "; nocase; flags: PA; dsize: >500; depth: 5;) alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"IDS31 - SMTP-expn-root";flags:PA; content:"expn root";) alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"IDS143 - CVE-1999-0208 - SMTP-MajordomoIFS";flags:PA; content:"eply-to|3a| a~.`/bin/";) alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"IDS141 - CVE-1999-0204 - SMTP-exploit869c";flags:PA; content:"|0a|Croot|0d0a|Mprog";) alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"IDS172 - CVE-1999-0095 - SMTP Exploit558"; flags: PA; content: "|7c 73 65 64 20 2d 65 20 27 31 2c 2f 5e 24 2f 27|";) alert tcp $HOME_NET 25 -> !$HOME_NET any (msg:"IDS249 - SMTP Relaying Denied"; flags:AP; content: "5.7.1"; depth:70;) alert tcp !$HOME_NET any -> $HOME_NET 25 (msg:"IDS121 - SMTP-exploit564";flags:PA; content:"rcpt to|3a| decode";) # TELNET alert tcp !$HOME_NET any -> $HOME_NET 23 (msg:"IDS369 - TELNET - resolv_host_conf";flags:PA; content:"resolv_host_conf";) alert tcp !$HOME_NET any -> $HOME_NET 23 (msg:"IDS370 - TELNET - Livingston-DoS";flags:PA; content:"|fff3 fff3 fff3 fff3 fff3|";) alert tcp !$HOME_NET any -> $HOME_NET 23 (msg:"IDS367 - TELNET - ld_library_path";flags:PA; content:"ld_library_path";) alert tcp $HOME_NET 23 -> !$HOME_NET any (msg:"IDS366 - TELNET - WinGate-Active"; content:"WinGate>"; flags:PA;) alert tcp $HOME_NET 23 -> !$HOME_NET any (msg:"IDS365 - TELNET - NotOnConsole"; flags:PA; content:"not on system console"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 23 (msg: "IDS304 - TELNET - SGI telnetd format bug"; flags:PA; content: "_RLD"; content: "/bin/sh";) alert tcp $HOME_NET 23 -> !$HOME_NET any (msg:"TELNET - Attempted SU from wrong group"; content: "|74 6F 20 73 75 20 72 6F 6F 74 2E|";) alert tcp $HOME_NET 23 -> !$HOME_NET any (msg:"IDS127 - TELNET - Login Incorrect"; content:"Login incorrect"; flags:PA;) alert tcp $HOME_NET 23 -> !$HOME_NET any (msg:"IDS08 - TELNET - daemon-active";flags:PA; content:"|FF FD 18 FF FD 1F FF FD 23 FF FD 27 FF FD 24|";) # VIRUS alert tcp any 110 -> $HOME_NET any (msg:"MAILVIRUS - Possible Incoming eurocalculator.exe file"; content: "filename="; content:"eurocalculator.exe"; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"MAILVIRUS - Possible Outgoing eurocalculator.exe file"; content: "filename="; content:"eurocalculator.exe"; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"MAILVIRUS - Successful eurocalculator execution"; flags:PA; content: "funguscrack@hotmail.com"; nocase;) alert tcp any any -> any 25 (msg:"VIRUS - Possible Pikachu Pokemon Virus"; flags:PA; content:"Pikachu Pokemon";) alert tcp any any -> any 110 (msg:"VIRUS - Possible Pikachu Pokemon Virus"; flags:PA; content:"Pikachu Pokemon";) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Simbiosis Worm"; content: "filename=\"SETUP.EXE\""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Tune.vbs"; content: "filename=\"tune.vbs""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NAIL Worm"; content:"|4D 61 72 6B 65 74 20 73 68 61 72 65 20 74 69 70 6F 66 66|";) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NAIL Worm"; content: "|6E 61 6D 65 20 3D 22 57 57 49 49 49 21|";) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NAIL Worm"; content:"|4E 65 77 20 44 65 76 65 6C 6F 70 6D 65 6E 74 73|";) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NAIL Worm"; content:"|47 6F 6F 64 20 54 69 6D 65 73|";) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Papa Worm"; content:"filename=\"XPASS.XLS\""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Suppl Worm"; content:"filename=\"Suppl.doc\""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming wscript.KakWorm"; content: "filename=\"KAK.HTA""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Triplesix Worm"; content: "filename=\"666TEST.VBS\""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Y2K Zelu Trojan"; content: "filename=\"Y2K.EXE""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming BADASS Worm"; content: "|6E 61 6D 65 20 3D 22 42 41 44 41 53 53 2E 45 58 45 22|";) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming ExploreZip.B Worm"; content: "|6E 61 6D 65 20 3D 22 46 69 6C 65 5F 7A 69 70 70 61 74 69 2E 65 78 65 22|";) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Video Worm"; content: "filename=\"VIDEO.EXE\""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Freelink Worm"; content:"|4C 49 4E 4B 53 2E 56 42 53|";) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NewApt.Worm - panther.exe"; content: "filename=\"PANTHER.EXE\""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NewApt.Worm - copier.exe"; content: "filename=\"COPIER.EXE\""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NewApt.Worm - chestburst.exe"; content: "filename=\"CHESTBURST.EXE\""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NewApt.Worm - boss.exe"; content: "filename=\"BOSS.EXE\""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NewApt.Worm - monica.exe"; content: "filename=\"MONICA.EXE\""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NewApt.Worm - saddam.exe"; content: "filename=\"SADDAM.EXE\""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Word Macro - VALE"; content: "filename=\"DINHEIRO.DOC""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NewApt.Worm - hog.exe"; content: "filename=\"HOG.EXE\""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Word Macro - VALE"; content: "filename=\"MONEY.DOC""; nocase;) alert tcp !$HOME_NET 110 -> $HOME_NET any (msg:"Virus - Possible Incoming IROK Worm"; content:"filename=\"irok.exe\""; nocase;) alert tcp any any -> $HOME_NET 6667 (flags: PA; content: "USER "; nocase; offset:0; depth:5; content: " "; offset:11; depth:1; content: " "; offset: 18; depth:1; content: " :"; offset: 26; depth: 2; msg: "PrettyPark activity!";) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Fix2001 Worm"; content:"filename=\"Fix2001.exe\""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NewApt.Worm - gadget.exe"; content: "filename=\"GADGET.EXE\""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming The_Fly Trojan"; content: "filename=\"THE_FLY.CHM""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Passion Worm"; content: "filename=\"ICQ_GREETINGS.EXE\""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NewApt.Worm - party.exe"; content: "filename=\"PARTY.EXE\""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NewApt.Worm - cooler3.exe"; content: "filename=\"COOLER3.EXE\""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NewApt.Worm - party.exe"; content: "filename=\"PARTY.EXE\""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NewApt.Worm - hog.exe"; content: "filename=\"HOG.EXE\""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NewApt.Worm - goal1.exe"; content: "filename=\"GOAL1.EXE\""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NewApt.Worm - pirate.exe"; content: "filename=\"PIRATE.EXE\""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NewApt.Worm - video.exe"; content: "filename=\"VIDEO.EXE\""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming MyPics Worm"; content: "|6E 61 6D 65 20 3D 22 70 69 63 73 34 79 6F 75 2E 65 78 65 22|";) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NewApt.Worm - cooler1.exe"; content: "filename=\"COOLER1.EXE\""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NewApt.Worm - boss.exe"; content: "filename=\"BOSS.EXE\""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NewApt.Worm - g-zilla.exe"; content: "filename=\"G-ZILLA.EXE\""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming ToadieE-mail Trojan"; content:"filename=\"Toadie.exe\""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming PrettyPark Trojan"; content:"\\CoolProgs\\";offset:300;depth:750;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Happy99 Virus"; content:"X-Spanska\:Yes";) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming CheckThis Trojan"; content:"|6E 61 6D 65 20 3D 22 6C 69 6E 6B 73 2E 76 62 73 22|";) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Bubbleboy Worm"; content:"BubbleBoy is back!";) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NewApt.Worm - copier.exe"; content: "filename=\"COPIER.EXE\""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NewApt.Worm - baby.exe"; content: "filename=\"BABY.EXE\""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NewApt.Worm - theobbq.exe"; content: "filename=\"THEOBBQ.EXE\""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Babylonia - X-MAS.exe"; content: "|6E 61 6D 65 20 3D 22 58 2D 4D 41 53 2E 45 58 45 22|";) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NewApt.Worm - farter.exe"; content: "filename=\"FARTER.EXE\""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NewApt.Worm - irnglant.exe"; content: "filename=\"IRNGLANT.EXE\""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NewApt.Worm - casper.exe"; content: "filename=\"CASPER.EXE\""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NewApt.Worm - fborfw.exe"; content: "filename=\"FBORFW.EXE\""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NewApt.Worm - saddam.exe"; content: "filename=\"SADDAM.EXE\""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NewApt.Worm - bboy.exe"; content: "filename=\"BBOY.EXE\""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NewApt.Worm - monica.exe"; content: "filename=\"MONICA.EXE\""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NewApt.Worm - goal.exe"; content: "filename=\"GOAL.EXE\""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NewApt.Worm - theobbq.exe"; content: "filename=\"THEOBBQ.EXE\""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NewApt.Worm - panther.exe"; content: "filename=\"PANTHER.EXE\""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NewApt.Worm - chestburst.exe"; content: "filename=\"CHESTBURST.EXE\""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NewApt.Worm - farter.exe"; content: "filename=\"FARTER.EXE\""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Common Sense Worm"; content: "|6E 61 6D 65 20 3D 22 54 48 45 5F 46 4C 59 2E 43 48 4D 22|";) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming NewApt.Worm - cupid2.exe"; content: "filename=\"CUPID2.EXE\""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Simbiosis Worm"; content: "filename=\"SETUP.EXE\""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NewApt.Worm - gadget.exe"; content: "filename=\"GADGET.EXE\""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Resume Worm"; content: "filename=\"RESUME1.DOC\""; nocase;) alert tcp any any -> any 25 (msg:"Possible MailVirus - Outgoing .VBS"; content:"multipart"; content:"name="; content:".vbs"; nocase;) alert tcp any 110 -> any any (msg:"Possible MailVirus - Incoming .VBS"; content:"multipart"; content:"name="; content:".vbs"; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing MyPics Worm"; content: "|6E 61 6D 65 20 3D 22 70 69 63 73 34 79 6F 75 2E 65 78 65 22|";) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Resume Worm"; content: "filename=\"Explorer.doc\""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Triplesix Worm"; content: "filename=\"666TEST.VBS\""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Resume Worm"; content: "filename=\"Explorer.doc\""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing BADASS Worm"; content: "|6E 61 6D 65 20 3D 22 42 41 44 41 53 53 2E 45 58 45 22|";) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Suppl Worm"; content:"filename=\"Suppl.doc\""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing ExploreZip.B Worm"; content: "|6E 61 6D 65 20 3D 22 46 69 6C 65 5F 7A 69 70 70 61 74 69 2E 65 78 65 22|";) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Passion Worm"; content: "filename=\"ICQ_GREETINGS.EXE\""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NewApt.Worm - fborfw.exe"; content: "filename=\"FBORFW.EXE\""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Common Sense Worm"; content: "|6E 61 6D 65 20 3D 22 54 48 45 5F 46 4C 59 2E 43 48 4D 22|";) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Freelink Worm"; content:"|4C 49 4E 4B 53 2E 56 42 53|";) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Worm - txt.vbs file"; content: "filename="; content:".txt.vbs"; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Worm - xls.vbs file"; content: "filename="; content:".xls.vbs"; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Worm - jpg.vbs file"; content: "filename="; content:".jpg.vbs"; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Worm - doc.vbs file"; content: "filename="; content:".doc.vbs"; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Worm - txt.vbs file"; content: "filename="; content:".txt.vbs"; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Worm - gif.vbs file"; content: "filename="; content:".gif.vbs"; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Resume Worm"; content: "filename=\"RESUME1.DOC\""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Worm - xls.vbs file"; content: "filename="; content:".xls.vbs"; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Babylonia - X-MAS.exe"; content: "|6E 61 6D 65 20 3D 22 58 2D 4D 41 53 2E 45 58 45 22|";) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Worm - jpg.vbs file"; content: "filename="; content:".jpg.vbs"; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Worm - gif.vbs file"; content: "filename="; content:".gif.vbs"; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Timofonica Worm"; content: "filename=\"TIMOFONICA.TXT.vbs\""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Timofonica Worm"; content: "filename=\"TIMOFONICA.TXT.vbs\""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Resume Worm"; content: "filename=\"NORMAL.DOT\""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Resume Worm"; content: "filename=\"NORMAL.DOT\""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possible Incoming Worm - doc.vbs file"; content: "filename="; content:".doc.vbs"; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NewApt.Worm - g-zilla.exe"; content: "filename=\"G-ZILLA.EXE\""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Bubbleboy Worm"; content:"BubbleBoy is back!";) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing IROK Worm"; content:"filename=\"irok.exe\""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing CheckThis Trojan"; content:"|6E 61 6D 65 20 3D 22 6C 69 6E 6B 73 2E 76 62 73 22|";) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Happy99 Virus"; content:"X-Spanska\:Yes";) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing PrettyPark Trojan"; content:"\CoolProgs\";offset:300;depth:750;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NewApt.Worm - irnglant.exe"; content: "filename=\"IRNGLANT.EXE\""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing ToadieE-mail Trojan"; content:"filename=\"Toadie.exe\""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Y2K Zelu Trojan"; content: "filename=\"Y2K.EXE\""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NewApt.Worm - cooler3.exe"; content: "filename=\"COOLER3.EXE\""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NewApt.Worm - cooler1.exe"; content: "filename=\"COOLER1.EXE\""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NewApt.Worm - video.exe"; content: "filename=\"VIDEO.EXE\""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NewApt.Worm - goal1.exe"; content: "filename=\"GOAL1.EXE\""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NewApt.Worm - baby.exe"; content: "filename=\"BABY.EXE\""; nocase;) alert tcp any 110 -> $HOME_NET any (msg:"Virus - Possbile Incoming Zipped Files Trojan"; content:"|6E 61 6D 65 20 3D 22 5A 69 70 70 65 64 5F 46 69 6C 65 73 2E 45 58 45 22|";) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NewApt.Worm - bboy.exe"; content: "filename=\"BBOY.EXE\""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing The_Fly Trojan"; content: "filename=\"THE_FLY.CHM\""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NewApt.Worm - goal.exe"; content: "filename=\"GOAL.EXE\""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Papa Worm"; content:"filename=\"XPASS.XLS\""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NAIL Worm"; content:"|47 6F 6F 64 20 54 69 6D 65 73|";) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NAIL Worm"; content:"|4E 65 77 20 44 65 76 65 6C 6F 70 6D 65 6E 74 73|";) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NAIL Worm"; content: "|6E 61 6D 65 20 3D 22 57 57 49 49 49 21|";) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NAIL Worm"; content:"|4D 61 72 6B 65 74 20 73 68 61 72 65 20 74 69 70 6F 66 66|";) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possbile Outgoing Zipped Files Trojan"; content:"|6E 61 6D 65 20 3D 22 5A 69 70 70 65 64 5F 46 69 6C 65 73 2E 45 58 45 22|";) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Fix2001 Worm"; content:"filename=\"Fix2001.exe\""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NewApt.Worm - pirate.exe"; content: "filename=\"PIRATE.EXE\""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Word Macro - VALE"; content: "filename=\"DINHEIRO.DOC\""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Word Macro - VALE"; content: "filename=\"MONEY.DOC\""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing wscript.KakWorm"; content: "filename=\"KAK.\""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Tune.vbs"; content: "filename=\"tune.vbs\""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NewApt.Worm - cupid2.exe"; content: "filename=\"CUPID2.EXE\""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing Video Worm"; content: "filename=\"VIDEO.EXE\""; nocase;) alert tcp $HOME_NET any -> any 25 (msg:"Virus - Possible Outgoing NewApt.Worm - casper.exe"; content: "filename=\"CASPER.EXE\""; nocase;) # WEB-CGI alert tcp !$HOME_NET any -> $HOME_NET 80 (msg: "IDS412 - Web cgi imagemap overflow"; dsize: >1000; flags: A; content: "imagemap.exe?"; depth: 32; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg: "IDS413 - Web cgi imagemap overflow psh"; dsize: >1000; flags: AP; content: "imagemap.exe?"; depth: 32; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg: "IDS290 - WEB-CGI - infosearch fname"; flags:PA; content: "fname=|";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI - cvsweb.cgi attempt"; flags:PA; content:"cvsweb.cgi"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Rguest CGI access attempt";flags:PA; content:"/rguest.exe"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Glimpse CGI access attempt";flags:PA; content:"/glimpse"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS228 - CVE-1999-0237 - Guestbook CGI access attempt";flags:PA; content:"/cgi-bin/guestbook.cgi"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS235 - CVE-1999-0148 - CGI-HANDLERprobe!"; flags:PA; content:"/handler"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CVE-1999-0264 - WEB-CGI-Htmlscript CGI access attempt";flags:PA; content:"/htmlscript"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CVE-1999-0266 - WEB-CGI-Info2 www CGI access attempt";flags:PA; content:"/info2www"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Maillist CGI access attempt";flags:PA; content:"/maillist.pl"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS224 - CVE-1999-0045 - NPH CGI access attempt";flags:PA; content:"nph-test-cgi"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-NPH-publish CGI access attempt";flags:PA; content:"nph-publish"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS221 - CVE-1999-0612 - Finger CGI access attempt";flags:PA; content:"cgi-bin/finger"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS232 - WEB-CGI-PHP CGI access attempt";flags:PA; content:"php.cgi?