1111111111111111111111111111111111111111111111111111111111111111111111111
111111111110000755100022721000227210000000000011251736640410145121
5
1111111111111111111111111111111111111111111111111111111111111111111111111
111111111111111111111111111ustar
1vrtbuild111111111111111111111111vrtbuild11111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111communityrules/community.rules
1111111111111111111111111111111111111111111111111111111111111111111110000
644100022721000227210000524347411251736640310176341
0
1111111111111111111111111111111111111111111111111111111111111111111111111
111111111111111111111111111ustar
1vrtbuild111111111111111111111111vrtbuild11111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111
# Copyright 2001-2015 Sourcefire, Inc. All Rights Reserved.
#
# This file contains rules that were created by Sourcefire, Inc. and other third parties
# (the "GPL Rules") that are distributed under the GNU General Public License (GPL),
# v2. The GPL Rules created by Sourcefire are owned by Sourcefire, Inc., and the GPL
# Rules not created by Sourcefire are owned by their respective owners. Please see
# the AUTHORS file included in the community package for a list of third party owners and their
# respective copyrights.
#
# This file does not contain any Sourcefire VRT Certified Rules; the VRT Certified
# Rules are distributed by Sourcefire separately under the VRT Certified Rules License
# Agreement (v 2.0)
#
#----------------
# COMMUNITY RULES
#----------------
# alert tcp $HOME_NET 2589 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Dagger_1.4.0"; flow:to_client,established; content:"2|00 00 00 06 00 00 00|Drives|24 00|"; depth:16; metadata:ruleset community; classtype:misc-activity; sid:105; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7597 (msg:"MALWARE-BACKDOOR QAZ Worm Client Login access"; flow:to_server,established; content:"qazwsx.hsq"; metadata:ruleset community; reference:mcafee,98775; classtype:misc-activity; sid:108; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12345:12346 (msg:"MALWARE-BACKDOOR netbus getinfo"; flow:to_server,established; content:"GetInfo|0D|"; metadata:ruleset community; classtype:trojan-activity; sid:110; rev:10;)
# alert tcp $HOME_NET 20034 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR NetBus Pro 2.0 connection established"; flow:to_client,established; flowbits:isset,backdoor.netbus_2.connect; content:"BN|10 00 02 00|"; depth:6; content:"|05 00|"; depth:2; offset:8; metadata:ruleset community; classtype:trojan-activity; sid:115; rev:15;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Infector.1.x"; flow:established,to_client; content:"WHATISIT"; metadata:ruleset community; reference:nessus,11157; classtype:misc-activity; sid:117; rev:16;)
# alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR SatansBackdoor.2.0.Beta"; flow:to_client,established; content:"Remote|3A| "; depth:11; nocase; content:"You are connected to me.|0D 0A|Remote|3A| Ready for commands"; distance:0; nocase; metadata:ruleset community; reference:url,www.megasecurity.org/trojans/s/satanzbackdoor/SBD2.0b.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=5260; classtype:trojan-activity; sid:118; rev:12;)
# alert tcp $HOME_NET 6789 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Doly 2.0 access"; flow:established,to_client; content:"Wtzup Use"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:119; rev:11;)
# alert tcp $EXTERNAL_NET 1000:1300 -> $HOME_NET 146 (msg:"MALWARE-BACKDOOR Infector 1.6 Client to Server Connection Request"; flow:to_server,established; content:"FC "; metadata:ruleset community; reference:nessus,11157; classtype:misc-activity; sid:121; rev:14;)
# alert tcp $HOME_NET 31785 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR HackAttack 1.20 Connect"; flow:established,to_client; content:"host"; metadata:ruleset community; classtype:misc-activity; sid:141; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP ADMw0rm ftp login attempt"; flow:to_server,established; content:"USER"; nocase; content:"w0rm"; distance:1; nocase; pcre:"/^USER\s+w0rm/smi"; metadata:ruleset community, service ftp; classtype:suspicious-login; sid:144; rev:16;)
# alert tcp $HOME_NET 30100:30102 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR NetSphere access"; flow:established,to_client; content:"NetSphere"; metadata:ruleset community; classtype:trojan-activity; sid:146; rev:13;)
# alert tcp $HOME_NET 6969 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR GateCrasher"; flow:established,to_client; content:"GateCrasher"; depth:11; nocase; content:"Server"; distance:0; nocase; content:"OnLine..."; distance:0; nocase; pcre:"/^GateCrasher\s+v\d+\x2E\d+\x2C\s+Server\s+OnLine\x2E\x2E\x2E/smi"; metadata:ruleset community; reference:url,www.spywareguide.com/product_show.php?id=973; classtype:trojan-activity; sid:147; rev:11;)
# alert tcp $HOME_NET 5401:5402 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR BackConstruction 2.1 Connection"; flow:established,to_client; content:"c|3A 5C|"; metadata:ruleset community; classtype:misc-activity; sid:152; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 666 (msg:"MALWARE-BACKDOOR
BackConstruction 2.1 Client FTP Open Request";
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP php.cgi access"; flow:to_server,established; content:"/php.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2250; reference:bugtraq,712; reference:cve,1999-0058; reference:cve,1999-0238; reference:nessus,10178; classtype:attempted-recon; sid:824; rev:27;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP glimpse access"; flow:to_server,established; content:"/glimpse"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2026; reference:cve,1999-0147; reference:nessus,10095; classtype:attempted-recon; sid:825; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP htmlscript access"; flow:to_server,established; content:"/htmlscript"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2001; reference:cve,1999-0264; reference:nessus,10106; classtype:attempted-recon; sid:826; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP info2www access"; flow:to_server,established; content:"/info2www"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1995; reference:cve,1999-0266; reference:nessus,10127; classtype:attempted-recon; sid:827; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP maillist.pl access"; flow:to_server,established; content:"/maillist.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:828; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP nph-test-cgi access"; flow:to_server,established; content:"/nph-test-cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,686; reference:cve,1999-0045; reference:nessus,10165; classtype:attempted-recon; sid:829; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP perl.exe access"; flow:to_server,established; content:"/perl.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0509; reference:nessus,10173; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:832; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rguest.exe access"; flow:to_server,established; content:"/rguest.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2024; reference:cve,1999-0287; classtype:attempted-recon; sid:833; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rwwwshell.pl access"; flow:to_server,established; content:"/rwwwshell.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.itsecurity.com/papers/p37.htm; classtype:attempted-recon; sid:834; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP test-cgi access"; flow:to_server,established; content:"/test-cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2003; reference:cve,1999-0070; reference:nessus,10282; classtype:attempted-recon; sid:835; rev:25;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVERWEBAPP textcounter.pl access"; flow:to_server,established;
content:"/textcounter.pl"; fast_pattern:only; http_uri; metadata:ruleset
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP view-source directory traversal"; flow:to_server,established; content:"/view-source"; fast_pattern; nocase; http_uri; content:"../"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,2251; reference:bugtraq,8883; reference:cve,1999-0174; classtype:web-application-attack; sid:848; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP view-source access"; flow:to_server,established; content:"/view-source"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2251; reference:bugtraq,8883; reference:cve,1999-0174; classtype:attempted-recon; sid:849; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP wais.pl access"; flow:to_server,established; content:"/wais.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:850; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP files.pl access"; flow:to_server,established; content:"/files.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1081; classtype:attempted-recon; sid:851; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP wguest.exe access"; flow:to_server,established; content:"/wguest.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2024; reference:cve,1999-0287; reference:cve,1999-0467; classtype:attempted-recon; sid:852; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP wrap access"; flow:to_server,established; content:"/wrap"; http_uri; metadata:ruleset community, service http; reference:bugtraq,373; reference:cve,1999-0149; reference:nessus,10317; classtype:attempted-recon; sid:853; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP classifieds.cgi access"; flow:to_server,established; content:"/classifieds.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2020; reference:cve,1999-0934; classtype:attempted-recon; sid:854; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP environ.cgi access"; flow:to_server,established; content:"/environ.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:856; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP faxsurvey access"; flow:to_server,established; content:"/faxsurvey"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2056; reference:cve,1999-0262; reference:nessus,10067; classtype:web-application-activity; sid:857; rev:25;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP filemail access"; flow:to_server,established; content:"/filemail.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1154; classtype:attempted-recon; sid:858; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP man.sh access"; flow:to_server,established; content:"/man.sh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2276; reference:cve,1999-1179; classtype:attempted-recon; sid:859; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP snork.bat access"; flow:to_server,established; content:"/snork.bat"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2023; reference:cve,1999-0233; classtype:attempted-recon; sid:860; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP w3-msql access"; flow:to_server,established; content:"/w3-msql/"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,591; reference:bugtraq,898; reference:cve,1999-0276; reference:cve,1999-0753; reference:cve,2000-0012; reference:nessus,10296; classtype:attempted-recon; sid:861; rev:25;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP csh access"; flow:to_server,established; content:"/csh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:862; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP day5datacopier.cgi access"; flow:to_server,established; content:"/day5datacopier.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1232; classtype:attempted-recon; sid:863; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP day5datanotifier.cgi access"; flow:to_server,established; content:"/day5datanotifier.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1232; classtype:attempted-recon; sid:864; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ksh access"; flow:to_server,established; content:"/ksh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:865; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP post-query access"; flow:to_server,established; content:"/post-query"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6752; reference:cve,2001-0291; classtype:attempted-recon; sid:866; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP visadmin.exe access"; flow:to_server,established; content:"/visadmin.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1808; reference:cve,1999-0970; reference:nessus,10295; classtype:attempted-recon; sid:867; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rsh access"; flow:to_server,established; content:"/rsh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:868; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP dumpenv.pl access"; flow:to_server,established; content:"/dumpenv.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1178; reference:nessus,10060; classtype:attempted-recon; sid:869; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVERWEBAPP snorkerz.cmd access"; flow:to_server,established;
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP pals-cgi access"; flow:to_server,established; content:"/pals-cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2372; reference:cve,2001-0216; reference:cve,2001-0217; reference:nessus,10611; classtype:attempted-recon; sid:897; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP commerce.cgi access"; flow:to_server,established; content:"/commerce.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2361; reference:cve,2001-0210; reference:nessus,10612; classtype:attempted-recon; sid:898; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Amaya templates sendtemp.pl directory traversal attempt"; flow:to_server,established; content:"/sendtemp.pl"; fast_pattern:only; http_uri; content:"templ="; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2504; reference:cve,2001-0272; reference:nessus,10614; classtype:web-application-attack; sid:899; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webspirs.cgi directory traversal attempt"; flow:to_server,established; content:"/webspirs.cgi"; fast_pattern; nocase; http_uri; content:"../../"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,2362; reference:cve,2001-0211; reference:nessus,10616; classtype:web-application-attack; sid:900; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webspirs.cgi access"; flow:to_server,established; content:"/webspirs.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2362; reference:cve,2001-0211; reference:nessus,10616; classtype:attempted-recon; sid:901; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP tstisapi.dll access"; flow:to_server,established; content:"tstisapi.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2381; reference:cve,2001-0302; classtype:attempted-recon; sid:902; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion cfcache.map access"; flow:to_server,established; content:"/cfcache.map"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,917; reference:cve,2000-0057; classtype:attempted-recon; sid:903; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion exampleapp application.cfm"; flow:to_server,established; content:"/cfdocs/exampleapp/email/application.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1021; reference:cve,2000-0189; reference:cve,2001-0535; classtype:attempted-recon; sid:904; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion application.cfm access"; flow:to_server,established; content:"/cfdocs/exampleapp/publish/admin/application.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1021; reference:cve,2000-0189; reference:cve,2001-0535; classtype:attempted-recon; sid:905; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion getfile.cfm access"; flow:to_server,established; content:"/cfdocs/exampleapp/email/getfile.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,229; reference:cve,1999-0800; reference:cve,2001-0535; classtype:attempted-recon; sid:906; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion addcontent.cfm access"; flow:to_server,established; content:"/cfdocs/exampleapp/publish/admin/addcontent.cfm"; fast_pattern; nocase; http_uri; metadata:ruleset community, service http; reference:cve,2001-0535; classtype:attempted-recon; sid:907; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion administrator access"; flow:to_server,established; content:"/cfide/administrator/index.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1314; reference:cve,2000-0538; reference:nessus,10581; classtype:attempted-recon; sid:908; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion datasource username attempt"; flow:to_server,established; content:"CF_SETDATASOURCEUSERNAME|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:909; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion fileexists.cfm access"; flow:to_server,established; content:"/cfdocs/snippets/fileexists.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:910; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion exprcalc access"; flow:to_server,established; content:"/cfdocs/expeval/exprcalc.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,115; reference:bugtraq,550; reference:cve,1999-0455; reference:cve,1999-0760; classtype:attempted-recon; sid:911; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion parks access"; flow:to_server,established; content:"/cfdocs/examples/parks/detail.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:912; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion cfappman access"; flow:to_server,established; content:"/cfappman/index.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:913; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion beaninfo access"; flow:to_server,established; content:"/cfdocs/examples/cvbeans/beaninfo.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:914; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVEROTHER Adobe Coldfusion evaluate.cfm access"; flow:to_server,established;
content:"/cfdocs/snippets/evaluate.cfm"; nocase; http_uri;
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion mainframeset access"; flow:to_server,established; content:"/cfdocs/examples/mainframeset.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:925; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion set odbc ini attempt"; flow:to_server,established; content:"CFUSION_SETODBCINI|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:926; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion settings refresh attempt"; flow:to_server,established; content:"CFUSION_SETTINGS_REFRESH|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:927; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion exampleapp access"; flow:to_server,established; content:"/cfdocs/exampleapp/"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,2001-0535; classtype:attempted-recon; sid:928; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion CFUSION_VERIFYMAIL access"; flow:to_server,established; content:"CFUSION_VERIFYMAIL|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-user; sid:929; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion snippets attempt"; flow:to_server,established; content:"/cfdocs/snippets/"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:930; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion cfmlsyntaxcheck.cfm access"; flow:to_server,established; content:"/cfdocs/cfmlsyntaxcheck.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:931; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion application.cfm access"; flow:to_server,established; content:"/application.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; reference:cve,2000-0189; classtype:attempted-recon; sid:932; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion onrequestend.cfm access"; flow:to_server,established; content:"/onrequestend.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; reference:cve,2000-0189; classtype:attempted-recon; sid:933; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVEROTHER Adobe Coldfusion startstop DOS access"; flow:to_server,established;
content:"/cfide/administrator/startstop.html"; nocase; http_uri;
metadata:ruleset community, service http; reference:bugtraq,247;
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage fpadmcgi.exe access"; flow:to_server,established; content:"/scripts/Fpadmcgi.exe"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:946; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage orders.txt access"; flow:to_server,established; content:"/_private/orders.txt"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:947; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage form_results access"; flow:to_server,established; content:"/_private/form_results.txt"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-1052; classtype:web-application-activity; sid:948; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage registrations.htm access"; flow:to_server,established; content:"/_private/registrations.htm"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:949; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage cfgwiz.exe access"; flow:to_server,established; content:"/cfgwiz.exe"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:950; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage authors.pwd access"; flow:to_server,established; content:"/authors.pwd"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,989; reference:cve,1999-0386; reference:nessus,10078; classtype:web-application-activity; sid:951; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage author.exe access"; flow:to_server,established; content:"/_vti_bin/_vti_aut/author.exe"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:952; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage administrators.pwd access"; flow:to_server,established; content:"/administrators.pwd"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1205; classtype:web-application-activity; sid:953; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage form_results.htm access"; flow:to_server,established; content:"/_private/form_results.htm"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-1052; classtype:web-application-activity; sid:954; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage access.cnf access"; flow:to_server,established; content:"/_vti_pvt/access.cnf"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:955; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVEROTHER Microsoft Frontpage register.txt access";
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage .... request"; flow:to_server,established; content:"..../"; http_uri; metadata:ruleset community, service http; reference:bugtraq,989; reference:cve,1999-0386; reference:cve,2000-0153; reference:nessus,10142; classtype:web-application-attack; sid:966; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage dvwssr.dll access"; flow:to_server,established; content:"/dvwssr.dll"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1108; reference:bugtraq,1109; reference:cve,2000-0260; reference:nessus,10369; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-025; classtype:web-application-activity; sid:967; rev:25;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage register.htm access"; flow:to_server,established; content:"/_private/register.htm"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:968; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS WebDAV file lock attempt"; flow:to_server,established; content:"LOCK "; depth:5; metadata:ruleset community, service http; reference:bugtraq,2736; reference:nessus,10732; classtype:web-application-activity; sid:969; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ISAPI .printer access"; flow:to_server,established; content:".printer"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2674; reference:cve,2001-0241; reference:nessus,10661; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-023; classtype:web-application-activity; sid:971; rev:27;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS *.idc attempt"; flow:to_server,established; content:"/*.idc"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1448; reference:cve,1999-0874; reference:cve,2000-0661; classtype:web-application-attack; sid:973; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Microsoft Windows IIS directory traversal attempt"; flow:to_server,established; content:"..|5C|.."; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,2218; reference:cve,1999-0229; classtype:web-application-attack; sid:974; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Alternate Data streams ASP file access attempt"; flow:to_server,established; content:".asp|3A 3A 24|DATA"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,149; reference:cve,1999-0278; reference:nessus,10362; reference:url,support.microsoft.com/default.aspx?scid=kb\;EN-US\;q188806; classtype:web-application-attack; sid:975; rev:26;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .bat? access"; flow:to_server,established; content:".bat?";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,2023; reference:bugtraq,4335; reference:cve,1999-0233;
reference:cve,2002-0061;
reference:url,support.microsoft.com/support/kb/articles/Q148/1/88.asp;
reference:url,support.microsoft.com/support/kb/articles/Q155/0/56.asp;
classtype:web-application-activity; sid:976; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS .cnf access"; flow:to_server,established; content:".cnf"; nocase;
http_uri; metadata:ruleset community, service http;
reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575;
classtype:web-application-activity; sid:977; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ASP contents view"; flow:to_server,established; content:"%20";
content:"&CiRestriction=none"; nocase; content:"&CiHiliteType=Full";
fast_pattern:only; metadata:ruleset community, service http;
reference:bugtraq,1084; reference:cve,2000-0302; reference:nessus,10356;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-006;
classtype:web-application-attack; sid:978; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ASP contents view"; flow:to_server,established; content:".htw?CiWebHitsFile"; fast_pattern; nocase; http_uri; metadata:ruleset
community, service http; reference:bugtraq,1861; reference:cve,2000-0942;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-006;
classtype:web-application-attack; sid:979; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS CGImail.exe access"; flow:to_server,established;
content:"/scripts/CGImail.exe"; nocase; http_uri; metadata:ruleset
community, service http; reference:bugtraq,1623; reference:cve,2000-0726;
reference:nessus,11721; classtype:web-application-activity; sid:980;
rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS JET VBA access"; flow:to_server,established;
content:"/scripts/samples/ctguestb.idc"; nocase; http_uri;
metadata:ruleset community, service http; reference:bugtraq,307;
reference:cve,1999-0874; reference:nessus,10116; classtype:web-application-activity; sid:984; rev:25;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS JET VBA access"; flow:to_server,established;
content:"/scripts/samples/details.idc"; nocase; http_uri;
metadata:ruleset community, service http; reference:bugtraq,286;
reference:cve,1999-0874; classtype:web-application-activity; sid:985;
rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS MSProxy access"; flow:to_server,established;
content:"/scripts/proxy/w3proxy.dll"; nocase; http_uri; metadata:ruleset
community, service http; reference:url,support.microsoft.com/?kbid=331066; classtype:web-application-activity; sid:986; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"FILE-IDENTIFY .htr access file download request"; flow:to_server,established;
content:".htr"; fast_pattern:only; http_uri; pcre:"/\x2ehtr([\?\x5c\x2f]|$)/smiU"; metadata:ruleset community, service http;
reference:bugtraq,1488; reference:cve,2000-0630; reference:cve,2001-0004;
reference:nessus,10680; reference:url,technet.microsoft.com/en-us/security/bulletin/ms01-004; classtype:misc-activity; sid:987; rev:31;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"MALWARE-CNC sensepost.exe command shell"; flow:to_server,established;
content:"/sensepost.exe"; fast_pattern:only; http_uri; metadata:ruleset
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS /SiteServer/Publishing/viewcode.asp access";
flow:to_server,established;
content:"/SiteServer/Publishing/viewcode.asp"; nocase; http_uri;
metadata:ruleset community, service http; reference:nessus,10576;
classtype:web-application-activity; sid:1031; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS showcode access"; flow:to_server,established;
content:"/Sites/Knowledge/Membership/Inspired/ViewCode.asp"; nocase;
http_uri; metadata:ruleset community, service http; reference:cve,1999-0737; reference:nessus,10576; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-013; classtype:web-application-activity;
sid:1032; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS viewcode access"; flow:to_server,established;
content:"/Sites/Knowledge/Membership/Inspiredtutorial/ViewCode.asp";
nocase; http_uri; metadata:ruleset community, service http;
reference:cve,1999-0737; reference:nessus,10576;
reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-013;
classtype:web-application-activity; sid:1033; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS viewcode access"; flow:to_server,established;
content:"/Sites/Samples/Knowledge/Membership/Inspiredtutorial/ViewCode.asp"; nocase; http_uri; metadata:ruleset community, service http;
reference:cve,1999-0737; reference:nessus,10576;
reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-013;
classtype:web-application-activity; sid:1034; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS viewcode access"; flow:to_server,established;
content:"/Sites/Samples/Knowledge/Push/ViewCode.asp"; nocase; http_uri;
metadata:ruleset community, service http; reference:cve,1999-0737;
reference:nessus,10576; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-013; classtype:web-application-activity;
sid:1035; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS viewcode access"; flow:to_server,established;
content:"/Sites/Samples/Knowledge/Search/ViewCode.asp"; nocase; http_uri;
metadata:ruleset community, service http; reference:cve,1999-0737;
reference:nessus,10576; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-013; classtype:web-application-activity;
sid:1036; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS showcode.asp access"; flow:to_server,established;
content:"/showcode.asp"; nocase; http_uri; metadata:ruleset community,
service http; reference:bugtraq,167; reference:cve,1999-0736;
reference:nessus,10007; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-013; classtype:web-application-activity;
sid:1037; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS site server config access"; flow:to_server,established;
content:"/adsamples/config/site.csc"; nocase; http_uri; metadata:ruleset
community, service http; reference:bugtraq,256; reference:cve,1999-1520;
classtype:web-application-activity; sid:1038; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS srch.htm access"; flow:to_server,established;
content:"/samples/isapi/srch.htm"; nocase; http_uri; metadata:ruleset
community, service http; classtype:web-application-activity; sid:1039;
rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS srchadm access"; flow:to_server,established; content:"/srchadm";
nocase; http_uri; metadata:ruleset community, service http;
reference:nessus,11032; classtype:web-application-activity; sid:1040;
rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS uploadn.asp access"; flow:to_server,established;
content:"/scripts/uploadn.asp"; nocase; http_uri; metadata:ruleset
community, service http; reference:bugtraq,1811; reference:cve,1999-0360;
classtype:web-application-activity; sid:1041; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS view source via translate header"; flow:to_server,established;
content:"Translate|3A| F"; fast_pattern:only; metadata:ruleset community,
service http; reference:bugtraq,14764; reference:bugtraq,1578;
reference:cve,2000-0778; reference:nessus,10491; classtype:web-application-activity; sid:1042; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS viewcode.asp access"; flow:to_server,established;
content:"/viewcode.asp"; nocase; http_uri; metadata:ruleset community,
service http; reference:cve,1999-0737; reference:nessus,10576;
classtype:web-application-activity; sid:1043; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS webhits access"; flow:to_server,established; content:".htw";
http_uri; metadata:ruleset community, service http;
reference:bugtraq,950; reference:cve,2000-0097; classtype:web-application-activity; sid:1044; rev:17;)
# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"SERVER-IIS Unauthorized IP Access Attempt"; flow:to_client,established;
content:"403"; content:"Forbidden|3A|"; metadata:ruleset community,
service http; classtype:web-application-attack; sid:1045; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS site/iisamples access"; flow:to_server,established;
content:"/site/iisamples"; nocase; http_uri; metadata:ruleset community,
service http; reference:nessus,10370; classtype:web-application-activity;
sid:1046; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise DOS"; flow:to_server,established;
content:"REVLOG / "; depth:9; metadata:ruleset community, service http;
reference:bugtraq,2294; reference:cve,2001-0251; classtype:web-application-attack; sid:1047; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise directory listing attempt";
flow:to_server,established; content:"INDEX "; depth:6; metadata:ruleset
community, service http; reference:bugtraq,2285; reference:cve,2001-0250;
reference:nessus,10691; classtype:web-application-attack; sid:1048;
rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP iPlanet GETPROPERTIES attempt"; flow:to_server,established;
content:"GETPROPERTIES"; depth:13; metadata:ruleset community, service
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Talentsoft Web+ internal IP Address access";
flow:to_server,established; content:"/webplus.exe?"; nocase; http_uri;
content:"about"; distance:0; nocase; http_uri; metadata:ruleset
community, service http; reference:bugtraq,1720;
reference:url,archives.neohapsis.com/archives/ntbugtraq/2000q3/0168.html; classtype:web-application-activity; sid:1096; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Talentsoft Web+ exploit attempt"; flow:to_server,established;
content:"/webplus.cgi?"; nocase; http_uri;
content:"Script=/webplus/webping/webping.wml"; distance:0; nocase;
http_uri; metadata:ruleset community, service http;
reference:bugtraq,1725; classtype:web-application-attack; sid:1097;
rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SmartWin CyberOffice Shopping Cart access";
flow:to_server,established; content:"_private/shopping_cart.mdb";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,1734; reference:cve,2000-0925; classtype:web-application-attack; sid:1098; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cybercop scan"; flow:to_server,established; content:"/cybercop";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
classtype:web-application-activity; sid:1099; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"INDICATOR-SCAN L3retriever HTTP Probe"; flow:to_server,established;
content:"User-Agent|3A| Java1.2.1|0D 0A|"; http_header; metadata:ruleset
community, service http; classtype:web-application-activity; sid:1100;
rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"INDICATOR-SCAN Webtrends HTTP probe"; flow:to_server,established;
content:"User-Agent|3A| Webtrends Security Analyzer|0D 0A|"; http_header;
metadata:ruleset community, service http; classtype:web-application-activity; sid:1101; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP nessus 1.X 404 probe"; flow:to_server,established;
content:"/nessus_is_probing_you_"; depth:32; http_uri; metadata:ruleset
community, service http; classtype:web-application-attack; sid:1102;
rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape admin passwd"; flow:to_server,established;
content:"/admin-serv/config/admpw"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:bugtraq,1579;
reference:nessus,10468; classtype:web-application-attack; sid:1103;
rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP BigBrother access"; flow:to_server,established; content:"/bb-hostsvc.sh?"; nocase; http_uri; content:"HOSTSVC"; distance:0; nocase;
http_uri; metadata:ruleset community, service http;
reference:bugtraq,1455; reference:cve,2000-0638; reference:nessus,10460;
classtype:attempted-recon; sid:1105; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Poll-it access"; flow:to_server,established;
content:"/pollit/Poll_It_SSI_v2.0.cgi"; fast_pattern:only; http_uri;
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mylog.phtml access"; flow:to_server,established;
content:"/mylog.phtml"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,713; reference:cve,1999-0068;
reference:cve,1999-0346; classtype:attempted-recon; sid:1120; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /etc/passwd file access attempt"; flow:to_server,established;
content:"/etc/passwd"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; classtype:attempted-recon; sid:1122; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ?PageServices access"; flow:to_server,established; content:"?PageServices"; fast_pattern:only; http_uri; metadata:ruleset community,
service http; reference:bugtraq,1063; reference:bugtraq,7621;
reference:cve,1999-0269; classtype:attempted-recon; sid:1123; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Ecommerce check.txt access"; flow:to_server,established;
content:"/config/check.txt"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; classtype:attempted-recon;
sid:1124; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webcart access"; flow:to_server,established; content:"/webcart/";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:cve,1999-0610; reference:nessus,10298; classtype:attempted-recon; sid:1125; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AuthChangeUrl access"; flow:to_server,established;
content:"_AuthChangeUrl?"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,2110; reference:cve,1999-0407;
classtype:attempted-recon; sid:1126; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP convert.bas access"; flow:to_server,established;
content:"/scripts/convert.bas"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:bugtraq,2025;
reference:cve,1999-0175; classtype:attempted-recon; sid:1127; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cpshost.dll access"; flow:to_server,established;
content:"/scripts/cpshost.dll"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:bugtraq,1811;
reference:bugtraq,4002; reference:cve,1999-0360; classtype:attempted-recon; sid:1128; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .htaccess access"; flow:to_server,established;
content:".htaccess"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; classtype:attempted-recon; sid:1129; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .wwwacl access"; flow:to_server,established; content:".wwwacl";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
classtype:attempted-recon; sid:1130; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .wwwacl access"; flow:to_server,established; content:".www_acl";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
classtype:attempted-recon; sid:1131; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 457 (msg:"SERVER-WEBAPP
Netscape Unixware overflow"; flow:to_server,established; content:"|EB|_|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP windmail.exe access"; flow:to_server,established;
content:"/windmail.exe"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,1073; reference:cve,2000-0242;
reference:nessus,10365; classtype:attempted-recon; sid:1158; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webplus access"; flow:to_server,established; content:"/webplus?script"; fast_pattern:only; http_uri; metadata:ruleset community, service
http; reference:bugtraq,1174; reference:bugtraq,1720;
reference:bugtraq,1722; reference:bugtraq,1725; reference:cve,2000-1005;
classtype:attempted-recon; sid:1159; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape dir index wp"; flow:to_server,established; content:"?wp-"; fast_pattern:only; http_uri; metadata:ruleset community, service
http; reference:bugtraq,1063; reference:cve,2000-0236;
reference:nessus,10352; classtype:attempted-recon; sid:1160; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP piranha passwd.php3 access"; flow:to_server,established;
content:"/passwd.php3"; http_uri; metadata:ruleset community, service
http; reference:bugtraq,1149; reference:cve,2000-0322;
classtype:attempted-recon; sid:1161; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cart 32 AdminPwd access"; flow:to_server,established;
content:"/c32web.exe/ChangeAdminPassword"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:bugtraq,1153;
reference:cve,2000-0429; classtype:attempted-recon; sid:1162; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webdist.cgi access"; flow:to_server,established;
content:"/webdist.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,374; reference:cve,1999-0039;
reference:nessus,10299; classtype:web-application-activity; sid:1163;
rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP shopping cart access"; flow:to_server,established;
content:"/quikstore.cfg"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,1983; reference:bugtraq,2049;
reference:cve,1999-0607; reference:cve,2000-1188; classtype:attempted-recon; sid:1164; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Novell Groupwise gwweb.exe access"; flow:to_server,established;
content:"/GWWEB.EXE"; nocase; metadata:ruleset community, service http;
reference:bugtraq,879; reference:cve,1999-1005; reference:cve,1999-1006;
reference:nessus,10877; classtype:attempted-recon; sid:1165; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ws_ftp.ini access"; flow:to_server,established;
content:"/ws_ftp.ini"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,547; reference:cve,1999-1078;
classtype:attempted-recon; sid:1166; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rpm_query access"; flow:to_server,established;
content:"/rpm_query"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,1036; reference:cve,2000-0192;
reference:nessus,10340; classtype:attempted-recon; sid:1167; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mall log order access"; flow:to_server,established;
content:"/mall_log_files/order.log"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:bugtraq,2266;
reference:cve,1999-0606; classtype:attempted-recon; sid:1168; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bigconf.cgi access"; flow:to_server,established;
content:"/bigconf.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,778; reference:cve,1999-1550;
reference:nessus,10027; classtype:web-application-activity; sid:1172;
rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP architext_query.pl access"; flow:to_server,established;
content:"/ews/architext_query.pl"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:bugtraq,2248;
reference:cve,1999-0279; reference:nessus,10064;
reference:url,www2.fedcirc.gov/alerts/advisories/1998/txt/fedcirc.98.03.txt; classtype:attempted-recon; sid:1173; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /cgi-bin/jj access"; flow:to_server,established; content:"/cgi-bin/jj"; fast_pattern:only; http_uri; metadata:ruleset community, service
http; reference:bugtraq,2002; reference:cve,1999-0260;
reference:nessus,10131; classtype:web-application-activity; sid:1174;
rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP wwwboard.pl access"; flow:to_server,established;
content:"/wwwboard.pl"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,1795; reference:bugtraq,649;
reference:cve,1999-0930; reference:cve,1999-0954; classtype:attempted-recon; sid:1175; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view";
flow:to_server,established; content:"?wp-verify-link"; fast_pattern:only;
http_uri; metadata:ruleset community, service http;
reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1177; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Phorum read access"; flow:to_server,established;
content:"/read.php3"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; classtype:attempted-recon; sid:1178; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Phorum violation access"; flow:to_server,established;
content:"/violation.php3"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,2272; reference:cve,2000-1234;
classtype:attempted-recon; sid:1179; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP get32.exe access"; flow:to_server,established;
content:"/get32.exe"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,1485; reference:bugtraq,770;
reference:cve,1999-0885; reference:nessus,10011; classtype:attempted-recon; sid:1180; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Annex Terminal DOS attempt"; flow:to_server,established;
content:"/ping?query="; http_uri; metadata:ruleset community, service
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP admin.php file upload attempt"; flow:to_server,established;
content:"/admin.php"; fast_pattern; nocase; http_uri;
content:"file_name="; http_uri; metadata:ruleset community, service http;
reference:bugtraq,3361; reference:cve,2001-1032; classtype:attempted-admin; sid:1300; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP admin.php access"; flow:to_server,established;
content:"/admin.php"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,3361; reference:bugtraq,7532;
reference:bugtraq,9270; reference:cve,2001-1032; classtype:attempted-recon; sid:1301; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP console.exe access"; flow:to_server,established; content:"/cgi-bin/console.exe"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,3375; reference:cve,2001-1252;
classtype:attempted-recon; sid:1302; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cs.exe access"; flow:to_server,established; content:"/cgi-bin/cs.exe"; fast_pattern:only; http_uri; metadata:ruleset community,
service http; reference:bugtraq,3375; reference:cve,2001-1252;
classtype:attempted-recon; sid:1303; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP txt2html.cgi access"; flow:to_server,established;
content:"/txt2html.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; classtype:web-application-activity; sid:1304;
rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP txt2html.cgi directory traversal attempt";
flow:to_server,established; content:"/txt2html.cgi"; fast_pattern:only;
http_uri; content:"/../../../../"; http_raw_uri; metadata:ruleset
community, service http; classtype:web-application-attack; sid:1305;
rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP store.cgi access"; flow:to_server,established;
content:"/store.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,2385; reference:cve,2001-0305;
reference:nessus,10639; classtype:web-application-activity; sid:1307;
rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sendmessage.cgi access"; flow:to_server,established;
content:"/sendmessage.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,3673; reference:cve,2001-1100;
classtype:attempted-recon; sid:1308; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP zsh access"; flow:to_server,established; content:"/zsh";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:1309; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4321 (msg:"SERVER-OTHER
rwhoisd format string attempt"; flow:to_server,established; content:"-soa %p"; metadata:ruleset community; reference:bugtraq,3474;
reference:cve,2001-0838; reference:nessus,10790; classtype:misc-attack;
sid:1323; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"INDICATOR-SHELLCODE ssh CRC32 overflow /bin/sh"; flow:to_server,established;
content:"/bin/sh"; metadata:ruleset community; reference:bugtraq,2347;
reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1324; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"INDICATOR-SHELLCODE ssh CRC32 overflow filler"; flow:to_server,established;
content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|";
fast_pattern:only; metadata:ruleset community; reference:bugtraq,2347;
reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1325; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"INDICATOR-SHELLCODE ssh CRC32 overflow NOOP"; flow:to_server,established;
content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|";
fast_pattern:only; metadata:ruleset community; reference:bugtraq,2347;
reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1326; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"INDICATOR-SHELLCODE ssh CRC32 overflow"; flow:to_server,established; content:"|00 01|W|00 00 00 18|"; depth:7; content:"|FF FF FF FF 00 00|"; depth:14;
offset:8; metadata:ruleset community; reference:bugtraq,2347;
reference:cve,2001-0144; reference:cve,2001-0572; reference:nessus,10607;
classtype:shellcode-detect; sid:1327; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .htgroup access"; flow:to_server,established; content:".htgroup";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
classtype:web-application-activity; sid:1374; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sadmind worm access"; flow:to_server,established; content:"GET x HTTP/1.0"; depth:15; metadata:ruleset community, service http;
reference:url,www.cert.org/advisories/CA-2001-11.html;
classtype:attempted-recon; sid:1375; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP jrun directory browse attempt"; flow:to_server,established;
content:"/?.jsp"; http_uri; metadata:ruleset community, service http;
reference:bugtraq,3592; reference:cve,2001-1510; classtype:web-application-attack; sid:1376; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP wu-ftp
bad file completion attempt"; flow:to_server,established; content:"~";
content:"["; distance:0; metadata:ruleset community, service ftp;
reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550;
reference:cve,2001-0886; reference:nessus,10821; classtype:misc-attack;
sid:1377; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP wu-ftp
bad file completion attempt"; flow:to_server,established; content:"~";
content:"{"; distance:0; metadata:ruleset community, service ftp;
reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550;
reference:cve,2001-0886; reference:nessus,10821; classtype:misc-attack;
sid:1378; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP STAT
overflow attempt"; flow:to_server,established; content:"STAT"; nocase;
isdataat:190,relative; pcre:"/^STAT(?!\n)\s[^\n]{190}/mi";
metadata:ruleset community, service ftp; reference:bugtraq,3507;
reference:bugtraq,8542; reference:cve,2001-0325; reference:cve,2001-1021;
reference:cve,2003-0772; reference:cve,2011-0762;
reference:url,labs.defcom.com/adv/2001/def-2001-31.txt;
classtype:attempted-admin; sid:1379; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Form_VBScript.asp access"; flow:to_server,established;
content:"/Form_VBScript.asp"; nocase; http_uri; metadata:ruleset
community, service http; reference:bugtraq,1594; reference:bugtraq,1595;
reference:cve,2000-0746; reference:cve,2000-1104; reference:nessus,10572;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-060;
classtype:web-application-attack; sid:1380; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro OfficeScan attempt"; flow:to_server,established;
content:"/officescan/cgi/jdkRqNotify.exe?"; nocase; http_uri;
content:"domain="; nocase; http_uri; content:"event="; fast_pattern:only;
http_uri; metadata:ruleset community, service http;
reference:bugtraq,1057; classtype:attempted-recon; sid:1381; rev:13;)
# alert tcp any any -> any 6666:7000 (msg:"SERVER-OTHER CHAT IRC Ettercap
parse overflow attempt"; flow:to_server,established; content:"PRIVMSG";
fast_pattern:only; content:"nickserv"; nocase; content:"IDENTIFY";
nocase; isdataat:100,relative;
pcre:"/^PRIVMSG\s+nickserv\s+IDENTIFY\s[^\n]{100}/smi"; metadata:ruleset
community; reference:url,www.bugtraq.org/dev/GOBBLES-12.txt;
classtype:misc-attack; sid:1382; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"OS-WINDOWS
Microsoft Windows UPnP malformed advertisement"; flow:to_server;
content:"NOTIFY * "; fast_pattern:only; content:"LOCATION|3A|"; nocase;
detection_filter:track by_dst, count 10, seconds 1; metadata:ruleset
community; reference:bugtraq,3723; reference:cve,2001-0876;
reference:cve,2001-0877; reference:nessus,10829;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-059;
classtype:misc-attack; sid:1384; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mod-plsql administration access"; flow:to_server,established;
content:"/admin_/"; http_uri; metadata:ruleset community, service http;
reference:bugtraq,3726; reference:bugtraq,3727; reference:cve,2001-1216;
reference:cve,2001-1217; reference:nessus,10849; classtype:web-application-activity; sid:1385; rev:18;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SERVER-MSSQL
raiserror possible buffer overflow"; flow:to_server,established;
content:"r|00|a|00|i|00|s|00|e|00|r|00|r|00|o|00|r|00|"; offset:32;
nocase; metadata:ruleset community; reference:bugtraq,3733;
reference:cve,2001-0542; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-060; classtype:attempted-user; sid:1386;
rev:15;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL raiserror
possible buffer overflow"; flow:to_server,established; content:"r|00|a|00|i|00|s|00|e|00|r|00|r|00|o|00|r|00|"; fast_pattern:only;
metadata:ruleset community; reference:bugtraq,3733; reference:cve,2001-0542; reference:nessus,11217; classtype:attempted-user; sid:1387;
rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-WINDOWS Microsoft
Windows UPnP Location overflow attempt"; content:"Location";
fast_pattern:only; pcre:"/^Location\s*\x3a\s*\w+\x3a\/\/([^\n]*\x3a)?[^\n]{128}/smi"; metadata:ruleset community; reference:bugtraq,3723;
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS /msadc/samples/ access"; flow:to_server,established;
content:"/msadc/samples/"; nocase; http_uri; metadata:ruleset community,
service http; reference:bugtraq,167; reference:cve,1999-0736;
reference:nessus,1007; classtype:web-application-attack; sid:1401;
rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS iissamples access"; flow:to_server,established;
content:"/iissamples/"; nocase; http_uri; metadata:ruleset community,
service http; reference:nessus,11032; classtype:web-application-attack;
sid:1402; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AHG search.cgi access"; flow:to_server,established;
content:"/publisher/search.cgi"; fast_pattern; nocase; http_uri;
content:"template="; nocase; http_uri; metadata:ruleset community,
service http; reference:bugtraq,3985; reference:cve,2002-2113;
classtype:web-application-activity; sid:1405; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP agora.cgi access"; flow:to_server,established;
content:"/store/agora.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,3702; reference:bugtraq,3976;
reference:cve,2001-1199; reference:cve,2002-0215; reference:nessus,10836;
classtype:web-application-activity; sid:1406; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP smssend.php access"; flow:to_server,established;
content:"/smssend.php"; http_uri; metadata:ruleset community, service
http; reference:bugtraq,3982; reference:cve,2002-0220; classtype:web-application-activity; sid:1407; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"SERVER-OTHER MSDTC
attempt"; flow:to_server,established; dsize:>1023; metadata:ruleset
community; reference:bugtraq,4006; reference:cve,2002-0224;
reference:nessus,10939; classtype:attempted-dos; sid:1408; rev:16;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"PROTOCOL-SNMP
community string buffer overflow attempt"; flow:to_server; content:"|02 01 00 04 82 01 00|"; offset:4; metadata:ruleset community, service snmp;
reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,2002-0012;
reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:1409; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP dcboard.cgi access"; flow:to_server,established;
content:"/dcboard.cgi"; http_uri; metadata:ruleset community, service
http; reference:bugtraq,2728; reference:cve,2001-0527;
reference:nessus,10583; classtype:attempted-recon; sid:1410; rev:16;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP public
access udp"; flow:to_server; content:"|06|public"; metadata:ruleset
community, service snmp; reference:bugtraq,2112; reference:bugtraq,4088;
reference:bugtraq,4089; reference:cve,1999-0517; reference:cve,2002-0012;
reference:cve,2002-0013; classtype:attempted-recon; sid:1411; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP public
access tcp"; flow:to_server,established; content:"public";
metadata:ruleset community, service snmp; reference:bugtraq,2112;
reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,7212;
reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1412; rev:20;)
asf)|a(udio\/x\-ms\-w(m[av]|ax)|pplication\/x\-ms\-wm[zd]))/smiH";
metadata:ruleset community, service ftp-data, service http, service imap,
service pop3; classtype:misc-activity; sid:1437; rev:27;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-MULTIMEDIA Shoutcast playlist redirection"; flow:to_client,established;
content:"Content-type|3A|"; nocase; http_header; content:"audio/x-scpls";
within:50; fast_pattern; nocase; http_header; metadata:ruleset community,
service http; classtype:policy-violation; sid:1439; rev:17;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-MULTIMEDIA Icecast playlist redirection"; flow:to_client,established;
content:"Content-type|3A|"; nocase; http_header; content:"audio/x-mpegurl"; within:50; fast_pattern; nocase; http_header; metadata:ruleset
community, service http; classtype:policy-violation; sid:1440; rev:17;)
# alert udp any any -> any 69 (msg:"PROTOCOL-TFTP GET nc.exe";
flow:to_server; content:"|00 01|"; depth:2; content:"nc.exe"; offset:2;
nocase; metadata:ruleset community; classtype:successful-admin; sid:1441;
rev:10;)
# alert udp any any -> any 69 (msg:"PROTOCOL-TFTP GET shadow";
flow:to_server; content:"|00 01|"; depth:2; content:"shadow"; offset:2;
nocase; metadata:ruleset community; classtype:successful-admin; sid:1442;
rev:10;)
# alert udp any any -> any 69 (msg:"PROTOCOL-TFTP GET passwd";
flow:to_server; content:"|00 01|"; depth:2; content:"passwd"; offset:2;
nocase; metadata:ruleset community; classtype:successful-admin; sid:1443;
rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP Get";
flow:to_server; content:"|00 01|"; depth:2; metadata:ruleset community;
classtype:bad-unknown; sid:1444; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE
FTP file_id.diz access possible warez site"; flow:to_server,established;
content:"RETR"; nocase; content:"file_id.diz"; distance:1; nocase;
metadata:ruleset community, service ftp; classtype:suspicious-filename-detect; sid:1445; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL vrfy
root"; flow:to_server,established; content:"vrfy"; nocase;
content:"root"; distance:1; nocase; pcre:"/^vrfy\s+root/smi";
metadata:ruleset community, service smtp; classtype:attempted-recon;
sid:1446; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"POLICY-OTHER
Microsoft Windows Terminal server RDP attempt";
flow:to_server,established; content:"|03 00 00 0B 06 E0 00 00 00 00 00|";
depth:11; metadata:ruleset community; reference:bugtraq,3099;
reference:cve,2001-0540; reference:cve,2001-0663; reference:nessus,10940;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-040;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-052;
classtype:protocol-command-decode; sid:1447; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"POLICY-OTHER
Microsoft Windows Terminal server request attempt";
flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|E0 00 00 00 00 00|"; depth:6; offset:5; metadata:ruleset community;
reference:bugtraq,3099; reference:cve,2001-0540; reference:cve,2001-0663;
reference:nessus,10940; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-040; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-052; classtype:protocol-command-decode;
sid:1448; rev:19;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL
Vintra Mailserver expn *@"; flow:to_server,established; content:"expn";
fast_pattern:only; content:"*@"; pcre:"/^expn\s+\*@/smi";
metadata:ruleset community, service smtp; reference:cve,1999-1200;
classtype:misc-attack; sid:1450; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP NPH-maillist access"; flow:to_server,established; content:"/nph-maillist.pl"; fast_pattern:only; http_uri; metadata:ruleset community,
service http; reference:bugtraq,2563; reference:cve,2001-0400;
reference:nessus,10164; classtype:attempted-recon; sid:1451; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP args.cmd access"; flow:to_server,established; content:"/args.cmd";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:cve,1999-1180; reference:nessus,11465; classtype:attempted-recon; sid:1452; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AT-generated.cgi access"; flow:to_server,established;
content:"/AT-generated.cgi"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:cve,1999-1072;
classtype:attempted-recon; sid:1453; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP wwwwais access"; flow:to_server,established; content:"/wwwwais";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:cve,2001-0223; reference:nessus,10597; classtype:attempted-recon; sid:1454; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP calendar.pl access"; flow:to_server,established;
content:"calendar"; nocase; http_uri; pcre:"/calendar(|[_]admin)\.pl/Ui"; metadata:ruleset community, service http;
reference:bugtraq,1215; reference:cve,2000-0432; classtype:attempted-recon; sid:1455; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP calender_admin.pl access"; flow:to_server,established;
content:"/calender_admin.pl"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:cve,2000-0432;
reference:nessus,10506; classtype:attempted-recon; sid:1456; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP user_update_admin.pl access"; flow:to_server,established;
content:"/user_update_admin.pl"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:bugtraq,1486;
reference:cve,2000-0627; classtype:attempted-recon; sid:1457; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP user_update_passwd.pl access"; flow:to_server,established;
content:"/user_update_passwd.pl"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:bugtraq,1486;
reference:cve,2000-0627; classtype:attempted-recon; sid:1458; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-histlog.sh access"; flow:to_server,established; content:"/bb-histlog.sh"; fast_pattern:only; http_uri; metadata:ruleset community,
service http; reference:bugtraq,142; reference:cve,1999-1462;
reference:nessus,10025; classtype:attempted-recon; sid:1459; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-histsvc.sh access"; flow:to_server,established; content:"/bb-histsvc.sh"; fast_pattern:only; http_uri; metadata:ruleset community,
service http; reference:bugtraq,142; reference:cve,1999-1462;
classtype:attempted-recon; sid:1460; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-rep.sh access"; flow:to_server,established; content:"/bb-rep.sh"; fast_pattern:only; http_uri; metadata:ruleset community, service
http; reference:bugtraq,142; reference:cve,1999-1462;
classtype:attempted-recon; sid:1461; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-replog.sh access"; flow:to_server,established; content:"/bb-replog.sh"; fast_pattern:only; http_uri; metadata:ruleset community,
service http; reference:bugtraq,142; reference:cve,1999-1462;
classtype:attempted-recon; sid:1462; rev:17;)
# alert tcp $HOME_NET any <> $EXTERNAL_NET 6666:7000 (msg:"POLICY-SOCIAL
IRC message"; flow:established; dsize:<140; content:"PRIVMSG ";
metadata:ruleset community; classtype:policy-violation; sid:1463;
rev:15;)
# alert tcp $HOME_NET 8002 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE oracle one hour install"; flow:to_client,established;
content:"Oracle Applications One-Hour Install"; metadata:ruleset
community; reference:nessus,10737; classtype:bad-unknown; sid:1464;
rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP auktion.cgi access"; flow:to_server,established;
content:"/auktion.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,2367; reference:cve,2001-0212;
reference:nessus,10638; classtype:web-application-activity; sid:1465;
rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cgiforum.pl access"; flow:to_server,established;
content:"/cgiforum.pl"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,1963; reference:cve,2000-1171;
reference:nessus,10552; classtype:web-application-activity; sid:1466;
rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP directorypro.cgi access"; flow:to_server,established;
content:"/directorypro.cgi"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:bugtraq,2793;
reference:cve,2001-0780; reference:nessus,10679; classtype:web-application-activity; sid:1467; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Web Shopper shopper.cgi attempt"; flow:to_server,established;
content:"/shopper.cgi"; fast_pattern; nocase; http_uri;
content:"newpage=../"; nocase; metadata:ruleset community, service http;
reference:bugtraq,1776; reference:cve,2000-0922; reference:nessus,10533;
classtype:web-application-attack; sid:1468; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Web Shopper shopper.cgi access"; flow:to_server,established;
content:"/shopper.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,1776; reference:cve,2000-0922;
classtype:attempted-recon; sid:1469; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP listrec.pl access"; flow:to_server,established;
content:"/listrec.pl"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,3328; reference:cve,2001-0997;
reference:nessus,10769; classtype:attempted-recon; sid:1470; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mailnews.cgi access"; flow:to_server,established;
content:"/mailnews.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,2391; reference:cve,2001-0271;
reference:nessus,10641; classtype:attempted-recon; sid:1471; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP book.cgi access"; flow:to_server,established; content:"/book.cgi";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,3178; reference:cve,2001-1114; reference:nessus,10721;
classtype:web-application-activity; sid:1472; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP newsdesk.cgi access"; flow:to_server,established;
content:"/newsdesk.cgi"; fast_pattern:only; http_uri; content:"../";
http_raw_uri; metadata:ruleset community, service http;
reference:bugtraq,2172; reference:cve,2001-0232; reference:nessus,10586;
classtype:attempted-recon; sid:1473; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cal_make.pl access"; flow:to_server,established;
content:"/cal_make.pl"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,2663; reference:cve,2001-0463;
reference:nessus,10664; classtype:web-application-activity; sid:1474;
rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mailit.pl access"; flow:to_server,established;
content:"/mailit.pl"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:nessus,10417; classtype:attempted-recon; sid:1475; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sdbsearch.cgi access"; flow:to_server,established;
content:"/sdbsearch.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,1658; reference:cve,2001-1130;
reference:nessus,10503; reference:nessus,10720; classtype:attempted-recon; sid:1476; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Simple Web Counter URI Parameter Buffer Overflow attempt";
flow:to_server,established; content:"/swc"; nocase; http_uri;
content:"ctr="; distance:0; nocase; http_uri; urilen:>500;
metadata:ruleset community, service http; reference:bugtraq,6581;
reference:nessus,10493; reference:url,osvdb.org/show/osvdb/392;
classtype:attempted-user; sid:1478; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ttawebtop.cgi arbitrary file attempt"; flow:to_server,established;
content:"/ttawebtop.cgi"; nocase; content:"pg=../"; fast_pattern:only;
metadata:ruleset community, service http; reference:bugtraq,2890;
reference:cve,2001-0805; reference:nessus,10696; classtype:web-application-attack; sid:1479; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ttawebtop.cgi access"; flow:to_server,established;
content:"/ttawebtop.cgi"; fast_pattern:only; http_uri; metadata:ruleset
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP server-status access"; flow:to_server,established;
content:"/server-status"; http_uri; metadata:ruleset community, service
http; reference:url,httpd.apache.org/docs/mod/mod_info.html;
classtype:web-application-activity; sid:1521; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ans.pl attempt"; flow:to_server,established; content:"/ans.pl?";
nocase; http_uri; content:"p=../../"; distance:0; nocase; http_uri;
metadata:ruleset community, service http; reference:bugtraq,4147;
reference:bugtraq,4149; reference:cve,2002-0306; reference:cve,2002-0307;
reference:nessus,10875; classtype:web-application-attack; sid:1522;
rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ans.pl access"; flow:to_server,established; content:"/ans.pl";
http_uri; metadata:ruleset community, service http;
reference:bugtraq,4147; reference:bugtraq,4149; reference:cve,2002-0306;
reference:cve,2002-0307; reference:nessus,10875; classtype:web-application-activity; sid:1523; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Axis Storpoint CD attempt"; flow:to_server,established;
content:"/cd/../config/html/cnf_gi.htm"; metadata:ruleset community,
service http; reference:bugtraq,1025; reference:cve,2000-0191;
reference:nessus,10023; classtype:web-application-attack; sid:1524;
rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Axis Storpoint CD access"; flow:to_server,established;
content:"/config/html/cnf_gi.htm"; http_uri; metadata:ruleset community,
service http; reference:bugtraq,1025; reference:cve,2000-0191;
reference:nessus,10023; classtype:web-application-activity; sid:1525;
rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP basilix sendmail.inc access"; flow:to_server,established;
content:"/inc/sendmail.inc"; http_uri; metadata:ruleset community,
service http; reference:bugtraq,2198; reference:cve,2001-1044;
reference:nessus,10601; classtype:web-application-activity; sid:1526;
rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP basilix mysql.class access"; flow:to_server,established;
content:"/class/mysql.class"; http_uri; metadata:ruleset community,
service http; reference:bugtraq,2198; reference:cve,2001-1044;
reference:nessus,10601; classtype:web-application-activity; sid:1527;
rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP BBoard access"; flow:to_server,established;
content:"/servlet/sunexamples.BBoardServlet"; http_uri; metadata:ruleset
community, service http; reference:bugtraq,1459; reference:cve,2000-0629;
reference:nessus,10507; classtype:web-application-activity; sid:1528;
rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE
overflow attempt"; flow:to_server,established; content:"SITE"; nocase;
isdataat:100,relative; pcre:"/^SITE(?!\n)\s[^\n]{100}/smi";
metadata:ruleset community, service ftp; reference:cve,1999-0838;
reference:cve,2001-0755; reference:cve,2001-0770; classtype:attempted-admin; sid:1529; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-hist.sh attempt"; flow:to_server,established; content:"/bb-hist.sh?"; nocase; http_uri; content:"HISTFILE=../.."; distance:0;
nocase; http_uri; metadata:ruleset community, service http;
reference:bugtraq,142; reference:cve,1999-1462; reference:nessus,10025;
classtype:web-application-attack; sid:1531; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-hostscv.sh attempt"; flow:to_server,established; content:"/bb-hostsvc.sh?"; fast_pattern:only; http_uri; content:"HOSTSVC"; nocase;
http_uri; content:"../.."; distance:0; http_raw_uri; metadata:ruleset
community, service http; reference:bugtraq,1455; reference:cve,2000-0638;
reference:nessus,10460; classtype:web-application-attack; sid:1532;
rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-hostscv.sh access"; flow:to_server,established; content:"/bb-hostsvc.sh"; fast_pattern:only; http_uri; metadata:ruleset community,
service http; reference:bugtraq,1455; reference:cve,2000-0638;
reference:nessus,10460; classtype:web-application-activity; sid:1533;
rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP agora.cgi attempt"; flow:to_server,established;
content:"/store/agora.cgi?"; nocase; http_uri;
content:"cart_id=<SCRIPT>"; distance:0; nocase; http_uri;
metadata:ruleset community, service http; reference:bugtraq,3702;
reference:bugtraq,3976; reference:cve,2001-1199; reference:cve,2002-0215;
reference:nessus,10836; classtype:web-application-attack; sid:1534;
rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bizdbsearch access"; flow:to_server,established; content:"/bizdb1-search.cgi"; fast_pattern:only; http_uri; metadata:ruleset community,
service http; reference:bugtraq,1104; reference:cve,2000-0287;
reference:nessus,10383; classtype:web-application-activity; sid:1535;
rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP calendar_admin.pl arbitrary command execution attempt";
flow:to_server,established; content:"/calendar_admin.pl?"; nocase;
http_uri; content:"config=|7C|"; distance:0; nocase; http_uri;
metadata:ruleset community, service http; reference:bugtraq,1215;
reference:cve,2000-0432; reference:nessus,10506; classtype:web-application-attack; sid:1536; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP calendar_admin.pl access"; flow:to_server,established;
content:"/calendar_admin.pl"; http_uri; metadata:ruleset community,
service http; reference:bugtraq,1215; reference:cve,2000-0432;
reference:nessus,10506; classtype:web-application-activity; sid:1537;
rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP
AUTHINFO USER overflow attempt"; flow:to_server,established;
content:"AUTHINFO"; nocase; content:"USER"; distance:0; nocase;
isdataat:200,relative; pcre:"/^AUTHINFO\s+USER\s[^\n]{200}/smi";
metadata:ruleset community; reference:bugtraq,1156; reference:cve,2000-0341; reference:nessus,10388; classtype:attempted-admin; sid:1538;
rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /cgi-bin/ls access"; flow:to_server,established; content:"/cgi-bin/ls"; fast_pattern:only; http_uri; metadata:ruleset community, service
http; reference:bugtraq,936; reference:cve,2000-0079;
reference:nessus,10037; classtype:web-application-activity; sid:1539;
rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion ?Mode=debug attempt"; flow:to_server,established;
content:"Mode=debug"; nocase; http_uri; metadata:ruleset community,
service http; reference:cve,1999-0760; reference:nessus,10797;
classtype:web-application-activity; sid:1540; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER
version query"; flow:to_server,established; content:"version";
metadata:ruleset community; classtype:attempted-recon; sid:1541; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cgimail access"; flow:to_server,established; content:"/cgimail";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,1623; reference:cve,2000-0726; reference:nessus,11721;
classtype:web-application-activity; sid:1542; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cgiwrap access"; flow:to_server,established; content:"/cgiwrap";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,1238; reference:bugtraq,3084; reference:bugtraq,777;
reference:cve,1999-1530; reference:cve,2000-0431; reference:cve,2001-0987; reference:nessus,10041; classtype:web-application-activity;
sid:1543; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco Catalyst command execution attempt";
flow:to_server,established; content:"/exec/show/config/cr";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,1846; reference:cve,2000-0945; reference:nessus,10545;
classtype:web-application-activity; sid:1544; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER
Cisco denial of service attempt"; flow:to_server,established; dsize:1;
content:"|13|"; metadata:ruleset community, service http; classtype:web-application-attack; sid:1545; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco HTTP double-percent DOS attempt";
flow:to_server,established; content:"/%%"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:bugtraq,1154;
reference:cve,2000-0380; reference:nessus,10387; classtype:web-application-attack; sid:1546; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP csSearch.cgi arbitrary command execution attempt";
flow:to_server,established; content:"/csSearch.cgi"; http_uri;
content:"setup="; content:"`"; content:"`"; distance:1; metadata:ruleset
community, service http; reference:bugtraq,4368; reference:cve,2002-0495;
reference:nessus,10924; classtype:web-application-attack; sid:1547;
rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP csSearch.cgi access"; flow:to_server,established;
content:"/csSearch.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,4368; reference:cve,2002-0495;
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP test.cgi access"; flow:to_server,established; content:"/test.cgi";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
classtype:web-application-activity; sid:1646; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP perl.exe command attempt"; flow:to_server,established;
content:"/perl.exe?"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:cve,1999-0509; reference:nessus,10173;
reference:url,www.cert.org/advisories/CA-1996-11.html;
classtype:attempted-recon; sid:1648; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP perl command attempt"; flow:to_server,established;
content:"/perl?"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:cve,1999-0509; reference:nessus,10173;
reference:url,www.cert.org/advisories/CA-1996-11.html;
classtype:attempted-recon; sid:1649; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP tst.bat access"; flow:to_server,established; content:"/tst.bat";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,770; reference:cve,1999-0885; reference:nessus,10014;
classtype:web-application-activity; sid:1650; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP environ.pl access"; flow:to_server,established;
content:"/environ.pl"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; classtype:web-application-activity; sid:1651;
rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP campas attempt"; flow:to_server,established; content:"/campas?|0A|"; fast_pattern:only; http_uri; metadata:ruleset community, service
http; reference:bugtraq,1975; reference:cve,1999-0146;
reference:nessus,10035; classtype:web-application-attack; sid:1652;
rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cart32.exe access"; flow:to_server,established;
content:"/cart32.exe"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,1153; reference:nessus,10389;
classtype:web-application-activity; sid:1654; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP pfdispaly.cgi arbitrary command execution attempt";
flow:to_server,established; content:"/pfdispaly.cgi?"; nocase; http_uri;
content:"'"; distance:0; nocase; http_uri; metadata:ruleset community,
service http; reference:cve,1999-0270; reference:nessus,10174;
classtype:web-application-attack; sid:1655; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP pfdispaly.cgi access"; flow:to_server,established;
content:"/pfdispaly.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,64; reference:cve,1999-0270;
reference:nessus,10174; classtype:web-application-activity; sid:1656;
rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP pagelog.cgi directory traversal attempt";
flow:to_server,established; content:"/pagelog.cgi"; nocase; http_uri;
content:"name=../"; fast_pattern:only; metadata:ruleset community,
service http; reference:bugtraq,1864; reference:cve,2000-0940;
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /cgi-dos/ access"; flow:to_server,established; content:"/cgi-dos/"; http_uri; content:"/cgi-dos/ HTTP"; fast_pattern:only;
metadata:ruleset community, service http; classtype:web-application-attack; sid:1669; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /home/ftp access"; flow:to_server,established;
content:"/home/ftp"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:nessus,11032; classtype:web-application-activity; sid:1670; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /home/www access"; flow:to_server,established;
content:"/home/www"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:nessus,11032; classtype:web-application-activity; sid:1671; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP CWD ~
attempt"; flow:to_server,established; content:"CWD"; fast_pattern:only;
pcre:"/^CWD\s+~/smi"; metadata:ruleset community, service ftp;
reference:bugtraq,2601; reference:bugtraq,9215; reference:cve,2001-0421;
classtype:denial-of-service; sid:1672; rev:21;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE EXECUTE_SYSTEM attempt"; flow:to_server,established;
content:"EXECUTE_SYSTEM"; nocase; metadata:ruleset community;
classtype:system-call-detect; sid:1673; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE connect_data remote version detection attempt";
flow:to_server,established; content:"connect_data|28|command=version|
29|"; nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1674; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE misparsed login response"; flow:to_client,established;
content:"description=|28|"; nocase; content:!"connect_data=|28|sid=";
nocase; content:!"address=|28|protocol=tcp"; nocase; metadata:ruleset
community; classtype:suspicious-login; sid:1675; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE select union attempt"; flow:to_server,established; content:"select
"; nocase; content:" union "; nocase; metadata:ruleset community;
classtype:protocol-command-decode; sid:1676; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE select like '%' attempt"; flow:to_server,established; content:"
where "; nocase; content:" like '%'"; nocase; metadata:ruleset community;
classtype:protocol-command-decode; sid:1677; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE select like '%' attempt backslash escaped";
flow:to_server,established; content:" where "; nocase; content:" like |
22|%|22|"; nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1678; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE describe attempt"; flow:to_server,established; content:"describe
"; nocase; metadata:ruleset community; classtype:protocol-command-decode;
sid:1679; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE all_constraints access"; flow:to_server,established;
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE alter table attempt"; flow:to_server,established; content:"alter
table"; nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1694; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE truncate table attempt"; flow:to_server,established;
content:"truncate table"; nocase; metadata:ruleset community;
classtype:protocol-command-decode; sid:1695; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE create database attempt"; flow:to_server,established;
content:"create database"; nocase; metadata:ruleset community;
classtype:protocol-command-decode; sid:1696; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE alter database attempt"; flow:to_server,established;
content:"alter database"; nocase; metadata:ruleset community;
classtype:protocol-command-decode; sid:1697; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP imagemap.exe access"; flow:to_server,established;
content:"/imagemap.exe"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,739; reference:cve,1999-0951;
reference:nessus,10122; classtype:web-application-activity; sid:1700;
rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP calendar-admin.pl access"; flow:to_server,established;
content:"/calendar-admin.pl"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:bugtraq,1215;
reference:cve,2000-0432; reference:nessus,10506; classtype:web-application-activity; sid:1701; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Amaya templates sendtemp.pl access"; flow:to_server,established;
content:"/sendtemp.pl"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,2504; reference:cve,2001-0272;
classtype:web-application-activity; sid:1702; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP auktion.cgi directory traversal attempt";
flow:to_server,established; content:"/auktion.cgi"; fast_pattern; nocase;
http_uri; content:"menue=../../"; nocase; metadata:ruleset community,
service http; reference:bugtraq,2367; reference:cve,2001-0212;
reference:nessus,10638; classtype:web-application-attack; sid:1703;
rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cal_make.pl directory traversal attempt";
flow:to_server,established; content:"/cal_make.pl"; nocase; http_uri;
content:"p0=../../"; fast_pattern:only; metadata:ruleset community,
service http; reference:bugtraq,2663; reference:cve,2001-0463;
reference:nessus,10664; classtype:web-application-attack; sid:1704;
rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP echo.bat arbitrary command execution attempt";
flow:to_server,established; content:"/echo.bat"; http_uri; content:"&";
metadata:ruleset community, service http; reference:bugtraq,1002;
reference:cve,2000-0213; reference:nessus,10246; classtype:web-application-attack; sid:1705; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP echo.bat access"; flow:to_server,established; content:"/echo.bat";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,1002; reference:cve,2000-0213; reference:nessus,10246;
classtype:web-application-activity; sid:1706; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP hello.bat arbitrary command execution attempt";
flow:to_server,established; content:"/hello.bat"; http_uri; content:"&";
metadata:ruleset community, service http; reference:bugtraq,1002;
reference:cve,2000-0213; reference:nessus,10246; classtype:web-application-attack; sid:1707; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP hello.bat access"; flow:to_server,established;
content:"/hello.bat"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,1002; reference:cve,2000-0213;
reference:nessus,10246; classtype:web-application-activity; sid:1708;
rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ad.cgi access"; flow:to_server,established; content:"/ad.cgi";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,2103; reference:cve,2001-0025; reference:nessus,11464;
classtype:web-application-activity; sid:1709; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bbs_forum.cgi access"; flow:to_server,established;
content:"/bbs_forum.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,2177; reference:cve,2001-0123;
reference:url,www.cgisecurity.com/advisory/3.1.txt; classtype:web-application-activity; sid:1710; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bsguest.cgi access"; flow:to_server,established;
content:"/bsguest.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,2159; reference:cve,2001-0099;
classtype:web-application-activity; sid:1711; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bslist.cgi access"; flow:to_server,established;
content:"/bslist.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,2160; reference:cve,2001-0100;
classtype:web-application-activity; sid:1712; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cgforum.cgi access"; flow:to_server,established;
content:"/cgforum.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,1951; reference:cve,2000-1132;
classtype:web-application-activity; sid:1713; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP newdesk access"; flow:to_server,established; content:"/newdesk";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
classtype:web-application-activity; sid:1714; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP register.cgi access"; flow:to_server,established;
content:"/register.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,2157; reference:cve,2001-0076;
classtype:web-application-activity; sid:1715; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP gbook.cgi access"; flow:to_server,established;
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS doctodep.btr access"; flow:to_server,established;
content:"doctodep.btr"; http_uri; metadata:ruleset community, service
http; classtype:web-application-activity; sid:1726; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SGI InfoSearch fname access"; flow:to_server,established;
content:"/infosrch.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,1031; reference:cve,2000-0207;
classtype:web-application-activity; sid:1727; rev:20;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"POLICY-SOCIAL
IRC channel join"; flow:to_server,established; dsize:<140; content:"JOIN
"; pcre:"/(&|#|\+|!)/R"; metadata:ruleset community; classtype:policy-violation; sid:1729; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ustorekeeper.pl directory traversal attempt";
flow:to_server,established; content:"/ustorekeeper.pl"; nocase; http_uri;
content:"file=../../"; fast_pattern:only; metadata:ruleset community,
service http; reference:bugtraq,2536; reference:cve,2001-0466;
reference:nessus,10645; classtype:web-application-attack; sid:1730;
rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP a1stats access"; flow:to_server,established; content:"/a1stats/";
http_uri; metadata:ruleset community, service http;
reference:bugtraq,2705; reference:cve,2001-0561; reference:nessus,10669;
classtype:web-application-activity; sid:1731; rev:14;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
rwalld request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4;
offset:12; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
01 86 A8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4;
metadata:ruleset community, service sunrpc; reference:bugtraq,205;
reference:cve,1999-0181; classtype:rpc-portmap-decode; sid:1732; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
rwalld request TCP"; flow:to_server,established; content:"|00 01 86 A0|";
depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
01 86 A8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8;
metadata:ruleset community, service sunrpc; reference:bugtraq,205;
reference:cve,1999-0181; classtype:rpc-portmap-decode; sid:1733; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP USER
overflow attempt"; flow:to_server,established; content:"USER"; nocase;
isdataat:100,relative; pcre:"/^USER(?!\n)\s[^\n]{100}/smi";
metadata:ruleset community, service ftp; reference:bugtraq,10078;
reference:bugtraq,10720; reference:bugtraq,1227; reference:bugtraq,1504;
reference:bugtraq,15352; reference:bugtraq,1690; reference:bugtraq,22044;
reference:bugtraq,22045; reference:bugtraq,4638; reference:bugtraq,49750;
reference:bugtraq,7307; reference:bugtraq,8376; reference:cve,1999-1510;
reference:cve,1999-1514; reference:cve,1999-1519; reference:cve,1999-1539; reference:cve,2000-0479; reference:cve,2000-0656;
reference:cve,2000-0761; reference:cve,2000-0943; reference:cve,2000-1194; reference:cve,2001-0256; reference:cve,2001-0794;
reference:cve,2001-0826; reference:cve,2002-0126; reference:cve,2002-1522; reference:cve,2003-0271; reference:cve,2004-0286;
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Blahz-DNS dostuff.php access"; flow:to_server,established;
content:"/dostuff.php"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,4618; reference:cve,2002-0599;
classtype:web-application-activity; sid:1743; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SecureSite authentication bypass attempt";
flow:to_server,established; content:"secure_site, ok"; nocase;
metadata:ruleset community, service http; reference:bugtraq,4621;
classtype:web-application-attack; sid:1744; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Messagerie supp_membre.php access"; flow:to_server,established;
content:"/supp_membre.php"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,4635; classtype:web-application-activity; sid:1745; rev:15;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
cachefsd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4;
offset:12; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
01 87 8B|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4;
metadata:ruleset community, service sunrpc; reference:bugtraq,4674;
reference:cve,2002-0033; reference:cve,2002-0084; reference:nessus,10951;
classtype:rpc-portmap-decode; sid:1746; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
cachefsd request TCP"; flow:to_server,established; content:"|00 01 86
A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
01 87 8B|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8;
metadata:ruleset community, service sunrpc; reference:bugtraq,4674;
reference:cve,2002-0033; reference:cve,2002-0084; reference:nessus,10951;
classtype:rpc-portmap-decode; sid:1747; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS users.xml access"; flow:to_server,established; content:"/users.xml";
nocase; http_uri; metadata:ruleset community, service http;
classtype:web-application-activity; sid:1750; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32772:34000 (msg:"SERVER-OTHER
cachefsd buffer overflow attempt"; flow:to_server,established;
isdataat:720; content:"|00 01 87 86 00 00 00 01 00 00 00 05|";
fast_pattern:only; metadata:ruleset community; reference:bugtraq,4631;
reference:cve,2002-0084; reference:nessus,10951; classtype:misc-attack;
sid:1751; rev:12;)
# alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"POLICY-SOCIAL AIM
AddExternalApp attempt"; flow:to_client,established; content:"aim|3A|
AddExternalApp?"; fast_pattern:only; metadata:ruleset community;
reference:url,www.w00w00.org/files/w00aimexp/; classtype:misc-attack;
sid:1752; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS as_web.exe access"; flow:to_server,established;
content:"/as_web.exe"; nocase; http_uri; metadata:ruleset community,
service http; reference:bugtraq,4670; reference:cve,2002-1727;
reference:cve,2002-1728; classtype:web-application-activity; sid:1753;
rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS as_web4.exe access"; flow:to_server,established;
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP search.dll directory listing attempt"; flow:to_server,established;
content:"/search.dll"; http_uri; content:"query=%00"; metadata:ruleset
community, service http; reference:bugtraq,1684; reference:cve,2000-0835;
reference:nessus,10514; classtype:web-application-attack; sid:1766;
rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP search.dll access"; flow:to_server,established;
content:"/search.dll"; http_uri; metadata:ruleset community, service
http; reference:bugtraq,1684; reference:cve,2000-0835;
reference:nessus,10514; classtype:web-application-activity; sid:1767;
rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .DS_Store access"; flow:to_server,established;
content:"/.DS_Store"; http_uri; metadata:ruleset community, service http;
reference:url,www.macintouch.com/mosxreaderreports46.html; classtype:web-application-activity; sid:1769; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .FBCIndex access"; flow:to_server,established;
content:"/.FBCIndex"; http_uri; metadata:ruleset community, service http;
reference:url,www.securiteam.com/securitynews/5LP0O005FS.html;
classtype:web-application-activity; sid:1770; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"POLICY-OTHER IPSec
PGPNet connection attempt"; flow:to_server; content:"|00 00 00 00 00 00
00 00 00 00 00 00 00 00 01 10 02 00 00 00 00 00 00 00 00 88 0D 00 00 5C
00 00 00 01 00 00 00 01 00 00 00|P|01 01 00 02 03 00 00 24 01 01 00 00 80
01 00 06 80 02 00 02 80 03 00 03 80 04 00 05 80 0B 00 01 00 0C 00 04 00
01|Q|80 00 00 00 24 02 01 00 00 80 01 00 05 80 02 00 01 80 03 00 03 80 04
00 02 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 10|";
fast_pattern:only; metadata:ruleset community; classtype:protocol-command-decode; sid:1771; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS pbserver access"; flow:to_server,established;
content:"/pbserver/pbserver.dll"; nocase; http_uri; metadata:ruleset
community, service http; reference:cve,2000-1089;
reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-094;
classtype:web-application-activity; sid:1772; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP php.exe access"; flow:to_server,established; content:"/php.exe";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:url,www.securitytracker.com/alerts/2002/Jan/1003104.html;
classtype:web-application-activity; sid:1773; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb_smilies.php access"; flow:to_server,established;
content:"/bb_smilies.php"; fast_pattern:only; http_uri; metadata:ruleset
community, service http;
reference:url,www.securiteam.com/securitynews/Serious_security_hole_in_PH
P-Nuke__bb_smilies_.html; classtype:web-application-activity; sid:1774;
rev:15;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL
root login attempt"; flow:to_server,established; content:"|0A 00 00 01 85
04 00 00 80|root|00|"; fast_pattern:only; metadata:ruleset community,
service mysql; classtype:protocol-command-decode; sid:1775; rev:9;)
flow:to_server,established; content:"/examples/servlet/SnoopServlet";
http_uri; metadata:ruleset community, service http;
reference:bugtraq,4575; reference:cve,2002-2006; reference:nessus,11046;
classtype:web-application-activity; sid:1830; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP jigsaw dos attempt"; flow:to_server,established;
content:"/servlet/con"; http_uri; pcre:"/\x2Fcon\b/Ui"; metadata:ruleset
community, service http; reference:bugtraq,5258; reference:cve,2002-1052;
reference:nessus,11047; classtype:web-application-attack; sid:1831;
rev:12;)
# alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"POLICY-SOCIAL ICQ
forced user addition"; flow:established,to_client; content:"Content-Type|
3A| application/x-icq"; fast_pattern:only; content:"[ICQ User]";
metadata:ruleset community; reference:bugtraq,3226; reference:cve,2001-1305; classtype:policy-violation; sid:1832; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PHP-Wiki cross site scripting attempt";
flow:to_server,established; content:"/modules.php?"; http_uri;
content:"name=Wiki"; fast_pattern; nocase; http_uri; content:"<script";
nocase; http_uri; metadata:ruleset community, service http;
reference:bugtraq,5254; reference:cve,2002-1070; classtype:web-application-attack; sid:1834; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Macromedia SiteSpring cross site scripting attempt";
flow:to_server,established; content:"/error/500error.jsp"; nocase;
http_uri; content:"et="; http_uri; content:"<script"; fast_pattern:only;
http_uri; metadata:ruleset community, service http;
reference:bugtraq,5249; reference:cve,2002-1027; classtype:web-application-attack; sid:1835; rev:14;)
# alert tcp $EXTERNAL_NET 22 -> $HOME_NET any (msg:"SERVER-OTHER SSH
server banner overflow"; flow:to_client,established; content:"SSH-";
nocase; isdataat:200,relative; pcre:"/^SSH-\s?[^\n]{200}/ism";
metadata:ruleset community; reference:bugtraq,5287; reference:cve,2002-1059; reference:nessus,15822; classtype:misc-attack; sid:1838; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mailman cross site scripting attempt"; flow:to_server,established;
content:"/mailman/"; nocase; http_uri; content:"?"; http_uri;
content:"info="; http_uri; content:"<script"; fast_pattern:only;
http_uri; metadata:ruleset community, service http;
reference:bugtraq,5298; reference:cve,2002-0855; reference:nessus,14984;
classtype:web-application-attack; sid:1839; rev:14;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-JAVA
Oracle Javascript document.domain attempt"; flow:to_client,established;
file_data; content:"document.domain|28|"; nocase; metadata:ruleset
community, service http; reference:bugtraq,5346; reference:cve,2002-0815;
classtype:attempted-user; sid:1840; rev:15;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla 1.0 Javascript arbitrary cookie access attempt";
flow:to_client,established; file_data; content:"javascript|3A|//";
fast_pattern:only; content:"document.cookie"; nocase; metadata:ruleset
community, service http; reference:bugtraq,5293; reference:cve,2002-2314;
reference:url,osvdb.org/show/osvdb/60255; classtype:attempted-user;
sid:1841; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP active.log access"; flow:to_server,established;
content:"/active.log"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,1497; reference:cve,2000-0642;
reference:nessus,10470; classtype:web-application-activity; sid:1851;
rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP robots.txt access"; flow:to_server,established;
content:"/robots.txt"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:nessus,10302; classtype:web-application-activity; sid:1852; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 35555 (msg:"MALWARE-BACKDOOR
win-trin00 connection attempt"; flow:to_server; content:"png []..Ks l44";
depth:14; metadata:ruleset community; reference:cve,2000-0138;
reference:nessus,10307; classtype:attempted-admin; sid:1853; rev:12;)
# alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"PROTOCOL-ICMP
Stacheldraht handler->agent niggahbitch"; icmp_id:9015; itype:0;
content:"niggahbitch"; metadata:ruleset community; reference:cve,2000-0138;
reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis;
classtype:attempted-dos; sid:1854; rev:13;)
# alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"PROTOCOL-ICMP
Stacheldraht agent->handler skillz"; icmp_id:6666; itype:0;
content:"skillz"; metadata:ruleset community; reference:cve,2000-0138;
reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis;
classtype:attempted-dos; sid:1855; rev:13;)
# alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"PROTOCOL-ICMP
Stacheldraht handler->agent ficken"; icmp_id:6667; itype:0;
content:"ficken"; metadata:ruleset community; reference:cve,2000-0138;
reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis;
classtype:attempted-dos; sid:1856; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP robot.txt access"; flow:to_server,established;
content:"/robot.txt"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:nessus,10302; classtype:web-application-activity; sid:1857; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP CISCO PIX Firewall Manager directory traversal attempt";
flow:to_server,established; content:"/pixfir~1/how_to_login.html";
http_uri; metadata:ruleset community, service http;
reference:bugtraq,691; reference:cve,1999-0158; reference:nessus,10819;
classtype:misc-attack; sid:1858; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"SERVER-WEBAPP
Oracle JavaServer default password login attempt";
flow:to_server,established; content:"/servlet/admin";
content:"ae9f86d6beaa3f9ecb9a5b7e072a4138"; metadata:ruleset community;
reference:nessus,10995; classtype:default-login-attempt; sid:1859;
rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-WEBAPP
Linksys router default password login attempt";
flow:to_server,established; content:"Authorization|3A|"; nocase;
http_header;
pcre:"/^Authorization\x3a(\s*|\s*\r?\n\s+)Basic\s+OmFkbWlu/smiH";
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP oracle web application server access"; flow:to_server,established;
content:"/ows-bin/"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,1053; reference:cve,2000-0169;
reference:nessus,10348; classtype:web-application-activity; sid:1880;
rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bad HTTP/1.1 request, Potentially worm attack";
flow:to_server,established; content:"GET / HTTP/1.1|0D 0A 0D 0A|";
depth:18; metadata:ruleset community, service http;
reference:url,securityresponse.symantec.com/avcenter/security/Content/200
2.09.13.html; classtype:web-application-activity; sid:1881; rev:12;)
# alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE
id check returned userid"; content:"uid="; nocase; content:" gid=";
distance:0; pcre:"/uid=\d{1,5}\S+\s+gid=\d{1,5}/smi"; metadata:ruleset
community; classtype:bad-unknown; sid:1882; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER OpenSSL
Worm traffic"; flow:to_server,established; content:"TERM=xterm";
fast_pattern:only; metadata:ruleset community, service ssl;
reference:url,www.cert.org/advisories/CA-2002-27.html; classtype:web-application-attack; sid:1887; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE
CPWD overflow attempt"; flow:established,to_server; content:"SITE";
nocase; content:"CPWD"; distance:0; nocase; isdataat:100,relative;
pcre:"/^SITE\s+CPWD\s[^\n]{100}/smi"; metadata:ruleset community, service
ftp; reference:bugtraq,5427; reference:cve,2002-0826; classtype:misc-attack; sid:1888; rev:14;)
# alert udp $EXTERNAL_NET 2002 -> $HOME_NET 2002 (msg:"MALWARE-CNC
slapper worm admin traffic"; content:"|00 00|E|00 00|E|00 00|@|00|";
depth:10; metadata:ruleset community;
reference:url,isc.incidents.org/analysis.html?id=167;
reference:url,www.cert.org/advisories/CA-2002-27.html; classtype:trojan-activity; sid:1889; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"PROTOCOL-RPC
status GHBN format string attack"; flow:to_server; content:"|00 01 86
B8|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x
%x"; within:256; content:"|00 00 00 00|"; depth:4; offset:4;
metadata:ruleset community; reference:bugtraq,1480; reference:cve,2000-0666; reference:nessus,10544; classtype:misc-attack; sid:1890; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"PROTOCOL-RPC
status GHBN format string attack"; flow:to_server,established; content:"|
00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4;
distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align;
content:"%x %x"; within:256; content:"|00 00 00 00|"; depth:4; offset:8;
metadata:ruleset community; reference:bugtraq,1480; reference:cve,2000-0666; reference:nessus,10544; classtype:misc-attack; sid:1891; rev:17;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP null
community string attempt"; content:"|04 01 00|"; depth:15; offset:5;
metadata:ruleset community, service snmp; reference:bugtraq,2112;
reference:bugtraq,8974; reference:cve,1999-0517; classtype:misc-attack;
sid:1892; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP
missing community string attempt"; content:"0"; depth:1; content:"|02|";
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP MsmMask.exe attempt"; flow:to_server,established;
content:"/MsmMask.exe"; http_uri; content:"mask="; metadata:ruleset
community, service http; reference:nessus,11163; classtype:web-application-attack; sid:2058; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP MsmMask.exe access"; flow:to_server,established;
content:"/MsmMask.exe"; http_uri; metadata:ruleset community, service
http; reference:nessus,11163; classtype:web-application-activity;
sid:2059; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DB4Web access"; flow:to_server,established; content:"/DB4Web/";
http_uri; metadata:ruleset community, service http;
reference:nessus,11180; classtype:web-application-activity; sid:2060;
rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat null byte directory listing attempt";
flow:to_server,established; content:"|00|.jsp"; http_uri;
metadata:ruleset community, service http; reference:bugtraq,2518;
reference:bugtraq,6721; reference:cve,2003-0042; reference:nessus,11438;
classtype:web-application-attack; sid:2061; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP iPlanet .perf access"; flow:to_server,established;
content:"/.perf"; http_uri; metadata:ruleset community, service http;
reference:nessus,11220; classtype:web-application-activity; sid:2062;
rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Demarc SQL injection attempt"; flow:to_server,established;
content:"/dm/demarc"; http_uri; content:"s_key="; content:"'";
distance:0; content:"'"; distance:1; content:"'"; distance:0;
metadata:ruleset community, service http; reference:bugtraq,4520;
reference:cve,2002-0539; classtype:web-application-activity; sid:2063;
rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Lotus Notes .csp script source download attempt";
flow:to_server,established; content:".csp."; http_uri; metadata:ruleset
community, service http; classtype:web-application-attack; sid:2065;
rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Lotus Notes .pl script source download attempt";
flow:to_server,established; content:".pl"; http_uri; content:".pl";
content:"."; within:1; metadata:ruleset community, service http;
reference:bugtraq,6841; reference:cve,2003-1408; classtype:web-application-attack; sid:2066; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Lotus Notes .exe script source download attempt";
flow:to_server,established; content:".exe"; http_uri; content:".exe";
content:"."; within:1; metadata:ruleset community, service http;
reference:bugtraq,6841; reference:cve,2003-1408; classtype:webapplication-attack; sid:2067; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVERWEBAPP BitKeeper arbitrary command attempt"; flow:to_server,established;
content:"/diffs/"; http_uri; content:"'"; content:"|3B|"; distance:0;
content:"'"; distance:1; metadata:ruleset community, service http;
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP phpBB privmsg.php access"; flow:to_server,established; content:"/privmsg.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6634; reference:cve,2003-1530; classtype:web-application-activity; sid:2078; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap nlockmgr request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,1372; reference:cve,2000-0508; reference:nessus,10220; classtype:rpc-portmap-decode; sid:2079; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap nlockmgr request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,1372; reference:cve,2000-0508; reference:nessus,10220; classtype:rpc-portmap-decode; sid:2080; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rpc.xfsmd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|h"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2081; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rpc.xfsmd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|h"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2082; rev:15;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC rpc.xfsmd xfs_export attempt UDP"; flow:to_server; content:"|00 05 F7|h"; depth:4; offset:12; content:"|00 00 00 0D|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2083; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC rpc.xfsmd xfs_export attempt TCP"; flow:to_server,established; content:"|00 05 F7|h"; depth:4; offset:16; content:"|00 00 00 0D|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2084; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP parse_xml.cgi access"; flow:to_server,established; content:"/parse_xml.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6954; reference:bugtraq,6955; reference:bugtraq,6956; reference:bugtraq,6958; reference:cve,2003-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-016; classtype:web-application-activity; sid:2133; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS register.asp access"; flow:to_server,established; content:"/register.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11621; classtype:web-application-activity; sid:2134; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP philboard.mdb access"; flow:to_server,established; content:"/philboard.mdb"; http_uri; metadata:ruleset community, service http; reference:nessus,11682; classtype:web-application-activity; sid:2135; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP philboard_admin.asp authentication bypass attempt"; flow:to_server,established; content:"/philboard_admin.asp"; http_uri; content:"Cookie"; nocase; content:"philboard_admin=True"; distance:0; metadata:ruleset community, service http; reference:bugtraq,7739; reference:nessus,11675; classtype:web-application-attack; sid:2136; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP philboard_admin.asp access"; flow:to_server,established; content:"/philboard_admin.asp"; http_uri; metadata:ruleset community, service http; reference:bugtraq,7739; reference:nessus,11675; classtype:web-application-activity; sid:2137; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP logicworks.ini access"; flow:to_server,established; content:"/logicworks.ini"; http_uri; metadata:ruleset community, service http; reference:bugtraq,6996; reference:cve,2003-1383; reference:nessus,11639; classtype:web-application-activity; sid:2138; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP /*.shtml access"; flow:to_server,established; content:"/*.shtml"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1517; reference:cve,2000-0683; reference:nessus,11604; classtype:web-application-activity; sid:2139; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP p-news.php access"; flow:to_server,established; content:"/p-news.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,11669; classtype:web-application-activity; sid:2140; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP shoutbox.php directory traversal attempt"; flow:to_server,established; content:"/shoutbox.php"; http_uri; content:"conf="; content:"../"; distance:0; metadata:ruleset community, service http; reference:nessus,11668; classtype:web-application-attack; sid:2141; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP shoutbox.php access"; flow:to_server,established; content:"/shoutbox.php"; fast_pattern; nocase; http_uri; content:"conf="; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11668; classtype:web-application-activity; sid:2142; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVERWEBAPP b2 cafelog gm-2-b2.php remote file include attempt";
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC invalid bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00|"; within:1; distance:21; metadata:ruleset community, service netbios-ssn; classtype:attempted-dos; sid:2191; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP CSMailto.cgi access"; flow:to_server,established; content:"/CSMailto.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4579; reference:bugtraq,6265; reference:cve,2002-0749; reference:nessus,11748; classtype:web-application-activity; sid:2194; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP alert.cgi access"; flow:to_server,established; content:"/alert.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4211; reference:bugtraq,4579; reference:cve,2002-0346; reference:nessus,11748; classtype:web-application-activity; sid:2195; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP catgy.cgi access"; flow:to_server,established; content:"/catgy.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3714; reference:bugtraq,4579; reference:cve,2001-1212; reference:nessus,11748; classtype:web-application-activity; sid:2196; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cvsview2.cgi access"; flow:to_server,established; content:"/cvsview2.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4579; reference:bugtraq,5517; reference:cve,2003-0153; reference:nessus,11748; classtype:web-application-activity; sid:2197; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cvslog.cgi access"; flow:to_server,established; content:"/cvslog.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4579; reference:bugtraq,5517; reference:cve,2003-0153; reference:nessus,11748; classtype:web-application-activity; sid:2198; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP multidiff.cgi access"; flow:to_server,established; content:"/multidiff.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4579; reference:bugtraq,5517; reference:cve,2003-0153; reference:nessus,11748; classtype:web-application-activity; sid:2199; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP dnewsweb.cgi access"; flow:to_server,established; content:"/dnewsweb.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1172; reference:bugtraq,4579; reference:cve,2000-0423; reference:nessus,11748; classtype:web-application-activity; sid:2200; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVERWEBAPP Matt Wright download.cgi access"; flow:to_server,established;
content:"/download.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,4579; reference:cve,1999-1377;
<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?
<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?
<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?
<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?
<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?
</smi"; metadata:ruleset community, service smtp; reference:bugtraq,6991;
reference:cve,2002-1337; reference:nessus,11316; classtype:attempted-admin; sid:2261; rev:16;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail SEND FROM prescan too long addresses overflow"; flow:to_server,established; content:"SEND FROM|3A|"; fast_pattern:only; pcre:"/^SEND FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200}/smi"; metadata:ruleset community, service smtp; reference:bugtraq,7230; reference:cve,2003-0161; reference:nessus,11499; classtype:misc-attack; sid:2262; rev:16;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail SAML FROM prescan too many addresses overflow"; flow:to_server,established; content:"SAML FROM|3A|"; fast_pattern:only; pcre:"/^SAML FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; metadata:ruleset community, service smtp; reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2263; rev:16;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail SAML FROM prescan too long addresses overflow"; flow:to_server,established; content:"SAML FROM|3A|"; fast_pattern:only; pcre:"/^SAML FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200}/smi"; metadata:ruleset community, service smtp; reference:bugtraq,7230; reference:cve,2003-0161; reference:nessus,11499; classtype:misc-attack; sid:2264; rev:16;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail SOML FROM prescan too many addresses overflow"; flow:to_server,established; content:"SOML FROM|3A|"; fast_pattern:only; pcre:"/^SOML FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; metadata:ruleset community, service smtp; reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2265; rev:14;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail SOML FROM prescan too long addresses overflow"; flow:to_server,established; content:"SOML FROM|3A|"; fast_pattern:only; pcre:"/^SOML FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200}/smi"; metadata:ruleset community, service smtp; reference:bugtraq,7230; reference:cve,2003-0161; reference:nessus,11499; classtype:misc-attack; sid:2266; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_logout.php access"; flow:to_server,established; content:"/admin_logout.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2292; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_password.php access"; flow:to_server,established; content:"/admin_password.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2293; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_preview.php access"; flow:to_server,established; content:"/admin_preview.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2294; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_settings.php access"; flow:to_server,established; content:"/admin_settings.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2295; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_stats.php access"; flow:to_server,established; content:"/admin_stats.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2296; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_templates_misc.php access"; flow:to_server,established; content:"/admin_templates_misc.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2297; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_templates.php access"; flow:to_server,established; content:"/admin_templates.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2298; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVERWEBAPP Advanced Poll admin_tpl_misc_new.php access";
flow:to_server,established; content:"/admin_tpl_misc_new.php";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179;
# alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE CVS non-relative path error response"; flow:to_client,established; content:"E cvs server|3A| warning|3A| cannot make directory CVS in /"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,9178; reference:cve,2003-0977; reference:nessus,11947; classtype:misc-attack; sid:2317; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"SERVER-OTHER CVS non-relative path access attempt"; flow:to_server,established; content:"Argument"; pcre:"/^Argument\s+\//smi"; pcre:"/^Directory/smiR"; metadata:ruleset community; reference:bugtraq,9178; reference:cve,2003-0977; reference:nessus,11947; classtype:misc-attack; sid:2318; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1655 (msg:"SERVER-OTHER ebola PASS overflow attempt"; flow:to_server,established; content:"PASS"; fast_pattern:only; pcre:"/^PASS\s[^\n]{49}/smi"; metadata:ruleset community; reference:bugtraq,9156; classtype:attempted-admin; sid:2319; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1655 (msg:"SERVER-OTHER ebola USER overflow attempt"; flow:to_server,established; content:"USER"; fast_pattern:only; pcre:"/^USER\s[^\n]{49}/smi"; metadata:ruleset community; reference:bugtraq,9156; classtype:attempted-admin; sid:2320; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS foxweb.exe access"; flow:to_server,established; content:"/foxweb.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11939; classtype:web-application-activity; sid:2321; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS foxweb.dll access"; flow:to_server,established; content:"/foxweb.dll"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11939; classtype:web-application-activity; sid:2322; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP iSoft-Solutions QuickStore shopping cart quickstore.cgi access"; flow:to_server,established; content:"/quickstore.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9282; reference:nessus,11975; classtype:web-application-activity; sid:2323; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS VP-ASP shopsearch.asp access"; flow:to_server,established; content:"/shopsearch.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,9133; reference:bugtraq,9134; reference:nessus,11942; classtype:web-application-activity; sid:2324; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS VP-ASP ShopDisplayProducts.asp access"; flow:to_server,established; content:"/ShopDisplayProducts.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,9133; reference:bugtraq,9134; reference:nessus,11942; classtype:web-application-activity; sid:2325; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVERIIS sgdynamo.exe access"; flow:to_server,established;
content:"/sgdynamo.exe"; nocase; http_uri; metadata:ruleset community,
service http; reference:bugtraq,4720; reference:cve,2002-0375;
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PhpGedView search.php access"; flow:to_server,established; content:"/search.php"; nocase; http_uri; content:"action=soundex"; fast_pattern; nocase; http_uri; content:"firstname="; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,9369; reference:cve,2004-0032; classtype:web-application-activity; sid:2345; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP myPHPNuke chatheader.php access"; flow:to_server,established; content:"/chatheader.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6544; classtype:web-application-activity; sid:2346; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP myPHPNuke partner.php access"; flow:to_server,established; content:"/partner.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6544; classtype:web-application-activity; sid:2347; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP IdeaBox cord.php file include"; flow:to_server,established; content:"/index.php"; nocase; http_uri; content:"ideaDir="; fast_pattern:only; content:"cord.php"; nocase; metadata:ruleset community, service http; reference:bugtraq,7488; classtype:web-application-activity; sid:2353; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP IdeaBox notification.php file include"; flow:to_server,established; content:"/index.php"; nocase; http_uri; content:"gorumDir="; fast_pattern:only; content:"notification.php"; nocase; metadata:ruleset community, service http; reference:bugtraq,7488; classtype:web-application-activity; sid:2354; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Invision Board emailer.php file include"; flow:to_server,established; content:"/ad_member.php"; fast_pattern; nocase; http_uri; content:"emailer.php"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,7204; classtype:web-application-activity; sid:2355; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP WebChat db_mysql.php file include"; flow:to_server,established; content:"/defines.php"; nocase; http_uri; content:"WEBCHATPATH="; nocase; content:"db_mysql.php"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,7000; reference:cve,2007-0485; classtype:web-application-attack; sid:2356; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP WebChat english.php file include"; flow:to_server,established; content:"/defines.php"; nocase; http_uri; content:"WEBCHATPATH="; nocase; content:"english.php"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,7000; reference:cve,2007-0485; classtype:web-application-attack; sid:2357; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Typo3 translations.php file include"; flow:to_server,established; content:"/translations.php"; fast_pattern; nocase; http_uri; content:"ONLY="; nocase; metadata:ruleset community, service http; reference:bugtraq,6984; classtype:web-application-attack; sid:2358; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Invision Board ipchat.php file include"; flow:to_server,established; content:"/ipchat.php"; nocase; http_uri; content:"root_path="; content:"conf_global.php"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,6976; reference:cve,2003-1385; classtype:web-application-attack; sid:2359; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP myphpPagetool pt_config.inc file include"; flow:to_server,established; content:"/doc/admin"; nocase; http_uri; content:"ptinclude="; nocase; content:"pt_config.inc"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,6744; classtype:web-application-attack; sid:2360; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP news.php file include"; flow:to_server,established; content:"/news.php"; fast_pattern; nocase; http_uri; content:"template="; nocase; metadata:ruleset community, service http; reference:bugtraq,6674; classtype:web-application-attack; sid:2361; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP YaBB SE packages.php file include"; flow:to_server,established; content:"/packages.php"; fast_pattern; nocase; http_uri; content:"packer.php"; nocase; metadata:ruleset community, service http; reference:bugtraq,6663; classtype:web-application-attack; sid:2362; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Cyboards default_header.php access"; flow:to_server,established; content:"/default_header.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6597; classtype:web-application-activity; sid:2363; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Cyboards options_form.php access"; flow:to_server,established; content:"/options_form.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6597; classtype:web-application-activity; sid:2364; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP newsPHP Language file include attempt"; flow:to_server,established; content:"/nphpd.php"; fast_pattern; nocase; http_uri; content:"LangFile"; nocase; metadata:ruleset community, service http; reference:bugtraq,8488; classtype:web-application-activity; sid:2365; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PhpGedView PGV authentication_index.php base directory manipulation attempt"; flow:to_server,established; content:"/authentication_index.php"; nocase; http_uri; content:"PGV_BASE_DIRECTORY"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,9368; reference:cve,2004-0030; classtype:web-application-attack; sid:2366; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PhpGedView PGV functions.php base directory manipulation attempt"; flow:to_server,established; content:"/functions.php"; nocase; http_uri; content:"PGV_BASE_DIRECTORY"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,9368; reference:cve,2004-0030; classtype:web-application-attack; sid:2367; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PhpGedView PGV config_gedcom.php base directory manipulation attempt"; flow:to_server,established; content:"/config_gedcom.php"; nocase; http_uri; content:"PGV_BASE_DIRECTORY"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,9368; reference:cve,2004-0030; classtype:web-application-attack; sid:2368; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ISAPISkeleton.dll access"; flow:to_server,established; content:"/ISAPISkeleton.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9516; reference:cve,2004-2128; classtype:web-application-activity; sid:2369; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP BugPort config.conf file access"; flow:to_server,established; content:"/config.conf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9542; reference:cve,2004-2353; classtype:attempted-recon; sid:2370; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Sample_showcode.html access"; flow:to_server,established; content:"/Sample_showcode.html"; nocase; http_uri; content:"fname"; metadata:ruleset community, service http; reference:bugtraq,9555; reference:cve,2004-2170; classtype:web-application-activity; sid:2371; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Photopost PHP Pro showphoto.php access"; flow:to_server,established; content:"/showphoto.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9557; reference:cve,2004-0239; reference:cve,2004-0250; classtype:web-application-activity; sid:2372; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP XMKD overflow attempt"; flow:to_server,established; content:"XMKD"; nocase; isdataat:200,relative; pcre:"/^XMKD(?!\n)\s[^\n]{200}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,7909; reference:cve,2000-0133; reference:cve,2001-1021; classtype:attempted-admin; sid:2373; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP NLST overflow attempt"; flow:to_server,established; content:"NLST"; nocase; isdataat:200,relative; pcre:"/^NLST(?!\n)\s[^\n]{200}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,7909; reference:cve,1999-1544; reference:cve,2009-3023; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-053; reference:url,www.kb.cert.org/vuls/id/276653; classtype:attempted-admin; sid:2374; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3127:3199 (msg:"MALWARE-CNC DoomJuice/mydoom.a backdoor upload/execute"; flow:to_server,established; content:"|85 13|<|9E A2|"; depth:5; metadata:ruleset community; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.hllw.doomjuice.html; classtype:trojan-activity; sid:2375; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP first payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:16; byte_test:2,>,2043,30; metadata:ruleset community; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:protocol-command-decode; sid:2383; rev:25;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS NTLM ASN1 vulnerability scan attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"Negotiate"; within:20; nocase; http_header; content:"YIQAAABiBoMAAAYrBgEFBQKgggBTMIFQoA4wDAYKKwYBBAGCNwICCqM"; within:100; http_header; metadata:ruleset community, service http; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12055; reference:nessus,12065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:attempted-dos; sid:2386; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Apple QuickTime streaming server view_broadcast.cgi access"; flow:to_server,established; content:"/view_broadcast.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8257; reference:cve,2003-0422; classtype:web-application-activity; sid:2388; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP RNTO overflow attempt"; flow:to_server,established; content:"RNTO"; nocase; isdataat:200,relative; pcre:"/^RNTO(?!\n)\s[^\n]{200}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,15457; reference:bugtraq,8315; reference:cve,2000-0133; reference:cve,2001-1021; reference:cve,2003-0466; reference:cve,2005-3683; classtype:attempted-admin; sid:2389; rev:20;)
# sid 2390: FTP STOU with a 200+ byte argument (overflow attempt). Note this
# pcre lacks the (?!\n) guard used by the sibling RNTO/APPE/RETR rules.
# Disabled in this copy.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP STOU
overflow attempt"; flow:to_server,established; content:"STOU"; nocase;
isdataat:200,relative; pcre:"/^STOU\s[^\n]{200}/smi"; metadata:ruleset
community, service ftp; reference:bugtraq,8315; reference:cve,2003-0466;
classtype:attempted-admin; sid:2390; rev:12;)
# sid 2391: FTP APPE with a 200+ byte argument (overflow attempt). Disabled in
# this copy.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP APPE
overflow attempt"; flow:to_server,established; content:"APPE"; nocase;
isdataat:200,relative; pcre:"/^APPE(?!\n)\s[^\n]{200}/smi";
metadata:ruleset community, service ftp; reference:bugtraq,8315;
reference:bugtraq,8542; reference:cve,2000-0133; reference:cve,2003-0466;
reference:cve,2003-0772; classtype:attempted-admin; sid:2391; rev:17;)
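# sid 2392: FTP RETR with a 200+ byte argument (overflow attempt). Disabled in
# this copy.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP RETR overflow attempt"; flow:to_server,established; content:"RETR"; nocase; isdataat:200,relative; pcre:"/^RETR(?!\n)\s[^\n]{200}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,15457; reference:bugtraq,23168; reference:bugtraq,8315; reference:cve,2003-0466; reference:cve,2004-0287; reference:cve,2004-0298; reference:cve,2005-3683; classtype:attempted-admin; sid:2392; rev:21;)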
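# sid 2393: request URI containing /_admin/ (CVE-2007-1156). Access-level rule;
# disabled in this copy.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /_admin access"; flow:to_server,established; content:"/_admin/"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9537; reference:cve,2007-1156; reference:nessus,12032; classtype:web-application-activity; sid:2393; rev:14;)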
# sid 2394: Compaq web-based management agent DoS (port 2301) — a "<!" within
# the first 75 bytes followed by ">" within the next 50. Disabled in this copy.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2301 (msg:"SERVER-WEBAPP
Compaq web-based management agent denial of service attempt";
flow:to_server,established; content:"<!"; depth:75; content:">";
within:50; metadata:ruleset community; reference:bugtraq,8014;
classtype:web-application-attack; sid:2394; rev:8;)
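# sid 2395: request URI for InteractiveQuery.jsp (CVE-2003-0624). Access-level
# rule; disabled in this copy.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP InteractiveQuery.jsp access"; flow:to_server,established; content:"/InteractiveQuery.jsp"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8938; reference:cve,2003-0624; classtype:web-application-activity; sid:2395; rev:11;)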
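# sid 2396: CCBill whereami.cgi called with a "g=" query parameter (arbitrary
# command execution attempt, bugtraq 8095). Disabled in this copy.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP CCBill whereami.cgi arbitrary command execution attempt"; flow:to_server,established; content:"/whereami.cgi?"; nocase; http_uri; content:"g="; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,8095; reference:url,secunia.com/advisories/9191/; classtype:web-application-attack; sid:2396; rev:16;)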
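# sid 2397: any request URI for CCBill whereami.cgi (access-level companion of
# sid 2396). Disabled in this copy.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP CCBill whereami.cgi access"; flow:to_server,established; content:"/whereami.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8095; reference:url,secunia.com/advisories/9191/; classtype:web-application-activity; sid:2397; rev:16;)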
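# sid 2398: WAnewsletter newsletter.php file-include attempt — URI names
# newsletter.php and the request also carries "waroot" and "start.php".
# Disabled in this copy.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP WAnewsletter newsletter.php file include attempt"; flow:to_server,established; content:"newsletter.php"; nocase; http_uri; content:"waroot"; fast_pattern:only; content:"start.php"; nocase; metadata:ruleset community, service http; reference:bugtraq,6965; classtype:web-application-attack; sid:2398; rev:9;)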
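# sid 2399: request URI for WAnewsletter /sql/db_type.php. Access-level rule;
# disabled in this copy.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP WAnewsletter db_type.php access"; flow:to_server,established; content:"/sql/db_type.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6964; classtype:web-application-activity; sid:2399; rev:13;)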
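# sid 2400: request URI for edittag.pl (CVE-2003-1351). Access-level rule;
# disabled in this copy.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP edittag.pl access"; flow:to_server,established; content:"/edittag.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6675; reference:cve,2003-1351; classtype:web-application-activity; sid:2400; rev:10;)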
# sids 2401-2404: SMB Session Setup AndX username overflow (eEye AD20040226,
# CVE-2004-0193). All four walk the SMB header after the |FF|SMB signature and
# then require a username field that runs 255 bytes (ASCII, 2401/2402) or 510
# bytes (unicode, 2403/2404) without a terminator. byte_test:1,!&,128 vs
# byte_test:1,&,128 on the same header byte is what separates the ASCII from
# the unicode variants — presumably a unicode-strings flag; verify against the
# SMB header layout before changing it. All four are disabled in this copy.
# sid 2401: ASCII username, port 139.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session
Setup andx username overflow attempt"; flow:stateless; content:"|00|";
depth:1; content:"|FF|SMB"; within:4; distance:3;
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!
&,128,6,relative; content:"s"; depth:1; offset:39;
byte_jump:2,0,little,relative; byte_test:4,!
&,2147483648,21,relative,little; content:!"|00|"; within:255;
distance:29; metadata:ruleset community; reference:bugtraq,9752;
reference:cve,2004-0193;
reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html;
classtype:protocol-command-decode; sid:2401; rev:13;)
# sid 2402: ASCII username, port 445 (SMB-DS).
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS
Session Setup andx username overflow attempt"; flow:stateless; content:"|
00|"; depth:1; content:"|FF|SMB"; within:4; distance:3;
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!
&,128,6,relative; content:"s"; depth:1; offset:39;
byte_jump:2,0,little,relative; byte_test:4,!
&,2147483648,21,relative,little; content:!"|00|"; within:255;
distance:29; metadata:ruleset community, service netbios-ssn;
reference:bugtraq,9752; reference:cve,2004-0193;
reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html;
classtype:protocol-command-decode; sid:2402; rev:10;)
# sid 2403: unicode username, port 139 — matches |FF|SMBs directly (no
# AndX-chain pcre) and requires 510 bytes without a |00 00| terminator.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session
Setup unicode username overflow attempt"; flow:stateless; content:"|00|";
depth:1; content:"|FF|SMBs"; within:5; distance:3;
byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,!
&,2147483648,21,relative,little; content:!"|00 00|"; within:510;
distance:29; metadata:ruleset community; reference:bugtraq,9752;
reference:cve,2004-0193;
reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html;
classtype:protocol-command-decode; sid:2403; rev:14;)
# sid 2404: unicode username, port 445 (SMB-DS).
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS
Session Setup unicode andx username overflow attempt"; flow:stateless;
content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3;
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR";
byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39;
byte_jump:2,0,little,relative; byte_test:4,!
&,2147483648,21,relative,little; content:!"|00 00|"; within:510;
distance:29; metadata:ruleset community, service netbios-ssn;
reference:bugtraq,9752; reference:cve,2004-0193;
reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html;
classtype:protocol-command-decode; sid:2404; rev:11;)
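# sid 2405: request URI for phptest.php (CVE-2004-2374). Access-level rule;
# disabled in this copy.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP phptest.php access"; flow:to_server,established; content:"/phptest.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9737; reference:cve,2004-2374; classtype:web-application-activity; sid:2405; rev:14;)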
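# sid 2406: APC SmartSlot default admin account — the fixed factory credential
# string in the content match sent to a telnet server (CVE-2004-0311).
# Disabled in this copy.
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET APC SmartSlot default admin account attempt"; flow:to_server,established; content:"TENmanUFactOryPOWER"; fast_pattern:only; metadata:ruleset community, service telnet; reference:bugtraq,9681; reference:cve,2004-0311; reference:nessus,12066; classtype:suspicious-login; sid:2406; rev:13;)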
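# sid 2407: request URI for util.pl (CVE-2004-2379). Access-level rule;
# disabled in this copy.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP util.pl access"; flow:to_server,established; content:"/util.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9748; reference:cve,2004-2379; classtype:web-application-activity; sid:2407; rev:10;)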
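# sid 2408: Invision Power Board search.pl with an "st=" parameter
# (CVE-2004-0338). Note "st=" is not restricted to http_uri. Disabled in this
# copy.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Invision Power Board search.pl access"; flow:to_server,established; content:"/search.pl"; http_uri; content:"st="; nocase; metadata:ruleset community, service http; reference:bugtraq,9766; reference:cve,2004-0338; classtype:web-application-activity; sid:2408; rev:9;)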
# sid 2409: POP3 "APOP USER" followed by a 256+ byte argument (overflow
# attempt, CVE-2004-2375). Disabled in this copy.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP APOP
USER overflow attempt"; flow:to_server,established; content:"APOP";
nocase; isdataat:256,relative; pcre:"/^APOP\s+USER\s[^\n]{256}/smi";
metadata:ruleset community, service pop3; reference:bugtraq,9794;
reference:cve,2004-2375; classtype:attempted-admin; sid:2409; rev:11;)
# NOTE(review): the rule below is truncated in this copy — it ends after the
# metadata option with no reference, classtype, sid, rev or closing
# parenthesis, so it will not parse. Restore it from an intact copy of
# community.rules before enabling.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVERWEBAPP IGeneric Free Shopping Cart page.php access";
flow:to_server,established; content:"/page.php"; fast_pattern:only;
http_uri; metadata:ruleset community, service http;
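# sid 2419: outbound request for a .ra/.ram RealPlayer playlist. Sets the
# file.realplayer.playlist flowbit consumed by sids 2438-2440 and never alerts
# itself (flowbits:noalert). Disabled in this copy, so it does not contribute
# to that flowbit here.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY RealNetworks Realplayer .ram playlist file download request"; flow:to_server,established; content:".ra"; fast_pattern:only; http_uri; pcre:"/\x2eram?([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.realplayer.playlist; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/.ram; classtype:misc-activity; sid:2419; rev:24;)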
# sid 2420: outbound request for a .rmp RealPlayer playlist. Sets file.rmp and
# file.realplayer.playlist and never alerts itself (flowbits:noalert). This is
# the only playlist-identification rule enabled in this copy (2419, 2422 and
# 2423 are commented out), so sids 2438-2440 can only fire after a .rmp
# request unless those are re-enabled.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY
RealNetworks Realplayer .rmp playlist file download request";
flow:to_server,established; content:".rmp"; fast_pattern:only; http_uri;
pcre:"/\x2ermp([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.rmp;
flowbits:set,file.realplayer.playlist; flowbits:noalert; metadata:ruleset
community, service http; reference:url,en.wikipedia.org/wiki/.ram;
classtype:misc-activity; sid:2420; rev:24;)
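# sid 2422: outbound request for a .rt RealPlayer playlist; sets the
# file.realplayer.playlist flowbit for sids 2438-2440 and never alerts itself.
# Disabled in this copy.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY RealNetworks Realplayer .rt playlist file download request"; flow:to_server,established; content:".rt"; fast_pattern:only; http_uri; pcre:"/\x2ert([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.realplayer.playlist; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/.ram; classtype:misc-activity; sid:2422; rev:25;)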
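# sid 2423: outbound request for a .rp RealPlayer playlist; sets the
# file.realplayer.playlist flowbit for sids 2438-2440 and never alerts itself.
# Disabled in this copy.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY RealNetworks Realplayer .rp playlist file download request"; flow:to_server,established; content:".rp"; fast_pattern:only; http_uri; pcre:"/\x2erp([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.realplayer.playlist; flowbits:noalert; metadata:ruleset community, service http; reference:url,en.wikipedia.org/wiki/.ram; classtype:misc-activity; sid:2423; rev:24;)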
# sid 2424: NNTP "sendsys:" control line with 21+ non-newline bytes after the
# colon (overflow attempt, CVE-2004-0045). Disabled in this copy.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP
sendsys overflow attempt"; flow:to_server,established; content:"sendsys";
fast_pattern:only; pcre:"/^sendsys\x3a[^\n]{21}/smi"; metadata:ruleset
community; reference:bugtraq,9382; reference:cve,2004-0045;
reference:nessus,11984; classtype:attempted-admin; sid:2424; rev:13;)
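# sid 2425: NNTP "senduuname:" control line with 21+ non-newline bytes after
# the colon (overflow attempt, CVE-2004-0045). Disabled in this copy.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP senduuname overflow attempt"; flow:to_server,established; content:"senduuname"; fast_pattern:only; pcre:"/^senduuname\x3a[^\n]{21}/smi"; metadata:ruleset community; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2425; rev:13;)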
# sid 2426: NNTP "version:" control line with 21+ non-newline bytes after the
# colon (overflow attempt, CVE-2004-0045). Disabled in this copy.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP
version overflow attempt"; flow:to_server,established; content:"version";
fast_pattern:only; pcre:"/^version\x3a[^\n]{21}/smi"; metadata:ruleset
community; reference:bugtraq,9382; reference:cve,2004-0045;
reference:nessus,11984; classtype:attempted-admin; sid:2426; rev:13;)
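# sid 2427: NNTP "checkgroups:" control line with 21+ non-newline bytes after
# the colon (overflow attempt, CVE-2004-0045). Disabled in this copy.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP checkgroups overflow attempt"; flow:to_server,established; content:"checkgroups"; fast_pattern:only; pcre:"/^checkgroups\x3a[^\n]{21}/smi"; metadata:ruleset community; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2427; rev:13;)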
# NOTE(review): the "ihave" rule below is truncated in this copy — it stops
# inside the metadata option with no references, classtype, sid, rev or
# closing parenthesis, so it will not parse. Restore it from an intact copy of
# community.rules before enabling.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP ihave
overflow attempt"; flow:to_server,established; content:"ihave";
fast_pattern:only; pcre:"/^ihave\x3a[^\n]{21}/smi"; metadata:ruleset
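# sid 2437: RealPlayer SMIL response (Content-Type application/smi) whose body
# contains an <area href="file:javascript:..."> element (CVE-2003-0726).
# Disabled in this copy.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer arbitrary javascript command attempt"; flow:to_client,established; content:"application/smi"; fast_pattern; nocase; http_header; file_data; content:"file|3A|javascript|3A|"; pcre:"/<area\s+href=[\x22\x27]file\x3ajavascript\x3a/smi"; metadata:ruleset community, service http; reference:bugtraq,8453; reference:bugtraq,9378; reference:cve,2003-0726; classtype:attempted-user; sid:2437; rev:20;)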
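# sid 2438: RealPlayer playlist served to a client that previously requested
# one (flowbits:isset,file.realplayer.playlist) with a file:// URL of 400+
# non-newline bytes (CVE-2004-0258, CVE-2005-0755). Only fires if a
# FILE-IDENTIFY playlist rule set the flowbit. Disabled in this copy.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer playlist file URL overflow attempt"; flow:to_client,established; flowbits:isset,file.realplayer.playlist; file_data; content:"file|3A|//"; nocase; pcre:"/^file\x3a\x2f\x2f[^\n]{400}/smi"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,13264; reference:bugtraq,9579; reference:cve,2004-0258; reference:cve,2005-0755; classtype:attempted-user; sid:2438; rev:22;)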
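# sid 2439: as sid 2438 but for an http:// URL of 400+ non-newline bytes in a
# RealPlayer playlist. Disabled in this copy.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer playlist http URL overflow attempt"; flow:to_client,established; flowbits:isset,file.realplayer.playlist; file_data; content:"http|3A|//"; nocase; pcre:"/^http\x3a\x2f\x2f[^\n]{400}/smi"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,13264; reference:bugtraq,9579; reference:cve,2004-0258; reference:cve,2005-0755; classtype:attempted-user; sid:2439; rev:22;)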
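# sid 2440: as sid 2438 but for an rtsp:// URL of 400+ non-newline bytes in a
# RealPlayer playlist. The pcre anchors on "rtsp" to agree with the content
# match and the msg; with "http" there (as in the copy this replaces) the rule
# could never fire on an rtsp URL, making it dead alongside sid 2439.
# Disabled in this copy.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer playlist rtsp URL overflow attempt"; flow:to_client,established; flowbits:isset,file.realplayer.playlist; file_data; content:"rtsp|3A|//"; nocase; pcre:"/^rtsp\x3a\x2f\x2f[^\n]{400}/smi"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,13264; reference:bugtraq,9579; reference:cve,2004-0258; reference:cve,2005-0755; classtype:attempted-user; sid:2440; rev:22;)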
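# sid 2441: NetObserve authentication bypass — "login=0" present in the request
# and again specifically in the Cookie header (bugtraq 9319). Disabled in this
# copy.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP NetObserve authentication bypass attempt"; flow:to_server,established; content:"login=0"; nocase; content:"login=0"; nocase; http_cookie; metadata:ruleset community, service http; reference:bugtraq,9319; classtype:web-application-attack; sid:2441; rev:14;)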
# sid 2446: ISS Witty worm — ICQ SRV_MULTI/SRV_META_USER overflow from UDP
# source port 4000 (CVE-2004-0362, eEye AD20040318). Walks three |05 00|
# sub-packet markers and requires the final little-endian length field to
# exceed 512. Disabled in this copy.
# alert udp any 4000 -> any any (msg:"SERVER-OTHER ICQ
SRV_MULTI/SRV_META_USER overflow attempt - ISS Witty Worm";
flow:to_server; content:"|05 00|"; depth:2; content:"|12 02|"; within:2;
distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; content:"n|
00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|";
within:2; distance:5; byte_test:2,>,512,-11,relative,little;
metadata:ruleset community; reference:cve,2004-0362;
reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html;
classtype:misc-attack; sid:2446; rev:15;)
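# sid 2447: request URI for /servlet/ServletManager (CVE-2001-1195).
# Access-level rule; disabled in this copy.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ServletManager access"; flow:to_server,established; content:"/servlet/ServletManager"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3697; reference:cve,2001-1195; reference:nessus,12122; classtype:web-application-activity; sid:2447; rev:12;)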
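# sid 2448: request URI for setinfo.hts (CVE-2004-1857). Access-level rule;
# disabled in this copy.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP setinfo.hts access"; flow:to_server,established; content:"/setinfo.hts"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9973; reference:cve,2004-1857; reference:nessus,12120; classtype:web-application-activity; sid:2448; rev:11;)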
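# sid 2449: FTP ALLO with a 200+ byte argument (overflow attempt,
# CVE-2004-1883). Disabled in this copy.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP ALLO overflow attempt"; flow:to_server,established; content:"ALLO"; nocase; isdataat:200,relative; pcre:"/^ALLO(?!\n)\s[^\n]{200}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,9953; reference:cve,2004-1883; reference:nessus,14598; classtype:attempted-admin; sid:2449; rev:12;)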
# Yahoo Messenger (YMSG) policy rules, sids 2450-2459. Each matches the 4-byte
# "YMSG" magic at the start of the payload; all but 2457 then match a 2-byte
# service code at offset 10 that selects the event named in msg. They are
# policy-violation rules, not attack signatures, and all are disabled in this
# copy.
# sid 2450: server -> client, service |00 01| (successful logon).
# alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"POLICY-SOCIAL Yahoo
IM successful logon"; flow:to_client,established; content:"YMSG";
depth:4; nocase; content:"|00 01|"; depth:2; offset:10; metadata:ruleset
community; classtype:policy-violation; sid:2450; rev:9;)
# sid 2451: server -> client, service |00|J (voicechat).
# alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"POLICY-SOCIAL Yahoo
IM voicechat"; flow:to_client,established; content:"YMSG"; depth:4;
nocase; content:"|00|J"; depth:2; offset:10; metadata:ruleset community;
classtype:policy-violation; sid:2451; rev:9;)
# sid 2452: client -> server, service |00 12| (ping).
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"POLICY-SOCIAL Yahoo
IM ping"; flow:to_server,established; content:"YMSG"; depth:4; nocase;
content:"|00 12|"; depth:2; offset:10; metadata:ruleset community;
classtype:policy-violation; sid:2452; rev:9;)
# sid 2453: server -> client, service |00 18| (conference invitation).
# alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"POLICY-SOCIAL Yahoo
IM conference invitation"; flow:to_client,established; content:"YMSG";
depth:4; nocase; content:"|00 18|"; depth:2; offset:10; metadata:ruleset
community; classtype:policy-violation; sid:2453; rev:9;)
# sid 2454: server -> client, service |00 19| (conference logon success).
# alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"POLICY-SOCIAL Yahoo
IM conference logon success"; flow:to_client,established; content:"YMSG";
depth:4; nocase; content:"|00 19|"; depth:2; offset:10; metadata:ruleset
community; classtype:policy-violation; sid:2454; rev:9;)
# sid 2455: client -> server, service |00 1D| (conference message).
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"POLICY-SOCIAL Yahoo
IM conference message"; flow:to_server,established; content:"YMSG";
depth:4; nocase; content:"|00 1D|"; depth:2; offset:10; metadata:ruleset
community; classtype:policy-violation; sid:2455; rev:8;)
# sid 2456: either direction on an established flow, service |00|M (file
# transfer receive request); the only rule here without nocase on "YMSG".
# alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"POLICY-SOCIAL Yahoo
Messenger File Transfer Receive Request"; flow:established;
content:"YMSG"; depth:4; content:"|00|M"; depth:2; offset:10;
metadata:ruleset community; classtype:policy-violation; sid:2456; rev:9;)
# sid 2457: any YMSG header on port 5101, no service-code check — the
# broadest of the set.
# alert tcp any any <> any 5101 (msg:"POLICY-SOCIAL Yahoo IM message";
flow:established; content:"YMSG"; depth:4; nocase; metadata:ruleset
community; classtype:policy-violation; sid:2457; rev:7;)
# sid 2458: server -> client, service |00 98| (successful chat join).
# alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"POLICY-SOCIAL Yahoo
IM successful chat join"; flow:to_client,established; content:"YMSG";
depth:4; nocase; content:"|00 98|"; depth:2; offset:10; metadata:ruleset
community; classtype:policy-violation; sid:2458; rev:9;)
# sid 2459: client -> server, service |00|P (conference offer invitation).
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"POLICY-SOCIAL Yahoo
IM conference offer invitation"; flow:to_server,established;
content:"YMSG"; depth:4; nocase; content:"|00|P"; depth:2; offset:10;
metadata:ruleset community; classtype:policy-violation; sid:2459; rev:9;)
# NOTE(review): the rule below is truncated in this copy — it stops after the
# first content option with no classtype, sid, rev or closing parenthesis and
# will not parse. Restore it from an intact copy of community.rules before
# enabling.
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5100 (msg:"POLICY-SOCIAL Yahoo
IM conference request"; flow:to_server,established; content:"<R";
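# sid 2566: phpBB viewforum.php requested with a topic_id= parameter
# (CVE-2004-1809). Access-level rule; disabled in this copy.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PHPBB viewforum.php access"; flow:to_server,established; content:"/viewforum.php"; nocase; http_uri; content:"topic_id="; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9865; reference:bugtraq,9866; reference:cve,2004-1809; reference:nessus,12093; classtype:web-application-activity; sid:2566; rev:14;)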
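# sid 2567: request URI for Emumail init.emu (CVE-2004-2334, CVE-2004-2385).
# Access-level rule; disabled in this copy.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Emumail init.emu access"; flow:to_server,established; content:"/init.emu"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9861; reference:cve,2004-2334; reference:cve,2004-2385; reference:nessus,12095; classtype:web-application-activity; sid:2567; rev:16;)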
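# sid 2568: request URI for Emumail emumail.fcgi (CVE-2004-2334,
# CVE-2004-2385). Access-level rule; disabled in this copy.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Emumail emumail.fcgi access"; flow:to_server,established; content:"/emumail.fcgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9861; reference:cve,2004-2334; reference:cve,2004-2385; reference:nessus,12095; classtype:web-application-activity; sid:2568; rev:16;)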
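# sid 2569: request URI for cPanel /resetpass (CVE-2004-1769). Access-level
# rule; disabled in this copy.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cPanel resetpass access"; flow:to_server,established; content:"/resetpass"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9848; reference:cve,2004-1769; classtype:web-application-activity; sid:2569; rev:10;)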
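# sid 2570: HTTP request whose version token after "HTTP/" is neither 1.0 nor
# 1.1, implemented with three negated content checks (CVE-2009-0478).
# Disabled in this copy.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Invalid HTTP Version String"; flow:to_server,established; content:"HTTP/"; depth:300; nocase; content:!"|0D 0A|"; within:2; distance:3; content:!"1.0"; within:3; content:!"1.1"; within:3; metadata:ruleset community, service http; reference:bugtraq,34240; reference:bugtraq,9809; reference:cve,2009-0478; reference:nessus,11593; classtype:non-standard-protocol; sid:2570; rev:20;)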
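# sid 2571: request URI for SmarterMail frmGetAttachment.aspx (CVE-2004-2585).
# Access-level rule; disabled in this copy.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS SmarterTools SmarterMail frmGetAttachment.aspx access"; flow:to_server,established; content:"/frmGetAttachment.aspx"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,9805; reference:cve,2004-2585; classtype:web-application-activity; sid:2571; rev:15;)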
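# sid 2572: SmarterMail login.aspx with a txtusername= value of 980+ bytes
# without a newline (buffer overflow attempt, CVE-2004-2585). Disabled in this
# copy.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS SmarterTools SmarterMail login.aspx buffer overflow attempt"; flow:to_server,established; content:"/login.aspx"; nocase; http_uri; content:"txtusername="; isdataat:980,relative; content:!"|0A|"; within:980; nocase; metadata:ruleset community, service http; reference:bugtraq,9805; reference:cve,2004-2585; classtype:web-application-attack; sid:2572; rev:12;)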
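# sid 2573: request URI for SmarterMail frmCompose.aspx (CVE-2004-2585); the
# msg says ".asp" but the content match is "/frmCompose.aspx". Access-level
# rule; disabled in this copy.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS SmarterTools SmarterMail frmCompose.asp access"; flow:to_server,established; content:"/frmCompose.aspx"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,9805; reference:cve,2004-2585; classtype:web-application-activity; sid:2573; rev:15;)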
# NOTE(review): the RETR format-string rule below is truncated in this copy —
# it stops inside the metadata option with no references, classtype, sid, rev
# or closing parenthesis and will not parse. Restore it from an intact copy of
# community.rules before enabling.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP RETR
format string attempt"; flow:to_server,established; content:"RETR";
fast_pattern:only; pcre:"/^RETR\s[^\n]*?%[^\n]*?%/smi"; metadata:ruleset
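# sid 2581: request URI for SAP Crystal Reports crystalimagehandler.aspx
# (CVE-2004-0204). Access-level rule; disabled in this copy.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SAP Crystal Reports crystalimagehandler.aspx access"; flow:to_server,established; content:"/crystalimagehandler.aspx"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,2004-0204; reference:url,www.microsoft.com/security/bulletins/200406_crystal.mspx; classtype:web-application-activity; sid:2581; rev:11;)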
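# sid 2582: Crystal Reports crystalimagehandler with a dynamicimage=../
# parameter (directory traversal, CVE-2004-0204 / MS04-017). Disabled in this
# copy.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"OS-WINDOWS SAP Crystal Reports crystalImageHandler.asp directory traversal attempt"; flow:to_server,established; content:"/crystalimagehandler"; fast_pattern:only; http_uri; content:"dynamicimage=../"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,10260; reference:cve,2004-0204; reference:nessus,12271; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-017; classtype:web-application-attack; sid:2582; rev:17;)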
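# sid 2583: CVS pserver "Max-dotdot" request carrying a three-or-more-digit
# value (integer overflow attempt, CVE-2004-0417). The pcre anchor spells
# "Max-dotdot" with the hyphen so it agrees with the content match. Disabled
# in this copy.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"SERVER-OTHER CVS Max-dotdot integer overflow attempt"; flow:to_server,established; content:"Max-dotdot"; fast_pattern:only; pcre:"/^Max-dotdot[\s\r\n]*\d{3,}/msi"; metadata:ruleset community; reference:bugtraq,10499; reference:cve,2004-0417; classtype:misc-attack; sid:2583; rev:8;)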
# sid 2584: eMule IRC-client buffer overflow — a PRIVMSG from an IRC server
# (ports 6666-6669) whose CTCP SENDLINK field has 69+ bytes before the next
# "|" (CVE-2004-1892). Disabled in this copy.
# alert tcp $EXTERNAL_NET 6666:6669 -> $HOME_NET any (msg:"SERVER-OTHER
eMule buffer overflow attempt"; flow:to_client,established;
content:"PRIVMSG"; fast_pattern:only; pcre:"/^PRIVMSG\s+[^\s]
+\s+\x3a\s*\x01SENDLINK\x7c[^\x7c]{69}/smi"; metadata:ruleset community;
reference:bugtraq,10039; reference:cve,2004-1892; reference:nessus,12233;
classtype:attempted-user; sid:2584; rev:10;)
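# sid 2585: Nessus 2.x 404-behaviour probe — a request for the /NessusTest
# URI. Recon indicator; disabled in this copy.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP nessus 2.x 404 probe"; flow:to_server,established; content:"/NessusTest"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10386; classtype:attempted-recon; sid:2585; rev:9;)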
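# sid 2587: eDonkey/eMule server response from an internal host on port 4711
# ("Server: eMule" header). Policy rule; disabled in this copy.
# alert tcp $HOME_NET 4711 -> $EXTERNAL_NET any (msg:"PUA-P2P eDonkey server response"; flow:established,to_client; content:"Server|3A| eMule"; fast_pattern:only; metadata:ruleset community; reference:url,www.emule-project.net; classtype:policy-violation; sid:2587; rev:9;)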
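# sid 2588: TUTOS note_overview.php requested with an id= parameter (path
# disclosure, bugtraq 10129). Note "id=" is not restricted to http_uri.
# Disabled in this copy.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP TUTOS path disclosure attempt"; flow:to_server,established; content:"/note_overview.php"; http_uri; content:"id="; metadata:ruleset community, service http; reference:bugtraq,10129; reference:url,www.securiteam.com/unixfocus/5FP0J15CKE.html; classtype:web-application-activity; sid:2588; rev:10;)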
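# sid 2589: HTTP response whose Content-Disposition header contains a
# {GUID}-style CLSID (MS04-024, CVE-2004-0420); the pcre's H modifier keeps it
# in the normalized header buffer. Disabled in this copy.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Content-Disposition CLSID command attempt"; flow:to_client,established; content:"Content-Disposition|3A|"; nocase; http_header; pcre:"/^Content-Disposition\x3a(\s*|\s*\r?\n\s+)[^\r\n]*?\{[\da-fA-F]{8}(-[\da-fA-F]{4}){3}-[\da-fA-F]{12}\}/smiH"; metadata:ruleset community, service http; reference:bugtraq,9510; reference:cve,2004-0420; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-024; classtype:attempted-user; sid:2589; rev:15;)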
# NOTE(review): two rules appear spliced together here. The header names a
# Samba SWAT Authorization overflow, but the lines that follow begin
# mid-pcre and carry the quoted-argument pattern, PolicyCheck91 reference
# and sid 2605 that belong with the SERVER-ORACLE dbms_repcat rules further
# down (compare sid 2626). Neither rule is recoverable from this copy; do not
# load as-is.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVERWEBAPP Samba SWAT Authorization overflow attempt";
flow:to_server,established; content:"Authorization|3A|"; nocase;
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x2
2]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/Policy/PolicyCheck91.html;
classtype:attempted-user; sid:2605; rev:7;)
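# sid 2606: PL/SQL call to dbms_repcat.comment_on_repobject whose "type"
# argument is a quoted string of 1024+ bytes — supplied via a variable
# assigned with := and then passed as type=>, directly as type=>'...', or
# positionally as the third argument. Disabled in this copy.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.comment_on_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2606; rev:7;)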
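# sid 2608: PL/SQL call to sysdbms_repcat_rgt.check_ddl_text whose first
# positional argument is a quoted string of 1024+ bytes. Disabled in this
# copy.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sysdbms_repcat_rgt.check_ddl_text buffer overflow attempt"; flow:to_server,established; content:"sysdbms_repcat_rgt.check_ddl_text"; nocase; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2608; rev:7;)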
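# sid 2609: PL/SQL call to dbms_repcat.cancel_statistics with a 1024+ byte
# quoted string in the "sname" or "oname" argument (by := variable, by name,
# or positionally as the first or second argument). No external reference in
# the original. Disabled in this copy.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.cancel_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.cancel_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2609; rev:7;)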
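# sid 2611: CREATE DATABASE LINK ... USING with a 1000+ byte quoted connect
# string (CVE-2003-0222, CVE-2005-0297). Disabled in this copy.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE LINK metadata buffer overflow attempt"; flow:to_server,established; content:"CREATE"; nocase; content:"DATABASE"; nocase; content:"LINK"; nocase; pcre:"/USING\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; metadata:ruleset community; reference:bugtraq,12296; reference:bugtraq,7453; reference:cve,2003-0222; reference:cve,2005-0297; reference:nessus,11563; reference:url,archives.neohapsis.com/archives/bugtraq/2003-04/0360.html; classtype:attempted-user; sid:2611; rev:11;)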
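# sid 2612: PL/SQL call to sys.dbms_repcat_auth.revoke_surrogate_repcat whose
# "userid" argument is a 1024+ byte quoted string (by := variable, by name,
# or as the first positional argument). Disabled in this copy.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_auth.revoke_surrogate_repcat"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2612; rev:5;)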
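# sid 2614: Oracle TIME_ZONE assignment with a 1000+ byte quoted value
# (CVE-2003-1208). Disabled in this copy.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE time_zone buffer overflow attempt"; flow:to_server,established; content:"TIME_ZONE"; nocase; pcre:"/TIME_ZONE\s*=\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/msi"; metadata:ruleset community; reference:bugtraq,9587; reference:cve,2003-1208; reference:nessus,12047; reference:url,www.nextgenss.com/advisories/ora_time_zone.txt; classtype:attempted-user; sid:2614; rev:6;)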
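# sid 2615: PL/SQL call to sys.dbms_repcat_auth.grant_surrogate_repcat whose
# "userid" argument is a 1024+ byte quoted string (same pattern as sid 2612).
# Disabled in this copy.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_auth.grant_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_auth.grant_surrogate_repcat"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2615; rev:5;)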
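# sid 2617: PL/SQL call to sys.dbms_repcat.alter_mview_propagation whose
# "gname" argument is a 1024+ byte quoted string (by := variable, by name, or
# as the first positional argument). Disabled in this copy.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat.alter_mview_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat.alter_mview_propagation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2617; rev:5;)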
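# sid 2619: PL/SQL call to dbms_repcat.alter_master_repobject whose "type"
# argument is a 1024+ byte quoted string (by := variable, by name, or as the
# third positional argument; same pattern as sid 2606). Disabled in this copy.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2619; rev:5;)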
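# sid 2621: PL/SQL call to dbms_repcat_sna_utl.register_flavor_change whose
# first positional argument is a 1024+ byte quoted string. Disabled in this
# copy.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat_sna_utl.register_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_sna_utl.register_flavor_change"; nocase; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2621; rev:5;)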
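# sid 2624: PL/SQL call to dbms_repcat_admin.unregister_user_repgroup whose
# "privilege_type" argument is a 1024+ byte quoted string (by := variable, by
# name, or as the second positional argument). Disabled in this copy.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat_admin.unregister_user_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.unregister_user_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2624; rev:5;)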
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.send_old_values buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.send_old_values";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1024,}\x27|\x22[^\x22]{1024,}\x22)
[\r\n\s]*\x3b.*operation[\r\n\s]*=>[\r\n\s]*\2|
operation\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x2
2]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/Policy/PolicyCheck91.html;
classtype:attempted-user; sid:2626; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.repcat_import_check buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.repcat_import_check";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1024,}\x27|\x22[^\x22]{1024,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1024,}\x27|\x22[^\x22]{1024,}\x22)
[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]
{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|
false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si";
metadata:ruleset community;
reference:url,www.appsecinc.com/Policy/PolicyCheck90.html;
classtype:attempted-user; sid:2627; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat_admin.register_user_repgroup buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat_admin.register_user_repgroup"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)
[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|
privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/Policy/PolicyCheck94.html;
classtype:attempted-user; sid:2629; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_rectifier_diff.rectify buffer overflow attempt";
flow:to_server,established; content:"sys.dbms_rectifier_diff.rectify";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1024,}\x27|\x22[^\x22]{1024,}\x22)
[\r\n\s]*\x3b.*sname1[\r\n\s]*=>[\r\n\s]*\2|sname1\s*=>\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]
{1024,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/Policy/PolicyCheck97.html;
classtype:attempted-user; sid:2633; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_master_repobject buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.drop_master_repobject";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1024,}\x27|\x22[^\x22]{1024,}\x22)
[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x2
2]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si";
metadata:ruleset community;
reference:url,www.appsecinc.com/Policy/PolicyCheck634.html;
classtype:attempted-user; sid:2637; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_mview_repgroup buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.drop_mview_repgroup";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1024,}\x27|\x22[^\x22]{1024,}\x22)
[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|
false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si";
metadata:ruleset community;
reference:url,www.appsecinc.com/Policy/PolicyCheck90.html;
classtype:attempted-user; sid:2639; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat_instantiate.drop_site_instantiation buffer overflow
attempt"; flow:to_server,established;
content:"dbms_repcat_instantiate.drop_site_instantiation"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]
{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|
refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\
(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset
community; classtype:attempted-user; sid:2641; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_fla.ensure_not_published buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_fla.ensure_not_published"; nocase; pcre:"/\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,})/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/Policy/PolicyCheck96.html;
classtype:attempted-user; sid:2643; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE from_tz buffer overflow attempt"; flow:to_server,established;
content:"FROM_TZ"; nocase; pcre:"/\
(\s*TIMESTAMP\s*(\s*(\x27[^\x27]+'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]
{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; metadata:ruleset community;
reference:url,www.nextgenss.com/advisories/ora_from_tz.txt;
classtype:attempted-user; sid:2644; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat_instantiate.instantiate_offline buffer overflow
attempt"; flow:to_server,established;
content:"dbms_repcat_instantiate.instantiate_offline"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]
{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|
refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\
(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset
community; classtype:attempted-user; sid:2645; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $ORACLE_PORTS (msg:"SERVER-ORACLE Oracle 9i TNS Listener SERVICE_NAME Remote Buffer Overflow
attempt"; flow:to_server,established; content:"connect_data"; nocase;
content:"|28|service_name="; nocase; isdataat:1000,relative; content:!"|
29|"; within:1000; metadata:ruleset community; reference:cve,2002-0965;
classtype:attempted-user; sid:2649; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE user name buffer overflow attempt"; flow:to_server,established;
content:"connect_data"; nocase; content:"|28|user="; nocase;
isdataat:1000,relative; content:!"|29|"; within:1000; metadata:ruleset
community; reference:bugtraq,6849; reference:cve,2003-0095;
reference:url,otn.oracle.com/deploy/security/pdf/2003alert51.pdf;
reference:url,www.appsecinc.com/Policy/PolicyCheck62.html;
classtype:attempted-user; sid:2650; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE NUMTODSINTERVAL/NUMTOYMINTERVAL buffer overflow attempt";
flow:to_server,established; content:"NUMTO"; nocase; content:"INTERVAL";
distance:2; nocase; pcre:"/NUMTO(DS|YM)INTERVAL\s*\
(\s*\d+\s*,\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/msi";
metadata:ruleset community; reference:bugtraq,9587; reference:cve,2003-1208; reference:url,www.nextgenss.com/advisories/ora_numtodsinterval.txt;
reference:url,www.nextgenss.com/advisories/ora_numtoyminterval.txt;
classtype:attempted-user; sid:2651; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_offline_og.begin_load buffer overflow attempt";
flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]
{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|
gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/Policy/PolicyCheck632.html;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2652; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHPNuke Forum viewtopic SQL insertion attempt";
flow:to_server,established; content:"/modules.php"; nocase; http_uri;
content:"name=Forums"; content:"file=viewtopic"; fast_pattern:only;
pcre:"/forum=.*'/"; metadata:ruleset community, service http;
reference:bugtraq,7193; classtype:web-application-attack; sid:2654;
rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"SERVER-OTHER HP Web
JetAdmin ExecuteFile admin access"; flow:to_server,established;
content:"/plugins/framework/script/content.hts"; fast_pattern:only;
content:"ExecuteFile"; nocase; metadata:ruleset community;
reference:bugtraq,10224; classtype:attempted-admin; sid:2655; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-WEBAPP SSLv2
Client_Hello Challenge Length overflow attempt";
flow:to_server,established; ssl_version:sslv2; ssl_state:client_hello;
content:"|01 00 02|"; depth:3; offset:2; byte_test:1,>,127,0;
byte_test:2,>,32,9; metadata:ruleset community, service ssl;
# NOTE(review): rule text is missing between these two lines. The SSLv2 Client_Hello rule above has no classtype/sid/closing ")", and the options below belong to a different rule (sid:2684, sys.ltutil.pushdeferredtxns) whose header line is absent.
flow:to_server,established; content:"sys.ltutil.pushdeferredtxns";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{512,}\x27|\x22[^\x22]{512,}\x22)
[\r\n\s]*\x3b.*repgrpname[\r\n\s]*=>[\r\n\s]*\2|
repgrpname\s*=>\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,})|\(\s*(\x27[^\x27]
{512,}|\x22[^\x22]{512,}))/si"; metadata:ruleset community;
classtype:attempted-user; sid:2684; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_rq.add_column buffer overflow attempt";
flow:to_server,established; content:"sys.dbms_repcat_rq.add_column";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1024,}\x27|\x22[^\x22]{1024,}\x22)
[\r\n\s]*\x3b.*SCHEMA_NAME[\r\n\s]*=>[\r\n\s]*\2|
SCHEMA_NAME\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\
(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset
community; classtype:attempted-user; sid:2685; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_rectifier_diff.differences buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_rectifier_diff.differences"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)
[\r\n\s]*\x3b.*sname1[\r\n\s]*=>[\r\n\s]*\2|sname1\s*=>\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]*\x22)\s*,\s*){9}(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community;
reference:bugtraq,10871; reference:cve,2004-1362; reference:cve,2004-1363; reference:cve,2004-1364; reference:cve,2004-1365;
reference:cve,2004-1366; reference:cve,2004-1368; reference:cve,2004-1369; reference:cve,2004-1370; reference:cve,2004-1371;
reference:url,www.appsecinc.com/Policy/PolicyCheck97.html;
classtype:attempted-user; sid:2686; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_internal_repcat.validate buffer overflow attempt";
flow:to_server,established; content:"sys.dbms_internal_repcat.validate";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1024,}\x27|\x22[^\x22]{1024,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]
{1024,}))/si"; metadata:ruleset community; classtype:attempted-user;
sid:2687; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_internal_repcat.enable_receiver_trace buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_internal_repcat.enable_receiver_trace"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]
{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|
gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community;
classtype:attempted-user; sid:2688; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_internal_repcat.disable_receiver_trace buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_internal_repcat.disable_receiver_trace"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]
{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|
gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community;
classtype:attempted-user; sid:2689; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_defer_repcat.enable_propagation_to_dblink buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_defer_repcat.enable_propagation_to_dblink"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]
{1024,}\x22)[\r\n\s]*\x3b.*dblink[\r\n\s]*=>[\r\n\s]*\2|
dblink\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community;
classtype:attempted-user; sid:2690; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_defer_internal_sys.parallel_push_recovery buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_defer_internal_sys.parallel_push_recovery"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]
{1024,}\x22)[\r\n\s]*\x3b.*destination[\r\n\s]*=>[\r\n\s]*\2|
destination\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\
(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset
community; classtype:attempted-user; sid:2691; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_aqadm_sys.verify_queue_types buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_aqadm_sys.verify_queue_types"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)
[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|
src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\
(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset
community; classtype:attempted-user; sid:2692; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_aqadm.verify_queue_types_no_queue buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_aqadm.verify_queue_types_no_queue"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]
{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|
src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\
(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset
community; classtype:attempted-user; sid:2693; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_aqadm.verify_queue_types_get_nrp buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_aqadm.verify_queue_types_get_nrp"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]
{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|
src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\
(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset
community; classtype:attempted-user; sid:2694; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_aq_import_internal.aq_table_defn_update buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_aq_import_internal.aq_table_defn_update"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]
{1024,}\x22)[\r\n\s]*\x3b.*qt_name[\r\n\s]*=>[\r\n\s]*\2|
qt_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community;
classtype:attempted-user; sid:2695; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_utl.is_master buffer overflow attempt";
flow:to_server,established; content:"sys.dbms_repcat_utl.is_master";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1024,}\x27|\x22[^\x22]{1024,}\x22)
[\r\n\s]*\x3b.*CANON_GNAME[\r\n\s]*=>[\r\n\s]*\2|
CANON_GNAME\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si";
metadata:ruleset community; classtype:attempted-user; sid:2696; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE alter file buffer overflow attempt"; flow:to_server,established;
content:"alter"; nocase; pcre:"/ALTER\s.*?FILE\s+((AS|MEMBER|TO)\s+)?
(\x27[^\x27]{512}|\x22[^\x22]{512})/smi"; metadata:ruleset community;
classtype:attempted-user; sid:2697; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE create file buffer overflow attempt"; flow:to_server,established;
content:"create"; nocase; pcre:"/CREATE\s.*?FILE\s+((AS|MEMBER|TO)\s+)?
(\x27[^\x27]{512}|\x22[^\x22]{512})/smi"; metadata:ruleset community;
classtype:attempted-user; sid:2698; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE TO_CHAR buffer overflow attempt"; flow:to_server,established;
content:"TO_CHAR"; nocase; pcre:"/TO_CHAR\s*\
(\s*SYSTIMESTAMP\s*,\s*(\x27[^\x27]{256}|\x22[^\x22]{256})/smi";
metadata:ruleset community; reference:bugtraq,10871; reference:cve,2004-1364; classtype:attempted-user; sid:2699; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle iSQLPlus sid overflow attempt"; flow:to_server,established;
content:"/isqlplus"; nocase; http_uri; pcre:"/sid=[^&\x3b\r\n]{255}/si";
metadata:ruleset community, service http; reference:bugtraq,10871;
reference:cve,2004-1362; reference:cve,2004-1363; reference:cve,2004-1364; reference:cve,2004-1365; reference:cve,2004-1366;
reference:cve,2004-1368; reference:cve,2004-1369; reference:cve,2004-1370; reference:cve,2004-1371;
reference:url,www.nextgenss.com/advisories/ora-isqlplus.txt;
classtype:web-application-attack; sid:2701; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle iSQLPlus username overflow attempt";
flow:to_server,established; content:"/isqlplus"; nocase; http_uri;
pcre:"/username=[^&\x3b\r\n]{255}/si"; metadata:ruleset community,
service http; reference:bugtraq,10871; reference:cve,2004-1362;
reference:cve,2004-1363; reference:cve,2004-1364; reference:cve,2004-1365; reference:cve,2004-1366; reference:cve,2004-1368;
reference:cve,2004-1369; reference:cve,2004-1370; reference:cve,2004-1371; reference:url,www.nextgenss.com/advisories/ora-isqlplus.txt;
classtype:web-application-attack; sid:2702; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle iSQLPlus login.uix username overflow attempt";
flow:to_server,established; content:"/login.uix"; nocase; http_uri;
pcre:"/username=[^&\x3b\r\n]{250}/smi"; metadata:ruleset community,
service http; reference:bugtraq,10871; reference:cve,2004-1362;
# NOTE(review): rule text is missing between these two lines. The iSQLPlus login.uix rule above has no classtype/sid/closing ")", and the options below belong to a different rule (sid:2711, dbms_offline_og.end_flavor_change) whose header line is absent.
flow:to_server,established; content:"dbms_offline_og.end_flavor_change";
nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si";
metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2711; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_offline_og.end_instantiation buffer overflow attempt";
flow:to_server,established; content:"dbms_offline_og.end_instantiation";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2712; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_offline_og.end_load buffer overflow attempt";
flow:to_server,established; content:"dbms_offline_og.end_load"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|
gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2713; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_offline_og.resume_subset_of_masters buffer overflow attempt";
flow:to_server,established;
content:"dbms_offline_og.resume_subset_of_masters"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2714; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_offline_snapshot.begin_load buffer overflow attempt";
flow:to_server,established; content:"dbms_offline_snapshot.begin_load";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2715; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_offline_snapshot.end_load buffer overflow attempt";
flow:to_server,established; content:"dbms_offline_snapshot.end_load";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/Policy/PolicyCheck632.html;
# NOTE(review): rule text is missing between these two lines. The dbms_offline_snapshot.end_load rule above has no classtype/sid/closing ")", and the pcre fragment below is the tail of a different rule (sid:2721) whose header and opening options are absent.
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2721; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_object_to_flavor buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.add_object_to_flavor";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2722; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_priority_char buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.add_priority_char";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2723; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_priority_date buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.add_priority_date";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2724; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_priority_nchar buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.add_priority_nchar";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2725; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_priority_number buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.add_priority_number";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_update_resolution buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.add_update_resolution";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)
[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2732; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_master_propagation buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.alter_master_propagation"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2733; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_mview_propagation buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.alter_mview_propagation"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|
gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2734; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_priority_char buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.alter_priority_char";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2735; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_priority_date buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.alter_priority_date";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2736; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_priority_nchar buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.alter_priority_nchar";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2737; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_priority_number buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.alter_priority_number";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2738; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_priority_nvarchar2 buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.alter_priority_nvarchar2"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2739; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_priority_raw buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.alter_priority_raw";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2740; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_priority buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.alter_priority"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|
gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2741; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.alter_priority_varchar2 buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.alter_priority_varchar2"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2742; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.alter_site_priority_site buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.alter_site_priority_site"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2743; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.alter_site_priority buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.alter_site_priority";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2744; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.alter_snapshot_propagation buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.alter_snapshot_propagation"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2745; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat_auth.revoke_surrogate_repcat"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2746; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.begin_flavor_definition buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.begin_flavor_definition"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
# NOTE(review): this copy is truncated here. The begin_flavor_definition rule
# above ends without its reference/classtype/sid/rev tail, and the lines below
# are only the tail of a different rule (ending in sid:2752) whose header and
# content match are absent. Neither fragment is a loadable rule as written;
# restore both from an intact copy of community.rules before enabling them.
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2752; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.comment_on_repsites buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.comment_on_repsites";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2753; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.comment_on_site_priority buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.comment_on_site_priority"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2754; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.comment_on_unique_resolution buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.comment_on_unique_resolution"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|
oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2755; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.comment_on_update_resolution buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.comment_on_update_resolution"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|
oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2756; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.create_master_repgroup buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.create_master_repgroup";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2757; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.create_master_repobject buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.create_master_repobject"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2758; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.create_snapshot_repgroup buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.create_snapshot_repgroup"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*(gname|fname)[\r\n\s]*=>[\r\n\s]*\2|(gname|
fname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2759; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.define_column_group buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.define_column_group";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)
[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2760; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.define_priority_group buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.define_priority_group";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2761; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.define_site_priority buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.define_site_priority";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2762; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.do_deferred_repcat_admin buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.do_deferred_repcat_admin"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2763; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.drop_column_group_from_flavor buffer overflow
attempt"; flow:to_server,established;
content:"dbms_repcat.drop_column_group_from_flavor"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|
gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2764; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.drop_column_group buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.drop_column_group";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)
[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2765; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.drop_columns_from_flavor buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.drop_columns_from_flavor"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2766; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.drop_delete_resolution buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.drop_delete_resolution";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)
[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
# NOTE(review): this copy is truncated here. The drop_delete_resolution rule
# above has no reference/classtype/sid/rev tail, and the "nocase; pcre:" block
# below is the tail of a different rule (ending in sid:2778) whose header and
# content match are missing; the sids between the two are not present in this
# copy at all. Restore this stretch from an intact copy of community.rules
# before relying on any of these detections.
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2778; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.drop_site_priority_site buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.drop_site_priority_site"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2779; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.drop_site_priority buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.drop_site_priority";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2780; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.drop_snapshot_repgroup buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.drop_snapshot_repgroup";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2781; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.drop_snapshot_repobject buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.drop_snapshot_repobject"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|
type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2782; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.drop_unique_resolution buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.drop_unique_resolution";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)
[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2783; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.drop_update_resolution buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.drop_update_resolution";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)
[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2784; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.execute_ddl buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.execute_ddl"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|
gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2785; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.generate_replication_package buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.generate_replication_package"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|
oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2786; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat_instantiate.instantiate_online buffer overflow
attempt"; flow:to_server,established;
content:"dbms_repcat_instantiate.instantiate_online"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|
refresh_template_name\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset
community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2787; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.make_column_group buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.make_column_group";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)
[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2788; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.obsolete_flavor_definition buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.obsolete_flavor_definition"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2789; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.publish_flavor_definition buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.publish_flavor_definition"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2790; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.purge_flavor_definition buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.purge_flavor_definition"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2791; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.purge_master_log buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.purge_master_log";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2792; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.purge_statistics buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.purge_statistics";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)
[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2793; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.refresh_mview_repgroup buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)
[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/Policy/PolicyCheck90.html;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2794; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.refresh_snapshot_repgroup buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.refresh_snapshot_repgroup"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2795; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.register_mview_repgroup buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.register_mview_repgroup"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|
gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2796; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.register_snapshot_repgroup buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.register_snapshot_repgroup"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2797; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.register_statistics buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.register_statistics";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)
[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2798; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.relocate_masterdef buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.relocate_masterdef";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2799; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.rename_shadow_column_group buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.rename_shadow_column_group"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|
oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2800; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.resume_master_activity buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.resume_master_activity";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2801; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat_rgt.check_ddl_text buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat_rgt.check_ddl_text";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(object_type|user_name)
[\r\n\s]*=>[\r\n\s]*\2|(object_type|user_name)\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2802; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat_rgt.drop_site_instantiation"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*(refresh_template_name|user_name)[\r\n\s]*=>[\r\n\s]*\2|
(refresh_template_name|user_name)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2803; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.send_and_compare_old_values buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.send_and_compare_old_values"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|
oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2804; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.set_columns buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.set_columns"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|
oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2805; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.set_local_flavor buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.set_local_flavor";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)
[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2806; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.specify_new_masters buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.specify_new_masters";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2807; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.suspend_master_activity buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.suspend_master_activity"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2808; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.unregister_mview_repgroup buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.unregister_mview_repgroup"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|
gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2809; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.unregister_snapshot_repgroup buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.unregister_snapshot_repgroup"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2810; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.validate_flavor_definition buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.validate_flavor_definition"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2811; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.validate_for_local_flavor buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.validate_for_local_flavor"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|
gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2812; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_fla.abort_flavor_definition buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_fla.abort_flavor_definition"; nocase; pcre:"/\
(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset
community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2813; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_fla.add_object_to_flavor buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_fla.add_object_to_flavor"; nocase; pcre:"/\
(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset
community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2814; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_fla.begin_flavor_definition buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_fla.begin_flavor_definition"; nocase; pcre:"/\
(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset
community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2815; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_fla.drop_object_from_flavor buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_fla.drop_object_from_flavor"; nocase; pcre:"/\
(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset
community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2816; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_fla_mas.add_column_group_to_flavor buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_fla_mas.add_column_group_to_flavor"; nocase;
pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset
community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2817; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_fla_mas.add_columns_to_flavor buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_fla_mas.add_columns_to_flavor"; nocase; pcre:"/\
(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset
community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2818; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_fla_mas.drop_column_group_from_flavor buffer
overflow attempt"; flow:to_server,established;
content:"sys.dbms_repcat_fla_mas.drop_column_group_from_flavor"; nocase;
pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset
community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2819; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_fla_mas.drop_columns_from_flavor buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_fla_mas.drop_columns_from_flavor"; nocase;
pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset
community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2820; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_fla_mas.obsolete_flavor_definition buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_fla_mas.obsolete_flavor_definition"; nocase;
pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset
community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2821; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_fla_mas.publish_flavor_definition buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_fla_mas.publish_flavor_definition"; nocase;
pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset
community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2822; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_fla_mas.purge_flavor_definition buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_fla_mas.purge_flavor_definition"; nocase;
pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset
community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2823; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_fla.set_local_flavor buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_fla.set_local_flavor"; nocase; pcre:"/(\
(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2824; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_fla.validate_flavor_definition buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_fla.validate_flavor_definition"; nocase;
pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset
community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2825; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_fla.validate_for_local_flavor buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_fla.validate_for_local_flavor"; nocase; pcre:"/
(\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2826; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_mas.alter_master_repobject buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_mas.alter_master_repobject"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|
type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2827; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_mas.comment_on_repgroup buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_mas.comment_on_repgroup"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2828; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_mas.comment_on_repobject buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_mas.comment_on_repobject"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2829; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_mas.create_master_repgroup buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_mas.create_master_repgroup"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|
gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2830; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_mas.create_master_repobject buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_mas.create_master_repobject"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|
gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2831; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_mas.do_deferred_repcat_admin buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_mas.do_deferred_repcat_admin"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|
gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2832; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_mas.drop_master_repgroup buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_mas.drop_master_repgroup"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2833; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_mas.generate_replication_package buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_mas.generate_replication_package"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|
oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2834; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_mas.purge_master_log buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_mas.purge_master_log"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2835; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_mas.relocate_masterdef buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_mas.relocate_masterdef"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2836; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_mas.rename_shadow_column_group buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_mas.rename_shadow_column_group"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|
oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2837; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_mas.resume_master_activity buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_mas.resume_master_activity"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|
gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2838; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_mas.suspend_master_activity buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_mas.suspend_master_activity"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|
gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2839; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_sna_utl.alter_snapshot_propagation buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_sna_utl.alter_snapshot_propagation"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|
gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2840; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_sna_utl.create_snapshot_repgroup"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|
(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/Policy/PolicyCheck97.html;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2841; rev:5;)
# NOTE(review): this copy is damaged here. The header names
# sys.dbms_repcat_sna_utl.drop_snapshot_repgroup (presumably sid 2842, the next in
# sequence after 2841), but the text jumps straight from "flow:to_server,established;"
# into the tail of the pcre belonging to sid 2846, dropping that rule's content/pcre
# head and everything in between -- sids 2842-2845 do not appear in this copy. If
# uncommented as written, the option string would not parse. Restore this stretch
# from an intact community.rules before enabling anything in it.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_sna_utl.drop_snapshot_repgroup buffer overflow
attempt"; flow:to_server,established;
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2846; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup buffer
overflow attempt"; flow:to_server,established;
content:"sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|
gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2847; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_utl4.drop_master_repobject buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_utl4.drop_master_repobject"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|
type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2848; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_utl.drop_an_object buffer overflow attempt";
flow:to_server,established; content:"sys.dbms_repcat_utl.drop_an_object";
nocase; pcre:"/(\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/Policy/PolicyCheck97.html;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2849; rev:5;)
# NOTE(review): this copy is damaged here. The dbms_repcat.create_mview_repobject
# rule (presumably sid 2850, the next in sequence after 2849) ends at
# "metadata:ruleset community;" with no reference/classtype/sid/rev, and the text
# then resumes mid-header ('attempt"; flow:...') inside the rule for
# sys.dbms_repcat_conf.add_priority_varchar2, sid 2865. Sids 2850-2864 do not appear
# in this copy. Neither fragment would parse if uncommented as written; restore both
# rules from an intact community.rules before use.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.create_mview_repobject buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.create_mview_repobject";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|
gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname|
gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){7}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_conf.add_priority_varchar2"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|
gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2865; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_conf.add_site_priority_site buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_conf.add_site_priority_site"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|
gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2866; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_conf.add_unique_resolution buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_conf.add_unique_resolution"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|
oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2867; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_conf.add_update_resolution buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_conf.add_update_resolution"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|
oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2868; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_conf.alter_priority_char buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_conf.alter_priority_char"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2869; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_conf.alter_priority_date buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_conf.alter_priority_date"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2870; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_conf.alter_priority_nchar buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_conf.alter_priority_nchar"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|
gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2871; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_conf.alter_priority_number buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_conf.alter_priority_number"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|
gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2872; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_conf.alter_priority_nvarchar2 buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_conf.alter_priority_nvarchar2"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|
gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2873; rev:4;)
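# SERVER-ORACLE sys.dbms_repcat_conf.* buffer-overflow checks (AppSecInc alert 20040001/25).
# Every rule anchors on the package.procedure name (content, nocase) and then runs one PCRE
# that fires when a single quoted string literal of 1075+ bytes is (a) assigned to a PL/SQL
# variable that is later passed as the named argument (the \2 back-reference), (b) passed
# directly by name (gname => '...', sname/oname => '...'), or (c) passed positionally at the
# slot the procedure takes it in.
# NOTE(review): a long value built from shorter pieces ('aaa' || 'bbb') or computed at
# runtime matches none of the branches; treat these as best-effort, not exhaustive.
# NOTE(review): ".*" under the /s flag scans to the end of the payload on every hit on the
# procedure name; expect measurable PCRE cost on busy Oracle links.
# Each rule is kept on one line (Snort rules need "\" continuation to span lines), and the
# category prefix is SERVER-ORACLE (the hyphen had been lost in the page extraction).
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.alter_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2874; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.alter_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2875; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.alter_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2876; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.alter_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2877; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.alter_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2878; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.cancel_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.cancel_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2879; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.comment_on_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_delete_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2880; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.comment_on_priority_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_priority_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2881; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.comment_on_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2882; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.comment_on_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2883; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.comment_on_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2884; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.define_priority_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.define_priority_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2885; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.define_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.define_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2886; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_delete_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2887; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2888; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2889; rev:4;)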
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_conf.drop_priority_nchar buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_conf.drop_priority_nchar"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_conf.drop_site_priority_site"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|
gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2896; rev:4;)
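# SERVER-ORACLE dbms_repcat_conf / dbms_repcat_sna buffer-overflow checks (AppSecInc 20040001/25).
# Same construction as the preceding rules: content on the procedure name, then one PCRE that
# fires on a 1075+ byte quoted literal reaching the named argument via a PL/SQL variable
# (\2 back-reference), by name (gname/gowner/fname/sname/oname => '...'), or positionally;
# the {3}, {4}, {5} repeat counts select the positional slot for the multi-argument
# dbms_repcat_sna procedures.
# NOTE(review): concatenated ('a' || 'b') or runtime-built values are not caught.
# Rules re-joined onto single lines; category prefix is SERVER-ORACLE.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2897; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2898; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2899; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.purge_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.purge_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2900; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.register_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.register_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2901; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.alter_snapshot_propagation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2902; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2903; rev:4;)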
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_sna.create_snapshot_repobject buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_sna.create_snapshot_repobject"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname|gowner)
[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname|
gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){7}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2909; rev:4;)
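# SERVER-ORACLE dbms_repcat_sna / dbms_repcat_sna_utl / dbms_repcat_untrusted overflow checks
# (AppSecInc 20040001/25). Same PCRE family as above: a 1075+ byte quoted literal reaching the
# named argument through a PL/SQL variable, by name, or positionally ({2}/{4} pick the slot).
# NOTE(review): concatenated ('a' || 'b') or runtime-built values are not caught.
# Rules re-joined onto single lines; category prefix is SERVER-ORACLE.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.refresh_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2910; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.refresh_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.refresh_snapshot_repschema"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2911; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.register_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2912; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.repcat_import_check"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2913; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.set_local_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2914; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.switch_snapshot_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2915; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.unregister_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2916; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna_utl.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.switch_snapshot_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2917; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.validate_for_local_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2918; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_untrusted.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_untrusted.register_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2919; rev:4;)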
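# PROTOCOL-DNS inverse query (IQUERY) to $HOME_NET resolvers, CVE-2001-0010.
# The tested byte is the first flags byte of the DNS header: offset 2 over UDP, offset 4
# over TCP (after the 2-byte length prefix). "<16" keeps QR=0 and the upper opcode bits
# clear, "&8" requires the low opcode bit set, i.e. opcode 1 = inverse query.
# classtype restored to attempted-recon (hyphen lost in extraction).
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS UDP inverse query"; flow:to_server; byte_test:1,<,16,2; byte_test:1,&,8,2; metadata:ruleset community, service dns; reference:bugtraq,2302; reference:cve,2001-0010; reference:nessus,10605; classtype:attempted-recon; sid:2921; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS TCP inverse query"; flow:to_server,established; byte_test:1,<,16,4; byte_test:1,&,8,4; metadata:ruleset community, service dns; reference:bugtraq,2302; reference:cve,2001-0010; reference:nessus,10605; classtype:attempted-recon; sid:2922; rev:10;)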
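# NETBIOS SMB repeated logon failure: ten Session Setup AndX responses ("|FF|SMBs", s = 0x73)
# carrying NT status bytes 6D 00 00 C0 (0xC000006D little-endian, STATUS_LOGON_FAILURE) to the
# same client inside 60 seconds.
# NOTE(review): the header is $HOME_NET -> $EXTERNAL_NET, so only failures returned to
# external clients are counted; lateral brute force between internal hosts never trips
# these rules. detection_filter tracks by_dst, i.e. per attacking client, not per server.
# alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"NETBIOS SMB repeated logon failure"; flow:to_client,established; content:"|FF|SMBs"; depth:5; offset:4; content:"m|00 00 C0|"; within:4; detection_filter:track by_dst,count 10,seconds 60; metadata:ruleset community; classtype:unsuccessful-user; sid:2923; rev:13;)
# alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"NETBIOS SMB-DS repeated logon failure"; flow:to_client,established; content:"|FF|SMBs"; depth:5; offset:4; content:"m|00 00 C0|"; within:4; detection_filter:track by_dst,count 10,seconds 60; metadata:ruleset community, service netbios-ssn; classtype:unsuccessful-user; sid:2924; rev:8;)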
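# SERVER-WEBAPP PhpGedView PGV_BASE_DIRECTORY manipulation (CVE-2004-0030, bugtraq 9368).
# "_conf.php" must appear in the normalized URI; "PGV_BASE_DIRECTORY" is the fast-pattern
# and, carrying no http_* modifier, may match anywhere in the request (URI or body).
# Category prefix restored to SERVER-WEBAPP (hyphen lost in extraction).
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PhpGedView PGV base directory manipulation"; flow:to_server,established; content:"_conf.php"; nocase; http_uri; content:"PGV_BASE_DIRECTORY"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,9368; reference:cve,2004-0030; classtype:web-application-attack; sid:2926; rev:10;)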
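# OS-WINDOWS NNTP XPAT overflow (MS04-036, CVE-2004-0574) on TCP/119.
# "PAT " must sit within the first 5 payload bytes (so "XPAT " or "PAT "), and the PCRE
# then requires 160 bytes without a newline after the verb; isdataat:160,relative makes
# sure the bytes are present before the PCRE is evaluated.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"OS-WINDOWS Microsoft Windows XPAT pattern overflow attempt"; flow:to_server,established; content:"PAT|20|"; depth:5; nocase; isdataat:160,relative; pcre:"/^X?PAT\s+[^\n]{160}/i"; metadata:ruleset community; reference:cve,2004-0574; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-036; classtype:attempted-admin; sid:2927; rev:11;)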
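# OS-WINDOWS nddeapi NDdeSetTrustedShareW (opnum 12) overflow, MS04-031 / CVE-2004-0206.
# Fires when the DCERPC stub data holds 256 bytes with no 0x00 starting at offset 12.
# NOTE(review): the W variant takes a UTF-16LE string, and ASCII text encoded as UTF-16LE
# carries a 0x00 in every other byte, so the negated content can only match payloads that
# avoid NUL high bytes altogether; confirm against a real exploit capture before relying
# on this rule.
# Interface UUID restored to 8-4-4-4-12 form (a hyphen was lost in extraction).
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP nddeapi NDdeSetTrustedShareW overflow attempt"; flow:to_server,established; dce_iface:2f5f3220-c126-1076-b549-074d078619da; dce_opnum:12; dce_stub_data; isdataat:256; content:!"|00|"; depth:256; offset:12; metadata:ruleset community, service netbios-ssn; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:2936; rev:18;)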
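# NETBIOS winreg InitiateSystemShutdown (opnum 24) over MS-RPC on 139/445.
# classtype is protocol-command-decode: this is a visibility rule for any remote shutdown
# request arriving from $EXTERNAL_NET, legitimate or not, not an exploit signature.
# Interface UUID restored to 8-4-4-4-12 form and service tag to netbios-ssn (hyphens lost
# in extraction); the reference URL is re-joined onto one line.
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS DCERPC NCACN-IP-TCP winreg InitiateSystemShutdown attempt"; flow:established,to_server; dce_iface:338cd001-2244-31f1-aaaa-900038001003; dce_opnum:24; metadata:ruleset community, service netbios-ssn; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:2942; rev:14;)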
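# OS-WINDOWS SMB Session Setup NTLMSSP ASN.1 overflow (MS04-007, CVE-2003-0818) on TCP/139.
# Each rule walks to the security blob of a Session Setup AndX request and hands it to the
# asn1 detector with a 2048-byte oversize_length ceiling. The negated "NTLMSSP" content at
# the blob start means only blobs that are not raw NTLMSSP (presumably SPNEGO-wrapped) are
# inspected. 3000 covers a direct Session Setup with the unicode flag set (byte_test &128);
# 3001/3002 cover a Session Setup reached through an AndX chain (the PCRE lists the chained
# command bytes), without (!&128) and with (&128) the unicode flag respectively.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS SMB Session Setup NTLMSSP unicode asn1 overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; metadata:ruleset community; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:protocol-command-decode; sid:3000; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS SMB Session Setup NTLMSSP andx asn1 overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; metadata:ruleset community; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:protocol-command-decode; sid:3001; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS SMB Session Setup NTLMSSP unicode andx asn1 overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; metadata:ruleset community; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:protocol-command-decode; sid:3002; rev:10;)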
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS SMB-DS
Session Setup NTLMSSP unicode asn1 overflow attempt";
flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBs";
within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R";
byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP";
within:7; distance:27; asn1:double_overflow, bitstring_overflow,
relative_offset 27, oversize_length 2048; metadata:ruleset community,
service netbios-ssn; reference:bugtraq,9633; reference:bugtraq,9635;
flowbits:set,backdoor.netbus_2.connect; flowbits:noalert;
metadata:ruleset community; classtype:misc-activity; sid:3009; rev:8;)
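# MALWARE-CNC RUX the Tick backdoor commands, operator -> implant on TCP/22222.
# Each rule is a short literal at the very start of the payload (depth 6 / 11) and is set
# to drop under the security-ips policy. On a network that runs anything else on 22222 the
# six-byte WINDIR/SYSDIR checks can match benign text; the port is the only other qualifier.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22222 (msg:"MALWARE-CNC RUX the Tick get windows directory"; flow:to_server,established; content:"WINDIR"; depth:6; metadata:policy security-ips drop, ruleset community; classtype:misc-activity; sid:3010; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22222 (msg:"MALWARE-CNC RUX the Tick get system directory"; flow:to_server,established; content:"SYSDIR"; depth:6; metadata:policy security-ips drop, ruleset community; classtype:misc-activity; sid:3011; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22222 (msg:"MALWARE-CNC RUX the Tick upload/execute arbitrary file"; flow:to_server,established; content:"ABCJZDATEIV"; depth:11; metadata:policy security-ips drop, ruleset community; classtype:misc-activity; sid:3012; rev:5;)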
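# MALWARE-CNC Asylum 0.1 backdoor on TCP/23432, two-stage match:
# 3013 sets the backdoor.asylum.connect flowbit on the "RQS" request without alerting
# (flowbits:noalert); 3014 alerts/drops only on the "GNT" reply from $HOME_NET when that
# flowbit is already set, so a lone "GNT" never fires.
# classtype of 3014 restored to misc-activity (hyphen lost in extraction).
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23432 (msg:"MALWARE-CNC Asylum 0.1 connection request"; flow:to_server,established; content:"RQS"; depth:3; flowbits:set,backdoor.asylum.connect; flowbits:noalert; metadata:ruleset community; classtype:misc-activity; sid:3013; rev:8;)
# alert tcp $HOME_NET 23432 -> $EXTERNAL_NET any (msg:"MALWARE-CNC Asylum 0.1 connection"; flow:to_client,established; flowbits:isset,backdoor.asylum.connect; content:"GNT"; depth:3; metadata:policy security-ips drop, ruleset community; classtype:misc-activity; sid:3014; rev:9;)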
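# MALWARE-CNC Insane Network 4.0 banner sent by the implant (server -> client) on its
# default port 2000 and on 63536. The matched banner is exactly 62 bytes, so depth:62
# anchors it at the start of the payload.
# alert tcp $HOME_NET 2000 -> $EXTERNAL_NET any (msg:"MALWARE-CNC Insane Network 4.0 connection"; flow:to_client,established; content:"Insane Network vs 4.0 by Suid Flow|0A 0D|www.blackcode.com|0A 0D|[r00t]|23|"; depth:62; metadata:policy security-ips drop, ruleset community; classtype:misc-activity; sid:3015; rev:9;)
# alert tcp $HOME_NET 63536 -> $EXTERNAL_NET any (msg:"MALWARE-CNC Insane Network 4.0 connection port 63536"; flow:to_client,established; content:"Insane Network vs 4.0 by Suid Flow|0A 0D|www.blackcode.com|0A 0D|[r00t]|23|"; depth:62; metadata:policy security-ips drop, ruleset community; classtype:misc-activity; sid:3016; rev:9;)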
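# OS-WINDOWS WINS replication overflow (MS04-045, CVE-2004-0567 / CVE-2004-1080) on TCP/42.
# The four byte_tests require bits 0x40|0x20|0x10|0x08 of byte 6 to be set; the negated
# PCRE then exempts payloads whose bytes from offset 8 match one of the listed allowed
# patterns, so any other message with those flag bits raises the alert.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"OS-WINDOWS Microsoft Windows WINS overflow attempt"; flow:to_server,established; byte_test:1,&,64,6; byte_test:1,&,32,6; byte_test:1,&,16,6; byte_test:1,&,8,6; pcre:!"/^.{8}(\x05\x37(\x1E[\x90-\xFF]|[\x1F-\x2F].|\x30[\x00-\x70])|\x00\x00\x00[\x00-\x65]|\x02\x68\x05\xC0)/s"; metadata:ruleset community, service wins; reference:bugtraq,11763; reference:cve,2004-0567; reference:cve,2004-1080; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-045; reference:url,www.immunitysec.com/downloads/instantanea.pdf; classtype:misc-attack; sid:3017; rev:16;)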
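# NETBIOS SMB NT Trans / NT CREATE with an oversized Security Descriptor (CVE-2004-1154),
# TCP/139, non-unicode, direct (not AndX-chained) request. Walks from the NT Trans command
# (|FF|SMB|A0|) to the NT CREATE subcommand (|01 00|), follows the setup offset, and alerts
# when the 4-byte little-endian length read 36 bytes in exceeds 1024.
# NOTE(review): this rule uses "byte_jump:4,15,little,relative,from_beginning" while the
# 445 counterpart (sid 3025, same subcommand position) uses "-15"; confirm whether the
# missing sign here is an extraction artifact before enabling the rule. Left as found.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3018; rev:6;)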
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans
NT CREATE andx oversized Security Descriptor attempt";
15,little,relative,from_beginning; pcre:"/^.{4}/R";
byte_test:4,>,1024,36,relative,little; metadata:ruleset community,
service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3024; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT
Trans NT CREATE unicode andx oversized Security Descriptor attempt";
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB";
within:4; distance:3;
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR";
byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39;
byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37;
byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R";
byte_test:4,>,1024,36,relative,little; metadata:ruleset community,
service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3025; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans
NT CREATE SACL overflow attempt"; flow:established,to_server; content:"|
00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!
&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2;
distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.
{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12;
byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little;
metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3026; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans
NT CREATE andx SACL overflow attempt"; flow:established,to_server;
content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3;
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!
&,128,6,relative; content:"|A0|"; depth:1; offset:39;
byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37;
byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R";
content:!"|00 00 00 00|"; within:4; distance:12;
byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little;
metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3027; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans
NT CREATE unicode SACL overflow attempt"; flow:established,to_server;
content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3;
byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|";
within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning;
pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12;
byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little;
metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3028; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans
NT CREATE unicode andx SACL overflow attempt";
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB";
within:4; distance:3;
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR";
byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39;
byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37;
byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R";
content:!"|00 00 00 00|"; within:4; distance:12;
byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little;
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans
NT CREATE andx DACL overflow attempt"; flow:established,to_server;
content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3;
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!
&,128,6,relative; content:"|A0|"; depth:1; offset:39;
byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37;
byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R";
content:!"|00 00 00 00|"; within:4; distance:16;
byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little;
metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3035; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans
NT CREATE unicode DACL overflow attempt"; flow:established,to_server;
content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3;
byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|";
within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning;
pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16;
byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little;
metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3036; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans
NT CREATE unicode andx DACL overflow attempt";
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB";
within:4; distance:3;
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR";
byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39;
byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37;
byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R";
content:!"|00 00 00 00|"; within:4; distance:16;
byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little;
metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3037; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT
Trans NT CREATE DACL overflow attempt"; flow:established,to_server;
content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3;
byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|";
within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning;
pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16;
byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little;
metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154;
classtype:protocol-command-decode; sid:3038; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT
Trans NT CREATE andx DACL overflow attempt"; flow:established,to_server;
content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3;
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!
&,128,6,relative; content:"|A0|"; depth:1; offset:39;
byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37;
byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R";
content:!"|00 00 00 00|"; within:4; distance:16;
byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little;
metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154;
classtype:protocol-command-decode; sid:3039; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT
Trans NT CREATE unicode DACL overflow attempt";
reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-020;
classtype:attempted-user; sid:3149; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-IIS
SQLXML content type overflow"; flow:to_server,established;
pcre:"/\.x[sm]l/Ui"; content:"contenttype="; http_uri;
pcre:"/contenttype=[^\r\n\x3b\x38]{100}/smiU"; metadata:ruleset
community, service http; reference:bugtraq,5004; reference:cve,2002-0186;
reference:nessus,11304; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-030;
reference:url,www.westpoint.ltd.uk/advisories/wp-02-0007.txt;
classtype:attempted-admin; sid:3150; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER /
execution attempt"; flow:to_server,established; content:"/";
pcre:"/^\x2f/smi"; metadata:ruleset community; reference:cve,1999-0612;
reference:cve,2000-0915; classtype:attempted-recon; sid:3151; rev:8;)
# alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa brute
force failed login attempt"; flow:to_client,established; content:"Login
failed for user 'sa'"; fast_pattern:only; detection_filter:track by_src,
count 5, seconds 2; metadata:ruleset community; reference:bugtraq,4797;
reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:3152; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS TCP
inverse query overflow"; flow:to_server,established; byte_test:1,<,16,4;
byte_test:1,&,8,4; isdataat:400; metadata:ruleset community, service dns;
reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:3153; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS UDP
inverse query overflow"; flow:to_server; isdataat:400;
byte_test:1,<,16,2; byte_test:1,&,8,2; metadata:ruleset community,
service dns; reference:bugtraq,134; reference:cve,1999-0009;
classtype:attempted-admin; sid:3154; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"MALWARE-BACKDOOR
BackOrifice 2000 Inbound Traffic"; flow:to_server,established;
content:"1j|D0 D9|"; metadata:policy security-ips drop, ruleset
community; classtype:trojan-activity; sid:3155; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:]
(msg:"OS-WINDOWS DCERPC NCACN-IP-TCP ISystemActivator
CoGetInstanceFromFile attempt"; flow:to_server,established;
dce_iface:000001a0-0000-0000-c000-000000000046; dce_opnum:1;
dce_stub_data; content:"|01 10 08 00 CC CC CC CC|"; content:"|5C 00 5C
00|"; distance:0; byte_test:4,>,256,-8,relative,dce; metadata:ruleset
community, service netbios-ssn; reference:cve,2003-0715;
reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039;
classtype:protocol-command-decode; sid:3158; rev:17;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] (msg:"OS-WINDOWS
DCERPC NCADG-IP-UDP ISystemActivator CoGetInstanceFromFile attempt";
dce_iface:000001a0-0000-0000-c000-000000000046; dce_opnum:1;
dce_stub_data; content:"|01 10 08 00 CC CC CC CC|"; content:"|5C 00 5C
00|"; distance:0; byte_test:4,>,256,-8,relative,dce; metadata:ruleset
community, service dcerpc; reference:cve,2003-0715;
reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039;
classtype:protocol-command-decode; sid:3159; rev:16;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] (msg:"OS-WINDOWS
DCERPC NCADG-IP-UDP msqueue function 4 overflow attempt";
dce_iface:975201B0-59CA-11D0-A8D5-00A0C90D8051; dce_opnum:4;
dce_stub_data; byte_test:4,>,128,8,dce; metadata:ruleset community,
service dcerpc; reference:cve,2005-0059;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017;
classtype:attempted-admin; sid:3171; rev:14;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS
Microsoft Windows Media Player directory traversal via ContentDisposition attempt"; flow:to_client,established; content:".wmz";
fast_pattern; nocase; http_header; content:"Content-Disposition|3A|";
nocase; http_header; content:"filename="; nocase; http_header;
pcre:"/filename=[^\x3b\x3a\r\n]*(\x25\x2e\x25\x2e\x25\x5c|\x25\x32\x65\x2
5\x35\x63|\x2e\x2e\x5c)[^\x3b\x3a\r\n]*\x2ewmz/smiH"; metadata:ruleset
community, service http; reference:bugtraq,7517; reference:cve,2003-0228;
reference:nessus,11595; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-017; classtype:attempted-user; sid:3192;
rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS .cmd executable file parsing attack"; flow:to_server,established;
content:".cmd|22|"; nocase; http_uri; pcre:"/\x2ecmd\x22.*?\x26/smUi";
metadata:ruleset community, service http; reference:bugtraq,1912;
reference:cve,2000-0886; classtype:web-application-attack; sid:3193;
rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS .bat executable file parsing attack"; flow:to_server,established;
content:".bat|22|"; nocase; http_uri; pcre:"/\x2ebat\x22.*?\x26/Usmi";
metadata:ruleset community, service http; reference:bugtraq,1912;
reference:cve,2000-0886; classtype:web-application-attack; sid:3194;
rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"OS-WINDOWS name
query overflow attempt TCP"; flow:to_server,established;
byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative;
metadata:ruleset community, service netbios-ns; reference:bugtraq,9624;
reference:cve,2003-0825; reference:nessus,15912;
reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-006;
classtype:attempted-admin; sid:3195; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"OS-WINDOWS name
query overflow attempt UDP"; byte_test:1,&,64,2; content:" "; offset:12;
isdataat:56,relative; metadata:ruleset community, service netbios-ns;
reference:bugtraq,9624; reference:cve,2003-0825; reference:nessus,15912;
reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-006;
classtype:attempted-admin; sid:3196; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"OS-WINDOWS Microsoft
Windows WINS name query overflow attempt TCP"; flow:established;
byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative;
metadata:ruleset community; reference:bugtraq,9624; reference:cve,2003-0825; reference:nessus,15912; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-006; classtype:attempted-admin; sid:3199;
rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"OS-WINDOWS Microsoft
Windows WINS name query overflow attempt UDP"; flow:to_server;
byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative;
metadata:ruleset community; reference:bugtraq,9624; reference:cve,2003-0825; reference:nessus,15912; reference:url,technet.microsoft.com/en-
content:"ARKADMIN_GET_"; pcre:"/^(CLIENT|MACHINE)_INFO/Ri";
metadata:ruleset community; reference:bugtraq,12594; reference:cve,2005-0491; classtype:attempted-recon; sid:3453; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"SERVER-OTHER Arkeia
client backup generic info probe"; flow:to_server,established;
content:"ARKFS|00|root|00|root"; fast_pattern:only; metadata:ruleset
community; reference:bugtraq,12594; reference:cve,2005-0491;
classtype:attempted-recon; sid:3454; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5001 (msg:"SERVER-OTHER
Bontago Game Server Nickname buffer overflow";
flow:to_server,established; content:"|FF 01 00 00 00 00 01|";
isdataat:512,relative; metadata:ruleset community;
reference:bugtraq,12603; reference:cve,2005-0501;
reference:url,aluigi.altervista.org/adv/bontagobof-adv.txt;
classtype:attempted-user; sid:3455; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL 4.0
root login attempt"; flow:to_server,established; content:"|01|"; depth:1;
offset:3; content:"root|00|"; within:5; distance:5; nocase;
metadata:ruleset community, service mysql; classtype:protocol-command-decode; sid:3456; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"SERVER-OTHER Arkeia
backup client type 77 overflow attempt"; flow:to_server,established;
content:"|00|M"; depth:2; byte_test:2,>,23,6; metadata:ruleset community;
reference:bugtraq,12594; reference:cve,2005-0491; reference:nessus,17158;
classtype:attempted-user; sid:3457; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"SERVER-OTHER Arkeia
backup client type 84 overflow attempt"; flow:to_server,established;
content:"|00|T"; depth:2; byte_test:2,>,255,6; isdataat:263; content:!"|
00|"; depth:255; offset:8; metadata:ruleset community;
reference:bugtraq,12594; reference:cve,2005-0491; classtype:attempted-user; sid:3458; rev:7;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 41170 (msg:"PUA-P2P Manolito
Search Query"; flow:to_server; content:"|01 02 00 14|"; depth:4;
offset:16; metadata:ruleset community;
reference:url,openlito.sourceforge.net; reference:url,www.blubster.com;
classtype:policy-violation; sid:3459; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP REST
with numeric argument"; flow:to_server,established; content:"REST";
fast_pattern:only; pcre:"/REST\s+[0-9]+\n/i"; metadata:ruleset community,
service ftp; reference:bugtraq,7825; classtype:attempted-recon; sid:3460;
rev:9;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL
Content-Type overflow attempt"; flow:to_server,established;
content:"Content-Type"; nocase; content:"|3A|"; distance:0;
pcre:"/^\s*Content-Type\s*\x3A\s*[^\r\n]{300}/mi"; metadata:ruleset
community, service smtp; reference:bugtraq,44732; reference:bugtraq,7419;
reference:cve,2003-0113; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-015; classtype:attempted-admin; sid:3461;
rev:17;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE
Microsoft Internet Explorer Content-Encoding overflow attempt";
flow:to_server,established; content:"Content-Encoding"; nocase;
content:"|3A|"; distance:0; pcre:"/^\s*Content-Encoding\s*\x3A\s*[^\r\n]
{300}/mi"; metadata:ruleset community, service smtp;
reference:bugtraq,7419; reference:cve,2003-0113;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-015;
classtype:attempted-admin; sid:3462; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP awstats access"; flow:to_server,established;
content:"/awstats.pl"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,12572; reference:nessus,16456;
classtype:web-application-activity; sid:3463; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP awstats.pl command execution attempt"; flow:to_server,established;
content:"/awstats.pl?"; fast_pattern; nocase; http_uri;
content:"update="; http_uri; pcre:"/update=[^\r\n\x26]+/Ui";
content:"logfile="; nocase; http_uri; pcre:"/awstats.pl?
[^\r\n]*logfile=\x7C/Ui"; metadata:ruleset community, service http;
reference:bugtraq,12572; reference:nessus,16456; classtype:web-application-attack; sid:3464; rev:12;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC
Win.Trojan.Hydraq variant outbound connection";
flow:to_server,established; content:"|FF FF FF FF FF FF 00 00 FE FF FF FF
FF FF FF FF FF FF 88 FF|"; depth:20; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
ssl;
reference:url,www.virustotal.com/analisis/9051f618a5a8253a003167e65ce1311
fa91a8b70d438a384be48b02e73ba855c-1263878624; classtype:trojan-activity;
sid:16368; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Sality variant outbound connection";
flow:to_server,established; urilen:15<>30,norm; content:".gif?";
fast_pattern:only; http_uri; content:"User-Agent"; http_header;
content:!"Referer"; http_header; content:!"Accept"; http_header;
pcre:"/\.gif\x3f[a-f0-9]{4,7}\x3d\d{6,8}$/U"; metadata:impact_flag red,
policy balanced-ips drop, policy security-ips drop, ruleset community,
service http; reference:url,www.virustotal.com/file-scan/report.html?
id=982e0324c905311b88d59547f55c1dbba9b0568333827a699bb2f32adc6691001250921064; classtype:trojan-activity; sid:19964; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 12080 (msg:"MALWARE-CNC
Win.Trojan.Derusbi.A variant outbound connection";
flow:to_server,established; content:"|00 00 00 01 00 00 00|"; depth:7;
offset:1; content:"|01 00 00 00 68 01 00 00|"; within:8; distance:8;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community; reference:url,www.virustotal.com/file-scan/report.html?
id=6fecd042c3c0b54e7354cd8dfb1975c626acd8df55f88c4149462e15e77918b01314630371; reference:url,www.virustotal.com/file-scan/report.html?
id=705404d6bbf6dae254e2d3bc44eca239976be7f0dc4d49fe93b0fb1d1c2704fe1314630371; classtype:trojan-activity; sid:20080; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Injector variant outbound connection";
flow:to_server,established; content:"User-Agent|3A| Opera|5C|9.64|0A|";
fast_pattern:only; http_header; content:"bb.php?v="; http_uri;
content:"id="; distance:0; http_uri; content:"b="; distance:0; http_uri;
content:"tm="; distance:0; http_uri; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http; reference:url,www.virustotal.com/file-scan/report.html?
122dba3dba321dba6391b49fc757e/analysis/; classtype:trojan-activity;
sid:21444; rev:12;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLACKLIST
User-Agent known malicious user-agent string core-project";
flow:to_server, established; content:"User-Agent|3A 20|core-project";
fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy
security-ips drop, ruleset community, service http; classtype:misc-activity; sid:21475; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific
structure - prototype catch"; flow:to_client,established;
content:"prototype"; content:"}catch("; distance:0;
pcre:"/prototype([^\x7d]{1,3})?\x7dcatch\x28/smi"; metadata:ruleset
community, service ftp-data, service http, service imap, service pop3;
reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927;
reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188;
reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681;
reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:21492; rev:20;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Bredolab variant outbound connection";
flow:to_server,established; content:"POST"; http_method; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; http_header; content:"smk="; depth:4;
http_client_body; metadata:policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.virustotal.com/file/9384733182a6cbe5236b9b253d1f070570b
7f6b6ff31aa86be253421f4c5c645/analysis/; classtype:trojan-activity;
sid:21562; rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific
structure - prototype catch"; flow:to_client,established; file_data;
content:"prototype"; content:"}catch("; distance:0;
pcre:"/prototype([^\x7d]{1,3})?\x7dcatch\(\w{3}\)/smi"; metadata:ruleset
community, service ftp-data, service http, service imap, service pop3;
reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927;
reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188;
reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681;
reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:21646; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %ALLUSERSPROFILE%";
flow:to_server,established; content:"%ALLUSERSPROFILE%";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
classtype:attempted-recon; sid:21818; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %PROGRAMDATA%";
flow:to_server,established; content:"%PROGRAMDATA%"; fast_pattern:only;
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable in URI attempt - %PATH%";
flow:to_server,established; content:"%PATH%"; fast_pattern:only;
http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21841; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable in URI attempt - %PATHEXT%";
flow:to_server,established; content:"%PATHEXT%"; fast_pattern:only;
http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21842; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable in URI attempt - %PROMPT%";
flow:to_server,established; content:"%PROMPT%"; fast_pattern:only;
http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21843; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable in URI attempt - %USERDOMAIN%";
flow:to_server,established; content:"%USERDOMAIN%"; fast_pattern:only;
http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21844; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER
TDS Sutra - redirect received"; flow:to_client,established;
content:"_0000="; fast_pattern; content:"SL_"; http_cookie;
content:"_0000="; within:8; http_cookie; metadata:impact_flag red, policy
security-ips drop, ruleset community, service http;
reference:url,wepawet.iseclab.org/view.php?
hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js;
reference:url,www.nartv.org/tag/tds/;
reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html;
classtype:trojan-activity; sid:21845; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
TDS Sutra - request in.cgi"; flow:to_server,established;
content:"/in.cgi?"; http_uri; pcre:"/\x2Fin\.cgi\?(\d{1,2}|default)$/Ui";
metadata:impact_flag red, policy security-ips drop, ruleset community,
service http; reference:url,wepawet.iseclab.org/view.php?
hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js;
reference:url,www.nartv.org/tag/tds/;
reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html;
classtype:trojan-activity; sid:21846; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER TDS Sutra - page redirecting to a SutraTDS";
flow:to_client,established; file_data; content:"/in.cgi?";
isdataat:15,relative; content:!"id="; within:3; nocase; content:!"&";
within:6; content:!"="; within:6; pcre:"/\x2Fin\.cgi\?(\w{1,6}|
default)\b/smi"; metadata:impact_flag red, policy security-ips drop,
ruleset community, service http;
reference:url,wepawet.iseclab.org/view.php?
hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js;
reference:url,www.nartv.org/tag/tds/;
reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html;
classtype:trojan-activity; sid:21848; rev:13;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER TDS Sutra - HTTP header redirecting to a SutraTDS";
flow:to_client,established; content:"/in.cgi"; http_header;
# alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain world.rickstudio.ru - Mal/Rimecud-R"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|05|world|0A|rickstudio|02|ru|00|";
fast_pattern:only; metadata:impact_flag red, ruleset community, service
dns; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~Rimecud-R/detailed-analysis.aspx;
classtype:trojan-activity; sid:22959; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain portal.roomshowerbord.com - Mal/EncPk-ADU";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|portal|0E|
roomshowerbord|03|com|00|"; fast_pattern:only; metadata:impact_flag red,
ruleset community, service dns;
reference:url,www.threatexpert.com/report.aspx?
md5=d3d6f87d8f8e3dd5c2793d5a1d3ca7ca; classtype:trojan-activity;
sid:22960; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE script before DOCTYPE possible malicious redirect attempt";
flow:to_client,established; file_data; content:"</script><!DOCTYPE";
fast_pattern:only; metadata:ruleset community, service http;
classtype:web-application-attack; sid:23179; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"INDICATOR-OBFUSCATION hex escaped characters in setTimeout call";
flow:established,to_client; file_data; content:"setTimeout|28|"; nocase;
content:"|5C|x"; within:10; nocase; content:"|5C|x"; within:10; nocase;
pcre:"/setTimeout\x28[\x22\x27][^\x2C]*?\x5cx[\da-f]{2}[^\x2C]*?[\da-f]
{2,}\x5cx[\da-f]{2}/smi"; metadata:ruleset community, service ftp-data,
service http, service imap, service pop3; classtype:bad-unknown;
sid:23481; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"INDICATOR-OBFUSCATION hex escaped characters in addEventListener
call"; flow:established,to_client; file_data; content:"addEventListener|
28|"; nocase; content:"|5C|x"; within:10; nocase; content:"|5C|x";
within:10; nocase; pcre:"/addEventListener\x28[\x22\x27]
[^\x2C]*?\x5cx[\da-f]{2}[^\x2C]*?[\da-f]{2,}\x5cx[\da-f]{2}/smi";
metadata:ruleset community, service ftp-data, service http, service imap,
service pop3; classtype:bad-unknown; sid:23482; rev:4;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC
Win.Trojan.ZeroAccess outbound communication"; flow:to_server; dsize:20;
content:"|9E 98|"; depth:2; offset:6; metadata:policy balanced-ips drop,
policy security-ips drop, ruleset community;
reference:url,www.virustotal.com/file/50cdd9f6c5629630c8d8a3a4fe7d929d3c6
463b2f9407d9a90703047e7db7ff9/analysis/; classtype:trojan-activity;
sid:23492; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"INDICATOR-OBFUSCATION known packer routine with secondary
obfuscation"; flow:to_client,established; file_data;
content:"eval(function(p,a,c,k,e,r)"; fast_pattern:only; content:"|7C|
fromCharCode|7C|"; nocase; content:"|7C|charCodeAt|7C|"; distance:0;
nocase; content:"|7C|eval|7C|"; distance:0; nocase; metadata:ruleset
community, service ftp-data, service http, service imap, service pop3;
reference:url,dean.edwards.name/packer/; classtype:misc-activity;
sid:23621; rev:6;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"INDICATOR-OBFUSCATION JavaScript built-in function parseInt appears
DA83E42FEC25499C329DBDCBB00F2AF0/analysis/; classtype:trojan-activity;
sid:26203; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Eldorado variant outbound connection";
flow:to_server,established; urilen:12; content:"/pid/pid.txt";
fast_pattern:only; http_uri; content:"(compatible|3B 20|Indy Library)|0D
0A 0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/46b01e093493ff14a4f1a43905d4943f
5559fb518c04edde46084d9672d0f20f/analysis/1363359002/; classtype:trojan-activity; sid:26211; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Proxyier variant outbound connection";
flow:to_server,established; content:"GET /?"; depth:6; content:"HTTP/1.1|
0D 0A|Host|3A 20|update|2E|"; distance:0; content:"0b8pre|0D 0A|";
fast_pattern:only; http_header; content:!"|0A|Referer"; http_header;
metadata:ruleset community, service http; classtype:trojan-activity;
sid:26212; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER
Fake postal receipt HTTP Response phishing attack";
flow:to_client,established; content:"|3B 20|filename=Postal-Receipt.zip|
0D 0A|"; fast_pattern:only; http_header; file_data; content:"Postal-Receipt.exe"; metadata:impact_flag red, policy balanced-ips drop, policy
security-ips drop, ruleset community, service http;
reference:url,www.urlquery.net/search.php?
q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50;
classtype:trojan-activity; sid:26261; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Dapato banking Trojan variant outbound connection";
flow:to_server,established; urilen:21; content:"/pics/_vti_cnf/00.inf";
fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/ebcff32473d032041bd69e9599fbff4a
d295128003f76d1f452ba7cb6e2d20d4/analysis/1364314446/; classtype:trojan-activity; sid:26264; rev:5;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain mercury.yori.pl - Kazy Trojan"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|07|mercury|04|yori|02|pl|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/3b10dea660714efe9d89b8473196be64
445741a2b9d36f9ddf5e45e744a9e320/analysis/; classtype:trojan-activity;
sid:26265; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT
Absolute Software Computrace outbound connection - search.dnssearch.org";
flow:to_server,established; content:"Host|3A| search.dnssearch.org|0D
0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header;
metadata:policy security-ips drop, ruleset community, service http;
reference:url,absolute.com/support/consumer/technology_computrace;
reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:26286;
rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT
Absolute Software Computrace outbound connection - search.namequery.com";
reference:url,www.seculert.com/blog/2013/04/magic-persistent-threat.html;
classtype:trojan-activity; sid:26467; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-ORACLE Oracle WebCenter FatWire Satellite Server header injection on
blobheadername2 attempt"; flow:to_server,established;
content:"blobheadername2=Location"; fast_pattern:only; http_uri;
content:"blobheadervalue2="; nocase; http_uri; metadata:ruleset
community, service http; reference:cve,2013-1509;
reference:url,www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html; classtype:web-application-attack; sid:26468; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-ORACLE Oracle WebCenter FatWire Satellite Server header injection on
blobheadername2 attempt"; flow:to_server,established;
content:"blobheadername2=Refresh"; fast_pattern:only; http_uri;
content:"blobheadervalue2="; nocase; http_uri; metadata:ruleset
community, service http; reference:cve,2013-1509;
reference:url,www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html; classtype:web-application-attack; sid:26469; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER
Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware
download"; flow:to_client,established; content:"-2013.zip|0D 0A|";
fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-";
within:1; distance:-14; http_header; file_data; content:"-2013.exe";
content:"-"; within:1; distance:-14; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http;
reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d07
08cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity;
sid:26470; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Zbot fake PNG config file download without User-Agent";
flow:to_server,established; content:"Accept:
application/xml,application/xhtml+xml,text/html|3B|q=0.9,text/plain|3B|
q=0.8,image/png,*/*|3B|q=0.5|0D 0A|"; fast_pattern:only; http_header;
pcre:"/\.png$/Ui"; content:!"User-Agent:"; nocase; http_header;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http; classtype:trojan-activity;
sid:26480; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Unknown Thinner Encrypted POST botnet C&C"; flow:to_server,established;
content:"/thinner/thumb?img="; fast_pattern:only; http_uri; pcre:"/
[^\x20-\x7e\x0d\x0a]{4}/P"; metadata:impact_flag red, policy security-ips
drop, ruleset community, service http; reference:url,support.cleanmx.de/clean-mx/viruses.php?sort=firstseen%20desc&review=95.57.120.111;
classtype:trojan-activity; sid:26482; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP JavaScript tag in User-Agent field possible XSS attempt";
flow:to_server,established; content:"User-Agent|3A| <SCRIPT>";
fast_pattern:only; http_header; metadata:ruleset community, service http;
reference:url,blog.spiderlabs.com/2012/11/honeypot-alert-referer-field-xss-attacks.html; classtype:web-application-attack; sid:26483; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"BLACKLIST User-Agent
known malicious user agent NOKIAN95/WEB"; flow:to_server,established;
content:"User-Agent|3A| NOKIAN95|2F|WEB"; fast_pattern:only;
reference:url,camas.comodo.com/cgi-bin/submit?
file=f48652bff483682938b8c281d32f8f3df424018270900956d30658e1dcec4b44;
reference:url,www.virustotal.com/en/file/f48652bff483682938b8c281d32f8f3d
f424018270900956d30658e1dcec4b44/analysis/1367863560/; classtype:trojan-activity; sid:26583; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE config.inc.php in iframe"; flow:to_client,established;
file_data; content:"<iframe"; content:"config.inc.php"; within:100;
content:"</iframe>"; distance:0; metadata:ruleset community, service
http; reference:url,blog.sucuri.net/2013/05/auto-generated-iframes-to-blackhole-exploit-kit-following-the-cookie-trail.html; classtype:trojan-activity; sid:26585; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain theimageparlour.net - Vobfus worm"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|0F|theimageparlour|03|net|00|";
fast_pattern:only; content:"|03|ns"; content:"|0F|"; within:2;
content:"theimageparlour|03|net|00|"; within:20; metadata:impact_flag
red, policy balanced-ips drop, policy security-ips drop, ruleset
community, service dns;
reference:url,www.virustotal.com/en/file/cbee43ecc75d6f29061416add74a78ce
5e36c67b85e186d66338399305e594d4/analysis/; classtype:trojan-activity;
sid:26589; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain ppcfeedadvertising.com"; flow:to_server; byte_test:1,!
&,0xF8,2; content:"|12|ppcfeedadvertising|03|com|00|"; fast_pattern:only;
metadata:impact_flag red, ruleset community, service dns;
classtype:trojan-activity; sid:26612; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Medfos Trojan variant outbound connection"; flow:to_server,established;
content:"/feed?req=http"; fast_pattern:only; http_uri; content:"|3B| MSIE
"; http_header; content:!"|0D 0A|Accept-Language:"; http_header;
content:!"|0D 0A|Referer:"; http_header;
pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r?\n/Hsmi";
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/5bad5a2e4497f866291813aed264b5dc
3c9fad4e56796306842c7b50b553ae11/analysis/; classtype:trojan-activity;
sid:26613; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain ppcfeedclick.com"; flow:to_server; byte_test:1,!&,0xF8,2;
content:"|0C|ppcfeedclick|03|com|00|"; fast_pattern:only;
metadata:impact_flag red, ruleset community, service dns;
classtype:trojan-activity; sid:26614; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain www2.x3x4.su - backdoor trojan"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|04|www2|04|x3x4|02|su|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/a6cad9e09f5049f432491037946acf33
76d3d957b97f49ecb22f86531fb0b7de/analysis/; classtype:trojan-activity;
sid:26654; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR
Win.Backdoor.PCRat data upload"; flow:to_server,established;
content:"PCRatd"; depth:6; metadata:policy balanced-ips drop, policy
pcre:"/^exec\x7c\d+\x7c\d/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http;
reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26741; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc resolve command"; flow:to_client,established;
file_data; content:"resolve|7C|"; depth:8;
pcre:"/^resolve\x7c\d+\x7c\d/"; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26742; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc antiddos command"; flow:to_client,established;
file_data; content:"antiddos|7C|"; depth:9;
pcre:"/^antiddos\x7c\d+\x7c\d/"; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26743; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc range command"; flow:to_client,established;
file_data; content:"range|7C|"; depth:6; pcre:"/^range\x7c\d+\x7c\d/";
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26744; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc ftp command"; flow:to_client,established;
file_data; content:"ftp|7C|"; depth:4; pcre:"/^ftp\x7c\d+\x7c\d/";
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26745; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc download command"; flow:to_client,established;
file_data; content:"download|7C|"; depth:9;
pcre:"/^download\x7c\d+\x7c\d/"; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26746; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc fastddos command"; flow:to_client,established;
file_data; content:"fastddos|7C|"; depth:9;
pcre:"/^fastddos\x7c\d+\x7c\d/"; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26747; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc slowhttp command"; flow:to_client,established;
file_data; content:"slowhttp|7C|"; depth:9;
pcre:"/^slowhttp\x7c\d+\x7c\d/"; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26748; rev:3;)
reference:url,www.virustotal.com/en/file/218bf5badb5658d06b14d376c9283462
2b6a171dde9fa8dded755d9fd54c4dae/analysis/; classtype:trojan-activity;
sid:26916; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain bigmack.opendns.be - Palevo Botnet";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|bigmack|07|opendns|
02|be|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns;
reference:url,www.mywot.com/en/scorecard/bigmack.opendns.be?page=3;
classtype:trojan-activity; sid:26917; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain trafficconverter.biz - ChronoPay";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|trafficconverter|03|
biz|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns;
reference:url,krebsonsecurity.com/2011/03/chronopays-scareware-diaries/#more-8331; classtype:trojan-activity; sid:26918; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain kjwre9fqwieluoi.info - W32.Sality";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|kjwre9fqwieluoi|04|
info|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns;
reference:url,www.threatexpert.com/report.aspx?
md5=7abf56a5fbced892d2bdbe1fcbff233a; classtype:trojan-activity;
sid:26919; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain kukutrustnet777.info - W32.Sality";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|kukutrustnet777|04|
info|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns;
reference:url,www.threatexpert.com/report.aspx?
md5=7abf56a5fbced892d2bdbe1fcbff233a; classtype:trojan-activity;
sid:26920; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Zeus variant outbound connection"; flow:to_server,established;
content:"/images/"; http_uri; content:".php?id="; distance:1; http_uri;
pcre:"/\/images\/[a-zA-Z]\.php\?id\=[0-9]{2,3}(\.\d)?$/Ui";
metadata:policy balanced-ips drop, policy security-ips drop, ruleset
community, service http; classtype:trojan-activity; sid:26923; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Potential Gozi Trojan HTTP Header Structure"; flow:to_server,established;
urilen:255<>260; content:"= HTTP/1."; fast_pattern:only; content:".php?";
http_uri; content:!"Accept"; http_header; pcre:"/^\/[a-z]{2,20}\.php\?[a-z]{2,10}\x3d[a-zA-Z0-9\x2f\x2b]+\x3d$/I"; metadata:impact_flag red,
policy balanced-ips drop, policy security-ips drop, ruleset community,
service http; classtype:trojan-activity; sid:26924; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL generic
convert injection attempt - GET parameter"; flow:to_server,established;
content:"convert|28|"; fast_pattern:only; http_uri; metadata:policy
security-ips drop, ruleset community, service http;
reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html;
classtype:web-application-attack; sid:26925; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT
DotkaChef/Rmayana/DotCache exploit kit inbound java exploit download";
flow:to_client,established; content:"filename=atom.jar";
fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy
security-ips drop, ruleset community, service http; reference:cve,2013-2423; reference:url,www.basemont.com/new_exploit_kit_june_2013;
classtype:trojan-activity; sid:26947; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT
DotkaChef/Rmayana/DotCache exploit kit inbound java exploit download";
flow:to_client,established; content:"filename=site.jar";
fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy
security-ips drop, ruleset community, service http; reference:cve,2013-1493; reference:url,www.basemont.com/new_exploit_kit_june_2013;
classtype:trojan-activity; sid:26948; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT
DotkaChef/Rmayana/DotCache exploit kit landing page";
flow:to_client,established; file_data; content:"<applet width=";
content:"0"; within:1; distance:1; content:" height="; within:8;
distance:1; content:"0"; within:1; distance:1; content:" code=";
within:6; distance:1; content:"site.avi"; within:8; distance:1; nocase;
content:" archive="; within:9; distance:1; metadata:policy balanced-ips
drop, policy security-ips drop, ruleset community, service http;
reference:url,www.basemont.com/new_exploit_kit_june_2013;
classtype:trojan-activity; sid:26949; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT
DotkaChef/Rmayana/DotCache exploit kit Zeroaccess download attempt";
flow:to_server,established; content:"/?f=s"; http_uri; content:"&k=";
distance:0; http_uri; pcre:"/\&k=\d+($|\&h=)/U";
flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:cve,2013-1493; reference:cve,2013-2423;
reference:url,www.basemont.com/new_exploit_kit_june_2013;
reference:url,www.malwaresigs.com/2013/06/14/dotcachef/;
classtype:trojan-activity; sid:26950; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT
DotkaChef/Rmayana/DotCache exploit kit Malvertising Campaign URI
request"; flow:to_server,established; content:"/.cache/?f=";
fast_pattern; http_uri; content:".jar"; http_uri; pcre:"/[^&]+&[a-z]=[a-f0-9]{16}&[a-z]=[a-f0-9]{16}$/U"; metadata:policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,research.zscaler.com/2013/06/openxadvertisingcom-mass-malvertising.html; classtype:trojan-activity; sid:26951; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Win32 Facebook Secure Cryptor C2"; flow:to_server,established;
content:"/forum/search.php?email="; http_uri; content:"&method=";
distance:0; http_uri; content:!"Referer"; http_header;
content:!"Accept-"; http_header; metadata:policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,blog.avast.com/2013/06/18/your-facebook-connection-is-now-secured; classtype:trojan-activity; sid:26965; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win32/Autorun.JN variant outbound connection";
flow:to_server,established; dsize:142; urilen:8; content:"/u5.htm";
fast_pattern:only; http_uri; content:"//u5.htm"; http_raw_uri;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry
.aspx?Name=Worm%3AWin32%2FAutorun.JN;
reference:url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb96
13e59ec29ea3d7424dd9f400af2c0f06/analysis/; classtype:trojan-activity;
sid:26966; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Gozi Data Theft POST Data"; flow:to_server,established;
content:"POST"; http_method; content:"data.php"; http_uri; content:"|0D
0A|URL: "; fast_pattern:only; http_client_body; content:"Content-Disposition: form-data|3B| name="; http_client_body; metadata:impact_flag
red, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/b78c5c53d3b54acbca2b344a779528f0
408258b6ac12899c860d99bf563e883a/analysis/; classtype:trojan-activity;
sid:26968; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Gozi Trojan Data Theft POST URL"; flow:to_server,established;
content:"POST"; http_method; content:".php?version="; http_uri;
content:"&user="; distance:0; http_uri; content:"&server="; distance:0;
http_uri; content:"&name="; distance:0; http_uri; metadata:impact_flag
red, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/b78c5c53d3b54acbca2b344a779528f0
408258b6ac12899c860d99bf563e883a/analysis/; classtype:trojan-activity;
sid:26969; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Pirminay variant outbound connection";
flow:to_server,established; content:"Cookie: cache=cc2=";
fast_pattern:only; content:"cache=cc2="; http_cookie;
pcre:"/Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r\n/H";
metadata:impact_flag red, policy security-ips drop, ruleset community,
service http;
reference:url,www.virustotal.com/en/file/97f97c2126ed6ffc447a5f8c72d50467
9129a38f8a62e4678321f9a8057c3307/analysis/; classtype:trojan-activity;
sid:26970; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain fasternation.net - Win.Trojan.Pirminay"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|0C|fasternation|03|net|00|";
fast_pattern:only; metadata:impact_flag red, policy security-ips drop,
ruleset community, service http;
reference:url,www.virustotal.com/en/file/97f97c2126ed6ffc447a5f8c72d50467
9129a38f8a62e4678321f9a8057c3307/analysis/; classtype:trojan-activity;
sid:26971; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Injector Info Stealer Trojan variant outbound connection";
flow:to_server,established; content:"/xgi-bin/"; depth:9; http_uri;
content:".php?"; within:5; distance:1; http_uri; content:"|3B| MSIE ";
http_header; content:!"Accept-Language:"; http_header;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/4BAF26D033E17F0171AB27291649EEAE
19EE33BD0246F17BC921E3ADB7F36F42/analysis/; classtype:trojan-activity;
sid:26984; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT
Rawin exploit kit outbound java retrieval"; flow:to_server,established;
content:"rawin.php?b="; http_uri; content:"&v=1."; distance:0; http_uri;
byte_test:1,!&,0xF8,2; content:"|08|ohtheigh|02|cc|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,secure2.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Foreign-R/detailed-analysis.aspx;
reference:url,www.virustotal.com/en/file/787cf06f029d8f79ed375aef13d18301
541d73a56b4415da433833b8dae27b63/analysis/1374765802/; classtype:trojan-activity; sid:27537; rev:1;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-OTHER self-signed SSL certificate with default MyCompany Ltd organization name";
flow:established,to_client; ssl_state:server_hello; content:"|55 04 0A|";
content:"|0E|MyCompany Ltd"; within:14; distance:1; metadata:impact_flag
red, ruleset community, service ssl;
reference:url,en.wikipedia.org/wiki/Self-signed_certificate;
reference:url,security.ncsa.illinois.edu/research/gridhowtos/usefulopenssl.html; classtype:policy-violation; sid:27538; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER
HideMeBetter spam injection variant"; flow:to_client,established;
file_data; content:"<div id=|22|HideMeBetter|22|>"; fast_pattern:only;
content:"if(document|2E|getElementById(|22|HideMeBetter|22|)|20 21 3D 20|
null)"; metadata:impact_flag red, policy balanced-ips drop, policy
security-ips drop, ruleset community, service http;
reference:url,blog.sucuri.net/2013/07/hidemebetter-spam-injection-variant.html; classtype:trojan-activity; sid:27565; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Rovnix malicious download request";
flow:to_server,established; content:"/ld.aspx"; nocase; http_uri;
content:"User-Agent|3A 20|FWVersionTestAgent|0D 0A|"; fast_pattern:only;
http_header; metadata:impact_flag red, policy balanced-ips drop, policy
security-ips drop, ruleset community, service http;
reference:url,blog.didierstevens.com/2013/08/04/quickpost-rovnix-pcap;
reference:url,blogs.technet.com/b/mmpc/archive/2013/07/25/the-evolution-of-ronvix-private-tcp-ip-stacks.aspx; classtype:trojan-activity;
sid:27567; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Redyms variant outbound connection";
flow:to_server,established; content:"&intip="; fast_pattern:only;
http_uri; content:"?id="; http_uri; content:"&port="; distance:0;
http_uri; content:"&bid="; distance:0; http_uri; metadata:impact_flag
red, policy balanced-ips drop, policy security-ips drop, ruleset
community, service http;
reference:url,www.virustotal.com/en/file/1c61afd792257cbc72dc3221deb3d009
3f0fc1abf2c3f2816e041e37769137a4/analysis/1375189147/; classtype:trojan-activity; sid:27596; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Fort Disco Registration variant outbound connection";
flow:to_server,established; content:"/cmd.php"; http_uri; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| Synapse)"; fast_pattern:only;
http_header; metadata:policy balanced-ips drop, policy security-ips drop,
ruleset community, service http; reference:url,www.net-security.org/secworld.php?id=15370; classtype:trojan-activity; sid:27599;
rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain documents.myPicture.info"; flow:to_server; byte_test:1,!
&,0xF8,2; content:"|09|documents|09|myPicture|04|info|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html; classtype:trojan-activity;
sid:27625; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain ftp.documents.myPicture.info"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|03|ftp|09|documents|09|myPicture|04|
info|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns;
reference:url,fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html; classtype:trojan-activity;
sid:27626; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain info.xxuz.com"; flow:to_server; byte_test:1,!&,0xF8,2;
content:"|04|info|04|xxuz|03|com|00|"; fast_pattern:only;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service dns;
reference:url,fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html; classtype:trojan-activity;
sid:27627; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain www.documents.myPicture.info"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|03|www|09|documents|09|myPicture|04|
info|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns;
reference:url,fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html; classtype:trojan-activity;
sid:27628; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Backdoor.Aumlib variant outbound connection";
flow:to_server,established; content:"/tomcat-docs/index.jsp?/"; http_uri;
content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 5.01|3B|
Windows NT 5.0|29|"; fast_pattern:only; http_header; metadata:impact_flag
red, policy balanced-ips drop, policy security-ips drop, ruleset
community, service http;
reference:url,fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html; classtype:trojan-activity;
sid:27629; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC
Win.Backdoor.Aumlib variant outbound connection";
flow:to_server,established; content:"/bbs/search.asp"; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 5.0|3B| Windows NT 5.0|
29|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service http;
reference:url,fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html; classtype:trojan-activity;
sid:27630; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC
Win.Backdoor.Aumlib variant outbound connection";
flow:to_server,established; content:"/buy-sell/search.asp?newsid=";
content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 5.0|3B|
Windows NT 5.0|29|"; fast_pattern:only; metadata:impact_flag red, policy
and-its-new-encryption-scheme.html;
reference:url,www.virustotal.com/en/file/929b62b673db55f443a36fa2de184a2b
e03788bbe714fc586b82a19444727a54/analysis/; classtype:trojan-activity;
sid:28538; rev:4;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain lovesyr.sytes.net - Win.Worm Dunhihi"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|07|lovesyr|05|sytes|03|net|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/c3c4abd4ccf24da96abc0b4045219a89
c86662bad9201913c5317f6e3e7841d9/analysis/; classtype:trojan-activity;
sid:28539; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain dkxszh.org"; flow:to_server; byte_test:1,!&,0xF8,2;
content:"|06|dkxszh|03|org|00|"; fast_pattern:only; metadata:impact_flag
red, policy balanced-ips drop, policy security-ips drop, ruleset
community, service dns;
reference:url,www.virustotal.com/en/file/0b216c2a7e2ac3284fac877054b13594
7823c91a712bb1c3e289168c973a6ce0/analysis/; classtype:trojan-activity;
sid:28540; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.ZeroAccess Download Headers"; flow:to_server,established;
urilen:5<>14; content:"|0D 0A|Accept: */*|0D 0A|Accept-Encoding:
identity, *|3B|q=0|0D 0A|Connection: close|0D 0A|User-Agent: ";
fast_pattern:only; http_header; content:".exe HTTP/1.0|0D 0A|Host: ";
pcre:"/^\x2f[a-z\d]{1,8}\.exe$/Ui"; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http;
reference:url,www.virustotal.com/en/analisis//file/eeaeb1506d805271b5147c
e911df9c264d63e4d229de4464ef879a83fb225a40/analysis/; classtype:trojan-activity; sid:28541; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC
Win.Trojan.Conficker variant outbound connection";
flow:to_server,established; dsize:146; urilen:1; content:"GET / HTTP/1.1|
0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT
5.1|3B| Trident/4.0)|0D 0A|Host: checkip.dyndns.org|0D 0A|Cache-Control:
no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red,
policy balanced-ips drop, policy security-ips drop, ruleset community,
service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity;
sid:28542; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC
Win.Trojan.Conficker variant outbound connection";
flow:to_server,established; dsize:139; urilen:1; content:"GET / HTTP/1.1|
0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT
5.1|3B| Trident/4.0)|0D 0A|Host: www.ask.com|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28543; rev:1;)
# alert udp $EXTERNAL_NET 2425 -> $HOME_NET 2425 (msg:"INDICATOR-SCAN
inbound probing for IPTUX messenger port "; flow:to_server;
content:"iptux"; depth:5; offset:2; content:"lws|3A|lws"; within:7;
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain 722forbidden1.sytes.net - Win.Trojan.MSIL variant outbound
connection "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|
722forbidden1|05|sytes|03|net"; fast_pattern:only; metadata:impact_flag
red, policy balanced-ips drop, policy security-ips drop, ruleset
community, service dns; reference:url,fileanalyzer.net/analysis/1076/5370/0/html;
reference:url,www.virustotal.com/en/file/e2aa97c947cdf38e76749e863f73e31c
94da76d84ba8b3a8a4342c253b2b934b/analysis/; classtype:trojan-activity;
sid:29217; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Strictor variant outbound connection";
flow:to_server,established; urilen:19,norm;
content:"/mod/lookfashon.jpg"; fast_pattern:only; http_uri;
content:!"Accept-Language:"; http_header; metadata:impact_flag red,
policy balanced-ips drop, policy security-ips drop, ruleset community,
service http;
reference:url,www.virustotal.com/en/file/0fe413704c85751b060546ebfd428d57
726d8fd002ca95ec8deb76f5f37ed9c4/analysis/1389125202/; classtype:trojan-activity; sid:29220; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Graftor variant outbound connection";
flow:to_server,established; content:"/chamjavanv.inf?aapf/login.jsp?=";
fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/a46c3fee842f1ded35b6a4e003c0e6ea
62ee66d354d4b826b4c3e5aa9310b3ba/analysis/; classtype:trojan-activity;
sid:29259; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Graftor variant outbound connection";
flow:to_server,established; content:"/novredir_inf.php?apt/login.jsp?=";
fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/a46c3fee842f1ded35b6a4e003c0e6ea
62ee66d354d4b826b4c3e5aa9310b3ba/analysis/; classtype:trojan-activity;
sid:29260; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Dropper variant outbound connection";
flow:to_server,established; urilen:19,norm;
content:"/FileToDownload.exe"; fast_pattern:only; http_uri;
content:"Host: dl.dropbox.com|0D 0A|"; http_header; content:!"Accept";
http_header; content:!"User-Agent"; http_header; metadata:impact_flag
red, policy balanced-ips drop, policy security-ips drop, ruleset
community, service http; reference:url,fileanalyzer.net/analysis/1087/5386/0/html;
reference:url,www.virustotal.com/en/file/913cc54750e8bb6b88d5ccbfc988e010
7f80ad14ba4d052a3f3db11ccfd8ce4a/analysis/; classtype:trojan-activity;
sid:29261; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain bog5151.zapto.org - Win.Trojan.Dunihi"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|07|bog5151|05|zapto|03|org|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/fc274838271cc9e28d8c3c9c925f38c0
7da14c13f3df56f41450f514904ae876/analysis/; classtype:trojan-activity;
sid:29262; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain kara.no-ip.info - Win.Trojan.Dunihi"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|04|kara|05|no-ip|04|info|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/e3cbce74e7fa73b931283b0187f237d0
acb4ea3e1f5ce2be4af83493a6bef460/analysis/; classtype:trojan-activity;
sid:29263; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.Graftor variant inbound connection";
flow:to_client,established; content:"|3B 20|filename=CostcoForm.zip|0D
0A|"; fast_pattern:only; http_header; file_data;
content:"CostcoForm.exe"; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/b20fcfe7d851dfe1f835e60072e53b0a
3c54e14d0fc94814ce841be4740f295c/analysis; classtype:trojan-activity;
sid:29300; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Zusy variant outbound connection"; flow:to_server,established;
content:"rotina=UPDATE&tip=stat&nome="; depth:28; fast_pattern;
http_client_body; content:"&tmp="; distance:0; http_client_body;
content:"&stat="; distance:0; http_client_body; metadata:impact_flag red,
policy balanced-ips drop, policy security-ips drop, ruleset community,
service http;
reference:url,www.virustotal.com/en/file/6fdd7c0630ea89a58cdc1f3fb74bf5a9
9732bd5649a39411868bf71e90cfdc84/analysis/1389362066/; classtype:trojan-activity; sid:29349; rev:1;)
# alert tcp $EXTERNAL_NET [777,778] -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.Dropper inbound encrypted traffic";
flow:to_client,established; dsize:10<>20; content:"|05 29 00 00 00 05 29
00 00 00|"; fast_pattern:only; metadata:ruleset community;
reference:url,www.virustotal.com/en/file/20b49af8b750a1899117827476402cca
f7095fb5b7aad2e96c8109290da453cb/analysis/;
reference:url,www.virustotal.com/en/file/559e8dbe388c8c103996b208eb5532e2
95da717f84b4a7ddf5c9885de8115606/analysis/; classtype:trojan-activity;
sid:29378; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [777,778] (msg:"MALWARE-CNC
Win.Trojan.Dropper outbound encrypted traffic - potential exfiltration";
flow:to_server,established; dsize:>1440; content:"|03 2B 82 86 02 A0
05|"; fast_pattern:only; metadata:ruleset community;
reference:url,www.virustotal.com/en/file/20b49af8b750a1899117827476402cca
f7095fb5b7aad2e96c8109290da453cb/analysis/;
reference:url,www.virustotal.com/en/file/559e8dbe388c8c103996b208eb5532e2
95da717f84b4a7ddf5c9885de8115606/analysis/; classtype:trojan-activity;
sid:29379; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [777,778] (msg:"MALWARE-CNC
Win.Trojan.Dropper outbound encrypted traffic";
flow:to_server,established; dsize:5; content:"|05 29 00 00 00|";
fast_pattern:only; metadata:ruleset community;
reference:url,www.virustotal.com/en/file/20b49af8b750a1899117827476402cca
f7095fb5b7aad2e96c8109290da453cb/analysis/;
reference:url,www.virustotal.com/en/file/559e8dbe388c8c103996b208eb5532e2
95da717f84b4a7ddf5c9885de8115606/analysis/; classtype:trojan-activity;
sid:29380; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC
Win.Trojan.Zeus variant outbound connection"; flow:to_server,established;
urilen:6; content:"/webhp HTTP/1.1|0D 0A|Accept: */*|0D 0A|Connection:
Close|0D 0A|User-Agent: Mozilla/4.0 ("; fast_pattern:only; content:"|3B|
MSIE "; http_header; content:"google."; http_header; content:!"Accept-";
http_header; content:"NID="; depth:4; http_cookie; metadata:impact_flag
red, ruleset community, service http;
reference:url,www.virustotal.com/en/file/ef4e0ccc49decb41f213a20f61d92374
c3b97497105d7c20e7284f65055d2ccb/analysis/; classtype:trojan-activity;
sid:29395; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-SPAM
Potential phishing attack - .zip receipt filename download with .exe name
within .zip the same"; flow:to_client,established; content:"Receipt";
fast_pattern:only; http_header; content:".zip"; http_header;
pcre:"/\sfilename=[a-z0-9]{0,20}receipt[a-z0-9]{0,20}\.zip/Hi";
file_data; content:"PK"; depth:2; content:".exe"; within:50;
metadata:ruleset community, service http; classtype:trojan-activity;
sid:29396; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-SPAM
Potential phishing attack - .zip shipping filename download with .exe
name within .zip the same"; flow:to_client,established;
content:"Shipping"; fast_pattern:only; http_header; content:".zip";
http_header; pcre:"/\sfilename=[a-z0-9]{0,20}shipping[a-z0-9]
{0,20}\.zip/Hi"; file_data; content:"PK"; depth:2; content:".exe";
within:50; metadata:ruleset community, service http; classtype:trojan-activity; sid:29397; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-SPAM
Potential phishing attack - .zip voicemail filename download with .exe
name within .zip the same"; flow:to_client,established;
content:"voicemail"; fast_pattern:only; http_header; content:".zip";
http_header; pcre:"/\sfilename=[a-z0-9]{0,20}voicemail[a-z0-9]
{0,20}\.zip/Hi"; file_data; content:"PK"; depth:2; content:".exe";
within:50; metadata:ruleset community, service http; classtype:trojan-activity; sid:29398; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-SPAM
Potential phishing attack - .zip statement filename download with .exe
name within .zip the same"; flow:to_client,established;
content:"statement"; fast_pattern:only; http_header; content:".zip";
http_header; pcre:"/\sfilename=[a-z0-9]{0,20}statement[a-z0-9]
{0,20}\.zip/Hi"; file_data; content:"PK"; depth:2; content:".exe";
within:50; metadata:ruleset community, service http; classtype:trojan-activity; sid:29399; rev:1;)
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP
Unusual L3retriever Ping detected"; icode:0; itype:8; dsize:>32;
content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; metadata:ruleset
community; reference:url,krebsonsecurity.com/2014/01/a-closer-look-at-the-target-malware-part-ii/; reference:url,krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/; classtype:successful-recon-limited; sid:29454; rev:1;)
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP
Unusual Microsoft Windows Ping detected"; icode:0; itype:8; dsize:>32;
content:"0123456789abcdefghijklmnopqrstuv"; depth:32; metadata:ruleset
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain carrus.gotdns.com - Win.Trojan.Careto"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|06|carrus|06|gotdns|03|com|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d
4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity;
sid:29762; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain cherry1962.dyndns.org - Win.Trojan.Careto";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|cherry1962|06|dyndns|
03|org|00|"; fast_pattern:only; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
dns;
reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d
4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity;
sid:29763; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain ctronlinenews.dyndns.tv - Win.Trojan.Careto";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|ctronlinenews|06|
dyndns|02|tv|00|"; fast_pattern:only; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
dns;
reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d
4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity;
sid:29764; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain dfup.selfip.org - Win.Trojan.Careto"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|04|dfup|06|selfip|03|org|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d
4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity;
sid:29765; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain fast8.homeftp.org - Win.Trojan.Careto"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|05|fast8|07|homeftp|03|org|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d
4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity;
sid:29766; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain gx5639.dyndns.tv - Win.Trojan.Careto"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|06|gx5639|06|dyndns|02|tv|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d
4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity;
sid:29767; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain helpcenter1it6238.cz.cc - Win.Trojan.Careto";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|11|helpcenter1it6238|02|
cz|02|cc|00|"; fast_pattern:only; metadata:impact_flag red, policy
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain oco-231-ms.xns01.com - Win.Trojan.Careto"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|0A|oco-231-ms|05|xns01|03|com|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d
4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity;
sid:29775; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain pininfarina.dynalias.com - Win.Trojan.Careto";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|pininfarina|08|
dynalias|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
dns;
reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d
4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity;
sid:29776; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain pl400.dyndns.org - Win.Trojan.Careto"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|05|pl400|06|dyndns|03|org|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d
4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity;
sid:29777; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain prosoccer1.dyndns.info - Win.Trojan.Careto";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|prosoccer1|06|dyndns|
04|info|00|"; fast_pattern:only; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
dns;
reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d
4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity;
sid:29778; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain redirserver.net - Win.Trojan.Careto"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|0B|redirserver|03|net|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d
4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity;
sid:29779; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain ricush.ath.cx - Win.Trojan.Careto"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|06|ricush|03|ath|02|cx|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d
4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity;
sid:29780; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain services.serveftp.org - Win.Trojan.Careto";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|services|08|serveftp|
03|org|00|"; fast_pattern:only; metadata:impact_flag red, policy
.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2;
classtype:trojan-activity; sid:29853; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain rouge166821.no-ip.biz - Win.Trojan.Jenxcus";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|rouge166821|05|no-ip|
03|biz"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service dns;
reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry
.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2;
classtype:trojan-activity; sid:29854; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain school-pc.sytes.net - Win.Trojan.Dunihi";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|school-pc|05|sytes|
03|net"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service dns;
reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry
.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2;
classtype:trojan-activity; sid:29855; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain vanonymous.no-ip.org - Win.Trojan.Jenxcus";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|vanonymous|05|no-ip|
03|org"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service dns;
reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry
.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2;
classtype:trojan-activity; sid:29856; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain vichtorio-israeli.zapto.org - Win.Trojan.Jenxcus"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|11|
vichtorio-israeli|05|zapto|03|org"; fast_pattern:only;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service dns;
reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry
.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2;
classtype:trojan-activity; sid:29857; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain zkzak.np-ip.biz - Win.Trojan.Jenxcus";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|zkzak|05|np-ip|03|
biz"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service dns;
reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry
.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2;
classtype:trojan-activity; sid:29858; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.Pirminay variant outbout connection";
flow:to_client,established; content:"filename=|22|full__setup.zip|22 0D
0A|"; fast_pattern:only; http_header; file_data;
content:"full__setup.exe"; depth:200; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http;
reference:url,www.virustotal.com/en/file/5e1a615ddf73b27390d7a3c87a289327
61fc1c843e01cd68253e873270bef69d/analysis/1392222514/; classtype:trojan-activity; sid:29862; rev:1;)
content:"Content-Length: 16"; http_header; file_data; content:"STATUS-IMPORT-OK"; fast_pattern:only; metadata:policy balanced-ips drop, policy
security-ips drop, ruleset community, service http; reference:url,fileanalyzer.net/analysis/1830/6840/0/html;
reference:url,www.virustotal.com/en/file/58762cf6aa8eea5744716986773a2c22
ae7412eae634be7bed648c96465bc8ef/analysis/; classtype:trojan-activity;
sid:29870; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain jwqakoy3wdktb0.com - Win.Trojan.CryptoLocker";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|jwqakoy3wdktb0|03|
com|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns;
classtype:trojan-activity; sid:29875; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.WEC variant outbound connection"; flow:to_server,established;
dsize:69; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent:
Mozilla/4.0|0D 0A|Host: checkip.dyndns.org|0D 0A 0D 0A|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/164c792247b2822ab1dce8271a9498d3
c9172ff21d36feccf83265ded1be8d0b/analysis/; classtype:trojan-activity;
sid:29882; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Zeus variant outbound connection"; flow:to_server,established;
content:"POST"; http_method; content:"/gate.php"; fast_pattern:only;
http_uri; content:"|3B 20|MSIE|20|"; http_header; content:!"Accept-Language:"; http_header; content:!"Referer:"; http_header;
content:!"Accept-Encoding:"; http_header; metadata:impact_flag red,
policy balanced-ips drop, policy security-ips drop, ruleset community,
service http; classtype:trojan-activity; sid:29884; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLACKLIST User-Agent
known malicious user-agent string Updates downloader - Win.Trojan.Upatre"; flow:to_server,established; content:"User-Agent|3A|
Updates downloader|0D 0A|"; fast_pattern:only; http_header;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/F167C95A467F584890F39BA2162F1B96
E7626F5C575EB151C8E4E00E68F97478/analysis/; classtype:trojan-activity;
sid:29887; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Pushdo variant outbound connection";
flow:to_server,established; content:"POST"; http_method;
content:!"Referer|3A 20|"; http_header; content:"Accept|3A| */*|0D 0A|
Accept-Language|3A| en-us|0D 0A|Content-Type|3A| application/octet-stream|0D 0A|Content-Length|3A| "; depth:93; http_header; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B|
SV1)|0D 0A|Host|3A|"; distance:0; fast_pattern:34,20; http_header;
content:"Connection|3A| Keep-Alive|0D 0A|Cache-Control|3A| no-cache|0D
0A|"; distance:0; http_header; metadata:policy security-ips drop, ruleset
community, service http; classtype:trojan-activity; sid:29891; rev:6;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain pibadfixwug.kz - Win.Trojan.Pushdo"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|0B|pibadfixwug|02|kz|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
171cf6cf9a732fd394ff9f707ddaf682/analysis; classtype:trojan-activity;
sid:30068; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain smsgrabber.url.ph - Android iBanking/Spy.49";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|smsgrabber|03|url|02|
ph|00|"; metadata:impact_flag red, policy balanced-ips drop, policy
security-ips drop, ruleset community, service dns;
reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=3166;
reference:url,www.virustotal.com/en/file/38f6fccfc8a31306c0a03cad6908c148
e8506fd70ce03165fd89e18113b68e02/analysis/; classtype:trojan-activity;
sid:30069; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER
ANDR.Trojan.iBanking outbound connection attempt";
flow:to_server,established; urilen:21; content:"/android/sms/sync.php";
fast_pattern:only; http_uri; content:"User-Agent|3A 20|Apache-HttpClient|
2F|"; http_header; content:"bot_id="; http_client_body; content:"&imei=";
distance:0; http_client_body; content:"&iscallhack="; distance:0;
http_client_body; content:"&issmshack="; distance:0; http_client_body;
content:"&isrecordhack="; distance:0; http_client_body;
content:"&isadmin="; distance:0; http_client_body;
content:"&control_number="; distance:0; http_client_body;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=3166;
reference:url,www.virustotal.com/en/file/38f6fccfc8a31306c0a03cad6908c148
e8506fd70ce03165fd89e18113b68e02/analysis/; classtype:trojan-activity;
sid:30070; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER
ANDR.Trojan.iBanking outbound connection attempt";
flow:to_server,established; urilen:21; content:"POST"; http_method;
content:"/android/sms/ping.php"; fast_pattern:only; http_uri;
content:"User-Agent|3A 20|Apache-HttpClient|2F|"; http_header;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=3166;
reference:url,www.virustotal.com/en/file/38f6fccfc8a31306c0a03cad6908c148
e8506fd70ce03165fd89e18113b68e02/analysis/; classtype:trojan-activity;
sid:30071; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER
ANDR.Trojan.iBanking outbound connection attempt";
flow:to_server,established; urilen:22; content:"/android/sms/index.php";
fast_pattern:only; http_uri; content:"User-Agent|3A 20|Apache-HttpClient|
2F|"; http_header; content:"bot_id="; http_client_body;
content:"&number=&iccid=&model="; distance:0; http_client_body;
content:"&imei="; distance:0; http_client_body; content:"&os=";
distance:0; http_client_body; content:"&control_number="; distance:0;
http_client_body; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=3166;
reference:url,www.virustotal.com/en/file/38f6fccfc8a31306c0a03cad6908c148
e8506fd70ce03165fd89e18113b68e02/analysis/; classtype:trojan-activity;
sid:30072; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Gamut configuration download"; flow:to_server,established;
metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, ruleset community;
reference:url,www.virustotal.com/file/50cdd9f6c5629630c8d8a3a4fe7d929d3c6
463b2f9407d9a90703047e7db7ff9/analysis/; classtype:trojan-activity;
sid:31136; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Banker variant outbound connection";
flow:to_server,established; content:"POST"; http_method;
content:"/notify.php HTTP/1.0|0D 0A|"; fast_pattern:only; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A|"; http_header;
content:"Content-Length: 0|0D 0A|"; http_header; metadata:impact_flag
red, policy balanced-ips drop, policy security-ips drop, ruleset
community, service http;
reference:url,www.virustotal.com/en/file/bf40d710dda1a3ada127d68b34b837ec
a03a28699cd858cda7d4a3e36690628a/analysis/; classtype:trojan-activity;
sid:31221; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Banker variant outbound connection";
flow:to_server,established; urilen:17; content:"/second/game1.inf";
fast_pattern:only; http_uri; content:"|3B 20|MSIE|20|"; http_header;
content:!"Accept-Language:"; http_header; content:!"Referer:";
http_header; metadata:impact_flag red, policy balanced-ips drop, policy
security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/bf40d710dda1a3ada127d68b34b837ec
a03a28699cd858cda7d4a3e36690628a/analysis/; classtype:trojan-activity;
sid:31222; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Necurs variant outbound connection";
flow:to_server,established; urilen:15; content:"/news/index.php HTTP/1.1|
0D 0A|Content-Type: application/octet-stream|0D 0A|Host: ";
fast_pattern:only; content:!"User-Agent:"; http_header;
content:!"Referer:"; http_header; content:!"Accept"; http_header;
metadata:impact_flag red, ruleset community, service http;
reference:url,www.virustotal.com/en/file/565496cb40fc868d233dabfb1e178e8b
9042d964cb1e4f5f3386a6db4f1cf30e/analysis/1400509611/; classtype:trojan-activity; sid:31243; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,443]
(msg:"MALWARE-CNC Win.Trojan.Kuluoz outbound connection";
flow:to_server,established; urilen:43; content:"POST /"; depth:6;
content:" HTTP/1.1"; within:9; distance:42; content:"Firefox/";
distance:0; content:!"|0D 0A|Accept-"; pcre:"/^POST\x20\x2f[A-F\d]
{42}\x20HTTP/"; metadata:impact_flag red, policy security-ips drop,
ruleset community, service http;
reference:url,www.virustotal.com/en/file/93a40a83977ca24df6e12d7d6f19a9b9
d92cb3ea3174ea9d4398ad2048205c42/analysis/; classtype:trojan-activity;
sid:31244; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.Andromeda HTTP proxy response attempt";
flow:to_client,established; file_data; content:"function
FindProxyForURL(url, host)"; depth:35; content:"yx0=0|3B|yx1=1|3B|yx2=2|
3B|yx3=3|3B|yx4=4|3B|yx5=5|3B|yx6=6|3B|yx7=7|3B|yx8=8|3B|yx9=9|3B|lit=|22
22|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service http;
pcre:"/[a-z]=[a-f0-9]{98}/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/a92ae8e80b0b70288a32c0455856453c
5980021156132a540035e7ef5e0fa79e/analysis/; classtype:trojan-activity;
sid:31450; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Symmi variant outbound connection";
flow:to_server,established; content:".php?chave=xchave&url|3D 20 3D 7C 3D
20|"; fast_pattern:only; http_uri; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http;
reference:url,www.virustotal.com/en/file/08e670fd1f7141f219f0bb7f48c17948
5146e439847a68cdf52b85328b66dd22/analysis/; classtype:trojan-activity;
sid:31452; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.ChoHeap variant outbound connection";
flow:to_server,established; content:" HTTP/1.1|0D 0A|User-Agent:
Mozilla/5.0|0D 0A|"; content:"Service Pack "; fast_pattern:only;
http_uri; content:"Cache-Control: no-cache|0D 0A 0D 0A|"; http_header;
metadata:impact_flag red, policy security-ips drop, ruleset community,
service http;
reference:url,www.virustotal.com/en/file/0423e10a674fb7e96557eac50b512077
09a248df6e06aeeba401ded6157c1298/analysis/; classtype:trojan-activity;
sid:31453; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.ChoHeap variant outbound connection";
flow:to_server,established; content:".rar HTTP/1.1|0D 0A|Accept: text/*,
application/*|0D 0A|User-Agent: Mozilla/5.0|0D 0A|Host: ";
fast_pattern:only; content:"|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|";
http_header; metadata:impact_flag red, ruleset community, service http;
reference:url,www.virustotal.com/en/file/0423e10a674fb7e96557eac50b512077
09a248df6e06aeeba401ded6157c1298/analysis/; classtype:trojan-activity;
sid:31454; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT
Rig Exploit Kit Outbound DGA Request"; flow:established,to_server;
urilen:25<>32; content:".html?0."; depth:11; offset:2; http_uri;
pcre:"/\/[a-z]{1,4}\x2ehtml\x3f0\x2e[0-9]{15,}$/U"; metadata:policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http; reference:url,www.symantec.com/connect/blogs/rig-exploit-kit-used-recent-website-compromise; classtype:trojan-activity; sid:31455; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain infolooks.org - Win.Trojan.SDBot"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|09|infolooks|03|org|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/5682e096bad2d2e75fb09122af272572
b23ca5defb70325ab7cdc4c534a68e7d/analysis; classtype:trojan-activity;
sid:31456; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain joydagaspy.biz - Win.Trojan.SDBot"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|0A|joydagaspy|03|biz|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/5682e096bad2d2e75fb09122af272572
b23ca5defb70325ab7cdc4c534a68e7d/analysis; classtype:trojan-activity;
sid:31457; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.SDBot variant outbound connection";
flow:to_server,established; urilen:8; content:"/install"; http_uri;
content:"argc="; depth:5; http_client_body; content:"&name="; distance:0;
http_client_body; content:"&previous="; fast_pattern:only;
http_client_body; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/5682e096bad2d2e75fb09122af272572
b23ca5defb70325ab7cdc4c534a68e7d/analysis; classtype:trojan-activity;
sid:31458; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain cd5c5c.com - Win.Trojan.Androm"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|06|cd5c5c|03|com|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,malwr.com/analysis/ZmE3ZWU2YTkyM2U0NGQ0MmI1NDcxMjUwZDE2NTM5
MjQ/; classtype:trojan-activity; sid:31463; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain disk57.com - Win.Trojan.Androm"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|06|disk57|03|com|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,malwr.com/analysis/ZmE3ZWU2YTkyM2U0NGQ0MmI1NDcxMjUwZDE2NTM5
MjQ/; classtype:trojan-activity; sid:31464; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Androm Click Fraud Request"; flow:to_server,established;
content:"/query?version="; fast_pattern:only; http_uri; content:"&sid=";
http_uri; content:"&builddate="; distance:0; http_uri; content:"&q=";
distance:0; http_uri; content:"&ref="; distance:0; http_uri;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,malwr.com/analysis/ZmE3ZWU2YTkyM2U0NGQ0MmI1NDcxMjUwZDE2NTM5
MjQ/; classtype:trojan-activity; sid:31465; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Androm Click Fraud Request"; flow:to_server,established;
content:"|0D 0A|builddate:"; fast_pattern:only; http_header; content:"|0D
0A|aid: "; http_header; content:"|0D 0A|redirect: http://"; http_header;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,malwr.com/analysis/ZmE3ZWU2YTkyM2U0NGQ0MmI1NDcxMjUwZDE2NTM5
MjQ/; classtype:trojan-activity; sid:31466; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Androm variant outbound connection";
flow:to_server,established; urilen:9; content:"/gate.php";
fast_pattern:only; http_uri; content:"User-Agent: Mozilla/4.0|0D 0A|";
http_header; metadata:impact_flag red, policy balanced-ips drop, policy
security-ips drop, ruleset community, service http;
reference:url,malwr.com/analysis/ZmE3ZWU2YTkyM2U0NGQ0MmI1NDcxMjUwZDE2NTM5
MjQ/; classtype:trojan-activity; sid:31467; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Papras variant outbound connection";
flow:to_server,established; content:"POST"; http_method;
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain hslh.sytes.net - Win.Worm.Jenxcus"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|04|hslh|05|sytes|03|net|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/5382192453e48d46e20096b14458b173
68d401ccbf365020e6094cd5ed20ac51/analysis/; classtype:trojan-activity;
sid:31639; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain prepara.biricell.com.br - Win.Trojan.SpyBanker";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|prepara|08|biricell|
03|com|02|br|00|"; fast_pattern:only; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
dns;
reference:url,www.virustotal.com/en/file/a9c38b5b26532623d692ef0291ad412c
e2c2fd8e46e4f6ed85d1e0d010617d0a/analysis/; classtype:trojan-activity;
sid:31640; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Tinybanker variant outbound connection"; flow:to_server,established;
content:"User-Agent: Mozilla/5.0 (compatible|3B| MSIE 9.0|3B| Windows NT
6.1|3B| Trident/5.0)|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|Host: "; fast_pattern:only; http_header; content:"|0D
0A|Content-Length: 13|0D 0A|Connection: Close|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; pcre:"/[^\x20-\x7e\r\n]{3}/P"; metadata:impact_flag
red, policy balanced-ips drop, policy security-ips drop, ruleset
community, service http;
reference:url,blog.avast.com/2014/07/17/tinybanker-trojan-targets-banking-customers/;
reference:url,www.virustotal.com/en/file/b88b978d00b9b3a011263f398fa6a210
98aba714db14f7e71062ea4a6b2e974e/analysis/; classtype:trojan-activity;
sid:31641; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Tinybanker variant outbound connection"; flow:to_server,established;
urilen:4; content:"/de/"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/5.0 (compatible|3B| MSIE 9.0|3B| Windows NT 6.1|3B|
Trident/5.0)|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|
Host: "; content:"Content-Length: 13|0D 0A|Connection: Close|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; distance:0; metadata:impact_flag red,
policy balanced-ips drop, policy security-ips drop, ruleset community,
service http; reference:url,blog.avast.com/2014/07/17/tinybanker-trojan-targets-banking-customers/;
reference:url,www.virustotal.com/en/file/b88b978d00b9b3a011263f398fa6a210
98aba714db14f7e71062ea4a6b2e974e/analysis/; classtype:trojan-activity;
sid:31642; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Andr.Trojan.Scarelocker outbound connection"; flow:to_server,established;
content:"/api.php"; fast_pattern:only; http_uri; content:"User-Agent|3A
20|Apache-HttpClient|2F|UNAVAILABLE"; http_header; content:"method=";
http_client_body; content:"&app_key="; http_client_body;
metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, ruleset community, service http;
reference:url,malware.dontneedcoffee.com/2014/08/scarepackageknstant.html
;
reference:url,www.virustotal.com/en/file/ebed6a20738f68787e19eaafc725bc8c
76fba6b104e468ddcfb05a4d88a11811/analysis/; classtype:trojan-activity;
sid:31644; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Bancos variant outbound connection";
flow:to_server,established; urilen:16; content:"/boydn/boye.html";
fast_pattern:only; http_uri; content:"User-Agent|3A 20|Mozilla/3.0
(compatible|3B| Indy Library)"; http_header; metadata:impact_flag red,
policy balanced-ips drop, policy security-ips drop, ruleset community,
service http;
reference:url,www.virustotal.com/en/file/61cbe9b94bca25503c884bb0c9363b95
fac6203534e5b23c5887dde91fbd4951/analysis/1384873658/; classtype:trojan-activity; sid:31649; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Tirabot variant outbound connection";
flow:to_server,established; content:"&string="; fast_pattern:only;
http_client_body; content:"key="; depth:4; http_client_body;
content:"Content-Type: application/x-www-Form-urlencoded|0D 0A|";
http_header; content:".php"; http_uri;
pcre:"/User\x2dAgent\x3a\x20([\x20-\x7e]
{3,56})\r\n.*?\r\n\r\nkey\x3d\1\x26string\x3d/ms"; metadata:impact_flag
red, policy balanced-ips drop, policy security-ips drop, ruleset
community, service http;
reference:url,www.virustotal.com/en/file/7ea920d297e23cf58e9f00fa3d48e029
94253cb4a673bdd6db9a02fa5ab9ffb8/analysis/1407432311/; classtype:trojan-activity; sid:31680; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Badur download attempt"; flow:to_server,established;
urilen:12; content:"/support.exe"; fast_pattern:only; http_uri;
content:".exe HTTP/1.1|0D 0A|Accept: */*|0D 0A|Accept-Encoding:
gzip,deflate,sdch|0D 0A|Host: "; content:") Chrome/"; distance:0;
http_header; content:!"Accept-Language:"; http_header;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/adf5d662af390ad3a187a1991e0b4633
27fb8360fd55a27e6f9961c8a84a47c5/analysis/; classtype:trojan-activity;
sid:31681; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Badur download attempt"; flow:to_server,established; urilen:9;
content:"/tmps.exe"; fast_pattern:only; http_uri; content:"Proxy-Authorization: Basic |0D 0A|"; http_header; content:"__cfduid="; depth:9;
http_cookie; content:") Chrome/"; http_header; content:!"Accept-";
http_header; metadata:impact_flag red, policy balanced-ips drop, policy
security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/840b3b76030696b1ce9eccd5ee6d55dd
79c0120871094cb9266769c09f03029c/analysis/; classtype:trojan-activity;
sid:31682; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Badur variant outbound connection";
flow:to_server,established; content:"/get/?data="; depth:11; http_uri;
content:"User-Agent: win32|0D 0A|"; fast_pattern:only; http_header;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/840b3b76030696b1ce9eccd5ee6d55dd
79c0120871094cb9266769c09f03029c/analysis/; classtype:trojan-activity;
sid:31683; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE
Microsoft Multiple Products JPEG parser heap overflow attempt";
flow:to_server,established; flowbits:isset,file.jpeg; file_data;
content:"|00 10|JFIF"; depth:6; offset:4; pcre:"/^.
{0,100}\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/s"; metadata:ruleset
community, service smtp; reference:bugtraq,11173; reference:cve,2004-0200;
reference:url,www.microsoft.com/security/bulletins/200409_jpeg.mspx;
classtype:attempted-user; sid:31719; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Banker.Delf variant outbound connection"; flow:to_server,established;
urilen:11; content:"POST"; http_method; content:"/notify.php"; http_uri;
content:"Content-Length: 0|0D 0A|"; http_header; content:" HTTP/1.0|0D
0A|"; content:"Content-Type: application/x-www-form-urlencoded|0D 0A|";
http_header; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B|
MyApp)|0D 0A 0D 0A|"; fast_pattern:only; http_header;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/dce2799df1da1ad992d37c78ea586dfd
0cf673642ecc56ac464fe7a81a6994ca/analysis/; classtype:trojan-activity;
sid:31820; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Graftor variant outbound connection";
flow:to_server,established; content:"dados="; depth:6; http_client_body;
content:"&ct="; distance:0; http_client_body; content:"/"; within:1;
distance:2; http_client_body; content:"/201"; within:4; distance:2;
http_client_body; content:"="; within:1; distance:1; http_client_body;
content:"&windows="; fast_pattern:only; http_client_body;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/53ac9c629cf0cc468cfaf77fe4b54f1d
a7576e0c0327650915b79f9340fa84ff/analysis/; classtype:trojan-activity;
sid:31824; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain flordeliskm26.com.br - Win.Trojan.Delf"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|0D|flordeliskm26|03|com|02|br|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/59e721000aa38a91ed42799e955f9337
482c627e0675520aa54dcad068e6e004/analysis/1409846457/; classtype:trojan-activity; sid:31825; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.Delf variant HTTP Response"; flow:to_client,established;
content:"Content-Length: 201|0D 0A|"; file_data; content:"<meta name=|22|
token|22| content=|22 A4|"; depth:29; content:"|A4 22|/>"; within:4;
distance:168;
pcre:"/^\x3cmeta\x20name\x3d\x22token\x22\x20content\x3d\x22\xa4[A-F\d]
{168}\xa4\x22\x2f\x3e$/"; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/59e721000aa38a91ed42799e955f9337
482c627e0675520aa54dcad068e6e004/analysis/1409846457/; classtype:trojan-activity; sid:31826; rev:1;)
reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html;
classtype:trojan-activity; sid:31970; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT
Astrum exploit kit multiple exploit download request";
flow:to_server,established; urilen:>60,norm; content:"GET"; content:".
HTTP/1."; fast_pattern:only; pcre:"/\x2f[\w\x2d]*\x2e+$/mU";
content:"Connection|3A 20|Keep-Alive|0D 0A|"; http_header;
flowbits:set,file.exploit_kit.jar&file.exploit_kit.pdf&file.exploit_kit.f
lash&file.exploit_kit.silverlight; flowbits:noalert; metadata:ruleset
community, service http;
reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html;
classtype:trojan-activity; sid:31971; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT
Astrum exploit kit payload delivery"; flow:to_client,established;
flowbits:isset,file.exploit_kit.pe; file_data; content:"|DC C7 5E 47 A0
DB D2 51|"; fast_pattern:only; metadata:policy balanced-ips drop, policy
security-ips drop, ruleset community, service http;
reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html;
classtype:trojan-activity; sid:31972; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Chebri variant outbound connection";
flow:to_server,established; urilen:10; content:"/index.php HTTP/1.0|0D
0A|Host: google.com|0D 0A|User-Agent: "; fast_pattern:only; content:"0=";
depth:2; http_client_body; content:"Accept-Encoding: none|0D 0A 0D 0A|";
http_header; pcre:"/User\x2dAgent\x3a\x20[A-F\d]{32}\r\n/H";
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/db94644fc351fb4a9117b68ab625494d
aa2ebe36117a8333577d857a7c2d1ec6/analysis/1409853252/; classtype:trojan-activity; sid:31973; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash
CGI environment variable injection attempt"; flow:to_server,established;
content:"%3D%28%29+%7B"; fast_pattern:only; metadata:policy balanced-ips
drop, policy security-ips drop, ruleset community, service http;
reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:31975;
rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash
CGI environment variable injection attempt"; flow:to_server,established;
content:"() {"; fast_pattern:only; http_client_body; metadata:policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http; reference:cve,2014-6271; reference:cve,2014-6277;
reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:31976; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash
CGI environment variable injection attempt"; flow:to_server,established;
content:"() {"; fast_pattern:only; http_uri; metadata:policy balanced-ips
drop, policy security-ips drop, ruleset community, service http;
reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:31977;
rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash
CGI environment variable injection attempt"; flow:to_server,established;
content:"() {"; fast_pattern:only; http_header; metadata:policy balanced-
nocase; isdataat:500,relative;
pcre:"/\x22aim\x3Agoaway\x3Fmessage\x3D[^\x22]
{500}|\x27aim\x3Agoaway\x3Fmessage\x3D[^\x27]{500}|
aim\x3Agoaway\x3Fmessage\x3D[^\s]{500}/i"; metadata:ruleset community,
service smtp; reference:bugtraq,10889; reference:cve,2004-0636;
reference:url,osvdb.org/show/osvdb/8398; classtype:misc-attack;
sid:32370; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Androm variant outbound connection";
flow:to_server,established; urilen:13; content:"POST"; http_method;
content:"/and/gate.php"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/4.0|0D 0A|"; http_header; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http;
reference:url,malwr.com/analysis/ZmE3ZWU2YTkyM2U0NGQ0MmI1NDcxMjUwZDE2NTM5
MjQ/; classtype:trojan-activity; sid:32374; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain tiptronic.soxx.us - Scarsi Trojan"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|09|tiptronic|04|soxx|02|us|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/403bca7e414291c4aecf8646ef6157e4
41d51915149fbcd2f70aabe05585c8ff/analysis/; classtype:trojan-activity;
sid:32385; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Symmi variant outbound connection";
flow:to_server,established; urilen:16; content:"/cbrry/cbre.html";
fast_pattern:only; http_uri; content:"User-Agent: Mozilla/3.0
(compatible|3B| Indy Library)"; http_header; metadata:impact_flag red,
policy balanced-ips drop, policy security-ips drop, ruleset community,
service http;
reference:url,www.virustotal.com/en/file/7c110c2d125a4100322bd9c4328d0a01
259cb00a4e3709815711b8b364a58bdd/analysis/1415285838/; classtype:trojan-activity; sid:32583; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Symmi variant outbound connection";
flow:to_server,established; content:"plug=NAO"; fast_pattern:only;
http_client_body; content:".php HTTP/1.0|0D 0A|"; content:"Content-Length: 8"; http_header; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service http;
reference:url,malwr.com/analysis/NDUwYTczYzQ0YWMwNGM2Yjk5MDc5YmU4Yjg5MzY5
OWY/;
reference:url,www.virustotal.com/en/file/d34644047c451081e9332e18600dba25
aed42ff76f96fc51cb3eada95ba57e59/analysis/; classtype:trojan-activity;
sid:32584; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Geodo variant outbound connection";
flow:to_server,established; urilen:1; content:"User-Agent: Mozilla/4.0
(compatible|3B|MSIE 7.0|3B|Windows NT 6.0)|0D 0A|"; fast_pattern:only;
http_header; content:!"Accept-Language:"; http_header;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/330b408173d45365dd6372bc659ebdd5
4b9eb18b323079da9552c4e3d8e62d1e/analysis/; classtype:trojan-activity;
sid:32604; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Worm.Jenxcus variant outbound connection";
flow:to_server,established; content:"/seo.php?
username=MAREYOLE&format=ptp"; fast_pattern:only; http_uri;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/8538cbb2271f90c57f57150d714ec92e
59869f52c7060bb2ab1f57ef6757321d/analysis/; classtype:trojan-activity;
sid:32605; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Sodebral variant outbound connection";
flow:to_server,established; content:"/verifica/index.php?id=";
fast_pattern:only; http_uri; content:"User-Agent: Mozilla/3.0
(compatible|3B| Indy Library)|0D 0A 0D 0A|"; http_header;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa
6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity;
sid:32606; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established;
file_data; dsize:<194; content:"INTERNACIONAL"; depth:13;
content:!"Content-Length"; http_header; content:"Transfer-Encoding:
chunked"; http_header; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa
6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity;
sid:32607; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established;
file_data; dsize:<194; content:"BRASIL"; depth:6; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa
6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity;
sid:32608; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLACKLIST User-Agent
known malicious user-agent string RUpdate"; flow:to_server,established;
content:"User-Agent: RUpdate|0D 0A|"; fast_pattern:only;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/0d68f1d3855543a4732e551e9e4375a2
cd85d9ab11a86334f67ad99c5f6990a0/analysis/; classtype:trojan-activity;
sid:32645; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - _pdf.exe within .zip file";
flow:to_client,established; flowbits:isset,file.zip; file_data;
content:"_pdf.exe"; fast_pattern:only; metadata:policy security-ips drop,
ruleset community, service http;
reference:url,www.virustotal.com/en/file/0d68f1d3855543a4732e551e9e4375a2
cd85d9ab11a86334f67ad99c5f6990a0/analysis/; classtype:trojan-activity;
sid:32646; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain baltichost.org - Group 74"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|0A|baltichost|03|org";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf9
1bc57183aae459dca98dc8216965/analysis/; classtype:trojan-activity;
sid:32652; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain kavkazcentr.info - Group 74"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|0B|kavkazcentr|04|info";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf9
1bc57183aae459dca98dc8216965/analysis/; classtype:trojan-activity;
sid:32653; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain login-osce.org - Group 74"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|0A|login-osce|03|org";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf9
1bc57183aae459dca98dc8216965/analysis/; classtype:trojan-activity;
sid:32654; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain mail.q0v.pl - Group 74"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|04|mail|03|g0v|02|pl";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf9
1bc57183aae459dca98dc8216965/analysis/; classtype:trojan-activity;
sid:32655; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain n0vinite.com - Group 74"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|08|n0vinite|03|com"; fast_pattern:only;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf9
1bc57183aae459dca98dc8216965/analysis/; classtype:trojan-activity;
sid:32656; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain nato.nshq.in - Group 74"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|04|nato|04|nshq|02|in";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf9
1bc57183aae459dca98dc8216965/analysis/; classtype:trojan-activity;
sid:32657; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain natoexhibitionff14.com - Group 74";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|12|natoexhibitionff14|
03|com"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips
7331108cb65e1f4c77d129df7fb7764/analysis/; classtype:trojan-activity;
sid:32776; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Darkhotel outbound connection"; flow:to_server,established;
content:"/images/view.php"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|"; http_header; content:"Media Center PC 6.0"; within:175;
http_header; content:!"Accept|3A 20|"; http_header; content:!"Referer|3A
20|"; http_header; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,securelist.com/files/2014/11/darkhotel_kl_07.11.pdf;
reference:url,securelist.com/files/2014/11/darkhotelappendixindicators_kl
.pdf; classtype:trojan-activity; sid:32823; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Darkhotel outbound connection attempt";
flow:to_server,established; content:"/txt/read.php"; fast_pattern:only;
http_uri; content:"User-Agent|3A 20|"; http_header; content:"Media Center
PC 6.0"; within:175; http_header; content:!"Accept|3A 20|"; http_header;
content:!"Referer|3A 20|"; http_header; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http; reference:url,securelist.com/files/2014/11/darkhotel_kl_07.11.pdf;
reference:url,securelist.com/files/2014/11/darkhotelappendixindicators_kl
.pdf; classtype:trojan-activity; sid:32824; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Darkhotel outbound connection"; flow:to_server,established;
content:"/bin/read_i.php?"; http_uri; content:"a1="; http_uri;
content:"&a2=step2-down"; fast_pattern:only; http_uri; content:"&a3=";
http_uri; content:"&a4="; http_uri; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http; reference:url,securelist.com/files/2014/11/darkhotel_kl_07.11.pdf;
reference:url,securelist.com/files/2014/11/darkhotelappendixindicators_kl
.pdf; classtype:trojan-activity; sid:32825; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Darkhotel data upload attempt"; flow:to_server,established;
content:"POST"; http_method; content:"/html/docu.php"; http_uri;
content:"User-Agent|3A 20|"; http_header; content:"Media Center PC 6.0";
within:175; http_header; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service http;
reference:url,securelist.com/files/2014/11/darkhotel_kl_07.11.pdf;
reference:url,securelist.com/files/2014/11/darkhotelappendixindicators_kl
.pdf; classtype:trojan-activity; sid:32826; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.Darkhotel response connection attempt";
flow:to_client,established; file_data; content:"DEXT87";
pcre:"/DEXT87(no|up|\d+\x2e\d+\x2e\d+\x2e\d+)/i"; metadata:impact_flag
red, policy balanced-ips drop, policy security-ips drop, ruleset
community, service http;
reference:url,securelist.com/files/2014/11/darkhotel_kl_07.11.pdf;
reference:url,securelist.com/files/2014/11/darkhotelappendixindicators_kl
.pdf; classtype:trojan-activity; sid:32827; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT
Absolute Software Computrace outbound connection - 209.53.113.223";
flow:to_server,established; content:"Host|3A| 209.53.113.223|0D 0A|";
fast_pattern:only; http_header; content:"TagId: "; http_header;
metadata:policy security-ips drop, ruleset community, service http;
reference:url,absolute.com/support/consumer/technology_computrace;
reference:url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf;
reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:32845;
rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT
Absolute Software Computrace outbound connection - absolute.com";
flow:to_server,established; content:".absolute.com|0D 0A|";
fast_pattern:only; http_header; content:"TagId: "; http_header;
pcre:"/^m\d+\.absolute\.com$/Hi"; metadata:policy security-ips drop,
ruleset community, service http;
reference:url,absolute.com/support/consumer/technology_computrace;
reference:url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf;
reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:32846;
rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT
Absolute Software Computrace outbound connection - bh.namequery.com";
flow:to_server,established; content:"Host|3A| bh.namequery.com|0D 0A|";
fast_pattern:only; http_header; content:"TagId: "; http_header;
metadata:policy security-ips drop, ruleset community, service http;
reference:url,absolute.com/support/consumer/technology_computrace;
reference:url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf;
reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:32847;
rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT
Absolute Software Computrace outbound connection - namequery.nettrace.co.za"; flow:to_server,established; content:"Host|3A|
namequery.nettrace.co.za|0D 0A|"; fast_pattern:only; http_header;
content:"TagId: "; http_header; metadata:policy security-ips drop,
ruleset community, service http;
reference:url,absolute.com/support/consumer/technology_computrace;
reference:url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf;
reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:32848;
rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT
Absolute Software Computrace outbound connection - search.us.namequery.com"; flow:to_server,established; content:"Host|3A|
search.us.namequery.com|0D 0A|"; fast_pattern:only; http_header;
content:"TagId: "; http_header; metadata:policy security-ips drop,
ruleset community, service http;
reference:url,absolute.com/support/consumer/technology_computrace;
reference:url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf;
reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:32849;
rev:1;)
community; reference:url,us-cert.gov/ncas/alerts/TA14-353A;
classtype:trojan-activity; sid:32917; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"MALWARE-BACKDOOR Win.Trojan.Wiper download attempt";
flow:to_client,established; file_data; content:"Sleepy!
@#qaz13402scvsde890"; fast_pattern:only; metadata:impact_flag red,
ruleset community, service ftp-data, service http, service imap, service
pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32918; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"MALWARE-OTHER Win.Trojan.Wiper download attempt";
flow:to_client,established; file_data; content:"|C9 06 D9 96 FC 37 23 5A
FE F9 40 BA 4C 94 14 98|"; depth:16; metadata:impact_flag red, ruleset
community, service ftp-data, service http, service imap, service pop3;
reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32919; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"MALWARE-OTHER Win.Trojan.Wiper download attempt";
flow:to_client,established; file_data; content:"|AA 64 BA F2 56|";
depth:50; metadata:impact_flag red, ruleset community, service ftp-data,
service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32920;
rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"MALWARE-OTHER Win.Trojan.Wiper download attempt";
flow:to_client,established; file_data; content:"|AA 74 BA F2 B9 75|";
depth:74; metadata:impact_flag red, ruleset community, service ftp-data,
service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32921;
rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt";
flow:to_client,established; file_data; content:"|0C 1F 1F 1F 4D 5A 4C 4F
50 51 4C 5A 3F 2D 2F 2F 3F 50 54 3E 3E 3E|"; depth:22;
metadata:impact_flag red, ruleset community, service ftp-data, service
http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32922;
rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt";
flow:to_client,established; file_data; content:"|D3 C4 D2 D1 CE CF D2 C4
A1 B3 B1 B1 A1 CE CA A0 A0 A0|"; depth:18; metadata:impact_flag red,
ruleset community, service ftp-data, service http, service imap, service
pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32923; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt";
flow:to_client,established; file_data; content:"|17 08 14 13 67 0F 13 13
17 67 15 02 16 12 02 14 13 78 47 47|"; depth:24; metadata:impact_flag
red, ruleset community, service ftp-data, service http, service imap,
service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A;
classtype:trojan-activity; sid:32924; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt";
reference:url,www.virustotal.com/en/file/cab1fffe7a34b5bb7dab2cacd406cf15
628d835ab63502d28df78c2faeaad366/analysis/1421677054/; classtype:trojan-activity; sid:33227; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Kovter variant outbound connection";
flow:to_server,established; content:"POST"; http_method;
content:"/form2.php"; fast_pattern:only; http_uri; content:!"Accept";
http_header; pcre:"/[a-z\d\x2f\x2b\x3d]{100,300}/Pi";
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/599dc4c4dae2d12f8c8ea00114c1cbdd
ecbc171c552e7fbe5aba516ef11b08f0/analysis/; classtype:trojan-activity;
sid:33228; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Upatre variant outbound connection";
flow:to_server,established; content:"/js/jquery-"; fast_pattern;
http_uri; content:".js?"; within:15; distance:1; http_uri;
pcre:"/\x2ejs\x3f[a-zA-Z0-9]{9,20}=Mozilla\x2f/UGi"; content:"Referer|3A
20|"; http_header; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/7a06565bb9d49aa92084b5bc32cf59d0
4dc1d60d63827099ca7c14063f54967a/analysis/1421616162/; classtype:trojan-activity; sid:33282; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Symmi variant outbound connection";
flow:to_server,established; content:"/r1xpr/r1xe.html";
fast_pattern:only; http_uri; content:"User-Agent: Mozilla/3.0
(compatible|3B| Indy Library)|0D 0A|"; http_header; metadata:impact_flag
red, policy balanced-ips drop, policy security-ips drop, ruleset
community, service http;
reference:url,www.virustotal.com/en/file/4ca26daa7cfb81c8ee05c955f19ef527
a9452f2dad3c63674afa7f6796d96f02/analysis/; classtype:trojan-activity;
sid:33443; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.SpyBanker variant outbound connection";
flow:to_server,established; content:"/m343ff4ufbnmm4uu4nf34m443frr/";
fast_pattern:only; http_uri; content:"User-Agent: Mozilla/3.0
(compatible|3B| Indy Library)|0D 0A|"; http_header; metadata:impact_flag
red, policy balanced-ips drop, policy security-ips drop, ruleset
community, service http;
reference:url,www.virustotal.com/en/file/66e69ff2c4881a1c95eccd287af3b8db
692fd5c9df3caee464f8b4125d46c1a4/analysis/; classtype:trojan-activity;
sid:33444; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.FileEncoder IP geolocation checkin attempt";
flow:to_server,established; dsize:214; urilen:1; content:"GET / HTTP/1.1|
0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT
5.1|3B| SV1|3B| .NET4.0C|3B| .NET4.0E|3B| .NET CLR 2.0.50727|3B| .NET CLR
3.0.4506.2152|3B| .NET CLR 3.5.30729)|0D 0A|Host: ip-addr.es|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag
red, policy balanced-ips drop, policy security-ips drop, ruleset
community, service http;
reference:url,www.virustotal.com/en/file/17edf82c40df6c7268191def7cbff6e6
0e78d7388018408800d42581567f78cf/analysis/; classtype:trojan-activity;
sid:33449; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.FileEncoder variant outbound connection";
flow:to_server,established; content:"POST"; http_method; content:"=";
depth:2; http_client_body; content:"Content-Length: 128|0D 0A|";
fast_pattern:only; http_header; content:"Content-Type: application/x-www-form-urlencoded|0D 0A|"; http_header; content:"|3B 20|MSIE|20|";
http_header; content:!"Accept-Language:"; http_header; pcre:"/[a-z]\x3d[a-f\d]{126}/P"; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/17edf82c40df6c7268191def7cbff6e6
0e78d7388018408800d42581567f78cf/analysis/; classtype:trojan-activity;
sid:33450; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS
Win.Toolbar.Crossrider variant outbound connection";
flow:to_server,established; content:".gif?action="; http_uri;
content:"&browser="; distance:0; http_uri; content:"&osbuild=";
distance:0; http_uri; content:"&osprod="; distance:0; http_uri;
metadata:policy balanced-ips drop, policy security-ips drop, ruleset
community, service http;
reference:url,www.virustotal.com/en/file/06f3bd3df0326b5c3c5b03070d9d8705
07b868ee4e1acff62f0d301c43492709/analysis/; classtype:trojan-activity;
sid:33452; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Kovter variant outbound connection";
flow:to_server,established; urilen:13; content:"POST"; http_method;
content:"/12/index.php"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like
Gecko|0D 0A|"; http_header; content:!"Accept"; http_header;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/db8952943708f4eefa72ad04ff01bdf9
acb33fdd89a5ad98b0ec2649fb116a52/analysis/1422981882/; classtype:trojan-activity; sid:33453; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Symmi variant outbound connection";
flow:to_server,established; content:"GET"; http_method; content:"User-Agent: http://www.pershop.com.br/"; fast_pattern:only; http_header;
content:".php"; http_uri; content:!"Referer:"; http_header;
content:!"Accept-"; http_header; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http;
reference:url,www.virustotal.com/en/file/609c2c8ab60a30822689a3955fb84f06
b5c3962e0d2b894f4794ac8ee5eee2eb/analysis/; classtype:trojan-activity;
sid:33457; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST
User-Agent known malicious user agent - ALIZER";
flow:to_server,established; content:"User-Agent|3A 20|ALIZER|0D 0A|";
fast_pattern:only; http_header; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http;
reference:url,www.virustotal.com/en/file/958c004400ca2a736473c68d842cbea9
038bde940d1e44fb08cf08c4352c5f55/analysis/; classtype:trojan-activity;
sid:33519; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.Zusy inbound CNC response"; flow:to_client,established;
file_data; content:"|0A|Array|0A 28 0A 20 20 20 20 5B|"; fast_pattern;
content:"] => "; within:20; pcre:"/\x0aArray\x0a\x28\x0a\x20{4}\x5b[a-z\d]{11}\x5d\x20\x3d\x3e\x20\d{16}\x0a\x29/i"; metadata:impact_flag red,
policy balanced-ips drop, policy security-ips drop, ruleset community,
service http;
reference:url,www.virustotal.com/en/file/958c004400ca2a736473c68d842cbea9
038bde940d1e44fb08cf08c4352c5f55/analysis/; classtype:trojan-activity;
sid:33520; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Zusy variant outbound connection"; flow:to_server,established;
content:"&pcname="; fast_pattern:only; http_client_body; content:"hwid=";
depth:5; http_client_body; content:"&mode="; within:50; http_client_body;
content:"&system="; within:32; http_client_body; content:"&version=";
within:60; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/958c004400ca2a736473c68d842cbea9
038bde940d1e44fb08cf08c4352c5f55/analysis/; classtype:trojan-activity;
sid:33521; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST
User-Agent known malicious user-agent - DNS Changer";
flow:to_server,established; content:"User-Agent|3A 20|DNS Check|0D 0A|";
fast_pattern:only; http_header; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http;
reference:url,www.virustotal.com/en/file/2b16bd74ed6cf86938a7108b6a6fa934
3ac4f890f0228b964a98c45428cb4e3c/analysis/;
reference:url,www.virustotal.com/en/file/e5cbca1c1cca4ce5ef8beddca38869bd
b18e089b969171e5ba337aa756371c36/analysis/; classtype:trojan-activity;
sid:33522; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.DNSChanger variant outbound connection";
flow:to_server,established; content:"User-Agent|3A 20|NSIS_Inetc
(Mozilla)|0D 0A|"; fast_pattern:only; http_header;
content:"/postinstall.php?"; http_uri; content:"src="; within:5;
http_uri; content:"&medium="; within:15; http_uri; metadata:impact_flag
red, policy balanced-ips drop, policy security-ips drop, ruleset
community, service http;
reference:url,www.virustotal.com/en/file/2b16bd74ed6cf86938a7108b6a6fa934
3ac4f890f0228b964a98c45428cb4e3c/analysis/;
reference:url,www.virustotal.com/en/file/e5cbca1c1cca4ce5ef8beddca38869bd
b18e089b969171e5ba337aa756371c36/analysis/; classtype:trojan-activity;
sid:33523; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.DNSChanger variant outbound connection";
flow:to_server,established; content:"/updateb.xml?"; fast_pattern:only;
http_uri; content:"rnd="; http_uri; content:"&spfail="; within:20;
http_uri; content:"&guid="; within:15; http_uri; metadata:impact_flag
red, policy balanced-ips drop, policy security-ips drop, ruleset
community, service http;
reference:url,www.virustotal.com/en/file/2b16bd74ed6cf86938a7108b6a6fa934
3ac4f890f0228b964a98c45428cb4e3c/analysis/;
reference:url,www.virustotal.com/en/file/e5cbca1c1cca4ce5ef8beddca38869bd
b18e089b969171e5ba337aa756371c36/analysis/; classtype:trojan-activity;
sid:33524; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Turla outbound connection"; flow:to_server,established;
content:"POST"; http_method; content:"?uid="; http_uri;
content:"&context="; distance:0; http_uri; content:"&mode=text";
distance:0; fast_pattern; http_uri; content:"&data="; distance:0;
http_uri; metadata:impact_flag red, policy balanced-ips drop, policy
security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/1a488c6824bd39f3568346b2aaf3f666
6f41b1d4961a2d77360c7c65c7978b5e/analysis/; classtype:trojan-activity;
sid:33547; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain tracking-recipient.net46.net - Win.Cossta";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|12|tracking-recipient|
05|net46|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
dns;
reference:url,www.virustotal.com/en/file/cdaa661e2b5913997f4d905e0490bd8d
9069a0c9f90a13944d5d3e1d6d1f2089/analysis/; classtype:trojan-activity;
sid:33560; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Linux.Trojan.XORDDoS outbound connection attempt";
flow:to_server,established; urilen:<64; content:"GET"; http_method;
content:"/check.action?iid="; http_uri; content:"&kernel="; within:8;
distance:32; http_uri; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/e8cb63cc050c952c1168965f597105a1
28b56114835eb7d40bdec964a0e243dc/analysis/; classtype:trojan-activity;
sid:33646; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Linux.Trojan.XORDDoS outbound connection attempt";
flow:to_server,established; urilen:>100; content:"POST"; http_method;
content:"/submit.action?username="; http_uri; content:"&password=";
within:30; http_uri; content:".tgz"; distance:0; http_uri;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/e8cb63cc050c952c1168965f597105a1
28b56114835eb7d40bdec964a0e243dc/analysis/; classtype:trojan-activity;
sid:33647; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Linux.Trojan.XORDDoS outbound connection attempt";
flow:to_server,established; urilen:>100; content:"GET"; http_method;
content:"/compiler.action?iid="; http_uri; content:"&username=";
within:10; distance:32; http_uri; content:"&password="; within:30;
distance:1; http_uri; content:"&kernel="; distance:0; http_uri;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/e8cb63cc050c952c1168965f597105a1
28b56114835eb7d40bdec964a0e243dc/analysis/; classtype:trojan-activity;
sid:33648; rev:1;)
2422422422422422422422422422422422422422422422422422422422422422422422422
4224224224224224224224224224224224224224224224224224224224224224224224224
2242242242242242242242242242242242242242242242242242242242242242242242242
2422422422422422422422422422422422422422422422422422422422422422422422422
422422422422422422422422422422422422422422422422422422422422422422422422c
ommunityrules/AUTHORS42
2422422422422422422422422422422422422422422422422422422422422422422422422
4224224224224224224224224224224224224224224224224224224224224224224224224
2242242242242242242242242242242242242242242242242242242242242242242242242
2422422422000064442200022724220002272422000000132234221251554013742201555
6422
042
2422422422422422422422422422422422422422422422422422422422422422422422422
4224224224224224224224224224224224224224224224224224224224224224224224224
2242242242242242242242242242242242242242242242242242242242242242242242242
2422422422422422422422422422422422422422422422422422422422422422422422422
422422ustar
422vrtbuild42242242242242242242242242242242242242242242242242242242242242
2422422422vrtbuild4224224224224224224224224224224224224224224224224224224
2242242242242242242242242242242242242242242242242242242242242242242242242
2422422422422422422422422422422422422422422422422422422422422422422422422
4224224224224224224224224224224224224224224224224224224224224224224224224
2242242242242242242242242242242242242242242242242242242242242242242242242
2422422422422422422422422422422422422422422422422422422422422422422422422
4224224224224224224224224224224224224224224224224224224224224224224224224
2242242242242242242242242242242242242242242242242242242242242242242242242
2422422422422422422422422422422422422422422422422422422## This file
contains the information about the authors of the Community ruleset.
## Each author will be listed and the SIDs associated with those authors
are listed underneath their names
## The VRT would like to thank each author for contributing to the
ruleset.
## To contribute to this ruleset, please email research [] sourcefire.com
Jason Wallace
21246
21255
21256
21257
21267
21442
21266
21818
21819
21820
21821
21822
21823
21824
21825
21826
21827
21828
21829
21830
21831
21832
21833
21834
21835
21836
21837
21838
21839
21840
21841
21842
21843
21475
Nick Randolph
21327
Nathan Fowler
21375
21417
21438
24226
24227
21562
26814
26576
26577
26618
26838
26948
26947
26949
26950
26951
26985
27085
27086
27087
27088
31455
Frederick Stankowski
21443
21444
Eoin Miller
21845
21846
21847
21848
21849
21850
21851
22061
Alexandre Menezes
22957
22958
22959
22960
24031
24032
24033
24034
26916
26917
26918
26919
26920
29761
29762
29763
29763
29764
29765
29766
29767
29768
29769
29770
29771
29771
29772
29773
29774
29775
29776
29777
29778
29779
29780
29781
29832
29833
29834
29835
29836
29837
29838
29839
29840
29841
29842
29843
29844
29845
29846
29847
29848
29849
29850
29851
29852
29853
29854
29855
29856
29857
29858
James Lay
23179
24017
24171
24102
24225
24265
24251
24265
24253
24254
24598
25948
26380
26381
26382
26467
26483
26522
26585
26655
26656
26658
26659
26698
26719
26720
26725
26726
26727
26728
26729
26730
26731
26732
26733
26734
26735
26736
26737
26738
26739
26740
26741
26742
26743
26744
26745
26746
26747
26748
26749
26750
26810
26834
26837
26839
26948
26947
26949
26950
26951
26965
27039
27040
27041
27042
27047
27144
27145
27203
27599
27726
27727
27728
28007
28008
28009
28010
28011
28079
28215
29816
29817
29829
29830
29831
30065
30066
30549
31293
33513
Brett Caldwell
23481
23482
23621
23795
23636
Avery Tarasov
24255
25809
24798
24885
24886
25050
25119
25224
25256
25258
25259
25269
25271
25277
25471
25503
25504
25511
25577
25578
25579
25580
25627
25652
25660
25675
25765
25766
25807
25829
25854
25946
25947
25949
26023
26024
26075
26106
26211
26212
26264
26265
26286
26287
26288
26289
25054
25257
26319
26325
26327
26335
26370
26371
26398
26470
26480
26481
26482
26533
26560
26561
26562
26563
26580
26581
26582
26583
26589
26612
26613
26614
26654
26657
26660
26696
26697
26718
26722
26723
26752
26762
26774
26775
26776
26779
26780
26781
26782
26811
26812
26835
26836
26910
26911
26912
26913
26914
26915
26924
26966
26968
26969
26970
26971
26984
27017
27043
27044
27045
27146
27155
27180
27181
27199
27200
27201
27202
27204
27247
27248
27252
27253
27254
27255
27256
27257
27533
27534
27535
27537
27538
27566
27596
27632
27633
27648
27649
27680
27774
27775
27865
27918
27919
27965
28004
28012
28080
28114
28115
28116
28117
28118
28119
28120
28121
28122
28123
28147
28148
28152
28153
28154
28155
28156
28192
28193
28255
28285
28293
28294
28295
28296
28297
28302
28404
28405
28406
28445
28446
28541
28542
28543
28044
28540
28800
28801
28802
28803
28804
28805
28806
28807
28539
28809
28810
28814
28815
28918
28919
28945
28959
28960
28976
28977
29030
29031
29167
29126
29127
29216
29217
29220
29259
29260
29261
29262
29263
29300
29349
29395
29664
29665
29824
29825
29826
29827
29828
29832
29833
29862
29863
29865
29875
29882
29884
29891
29894
29895
29897
30067
30068
30091
30234
30255
30256
30257
30258
30259
30260
30261
30262
30543
30544
30545
30546
30547
30548
30550
30551
30552
30567
30568
30569
30570
30914
30915
30918
30919
30949
30997
30998
30999
31000
31001
31034
31035
31036
31221
31222
31262
31294
31295
31315
31112
31113
31243
31244
31260
31261
31442
31452
31453
31454
31456
31457
31458
31463
31464
31465
31466
31467
31468
31472
31530
31507
31680
31681
31682
31683
31639
31640
31641
31642
31649
31820
31824
31825
31826
31827
31829
31916
31917
31918
31919
31920
31921
31922
31923
31924
31964
31973
31990
31991
32008
32130
32196
32225
32367
32374
32385
32531
32583
32584
32604
32605
32606
32607
32608
32852
32853
32888
33212
33219
33224
33227
33228
33443
33444
33449
33450
33453
33457
33519
33520
33560
33649
Randy Miller
25518
25519
25520
25521
25522
25523
25524
25525
Joerg Weber
26020
Yaser Mansour
26395
26396
26399
26400
26401
26402
26403
26404
26405
26406
26407
26408
26409
26411
26412
26413
26553
26554
26555
26556
27567
27625
27626
27627
27628
27629
27630
27631
27707
27708
27801
27802
27803
27804
27913
27914
27915
27916
27917
28005
28006
28033
28034
28035
28036
28042
28105
28106
28107
28300
28552
28553
28554
28555
28556
28557
28940
28950
28951
28952
28953
28954
29492
29493
29494
29567
29568
29569
29666
29864
30069
30070
30071
30072
30288
30795
30796
30824
30825
30826
30827
30828
30829
30830
30831
30832
30833
30834
30835
30836
30837
30838
30839
30840
30841
30842
31053
31070
31084
31531
31593
31600
31601
31602
31603
31604
31605
31606
31607
31830
31831
31965
31966
31967
31968
31969
31970
31971
31972
32065
32066
32067
32776
32823
32824
32825
32826
32827
32956
32957
32958
33207
33220
33221
33222
33223
32976
32977
33281
33282
33522
33523
33524
33547
33646
33647
33648
33650
33677
33678
33815
33816
33818
33819
33820
33821
33822
34137
34144
34145
34146
rmkml
26468
26469
Eddie Mitchell
26526
26578
26579
Dell SecureWorks
26558
Hank Leininger
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
Paul Bottomley
26695
26923
27246
27565
27805
Christopher Hall
26842
Brandon Kendall
26925
Adam Gardner
27865
Nick Mavis
28344
31455
Caleb Jaren, Microsoft
28913
Tony Robinson
29760
29788
29789
29790
29791
29761
29762
29763
29763
29764
29765
29766
29767
29768
29769
29770
29771
29771
29772
29773
29774
29775
29776
29777
29778
29779
29780
29781
32665
32666
32667
32670
BAE
30191
Red Sky Alliance
33047
33058
33059
33060
43943
9439439439439439439439439439439439439439439439439439439439439439439439439
4394394394394394394394394394394394394394394394394394394394394394394394394
3943943943943943943943943943943943943943943943943943943943943943943943943
9439439439439439439439439439439439439439439439439439439439439439439439439
4394394394394394394394394394394394394394394394394394394394394394394394394
3943943943943943943943943943943943943943943943943943943943943943943943943
9439439439439439439439439439439439439439439439439439439439439439439439439
4394394394394394394394394394394394394394394394394394394394394394394394394
3943943943943943943943943943943943943943943943943943943943943943943943943
9439439439439439439439439439439439439439439439439439439439439439439439439
4394394394394394394394394394394394394394394394394394394394394394394394394
3943943943943943943943943943943943943943943943943943943943943943943943943
9439439439439439439439439439439439439439439439439439439439439439439439439
4394394394394394394394394394394394394394394394394394394394394394394394394
39439439439439439439439439439439439439439439439439439439439439439439commu
nityrules/LICENSE43
9439439439439439439439439439439439439439439439439439439439439439439439439
4394394394394394394394394394394394394394394394394394394394394394394394394
3943943943943943943943943943943943943943943943943943943943943943943943943
9439439439000064443900022724390002272439000000354274391212221774343901552
3439
043
9439439439439439439439439439439439439439439439439439439439439439439439439
4394394394394394394394394394394394394394394394394394394394394394394394394
3943943943943943943943943943943943943943943943943943943943943943943943943
9439439439439439439439439439439439439439439439439439439439439439439439439
439439ustar
439vrtbuild43943943943943943943943943943943943943943943943943943943943943
9439439439vrtbuild4394394394394394394394394394394394394394394394394394394
3943943943943943943943943943943943943943943943943943943943943943943943943
9439439439439439439439439439439439439439439439439439439439439439439439439
4394394394394394394394394394394394394394394394394394394394394394394394394
3943943943943943943943943943943943943943943943943943943943943943943943943
9439439439439439439439439439439439439439439439439439439439439439439439439
4394394394394394394394394394394394394394394394394394394394394394394394394
3943943943943943943943943943943943943943943943943943943943943943943943943
9439439439439439439439439439439439439439439439439439439
GNU
GENERAL PUBLIC LICENSE
Version 2, June 1991
modification follow.
url,technet.microsoft.com/en-us/security/bulletin/MS00-028 ||
url,technet.microsoft.com/en-us/security/bulletin/MS00-060
1008 || SERVER-IIS del attempt
1009 || SERVER-IIS directory listing || nessus,10573
1010 || SERVER-IIS encoding access || bugtraq,886 || cve,2000-0024 ||
url,technet.microsoft.com/en-us/security/bulletin/MS99-061
1011 || SERVER-IIS exec-src access
1012 || SERVER-IIS fpcount attempt || bugtraq,2252 || cve,1999-1376
1013 || SERVER-IIS fpcount access || bugtraq,2252 || cve,1999-1376
1015 || SERVER-IIS getdrvs.exe access
1016 || SERVER-IIS global.asa access || cve,2000-0778 || cve,2001-0004 ||
nessus,10491 || nessus,10991 || url,technet.microsoft.com/en-us/security/bulletin/ms01-004
1017 || SERVER-IIS idc-srch attempt || cve,1999-0874
1018 || SERVER-IIS iisadmpwd attempt || bugtraq,2110 || cve,1999-0407 ||
nessus,10371
1019 || SERVER-IIS Malformed Hit-Highlighting Argument File Access
Attempt || bugtraq,950 || cve,2000-0097 || url,technet.microsoft.com/en-us/security/bulletin/ms00-006 ||
url,www.securityfocus.com/archive/1/43762
1020 || SERVER-IIS isc$data attempt || bugtraq,307 || cve,1999-0874 ||
nessus,10116
1021 || SERVER-IIS ism.dll attempt || bugtraq,1193 || cve,2000-0457 ||
nessus,10680 || url,technet.microsoft.com/en-us/security/bulletin/MS00-031
1022 || SERVER-IIS jet vba access || bugtraq,286 || cve,1999-0874 ||
url,technet.microsoft.com/en-us/security/bulletin/ms99-030
1023 || SERVER-IIS msadcs.dll access || bugtraq,529 || cve,1999-1011 ||
nessus,10357 || url,technet.microsoft.com/en-us/security/bulletin/ms99-025
1024 || SERVER-IIS newdsn.exe access || bugtraq,1818 || cve,1999-0191 ||
nessus,10360
1025 || SERVER-IIS perl access
1026 || SERVER-IIS perl-browse newline attempt || bugtraq,6833 ||
cve,2003-1365
1027 || SERVER-IIS perl-browse space attempt || bugtraq,6833 || cve,2003-1365
1028 || SERVER-IIS query.asp access || bugtraq,193 || cve,1999-0449
1029 || SERVER-IIS scripts-browse access || nessus,11032
1030 || SERVER-IIS search97.vts access || bugtraq,162
1031 || SERVER-IIS /SiteServer/Publishing/viewcode.asp access ||
nessus,10576
1032 || SERVER-IIS showcode access || cve,1999-0737 || nessus,10576 ||
url,technet.microsoft.com/en-us/security/bulletin/ms99-013
1033 || SERVER-IIS viewcode access || cve,1999-0737 || nessus,10576 ||
url,technet.microsoft.com/en-us/security/bulletin/ms99-013
1034 || SERVER-IIS viewcode access || cve,1999-0737 || nessus,10576 ||
url,technet.microsoft.com/en-us/security/bulletin/ms99-013
1035 || SERVER-IIS viewcode access || cve,1999-0737 || nessus,10576 ||
url,technet.microsoft.com/en-us/security/bulletin/ms99-013
1036 || SERVER-IIS viewcode access || cve,1999-0737 || nessus,10576 ||
url,technet.microsoft.com/en-us/security/bulletin/ms99-013
url,technet.microsoft.com/en-us/security/bulletin/MS04-045 ||
url,www.immunitysec.com/downloads/instantanea.pdf
3018 || NETBIOS SMB NT Trans NT CREATE oversized Security Descriptor
attempt || cve,2004-1154
3019 || NETBIOS SMB NT Trans NT CREATE andx oversized Security Descriptor
attempt || cve,2004-1154
3020 || NETBIOS SMB NT Trans NT CREATE unicode oversized Security
Descriptor attempt || cve,2004-1154
3021 || NETBIOS SMB NT Trans NT CREATE unicode andx oversized Security
Descriptor attempt || cve,2004-1154
3022 || NETBIOS SMB-DS NT Trans NT CREATE oversized Security Descriptor
attempt || cve,2004-1154
3023 || NETBIOS SMB-DS NT Trans NT CREATE andx oversized Security
Descriptor attempt || cve,2004-1154
3024 || NETBIOS SMB-DS NT Trans NT CREATE unicode oversized Security
Descriptor attempt || cve,2004-1154
3025 || NETBIOS SMB-DS NT Trans NT CREATE unicode andx oversized Security
Descriptor attempt || cve,2004-1154
3026 || NETBIOS SMB NT Trans NT CREATE SACL overflow attempt || cve,2004-1154
3027 || NETBIOS SMB NT Trans NT CREATE andx SACL overflow attempt ||
cve,2004-1154
3028 || NETBIOS SMB NT Trans NT CREATE unicode SACL overflow attempt ||
cve,2004-1154
3029 || NETBIOS SMB NT Trans NT CREATE unicode andx SACL overflow attempt
|| cve,2004-1154
3030 || NETBIOS SMB-DS NT Trans NT CREATE SACL overflow attempt ||
cve,2004-1154
3031 || NETBIOS SMB-DS NT Trans NT CREATE andx SACL overflow attempt ||
cve,2004-1154
3032 || NETBIOS SMB-DS NT Trans NT CREATE unicode SACL overflow attempt
|| cve,2004-1154
3033 || NETBIOS SMB-DS NT Trans NT CREATE unicode andx SACL overflow
attempt || cve,2004-1154
3034 || NETBIOS SMB NT Trans NT CREATE DACL overflow attempt || cve,2004-1154
3035 || NETBIOS SMB NT Trans NT CREATE andx DACL overflow attempt ||
cve,2004-1154
3036 || NETBIOS SMB NT Trans NT CREATE unicode DACL overflow attempt ||
cve,2004-1154
3037 || NETBIOS SMB NT Trans NT CREATE unicode andx DACL overflow attempt
|| cve,2004-1154
3038 || NETBIOS SMB-DS NT Trans NT CREATE DACL overflow attempt ||
cve,2004-1154
3039 || NETBIOS SMB-DS NT Trans NT CREATE andx DACL overflow attempt ||
cve,2004-1154
3040 || NETBIOS SMB-DS NT Trans NT CREATE unicode DACL overflow attempt
|| cve,2004-1154
3041 || NETBIOS SMB-DS NT Trans NT CREATE unicode andx DACL overflow
attempt || cve,2004-1154
3042 || NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt
3043 || NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos
attempt
3044 || NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos
attempt
3045 || NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size
dos attempt
3046 || NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos
attempt
3047 || NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos
attempt
3048 || NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size
dos attempt
3049 || NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace
size dos attempt
3050 || NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt
3051 || NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos
attempt
3052 || NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos
attempt
3053 || NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size
dos attempt
3054 || NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos
attempt
3055 || NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos
attempt
3056 || NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size
dos attempt
3057 || NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace
size dos attempt
3058 || PROTOCOL-IMAP copy literal overflow attempt || bugtraq,1110 ||
cve,2000-0284 || nessus,10374
3061 || APP-DETECT distccd remote command execution attempt ||
url,distcc.samba.org/security.html
3062 || SERVER-WEBAPP NetScreen SA 5000 delhomepage.cgi access ||
bugtraq,9791 || cve,2004-0347
3063 || MALWARE-BACKDOOR Vampire 1.2 connection request
3064 || MALWARE-BACKDOOR Vampire 1.2 connection confirmation
3065 || PROTOCOL-IMAP append literal overflow attempt || bugtraq,11775 ||
cve,2004-1211 || nessus,15867
3066 || PROTOCOL-IMAP append overflow attempt || bugtraq,11775 ||
bugtraq,21729 || cve,2004-1211 || cve,2006-6425 || nessus,15867
3067 || PROTOCOL-IMAP examine literal overflow attempt || bugtraq,11775
|| cve,2004-1211 || nessus,15867
3069 || PROTOCOL-IMAP fetch literal overflow attempt || bugtraq,11775 ||
cve,2004-1211 || nessus,15867
3070 || PROTOCOL-IMAP fetch overflow attempt || bugtraq,11775 ||
cve,2004-1211 || nessus,15867
3071 || PROTOCOL-IMAP status literal overflow attempt || bugtraq,11775 ||
bugtraq,15491 || cve,2004-1211 || nessus,15867
3072 || PROTOCOL-IMAP status overflow attempt || bugtraq,11775 ||
bugtraq,13727 || bugtraq,14243 || bugtraq,15491 || cve,2004-1211 ||
cve,2005-1256 || cve,2005-2278 || cve,2005-3314 || nessus,15867
3073 || PROTOCOL-IMAP SUBSCRIBE literal overflow attempt || bugtraq,11775
|| bugtraq,15488 || bugtraq,23050 || bugtraq,26219 || cve,2004-1211 ||
cve,2005-3189 || cve,2007-3510 || nessus,15867
nessus,11595 || url,technet.microsoft.com/en-us/security/bulletin/MS03-017
3193 || SERVER-IIS .cmd executable file parsing attack || bugtraq,1912 ||
cve,2000-0886
3194 || SERVER-IIS .bat executable file parsing attack || bugtraq,1912 ||
cve,2000-0886
3195 || OS-WINDOWS name query overflow attempt TCP || bugtraq,9624 ||
cve,2003-0825 || nessus,15912 || url,technet.microsoft.com/en-us/security/bulletin/ms04-006
3196 || OS-WINDOWS name query overflow attempt UDP || bugtraq,9624 ||
cve,2003-0825 || nessus,15912 || url,technet.microsoft.com/en-us/security/bulletin/ms04-006
3199 || OS-WINDOWS Microsoft Windows WINS name query overflow attempt TCP
|| bugtraq,9624 || cve,2003-0825 || nessus,15912 ||
url,technet.microsoft.com/en-us/security/bulletin/MS04-006
3200 || OS-WINDOWS Microsoft Windows WINS name query overflow attempt UDP
|| bugtraq,9624 || cve,2003-0825 || nessus,15912 ||
url,technet.microsoft.com/en-us/security/bulletin/MS04-006
3201 || SERVER-IIS httpodbc.dll access - nimda || bugtraq,2708 ||
cve,2001-0333
3218 || OS-WINDOWS DCERPC NCACN-IP-TCP winreg OpenKey overflow attempt ||
bugtraq,1331 || cve,2000-0377 || url,technet.microsoft.com/en-us/security/bulletin/ms00-040
3234 || OS-WINDOWS Messenger message little endian overflow attempt ||
bugtraq,8826 || cve,2003-0717
3235 || OS-WINDOWS Messenger message overflow attempt || bugtraq,8826 ||
cve,2003-0717
3238 || OS-WINDOWS DCERPC NCACN-IP-TCP irot IrotIsRunning/Revoke overflow
attempt || bugtraq,6005 || cve,2002-1561 || url,technet.microsoft.com/en-us/security/bulletin/ms03-010
3239 || OS-WINDOWS DCERPC NCADG-IP-UDP irot IrotIsRunning/Revoke overflow
attempt || bugtraq,6005 || cve,2002-1561 || url,technet.microsoft.com/en-us/security/bulletin/ms03-010
3273 || SQL sa brute force failed login unicode attempt || bugtraq,4797
|| cve,2000-1209 || nessus,10673
3274 || PROTOCOL-TELNET login buffer non-evasive overflow attempt ||
bugtraq,3681 || cve,2001-0797 || nessus,10827
3397 || OS-WINDOWS DCERPC NCACN-IP-TCP ISystemActivator
RemoteCreateInstance attempt || bugtraq,8205 || cve,2003-0352 ||
cve,2003-0715 || url,technet.microsoft.com/en-us/security/bulletin/MS03-026 || url,technet.microsoft.com/en-us/security/bulletin/MS03-039
3398 || OS-WINDOWS DCERPC NCADG-IP-UDP ISystemActivator
RemoteCreateInstance attempt || bugtraq,8205 || cve,2003-0352 ||
cve,2003-0715 || url,technet.microsoft.com/en-us/security/bulletin/MS03-026 || url,technet.microsoft.com/en-us/security/bulletin/MS03-039
3409 || OS-WINDOWS DCERPC NCACN-IP-TCP IActivation remoteactivation
overflow attempt || bugtraq,8205 || cve,2003-0352 || cve,2003-0528 ||
cve,2003-0715 || url,technet.microsoft.com/en-us/security/bulletin/MS03-026 || url,technet.microsoft.com/en-us/security/bulletin/MS03-039
3441 || PROTOCOL-FTP PORT bounce attempt || bugtraq,126 || cve,1999-0017
|| nessus,10081
3442 || OS-WINDOWS Microsoft Windows TCP print service overflow attempt
|| bugtraq,1082 || cve,2000-0232 || url,technet.microsoft.com/en-us/security/bulletin/MS00-021
url,www.nartv.org/tag/tds/ || url,xylibox.blogspot.com/2011/12/sutra-tdsv34.html
21849 || MALWARE-OTHER TDS Sutra - HTTP header redirecting to a SutraTDS
|| url,wepawet.iseclab.org/view.php?
hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js ||
url,www.nartv.org/tag/tds/ || url,xylibox.blogspot.com/2011/12/sutra-tdsv34.html
21850 || MALWARE-OTHER TDS Sutra - request hi.cgi ||
url,wepawet.iseclab.org/view.php?
hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js ||
url,www.nartv.org/tag/tds/ || url,xylibox.blogspot.com/2011/12/sutra-tdsv34.html
21851 || MALWARE-OTHER TDS Sutra - redirect received ||
url,wepawet.iseclab.org/view.php?
hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js ||
url,www.nartv.org/tag/tds/ || url,xylibox.blogspot.com/2011/12/sutra-tdsv34.html
22061 || MALWARE-OTHER Alureon - Malicious IFRAME load attempt
22063 || SERVER-WEBAPP PHP-CGI remote file include attempt || cve,2012-1823 || cve,2012-2311 || cve,2012-2335 || cve,2012-2336
22957 || BLACKLIST DNS request for known malware domain murik.portalprotection.net.ru - Mal/Rimecud-R || url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~Rimecud-R/detailed-analysis.aspx
22958 || BLACKLIST DNS request for known malware domain
slade.safehousenumber.com - Mal/Rimecud-R || url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~Rimecud-R/detailed-analysis.aspx
22959 || BLACKLIST DNS request for known malware domain
world.rickstudio.ru - Mal/Rimecud-R || url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~Rimecud-R/detailed-analysis.aspx
22960 || BLACKLIST DNS request for known malware domain
portal.roomshowerbord.com - Mal/EncPk-ADU ||
url,www.threatexpert.com/report.aspx?md5=d3d6f87d8f8e3dd5c2793d5a1d3ca7ca
23179 || INDICATOR-COMPROMISE script before DOCTYPE possible malicious
redirect attempt
23481 || INDICATOR-OBFUSCATION hex escaped characters in setTimeout call
23482 || INDICATOR-OBFUSCATION hex escaped characters in addEventListener
call
23492 || MALWARE-CNC Win.Trojan.ZeroAccess outbound communication ||
url,www.virustotal.com/file/50cdd9f6c5629630c8d8a3a4fe7d929d3c6463b2f9407
d9a90703047e7db7ff9/analysis/
23621 || INDICATOR-OBFUSCATION known packer routine with secondary
obfuscation || url,dean.edwards.name/packer/
23636 || INDICATOR-OBFUSCATION JavaScript built-in function parseInt
appears obfuscated - likely packer or encoder ||
url,labs.snort.org/docs/23636.txt
24015 || MALWARE-CNC Win.Trojan.Magania variant outbound connection ||
url,www.seculert.com/blog/2013/06/adversary-arsenal-exposed-part-ipinkstats.html ||
url,www.virustotal.com/file/6a813f96bb65367a8b5c5ba2937c773785a0a0299032a
6c77b9b0862be8bdb71/analysis/
url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-OrtegaDeactivateRootkit-PAPER.pdf
26287 || APP-DETECT Absolute Software Computrace outbound connection search.namequery.com ||
url,absolute.com/support/consumer/technology_computrace ||
url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-OrtegaDeactivateRootkit-PAPER.pdf
26288 || MALWARE-CNC Brontok Worm variant outbound connection ||
url,www.securelist.com/en/descriptions/10286064/EmailWorm.Win32.Brontok.rf?print_mode=1
26289 || MALWARE-CNC Daws Trojan Outbound Plaintext over SSL Port ||
url,www.virustotal.com/file/f810c56734a686fdf46eb3ff895db6f3dd0cebb45c1e7
4bcc1c43f8050242d53/analysis/1359999907/
26319 || MALWARE-CNC file path used as User-Agent - potential Trojan ||
url,www.virustotal.com/en/file/5dd932e083cf9d910bc43bb998983f5ec35691c1b8
4708a355f7c46b358fa375/analysis/
26325 || MALWARE-CNC Win.Trojan.Scar variant outbound connection ||
url,www.virustotal.com/en/file/171a0b12197c1b1b525e2db1a62adb6f6c3f42ccb5
704c8174944ee8b901abec/analysis/
26327 || MALWARE-CNC OSX.Trojan.Flashfake variant outbound connection ||
url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATI
ON/23000%2FPD23747/en_US/Threat_Advisory_OSX_Flashfake.pdf
26335 || MALWARE-CNC FBI Ransom Trojan variant outbound connection
26370 || MALWARE-CNC Win.Trojan.Bancos variant outbound connection ksa.txt ||
url,www.virustotal.com/en/file/d8870137f7f761055a2ac83b03eb3f8fe26015fa0b
a99f41551ca59374c6a3ec/analysis/1365436849/
26371 || MALWARE-CNC Win.Trojan.Bancos variant outbound connection - op
POST ||
url,www.virustotal.com/en/file/d8870137f7f761055a2ac83b03eb3f8fe26015fa0b
a99f41551ca59374c6a3ec/analysis/1365436849/
26380 || MALWARE-OTHER UTF-8 BOM in zip file attachment detected ||
url,blogs.mcafee.com/mcafee-labs/phishing-threat-uses-utf-8-bom-in-zipsignature-to-evade-detection
26381 || MALWARE-OTHER UTF-8 BOM in zip file attachment detected ||
url,blogs.mcafee.com/mcafee-labs/phishing-threat-uses-utf-8-bom-in-zipsignature-to-evade-detection
26382 || MALWARE-OTHER UTF-8 BOM in zip file attachment detected ||
url,blogs.mcafee.com/mcafee-labs/phishing-threat-uses-utf-8-bom-in-zipsignature-to-evade-detection
26395 || APP-DETECT Ufasoft bitcoin miner possible data upload ||
url,ufasoft.com/open/bitcoin/
26396 || BLACKLIST DNS request for known malware domain
suppp.cantvenlinea.biz - Bitcoin Miner upload
26398 || MALWARE-CNC Win.Trojan.Gamarue variant outbound connection ||
url,www.virustotal.com/en/file/b34f23afc2f6ca093b2923f0aa12d942a5960cf484
75272df5b60edf556e4299/analysis/
26399 || BLACKLIST DNS request for known malware domain f.eastmoon.pl Win.Trojan.Dorkbot
26400 || BLACKLIST DNS request for known malware domain s.richlab.pl Win.Trojan.Dorkbot
26401 || BLACKLIST DNS request for known malware domain gigasbh.org Win.Trojan.Dorkbot
26402 || BLACKLIST DNS request for known malware domain xixbh.com Win.Trojan.Dorkbot
26403 || BLACKLIST DNS request for known malware domain h.opennews.su Win.Trojan.Dorkbot
26404 || BLACKLIST DNS request for known malware domain o.dailyradio.su Win.Trojan.Dorkbot
26405 || BLACKLIST DNS request for known malware domain xixbh.net Win.Trojan.Dorkbot
26406 || BLACKLIST DNS request for known malware domain photobeat.su Win.Trojan.Dorkbot
26407 || BLACKLIST DNS request for known malware domain uranus.kei.su Win.Trojan.Dorkbot
26408 || BLACKLIST DNS request for known malware domain gigasphere.su Win.Trojan.Dorkbot
26409 || BLACKLIST DNS request for known malware domain ext.myshopers.com
- Win.Trojan.Dorkbot
26410 || INDICATOR-COMPROMISE IP address check to j.maxmind.com detected
26411 || MALWARE-OTHER Win.Worm.Dorkbot folder snkb0ptz creation attempt
SMB
26412 || MALWARE-OTHER Win.Worm.Dorkbot executable snkb0ptz.exe creation
attempt SMB
26413 || MALWARE-OTHER Win.Worm.Dorkbot Desktop.ini snkb0ptz.exe creation
attempt SMB
26467 || MALWARE-CNC Win.Trojan.Magic variant inbound connection ||
url,www.seculert.com/blog/2013/04/magic-persistent-threat.html
26468 || SERVER-ORACLE Oracle WebCenter FatWire Satellite Server header
injection on blobheadername2 attempt || cve,2013-1509 ||
url,www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html
26469 || SERVER-ORACLE Oracle WebCenter FatWire Satellite Server header
injection on blobheadername2 attempt || cve,2013-1509 ||
url,www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html
26470 || MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP
Response - potential malware download ||
url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef66658
1ef1385c628233614b22c0/analysis/
26480 || MALWARE-CNC Win.Trojan.Zbot fake PNG config file download
without User-Agent
26482 || MALWARE-CNC Unknown Thinner Encrypted POST botnet C&C ||
url,support.clean-mx.de/clean-mx/viruses.php?sort=firstseen
%20desc&review=95.57.120.111
26483 || SERVER-WEBAPP JavaScript tag in User-Agent field possible XSS
attempt || url,blog.spiderlabs.com/2012/11/honeypot-alert-referer-fieldxss-attacks.html
26522 || BLACKLIST User-Agent known malicious user agent NOKIAN95/WEB ||
url,blog.trendmicro.com/trendlabs-security-intelligence/targeted-attackcampaign-hides-behind-ssl-communication/
26526 || EXPLOIT-KIT Portable Executable downloaded with bad DOS stub ||
cve,2013-2423 || url,www.invincea.com/2013/04/k-i-a-java-cve-2013-2423via-new-and-improved-cool-ek/
26528 || INDICATOR-COMPROMISE Unix.Backdoor.Cdorked redirect attempt ||
url,blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-basedservers.html ||
url,virustotal.com/en/file/7b3cd8c1bd0249df458084f28d91648ad14e1baf455fdd
53b174481d540070c6/analysis/
url,www.virustotal.com/en/file/f48652bff483682938b8c281d32f8f3df424018270
900956d30658e1dcec4b44/analysis/1367863560/
26585 || INDICATOR-COMPROMISE config.inc.php in iframe ||
url,blog.sucuri.net/2013/05/auto-generated-iframes-to-blackhole-exploitkit-following-the-cookie-trail.html
26589 || BLACKLIST DNS request for known malware domain
theimageparlour.net - Vobfus worm ||
url,www.virustotal.com/en/file/cbee43ecc75d6f29061416add74a78ce5e36c67b85
e186d66338399305e594d4/analysis/
26612 || BLACKLIST DNS request for known malware domain
ppcfeedadvertising.com
26613 || MALWARE-CNC Medfos Trojan variant outbound connection ||
url,www.virustotal.com/en/file/5bad5a2e4497f866291813aed264b5dc3c9fad4e56
796306842c7b50b553ae11/analysis/
26614 || BLACKLIST DNS request for known malware domain ppcfeedclick.com
26654 || BLACKLIST DNS request for known malware domain www2.x3x4.su backdoor trojan ||
url,www.virustotal.com/en/file/a6cad9e09f5049f432491037946acf3376d3d957b9
7f49ecb22f86531fb0b7de/analysis/
26655 || MALWARE-BACKDOOR Win.Backdoor.PCRat data upload ||
url,www.virustotal.com/en/file/669DF9DED24D56997D7B1EA6249BB704226DADA092
30DC285AE66CA0C9B7247B/analysis/
26656 || MALWARE-CNC Win.Trojan.Travnet Botnet data upload ||
url,www.virustotal.com/en/file/F7E9A1A4FC4766ABD799B517AD70CD5FA234C8ACC1
0D96CA51ECF9CF227B94E8/analysis/
26657 || MALWARE-CNC Win.Trojan.Shiz variant outbound connection ||
url,camas.comodo.com/cgi-bin/submit?
file=58963fd6a567513990ec6be52dc036bc5b728bb6528fca61227b22681ac838e6 ||
url,www.virustotal.com/en/file/58963fd6a567513990ec6be52dc036bc5b728bb652
8fca61227b22681ac838e6/analysis/1368563326/
26658 || BROWSER-WEBKIT Possible Google Chrome Plugin install from nontrusted source ||
url,blogs.technet.com/b/mmpc/archive/2013/05/10/browser-extensionhijacks-facebook-profiles.aspx
26659 || BROWSER-FIREFOX Possible Mozilla Firefox Plugin install from
non-Mozilla source || url,research.zscaler.com/2012/09/how-to-installsilently-malicious.html
26660 || MALWARE-OTHER Fake delivery information phishing attack
26695 || MALWARE-CNC Win.Trojan.Namihno variant outbound request
26696 || MALWARE-CNC Cbeplay Ransomware variant outbound connection Abnormal HTTP Headers || url,malware.dontneedcoffee.com/2013/02/cbeplayp-now-target-australia-and-moved.html
26697 || MALWARE-CNC Cbeplay Ransomware variant outbound connection POST Body || url,malware.dontneedcoffee.com/2013/02/cbeplayp-now-target-australia-and-moved.html
26698 || MALWARE-OTHER Compromised Website response - leads to Exploit
Kit || url,www.jsunpack.jeek.org/?
report=c94ca7cda909cf93ae95db22a27bb5d711c2ae8f
26712 || MALWARE-CNC Kazy Trojan check-in || url,camas.comodo.com/cgibin/submit?
file=6d823488b26533f5151c3bab93c2a8ba832c9320e612d58d1134740abe3ca157
26713 || MALWARE-CNC Win.Trojan.BlackRev rev 1 outbound traffic ||
url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-indelphi
26915 || BLACKLIST DNS request for known malware domain zalil.ru - Kazy
Trojan || url,mwanalysis.org/?
page=report&analysisid=2156195&password=ykndnbluja ||
url,www.virustotal.com/en/file/22ecaeec7bf54ac3bb8deecd092447c8d62e8e4a92
8dcaada0348b08db2d1f94/analysis/
26916 || BLACKLIST DNS request for known malware domain soywey.sin-ip.es
- Palevo Botnet ||
url,www.virustotal.com/en/file/218bf5badb5658d06b14d376c92834622b6a171dde
9fa8dded755d9fd54c4dae/analysis/
26917 || BLACKLIST DNS request for known malware domain
bigmack.opendns.be - Palevo Botnet ||
url,www.mywot.com/en/scorecard/bigmack.opendns.be?page=3
26918 || BLACKLIST DNS request for known malware domain
trafficconverter.biz - ChronoPay ||
url,krebsonsecurity.com/2011/03/chronopays-scareware-diaries/#more-8331
26919 || BLACKLIST DNS request for known malware domain
kjwre9fqwieluoi.info - W32.Sality ||
url,www.threatexpert.com/report.aspx?md5=7abf56a5fbced892d2bdbe1fcbff233a
26920 || BLACKLIST DNS request for known malware domain
kukutrustnet777.info - W32.Sality ||
url,www.threatexpert.com/report.aspx?md5=7abf56a5fbced892d2bdbe1fcbff233a
26923 || MALWARE-CNC Win.Trojan.Zeus variant outbound connection
26924 || MALWARE-CNC Potential Gozi Trojan HTTP Header Structure
26925 || SQL generic convert injection attempt - GET parameter ||
url,www.securiteam.com/securityreviews/5DP0N1P76E.html
26947 || EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit inbound java
exploit download || cve,2013-2423 ||
url,www.basemont.com/new_exploit_kit_june_2013
26948 || EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit inbound java
exploit download || cve,2013-1493 ||
url,www.basemont.com/new_exploit_kit_june_2013
26949 || EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit landing page
|| url,www.basemont.com/new_exploit_kit_june_2013
26950 || EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit Zeroaccess
download attempt || cve,2013-1493 || cve,2013-2423 ||
url,www.basemont.com/new_exploit_kit_june_2013 ||
url,www.malwaresigs.com/2013/06/14/dotcachef/
26951 || EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit Malvertising
Campaign URI request ||
url,research.zscaler.com/2013/06/openxadvertisingcom-massmalvertising.html
26965 || MALWARE-CNC Win.Trojan.Win32 Facebook Secure Cryptor C2 ||
url,blog.avast.com/2013/06/18/your-facebook-connection-is-now-secured
26966 || MALWARE-CNC Win32/Autorun.JN variant outbound connection ||
url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?
Name=Worm%3AWin32%2FAutorun.JN ||
url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29e
a3d7424dd9f400af2c0f06/analysis/
26968 || MALWARE-CNC Win.Trojan.Gozi Data Theft POST Data ||
url,www.virustotal.com/en/file/b78c5c53d3b54acbca2b344a779528f0408258b6ac
12899c860d99bf563e883a/analysis/
26969 || MALWARE-CNC Win.Trojan.Gozi Trojan Data Theft POST URL ||
url,www.virustotal.com/en/file/b78c5c53d3b54acbca2b344a779528f0408258b6ac
12899c860d99bf563e883a/analysis/
27144 || EXPLOIT-KIT Private exploit kit outbound traffic || cve,2006-0003 || cve,2010-0188 || cve,2011-3544 || cve,2013-1347 || cve,2013-1493
|| cve,2013-2423 || url,malwageddon.blogspot.com/2013/07/unknown-ek-wellhey-hey-i-wanna-be.html || url,malware.dontneedcoffee.com/2013/07/pepnew-bep.html || url,www.malwaresigs.com/2013/07/03/another-unknown-ek
27146 || BLACKLIST DNS request for known malware domain scari-elegante.ro
- Yakes Trojan ||
url,www.virustotal.com/en/file/980c4ed3dd130c9313a35434e0b102a6b8b038c987
35814834334ccc03e4da3c/analysis/
27155 || BLACKLIST DNS request for known malware domain
myharlemshake.info - MSIL Trojan || url,mwanalysis.org/?
page=report&analysisid=2178740&password=nxbjmzykzt ||
url,www.virustotal.com/en/file/16534fea6ec534249b0a14a497f82f5c7b4b8f2b00
5e965c24816365ce062318/analysis/
27180 || BLACKLIST DNS request for known malware domain twinkcam.net W32/Kryptik || url,threatpost.com/nsa-whistleblower-article-redirects-tomalware ||
url,www.virustotal.com/en/file/5d7b09613c03cb3b54b9ab7a886558bba38861a899
638f4318c09eaa56401821/analysis/1373466967/
27181 || BLACKLIST DNS request for known malware domain cinnamyn.com W32/Kryptik || url,threatpost.com/nsa-whistleblower-article-redirects-tomalware ||
url,www.virustotal.com/en/file/5d7b09613c03cb3b54b9ab7a886558bba38861a899
638f4318c09eaa56401821/analysis/1373466967/
27199 || MALWARE-CNC Win.Trojan.Meredrop variant outbound connection GET
Request ||
url,www.virustotal.com/en/file/dfb0050cb7fd6c879027cbecda703613b8d9fb2b2a
5682478dbcd0518172302c/analysis/1373576492/
27200 || MALWARE-CNC Win.Trojan.Meredrop variant outbound connection POST
Request ||
url,www.virustotal.com/en/file/dfb0050cb7fd6c879027cbecda703613b8d9fb2b2a
5682478dbcd0518172302c/analysis/1373576492/
27201 || MALWARE-CNC Win.Trojan.Neurevt variant outbound communication
27203 || INDICATOR-COMPROMISE Apache auto_prepend_file a.control.bin C2
traffic || url,blog.sucuri.net/2013/06/apache-php-injection-tojavascript-files.html
27204 || MALWARE-CNC Potential Bancos Brazilian Banking Trojan Browser
Proxy Autoconfig File
27246 || MALWARE-OTHER Mac OSX FBI ransomware ||
url,blog.malwarebytes.org/intelligence/2013/07/fbi-ransomware-nowtargeting-apples-mac-os-x-users/
27247 || BLACKLIST DNS request for known malware domain restless.su Gamarue Trojan ||
url,www.virustotal.com/en/file/03103b40b95070e4d14803e949dc754ca02bcea25e
8b3a4194f7d248f15ca515/analysis/
27248 || MALWARE-CNC Win.Trojan.Gamarue - Mozi1la User-Agent ||
url,www.virustotal.com/en/file/03103b40b95070e4d14803e949dc754ca02bcea25e
8b3a4194f7d248f15ca515/analysis/
27252 || MALWARE-CNC Win.Trojan.ZeroAccess 111-byte URL variant outbound
connection
27253 || MALWARE-CNC Win.Trojan.Cridex Encrypted POST w/ URL Pattern ||
url,www.virustotal.com/en/file/cd0cdc216e456b34dc2e4c6db6bacbbba20122489e
6751621f921ca53cc7e421/analysis/
28118 || MALWARE-CNC Win.Trojan.Fareit variant outbound connection /login.htm GET Encrypted Payload ||
url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb
22be776bac6930b00fae49/analysis/
28119 || MALWARE-CNC Win.Trojan.Fareit variant outbound connection /search.htm GET Encrypted Payload ||
url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb
22be776bac6930b00fae49/analysis/
28120 || MALWARE-CNC Win.Trojan.Fareit variant outbound connection /start.htm GET Encrypted Payload ||
url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb
22be776bac6930b00fae49/analysis/
28121 || MALWARE-CNC Win.Trojan.Fareit variant outbound connection /welcome.htm GET Encrypted Payload ||
url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb
22be776bac6930b00fae49/analysis/
28122 || MALWARE-CNC Win.Trojan.Fareit variant outbound connection /index.htm GET Encrypted Payload ||
url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb
22be776bac6930b00fae49/analysis/
28123 || MALWARE-CNC Win.Trojan.Fareit variant outbound connection /setup.htm GET Encrypted Payload ||
url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb
22be776bac6930b00fae49/analysis/
28147 || MALWARE-CNC Win.Trojan.Conficker variant connection ||
url,www.virustotal.com/en/file/57212e057db0d45d94d08cd47dec85f0d85a20a7f4
d3824559c81a50999cc2a5/analysis/
28148 || MALWARE-CNC Win.Trojan.Mevade variant outbound connection ||
url,www.virustotal.com/en/file/526fe8eee74dc51a23e458115179dcda4027277b69
6b6a06889ed52751b39f54/analysis/
28152 || BLACKLIST DNS request for known malware domain
kievandmoskaustt.in ||
url,www.virustotal.com/en/file/5a9cd53f13825e17107d6b9f81ebe4013f3abf2342
9d9735c7258d43c101b71f/analysis/
28153 || MALWARE-CNC Win.Trojan.Foreign variant outbound connection /html2/ ||
url,www.virustotal.com/en/file/5a9cd53f13825e17107d6b9f81ebe4013f3abf2342
9d9735c7258d43c101b71f/analysis/
28154 || MALWARE-CNC Win.Trojan.Foreign variant outbound connection MSIE 7.1 ||
url,www.virustotal.com/en/file/5a9cd53f13825e17107d6b9f81ebe4013f3abf2342
9d9735c7258d43c101b71f/analysis/
28155 || MALWARE-CNC Win.Trojan.Foreign variant outbound connection MSIE 7.2 ||
url,www.virustotal.com/en/file/5a9cd53f13825e17107d6b9f81ebe4013f3abf2342
9d9735c7258d43c101b71f/analysis/
28156 || PUA-ADWARE Linkury outbound time check ||
url,www.virustotal.com/en/file/a2c4e162624ddb169542e12e148a3be6bfe79a1fed
4adfb28ad1a308a0d1bade/analysis/1380219003/
28192 || MALWARE-CNC Win.Trojan.Kuluoz Potential Phishing URL ||
url,urlquery.net/report.php?id=5117077 ||
url,www.soleranetworks.com/blogs/kuluoz-spam-uses-a-lot-of-stolen-webservers/
28193 || BLACKLIST DNS request for known malware domain- Win.Vobfus worm
variant ||
url,www.virustotal.com/en/file/451318847bae50e855299a1878d9cbd74e7467bfff
8df396e886732254fc3ade/analysis/1380827494/
28215 || SERVER-WEBAPP vBulletin upgrade.php exploit attempt ||
url,www.net-security.org/secworld.php?id=15743
28233 || EXPLOIT-KIT Blackholev2/Cool exploit kit payload download
attempt
28242 || MALWARE-CNC Win.Trojan.KanKan variant connection ||
url,www.virustotal.com/en/file/db31bdf400dd0d28487a0d298bc383a4a291256613
0ea512b25639b3f95e94c4/analysis/
28255 || MALWARE-CNC Win.Trojan.Kuluoz Potential phishing URL ||
url,urlquery.net/search.php?q=get.php%3Finvite%3D&type=string&start=2013-10-01&end=2013-10-16&max=50 ||
url,www.virustotal.com/en/file/93a40a83977ca24df6e12d7d6f19a9b9d92cb3ea31
74ea9d4398ad2048205c42/analysis/
28285 || MALWARE-CNC Win.Trojan.hdog connectivity check-in version 2 ||
url,www.virustotal.com/en/file/ca1bc54e33064eb08163a17a56dcb1d0d811fc694c
05af1d9ea768ef992cb489/analysis/1381870348/ ||
url,www.virustotal.com/en/file/d4b16269c9849c33a7bb2fdc782173a00e99db12a5
85689618dde3f4c6fcb101/analysis/
28291 || EXPLOIT-KIT Blackholev2/Cool exploit kit exploit download
attempt
28293 || BLACKLIST DNS request www.xiaopijia.com - Backdoor.Yaddos ||
url,www.virustotal.com/en/file/08e49d4b699ac39193ae6bb952d8ef8a79e9958916
683db4a8fa0e9c6ee512d7/analysis/
28294 || BLACKLIST DNS request www.akwm139.com - Backdoor.Yaddos ||
url,www.virustotal.com/en/file/08e49d4b699ac39193ae6bb952d8ef8a79e9958916
683db4a8fa0e9c6ee512d7/analysis/
28295 || BLACKLIST DNS request www.1860tour.com - Backdoor.Yaddos ||
url,www.virustotal.com/en/file/08e49d4b699ac39193ae6bb952d8ef8a79e9958916
683db4a8fa0e9c6ee512d7/analysis/
28296 || BLACKLIST DNS request ghjgf.info - Backdoor.Yaddos ||
url,www.virustotal.com/en/file/08e49d4b699ac39193ae6bb952d8ef8a79e9958916
683db4a8fa0e9c6ee512d7/analysis/
28297 || BLACKLIST DNS request for known malware domain handjobheats.com
- Win.Trojan.Injector ||
url,www.virustotal.com/en/file/4BAF26D033E17F0171AB27291649EEAE19EE33BD02
46F17BC921E3ADB7F36F42/analysis/
28300 || MALWARE-CNC Win.Trojan.Agent variant connection ||
url,www.virustotal.com/en/file/e21a7333f5e6fe6de87b0b4ef928202724680d46ee
3524983ec6962b4061813c/analysis/1381409595/
28323 || MALWARE-CNC Win.Backdoor.Chopper web shell connection ||
url,informationonsecurity.blogspot.com/2012/11/china-chopperwebshell.html || url,www.fireeye.com/blog/technical/botnet-activitiesresearch/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html ||
url,www.fireeye.com/blog/technical/botnet-activitiesresearch/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html
||
url,www.virustotal.com/en/file/BE24561427D754C0C150272CAB5017D5A2DA64D41B
EC74416B8AE363FB07FD77/analysis/
28324 || PUA-ADWARE FakeAV runtime detection
28344 || INDICATOR-OBFUSCATION large number of calls to chr function possible sql injection obfuscation || url,isc.sans.org/diary.html?
storyid=3823
28345 || INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in
IFRAMEr Tool attack
28346 || INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr
Tool attack
28404 || BLACKLIST DNS request for known malware domain goobzo.com - Kazy
Trojan ||
url,www.virustotal.com/en/file/a064a1d3d8b9d8ab649686b7fb01e0631e56941238
8084f5c391722c98660763/analysis/
28405 || MALWARE-CNC Win.Trojan.Kazy variant outbound connection ||
url,www.virustotal.com/en/file/a064a1d3d8b9d8ab649686b7fb01e0631e56941238
8084f5c391722c98660763/analysis/
28406 || MALWARE-CNC Win.Trojan.Kazy variant outbound connection ||
url,www.virustotal.com/en/file/a064a1d3d8b9d8ab649686b7fb01e0631e56941238
8084f5c391722c98660763/analysis/
28420 || INDICATOR-OBFUSCATION Javascript obfuscation - createElement seen in IFRAMEr Tool attack
28421 || INDICATOR-OBFUSCATION Javascript obfuscation - fromCharCode seen in IFRAMEr Tool attack
28428 || EXPLOIT-KIT Glazunov exploit kit landing page || cve,2013-2471
|| url,nakedsecurity.sophos.com/2013/07/02/the-four-seasons-of-glazunov-digging-further-into-sibhost-and-flimkit/
28429 || EXPLOIT-KIT Glazunov exploit kit outbound jnlp download attempt
|| cve,2013-2471 || url,nakedsecurity.sophos.com/2013/07/02/the-four-seasons-of-glazunov-digging-further-into-sibhost-and-flimkit/
28430 || EXPLOIT-KIT Glazunov exploit kit zip file download || cve,2013-2471 || url,nakedsecurity.sophos.com/2013/07/02/the-four-seasons-of-glazunov-digging-further-into-sibhost-and-flimkit/
28445 || BLACKLIST DNS request for known malware domain
mssql.maurosouza9899.kinghost.net - Win.Symmi Trojan ||
url,www.virustotal.com/en/file/47c71ff0eb61b371e967b93b6909bb05f2aab973e3
214ea2d5ed246884dd045e/analysis/
28446 || MALWARE-CNC Win.Trojan.Symmi variant SQL check-in ||
url,www.virustotal.com/en/file/47c71ff0eb61b371e967b93b6909bb05f2aab973e3
214ea2d5ed246884dd045e/analysis/
28450 || EXPLOIT-KIT Sakura exploit kit exploit payload retrieve attempt
28493 || MALWARE-CNC DeputyDog diskless method outbound connection ||
cve,2013-3918 || url,technet.microsoft.com/en-us/security/bulletin/MS13-090
28538 || MALWARE-CNC Win.Trojan.Asprox/Kuluoz variant connection ||
url,stopmalvertising.com/malware-reports/analysis-of-asprox-and-its-newencryption-scheme.html ||
url,www.virustotal.com/en/file/929b62b673db55f443a36fa2de184a2be03788bbe7
14fc586b82a19444727a54/analysis/
28539 || BLACKLIST DNS request for known malware domain lovesyr.sytes.net
- Win.Worm Dunhihi ||
url,www.virustotal.com/en/file/c3c4abd4ccf24da96abc0b4045219a89c86662bad9
201913c5317f6e3e7841d9/analysis/
28540 || BLACKLIST DNS request for known malware domain dkxszh.org ||
url,www.virustotal.com/en/file/0b216c2a7e2ac3284fac877054b135947823c91a71
2bb1c3e289168c973a6ce0/analysis/
url,www.virustotal.com/en/file/b78c5c53d3b54acbca2b344a779528f0408258b6ac
12899c860d99bf563e883a/analysis/
28815 || MALWARE-CNC Win.Trojan.Gozi/Neverquest variant outbound
connection ||
url,www.virustotal.com/en/file/b78c5c53d3b54acbca2b344a779528f0408258b6ac
12899c860d99bf563e883a/analysis/
28852 || BLACKLIST User-Agent known malicious user-agent string Zollard
||
url,www.virustotal.com/en/file/d757aa51974806e5402fb8a5c930518bf9ba0b2fd6
2f74e0f4c33d85bce08ada/analysis/
28859 || BLACKLIST User-Agent known malicious user-agent z00sAgent Win.Trojan.Zbot ||
url,www.virustotal.com/en/file/0220b1071c8a0093e673d836ae436cb468b8cd1bd5
873dad08351309e13af9e5/analysis/1383673331/
28913 || MALWARE-BACKDOOR Zollard variant outbound connection attempt ||
url,www.deependresearch.org/2013/12/hey-zollard-leave-my-internet-ofthings.html
28918 || MALWARE-CNC Win.Trojan.Symmi variant network connectivity check
||
url,www.virustotal.com/en/file/47c71ff0eb61b371e967b93b6909bb05f2aab973e3
214ea2d5ed246884dd045e/analysis/
28919 || MALWARE-CNC Win.Trojan.Symmi variant network connectivity check
||
url,www.virustotal.com/en/file/084455c1de5d9440eb95edd2e6868aab1ce3dd674c
2e3ba481254edc65b30b89/analysis/
28930 || MALWARE-CNC Win.Trojan.Fakeav variant outbound data connection
28938 || BLACKLIST DNS request for known malware domain
appropriations.co.cc
28939 || BLACKLIST DNS request for known malware domain
havingbeothers.co.cc
28940 || MALWARE-CNC Win.Trojan.Rovnix malicious download ||
url,isc.sans.edu/forums/diary/Suspected+Active+Rovnix+Botnet+Controller/1
7180 || url,www.welivesecurity.com/2012/02/22/rovnix-reloaded-new-stepof-evolution/
28945 || INDICATOR-COMPROMISE exe.exe download ||
url,urlquery.net/search.php?q=%5C%2F%5BEe%5D%5BXx%5D%5BEe%5D%5C.%5BEe%5D
%5BXx%5D%5BEe%5D%24&type=regexp&start=2013-11-21&end=2013-12-06&max=400
28950 || BLACKLIST DNS reverse lookup response to malicious domain
.dataclub.biz - Win.Trojan.Bunitu.G
28951 || BLACKLIST DNS reverse lookup response to malicious domain
hosted-by.leaseweb.com - Win.Trojan.Bunitu.G
28952 || BLACKLIST DNS request to suspicious domain ns0.pollosm.me.uk - Win.Trojan.Bunitu.G
28953 || BLACKLIST DNS request to suspicious domain ns1.pollosm.me.uk - Win.Trojan.Bunitu.G
28959 || BLACKLIST DNS request for known malware domain fenhelua.com || url,www.sophos.com/ja-jp/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-AFDE/detailed-analysis.aspx
28960 || MALWARE-CNC Win.Trojan.Alurewo outbound connection || url,www.sophos.com/ja-jp/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-AFDE/detailed-analysis.aspx || url,www.virustotal.com/en/file/9171bd76d3fa26a78225cb7c9d5112635fa84e8bdf3388577f22da9178871161/analysis/
url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3
d9265f606076c7ee72e8f8/analysis/
29773 || BLACKLIST DNS request for known malware domain nav1002.ath.cx - Win.Trojan.Careto || url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/
29774 || BLACKLIST DNS request for known malware domain
nthost.shacknet.nu - Win.Trojan.Careto ||
url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3
d9265f606076c7ee72e8f8/analysis/
29775 || BLACKLIST DNS request for known malware domain oco-231ms.xns01.com - Win.Trojan.Careto || url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/
29776 || BLACKLIST DNS request for known malware domain
pininfarina.dynalias.com - Win.Trojan.Careto ||
url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3
d9265f606076c7ee72e8f8/analysis/
29777 || BLACKLIST DNS request for known malware domain pl400.dyndns.org
- Win.Trojan.Careto ||
url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3
d9265f606076c7ee72e8f8/analysis/
29778 || BLACKLIST DNS request for known malware domain
prosoccer1.dyndns.info - Win.Trojan.Careto ||
url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3
d9265f606076c7ee72e8f8/analysis/
29779 || BLACKLIST DNS request for known malware domain redirserver.net - Win.Trojan.Careto || url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/
29780 || BLACKLIST DNS request for known malware domain ricush.ath.cx - Win.Trojan.Careto || url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/
29781 || BLACKLIST DNS request for known malware domain
services.serveftp.org - Win.Trojan.Careto ||
url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3
d9265f606076c7ee72e8f8/analysis/
29782 || BLACKLIST DNS request for known malware domain sv.serveftp.org - Win.Trojan.Careto || url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/
29783 || BLACKLIST DNS request for known malware domain swupdt.com - Win.Trojan.Careto || url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/
29784 || BLACKLIST DNS request for known malware domain
takami.podzone.net - Win.Trojan.Careto ||
url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3
d9265f606076c7ee72e8f8/analysis/
29785 || BLACKLIST DNS request for known malware domain tunga.homedns.org
- Win.Trojan.Careto ||
url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3
d9265f606076c7ee72e8f8/analysis/
29786 || BLACKLIST DNS request for known malware domain wqq.dyndns.org - Win.Trojan.Careto || url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/
29787 || BLACKLIST DNS request for known malware domain wwnav.selfip.net
- Win.Trojan.Careto ||
url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3
d9265f606076c7ee72e8f8/analysis/
29788 || MALWARE-CNC Win.Trojan.Careto outbound connection ||