/"; offset: 5; depth: 32; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CVE-1999-0262 - WEB-CGI-Faxsurvey probe"; flags:PA; content:"/faxsurvey"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-rwwwshell CGI access attempt";flags:PA; content:"rwwwshell.pl"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS218 - CVE-1999-0070 - TEST-CGI probe"; flags:PA; content:"test-cgi"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Textcounter CGI access attempt";flags:PA; content:"textcounter.pl"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CVE-1999-0177 - WEB-CGI-Upload CGI access attempt";flags:PA; content:"uploader.exe"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CVE-1999-0039 - WEB-CGI-Webdist CGI access attempt";flags:PA; content:"webdist.cgi"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Perlshop CGI access attempt";flags:PA; content:"/perlshop.cgi"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-CGI view-source access attempt";flags:PA; content:"/view-source?../../../../../../../etc/passwd"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CVE-1999-0147 - WEB-CGI-Aglimpse CGI access attempt";flags:PA; content:"/aglimpse"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS225 - CVE-1999-0066 - CGI-AnyForm access attempt";flags:PA; content:"/AnForm2"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Args CGI access attempt";flags:PA; content:"/args.bat"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-AT-admin CGI access attempt";flags:PA; content:"/AT-admin.cgi"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Bnbform CGI access attempt";flags:PA; content:"/bnbform.cgi"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CVE-1999-0146 - WEB-CGI-Campas CGI access attempt";flags:PA; content:"/campas"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-CGI Man access attempt";flags:PA; content:"/man.sh"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Files CGI access attempt";flags:PA; content:"/files.pl"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CVE-1999-0270 - WEB-CGI-CGI pf display access attempt";flags:PA; content:"/pfdisplay.cgi"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Webgais CGI access attempt";flags:PA; content:"webgais"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Cgichk Pf display access attempt";flags:PA; content:"/pfdispaly.cgi"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg: "CVE-1999-0149 - IDS234 - WEB CGI Wrap"; flags:PA; content: "wrap?/";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CVE-1999-0934 - WEB-CGI-Classifieds CGI access attempt";flags:PA; content:"cgi-bin/classifieds.cgi"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Edit CGI access attempt";flags:PA; content:"/edit.pl"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Environ CGI access attempt";flags:PA; content:"/environ.cgi"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-WWW-SQL CGI access attempt";flags:PA; content:"www-sql"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Filemail CGI access attempt";flags:PA; content:"/filemail.pl"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS219 - WEB-CGI-Perl access attempt";flags:PA; content:"perl.exe"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS220 - WEB-CGI-snork.bat";flags:PA; content:"snork.bat"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-bash shell";flags:PA; content:"/bash"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-csh shell";flags:PA; content:"cgi-bin/csh"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-day5datacopier.cgi";flags:PA; content:"/day5datacopier.cgi"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-day5datanotifier.cgi";flags:PA; content:"/day5datanotifier.cgi"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-ksh shell";flags:PA; content:"/ksh"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-post-query";flags:PA; content:"/post-query"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CVE-1999-0196 - WEB-CGI-Websendmail CGI access attempt";flags:PA; content:"websendmail"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-rsh";flags:PA; content:"/rsh"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-bb-hist.sh";flags:PA; content:"/bb-hist.sh"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-snorkerz.cmd";flags:PA; content:"snorkerz.cmd"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CVE-1999-0936 - WEB-CGI-survey";flags:PA; content:"survey.cgi"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-tsch shell";flags:PA; content:"tcsh"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CVE-1999-0236 - IDS227 - Web-CGI-Scriptalias"; flags: PA; content: "///";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CVE-1999-0276 - IDS211 - Web-CGI-w3-msql-solx86"; flags: PA; content: "//bin//shA-cA//usr//openwin"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS231 - CVE-1999-0178 - CGI-win-c-sample"; flags: PA; content: "win-c-sample.exe"; nocase;) alert tcp $HOME_NET 80 -> !$HOME_NET any (msg:"IDS276 - Bugzilla 2.8 Exploit"; flags:PA; content: "blaat@blaat.com"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-rksh";flags:PA; content:"/rksh"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-wais";flags:PA; content:"wais.pl";nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-Wguest CGI access attempt";flags:PA; content:"wguest.exe"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-LWGate Attempt";flags:PA; content:"/LWGate"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-archie";flags:PA; content:"/archie"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-calendar";flags:PA; content:"cgi-bin/calendar"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-flexform";flags:PA; content:"/flexform"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS226 - CVE-1999-0172 - CGI-formmail";flags:PA; content:"/formmail"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-redirectt";flags:PA; content:"/redirect"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-visadmin.exe";flags:PA; content:"visadmin.exe"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-w2tvars";flags:PA; content:"w3tvars.pm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-dumpenv.pl";flags:PA; content:"/dumpenv.pl"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-wwwadmin";flags:PA; content:"wwwadmin.pl"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-ppdscgi";flags:PA; content:"/ppdscgi.exe"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-sendform.cgi";flags:PA; content:"sendform.cgi"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-upload.pl";flags:PA; content:"upload.pl"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-AnyForm2";flags:PA; content:"/AnyForm2"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-CGI-MachineInfo";flags:PA; content:"/MachineInfo"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS128 - CVE-1999-0067 - CGI phf attempt";flags:PA; content:"/phf";flags:AP; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CVE-1999-0276 - IDS210 - WEB-CGI-w3-msql";flags:PA; content:"w3-msql"; nocase;) # WEB COLDFUSION alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-get odbc dsn";flags:PA; content:"CFUSION_GETODBCDSN()"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-admin-encrypt";flags:PA; content:"CFUSION_ENCRYPT()"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-datasource";flags:PA; content:"CF_ISCOLDFUSIONDATASOURCE()"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-datasourcepassword";flags:PA; content:"CF_SETDATASOURCEPASSWORD()"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-datasourceusername";flags:PA; content:"CF_SETDATASOURCEUSERNAME()"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-db connections flush";flags:PA; content:"CFUSION_DBCONNECTIONS_FLUSH()"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-display";flags:PA; content:"cfdocs/expeval/displayopenedfile.cfm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-evaluate";flags:PA; content:"cfdocs/snippets/evaluate.cfm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-Example-beaninfo";flags:PA; content:"cfdocs/examples/cvbeans/beaninfo.cfm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-Example-cfappman";flags:PA; content:"/cfappman/index.cfm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-Example-parks";flags:PA; content:"cfdocs/examples/parks/detail.cfm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CVE-1999-0455 - ColdFusion-exprcalc";flags:PA; content:"cfdocs/expeval/exprcalc.cfm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-admin-decrypt";flags:PA; content:"CFUSION_DECRYPT()"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-get datasourceusername";flags:PA; content:"CF_GETDATASOURCEUSERNAME()"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg: "IDS269 - CAN-2000-0189 - Coldfusion onrequestend.cfm"; flags: PA; content: "onrequestend.cfm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-get odbc ini";flags:PA; content:"CFUSION_GETODBCINI()"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-gettempdirectory";flags:PA; content:"cfdocs/snippets/gettempdirectory.cfm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-mainframeset";flags:PA; content:"cfdocs/examples/mainframeset.cfm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS250 - CAN-1999-0477 - ColdFusion-openfile";flags:PA; content:"cfdocs/expeval/openfile.cfm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-sendmail";flags:PA; content:"cfdocs/expeval/sendmail.cfm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-set odbc ini";flags:PA; content:"CFUSION_SETODBCINI()"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-settings refresh";flags:PA; content:"CFUSION_SETTINGS_REFRESH()"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-sourcewindow";flags:PA; content:"cfdocs/exampleapp/docs/sourcewindow.cfm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-verify mail";flags:PA; content:"CFUSION_VERIFYMAIL()"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-viewexample";flags:PA; content:"cfdocs/snippets/viewexample.cfm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-COLDFUSION-cfmlsyntaxcheck";flags:PA; content:"cfdocs/cfmlsyntaxcheck.cfm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg: "IDS268 - CAN-2000-0189 - Coldfusion application.cfm"; flags: PA; content: "application.cfm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"ColdFusion-fileexists";flags:PA; content:"cfdocs/snippets/fileexists.cfm"; nocase;) # WEB FRONTPAGE alert tcp !$HOME_NET any -> $HOME_NET 80 (msg: "IDS292 - WEB FRONTPAGE - Frontpage-shtml.dll"; content: "_vti_bin/shtml.dll"; nocase; flags: AP;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-form_results";flags:PA; content:"_private/form_results.txt"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-orders.htm";flags:PA; content:"_private/orders.htm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-fpsrvadm.exe";flags:PA; content:"fpsrvadm.exe"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-fpremadm.exe";flags:PA; content:"fpremadm.exe"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-fpadmin.htm";flags:PA; content:"admisapi/fpadmin.htm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-access.cnf";flags:PA; content:"_vti_pvt/access.cnf"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-form_results.htm";flags:PA; content:"_private/form_results.htm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-register.txt";flags:PA; content:"_private/register.txt"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-contents.htm";flags:PA; content:"admcgi/contents.htm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-cfgwiz.exe";flags:PA; content:"cfgqiz.exe"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-authors.pwd";flags:PA; content:"authors.pwd"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-author.exe";flags:PA; content:"_vti_bin/_vti_aut/author.exe"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-administrators.pwd";flags:PA; content:"administrators.pwd"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-admin.pl";flags:PA; content:"admin.pl"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-Fpadmcgi.exe";flags:PA; content:"scripts/Fpadmcgi.exe"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-register.htm";flags:PA; content:"_private/register.htm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-registrations.htm";flags:PA; content:"_private/registrations.htm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-registrations.txt";flags:PA; content:"_private/registrations.txt"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-service.cnf";flags:PA; content:"_vti_pvt/service.cnf"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-service.pwd";flags:PA; content:"service.pwd"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-service.stp";flags:PA; content:"_vti_pvt/service.stp"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-services.cnf";flags:PA; content:"_vti_pvt/services.cnf"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-shtml.dll";flags:PA; content:"_vti_bin/shtml.dll"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-shtml.exe";flags:PA; content:"_vti_bin/shtml.exe"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-svcacl.cnf";flags:PA; content:"_vti_pvt/svcacl.cnf"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-users.pwd";flags:PA; content:"users.pwd"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-writeto.cnf";flags:PA; content:"_vti_pvt/writeto.cnf"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS248 - Web-Frontpage fourdots request"; flags: PA; content: "|2e 2e 2e 2e 2f|"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CVE-2000-0260 - IDS271 - WEB-FrontPage - dvwssr request"; flags: PA; content: "dvwssr.dll"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"FrontPage-orders.txt";flags:PA; content:"_private/orders.txt"; nocase;) # WEB IIS alert tcp !$HOME_NET any -> $HOME_NET 80 (msg: "IDS434 - WEB IIS - Unicode traversal backslash"; flags: AP; content: "..|25|c1|25|9c"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg: "IDS433 - WEB-IIS - Unicode traversal optyx"; flags: AP; content: "..|25|c0|25|af"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg: "IDS432 - WEB IIS - Unicode traversal"; flags: AP; content: "..|25|c1|25|1c"; nocase;) alert tcp any 80 -> any any (msg:"WEB-IIS - Unauthorized IP Access Attempt"; flags:PA; content:"403"; content:"Forbidden\:";) alert tcp any 80 -> any any (msg:"WEB-IIS - Unauthorized Login Attempt"; flags:PA; content:"401"; content:"Unauthorized\:";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg: "IDS305 - WEB IIS - View Source via Translate Header"; flags:PA; content: "Translate|3a| F"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CVE-1999-0874 - IIS-isc$data";flags:PA; content:".idc|3a3a|$data"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CVE-1999-0449 - IIS-codebrowser Exair";flags:PA; content:"iissamples/exair/howitworks/codebrws.asp"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-codebrowser SDK";flags:PA; content:"iissamples/sdk/asp/docs/codebrws.asp"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CVE-1999-0874 - IIS-ctguestb.idc";flags:PA; content:"scripts/samples/ctguestb.idc"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-del";flags:PA; content:"&del+/s+c|3a|\\*.*"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CVE-1999-0874 - IIS-details.idc";flags:PA; content:"scripts/samples/details.idc"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-exec-srch";flags:PA; content:"#filename=*.exe"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-fpcount";flags:PA; content:"scripts/fpcount.exe"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-getdrvrs";flags:PA; content:"scripts/tools/getdrvrs.exe"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-cmd?";flags:PA; content:".cmd?&"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-iisadmpwd";flags:PA; content:"iisadmpwd/aexp3.htr"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-bdir";flags:PA; content:"scripts/iisadmin/bdir.htr"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-msadc/msadcs.dll";flags:PA; content:"msadc/msadcs.dll"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-MSProxy";flags:PA; content:"scripts/proxy/w3proxy.dll"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CVE-1999-0874 - IIS-idc-srch";flags:PA; content:"#filename=*.idc"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CVE-1999-0278 - IIS-asp$data";flags:PA; content:".asp|3a3a|$data"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CVE-1999-0874 - IIS-*.idc";flags:PA; content:"*.idc"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-_Site Server Config";flags:PA; content:"adsamples/config/site.csc"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-_vti_inf";flags:PA; content:"_vti_inf.html"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-adctest.asp";flags:PA; content:"msadc/samples/adctest.asp"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-admin";flags:PA; content:"scripts/iisadmin"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-admin-default";flags:PA; content:"scripts/iisadmin/default.htm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-catalog_type";flags:PA; content:"AdvWorks/equipment/catalog_type.asp"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-admin-dll-serv";flags:PA; content:"scripts/iisadmin/ism.dll?http/serv"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-CGImail";flags:PA; content:"scripts/CGImail.exe"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-asp-dot";flags:PA; content:".asp."; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-asp-srch";flags:PA; content:"#filename=*.asp"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-bat?";flags:PA; content:".bat?&"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-SAM Attempt";flags:PA; content:"sam._"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-carbo.dll";flags:PA; content:"carbo.dll"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CVE-1999-0191 - IIS-newdsn";flags:PA; content:"scripts/tools/newdsn.exe"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-admin-dll";flags:PA; content:"scripts/iisadmin/ism.dll?http/dir"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS - Possible Attempt at FPCOUNT.EXE DoS"; flags:PA; content:"fpcount.exe"; content:"Digits=-"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CAN-1999-0407 - IIS-anot3.htr Attempt";flags:PA; content:"iisadmpwd/anot3.htr"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-getdrvs.exe";flags:PA; content:"scripts/tools/getdrvs.exe"; nocase;) alert tcp !$HOME_NET 1024: -> $HOME_NET 1038 (msg:"IIS - Possible Attempt at NT TCPSVCS.EXE 100% CPU Utilization"; flags:S;) alert tcp !$HOME_NET 1024: -> $HOME_NET 1043 (msg:"IIS - Possible Attempt at NT WINS.EXE 100% CPU Utilization"; flags:S;) alert tcp !$HOME_NET 1024: -> $HOME_NET 1091 (msg:"IIS - Possible Attempt at NT DNS.EXE 100% CPU Utilization"; flags:S;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-perl-browse0a";flags:PA; content:"%0a.pl"; nocase;) alert tcp !$HOME_NET 1024: -> $HOME_NET 1031:1035 (msg:"IIS - Possible Attempt at NT INETINFO.EXE 100% CPU Utilization"; flags:S;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CAN-1999-0407 - IIS-aexp4.htr Attempt";flags:PA; content:"iisadmpwd/aexp4.htr"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS200 - Web-IIS Encoding"; flags:PA; content: "|25 31 75|";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg: "IIS - IDS237 Webhits"; content: ".htw"; flags: PA; dsize: >400;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB IIS - Index Server File Sourcecode Request"; flags:PA; content:"?CiWebHitsFile=/"; content:"&CiRestriction=none&CiHiliteType=Full";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-IIS ISM.DLL Exploit Attempt"; flags:PA; content:"%20%20%20%20%20.htr"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"Attempt to retrieve ASP contents"; flags:PA; content:"GET /null.htw?CiWebHitsFile";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"Attempt to retrieve ASP contents"; flags:PA; content:"%20&CiRestriction=none&CiHiliteType=Full HTTP/1.0";) alert tcp !$HOME_NET 1024: -> $HOME_NET 1029 (msg:"IIS - Possible Attempt at NT DNS.EXE 100% CPU Utilization"; flags:S;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-srchadm";flags:PA; content:"srchadm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-perl";flags:PA; content:"scripts/perl?"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CAN-1999-0253 - IIS-%2E-asp";flags:PA; content:"%2e.asp"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-perl-browse20";flags:PA; content:"%20.pl"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-scripts-browse";flags:PA; content:"scripts/|20|"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-search97";flags:PA; content:"search97.vts";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CAN-1999-0736 - IIS-showcode";flags:PA; content:"/selector/showcode.asp"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CAN-1999-0407 - IIS-anot.htr Attempt";flags:PA; content:"iisadmpwd/anot.htr"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-srch.htm";flags:PA; content:"samples/isapi/srch.htm"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CAN-1999-0407 - IIS-aexp4b.htr Attempt";flags:PA; content:"iisadmpwd/aexp4b.htr"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-uploadn";flags:PA; content:"scripts/uploadn.asp"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-achg.htr Attempt";flags:PA; content:"iisadmpwd/achg.htr"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CAN-1999-0407 - IIS-aexp.htr Attempt";flags:PA; content:"iisadmpwd/aexp.htr"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CAN-1999-0407 - IIS-aexp2.htr Attempt";flags:PA; content:"iisadmpwd/aexp2.htr"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CAN-1999-0407 - IIS-aexp2b.htr Attempt";flags:PA; content:"iisadmpwd/aexp2b.htr"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-Overflow-htr";flags:PA; content:"BBBB.htrHTTP"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IIS-srch.asp";flags:PA; content:"/issamples/query.asp"; nocase;) # WEB MISC alert tcp any any -> any 80 (msg: "IDS430 - WEB-MISC - PHP strings exploit portal tf8"; flags: AP; content: "?STRENGUR ";) alert tcp any any -> any 80 (msg: "IDS431 - WEB-MISC - PHP strings exploit atstake"; flags: AP; content: "|ba49feffff f7d2 b9bfffffff f7d1|";) alert tcp any any -> any 80 (msg:"WEB-MISC - WebStore Directory Traversal"; content:"web_store.cgi?page=../..";) alert tcp any any -> any any (msg:"WEB-MISC - 403 Forbidden";flags:PA; content:"HTTP/1.1 403";) alert tcp any any -> any 80 (msg:"WEB-MISC - Moreover CGI Shopping Cart Directory Traversal" flags:PA; content:"cached_feed.cgi"; content:"../";) alert tcp any any -> any 80 (msg:"WEB-MISC - Armada Style Master Index Directory Traversal"; flags:PA; content:"search.cgi?keys"; content:"catigory=../";) alert tcp any any -> any 80 (msg:"WEB-MISC - Alaire Pro Web Shell Exploit"; flags:PA; content:"authenticate.cgi?PASSWORD"; content:"config.ini";) alert tcp any any -> any 80 (msg:"WEB-MISC - Hassan Consulting's Shopping Cart Directory Traversal"; flags:PA; content:"shop.cgi"; content:"page=../";) alert tcp any any -> any 80 (msg:"WEB-MISC - eXtropia WebStore Directory Traversal Vulnerability"; flags:PA; content:"web_store.cgi"; content:"page=../";) alert tcp any 80 -> any any (msg:"WEB-MISC - Invalid URL"; content:"Invalid URL"; nocase;) alert tcp !$HOME_Net any -> $HOME_NET 80 (msg:"WEB-MISC - SmartWin CyberOffice Shopping Cart 2.0 Information Disclosure Vulnerability";flags:PA; content:"_private/shopping_cart.mdb";) alert tcp !$HOME_Net any -> $HOME_NET 80 (msg:"WEB-MISC - Talentsoft Web+ Internal IP Address Disclosure Vulnerability";flags:PA; content:"webplus.exe?about";) alert tcp !$HOME_Net any -> $HOME_NET 80 (msg:"WEB-MISC - Talentsoft Web+ Source Code Disclosure Vulnerability";flags:PA; content:"webplus.exe?script=test.wml";) alert tcp !$HOME_Net any -> $HOME_NET 80 (msg:"WEB-MISC - Talentsoft Web+ File Disclosure Vulnerability";flags:PA; content:"webplus.cgi?Script=/webplus/webping/webping.wml";) alert tcp !$HOME_Net any -> $HOME_NET 80 (msg:"WEB-MISC - Talentsoft Web+ exploit attempt"; flags:PA; content:"webplus.cgi?Script=/webplus/webping/webping.wml";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-MISC - TOMCAT Server Snoop file access"; flags:PA; content:"jsp/snp/anything.snp"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-MISC - TOMCAT Server Exploit Attempt"; flags:PA; content:"contextAdmin/contextAdmin.html"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-MISC - Attempt to pull Netscape Admin Password from Server"; flags:PA; content:"admin-serv/config/admpw"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-MISC - Apache source.asp file access"; flags:PA; content:"/site/eg/source.asp"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg: "IDS297 - WEB MISC - http-directory-traversal 1"; flags:PA; content: "../";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg: "IDS298 - WEB MISC - http-directory-traversal 2"; flags:PA; content: "..\\";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-MISC - ROXEN Directory list attempt"; flags:PA; content:"|2F 25 30 30 2F|"; nocase;) alert tcp $HOME_NET 80 -> !$HOME_NET any (msg:"CAN-2000-0483 - MISC - WebsitePro 2.5 and under have known exploits - upgrade"; content:"WebSitePro2."; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-prefix-get //";flags:PA; content:"get //"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-ICQ webserver";flags:PA; content:".html/......"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-Lotus-DelDoc";flags:PA; content:"?DeleteDocument"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-Lotus-EditDoc";flags:PA; content:"?EditDocument"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-ls%20-l";flags:PA; content:"ls%20-l"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-mlog";flags:PA; content:"mlog.phtml?"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-mylog";flags:PA; content:"mylog.phtml?"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-OReilly args.bat";flags:PA; content:"cgi-dos/args.bat"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-PageService";flags:PA; content:"?PageServices"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-webcart";flags:PA; content:"/webcart/"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-MISC-AuthChangeUrl";flags:PA; content:"_AuthChangeUrl?"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-MISC-convert.bas Attempt";flags:PA; content:"scripts/convert.bas"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-MISC-cpshost.dll Attempt";flags:PA; content:"scripts/cpshost.dll"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-MISC-cmd.exe Attempt";flags:PA; content:"scripts/../../cmd.exe"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-etc/passwd";flags:PA; content:"etc/passwd"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-cd..";flags:PA; content:"cd.."; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-OReilly win-c-sample.exe";flags:PA; content:"cgi-shl/win-c-sample.exe"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-Domino-catalog.nsf";flags:PA; content:"catalog.nsf"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-/....";flags:PA; content:"|2f2e2e2e2e|";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-///cgi-bin";flags:PA; content:"///cgi-bin"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-~root";flags:PA; content:"~root"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-ApacheDOS";flags:PA; content:"|2f2f2f2f2f2f2f2f|";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-cat%20";flags:PA; content:"cat%20"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1063 - Netscape Enterprise Server Directory View"; flags:PA; content:"?wp-usr-prop";nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CVE-1999-0021 - WEB-count.cgi";flags:PA; content:"count.cgi"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-MISC-.htaccess";flags:PA; content:".htaccess"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-Ecommerce-import.txt";flags:PA; content:"orders/import.txt"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-Domino-domcfg.nsf";flags:PA; content:"domcfg.nsf"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-Domino-domlog.nsf";flags:PA; content:"domlog.nsf"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-Domino-log.nsf";flags:PA; content:"log.nsf"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-Domino-names.nsf";flags:PA; content:"names.nsf"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-Ecommerce-check.txt";flags:PA; content:"config/check.txt"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-Ecommerce-checks.txt";flags:PA; content:"orders/checks.txt"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-Ecommerce-import.txt";flags:PA; content:"config/import.txt"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-cgi-bin///";flags:PA; content:"cgi-bin///"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-MISC - Webplus Access Detected"; content:"webplus?script"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1063 - Netscape Enterprise Server Directory View"; flags:PA; content:"?wp-cs-dump";nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1052 - Sojourn File Access"; flags:PA; content:"/sojourn.cgi?cat="; content:"%00"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1031 - SGI InfoSearch fname Access"; flags:PA; content:"infosrch.cgi?"; content:"fname="; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CVE-2000-0192 - BUGTRAQ ID 1036 - Caldera OpenLinux rpm_query Access"; flags:PA; content:"cgi-bin/rmp_query"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"MISC WEB - SalesLogix Eviewer Web Shutdown"; flags:PA; content:"/slxweb.dll/admin?command="; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"MISC WEB - BizDB Script Exploit"; flags:PA; content:"bizdb1-search.cgi"; content:"mail"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1057 - Trend Micro OfficeScan Access"; flags:PA; content:"officescan/cgi/jdkRqNotify.exe?"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-MISC - windmail.exe Access Detected"; content:"windmail.exe?-n"; content:"mail"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1063 - Netscape Enterprise Server Directory View"; flags:PA; content:"?wp-html-rend"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg: "IDS270 - WEB MISC - Netscape dir index wp"; flags:PA; content: "?wp-"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS272 - Piranha Passwd.php3"; flags:PA; content: "passwd.php3";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-MISC - Novell Groupwise gwweb.exe access"; flags:PA; content:"GWWEB.EXE?HELP="; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-MISC - Cart 32 AdminPwd Access"; flags:PA; content:"c32web.exe/ChangeAdminPassword"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-MISC - architext_query.pl attempt"; content:"/ews/architext_query.pl"; nocase; flags:PA;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-MISC - /cgi-bin/jj attempt"; content:"cgi-bin/jj"; nocase; flags:PA; ) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CVE-1999-0953 - WEB-MISC - wwwboard.pl attempt"; content:"cgi-bin/wwwboard.pl"; nocase; flags:PA; ) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"MISC WEB - Netscape PublishingXpert 2 Exploit"; flags:PA; content:"/PSUser/PSCOErrPage.htm?"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS265 - Web cgi cgitest"; content: "cgitest.exe|0d0a|user"; nocase; flags: AP; offset: 4;) alert tcp !$HOME_NET any -> $HOME_NET 457 (msg:"IDS180 - WEB-netscape-overflow-unixware"; content: "|eb 5f 9a ff ff ff ff 07 ff c3 5e 31 c0 89 46 9d|"; flags: PA;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS205 - WEB-MISC - Phorum Admin"; flags: AP; content:"admin.php3"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS206 - WEB-MISC - Phorum Auth"; flags: AP; content:"PHP_AUTH_USER=boogieman"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS207 - WEB-MISC - Phorum Code"; flags: AP; content:"code.php3"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS208 - WEB-MISC - Phorum Read"; flags: AP; content:"read.php3"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS209 - WEB-MISC - Phorum Violation"; flags: AP; content:"violation.php3"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CVE-2000-0169 - BUGTRAQ ID 1053 - Oracle Web Listener Batch Access"; flags:PA; content:"ows-bin/&"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"IDS258 - Web cgi get32.exe"; flags:PA; content: "get32.exe"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"WEB-MISC-.wwwacl";flags:PA; content:"secure/wwwacl"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"CAN-1999-0229 - IIS WEB-..\..";flags:PA; content:"|2e2e5c2e2e|";) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1063 - Netscape Enterprise Server Directory View"; flags:PA; content:"?wp-ver-info";nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1063 - Netscape Enterprise Server Directory View"; flags:PA; content:"?wp-ver-diff";nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1063 - Netscape Enterprise Server Directory View"; flags:PA; content:"?wp-verify-link";nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1063 - Netscape Enterprise Server Directory View"; flags:PA; content:"?wp-start-ver";nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1063 - Netscape Enterprise Server Directory View"; flags:PA; content:"?wp-stop-ver"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 1063 - Netscape Enterprise Server Directory View"; flags:PA; content:"?wp-uncheckout"; nocase;) alert tcp !$HOME_NET any -> $HOME_NET 2301 (msg:"IDS244 - CVE-1999-0771 - Compaq-insight-dot-dot"; content: "../";)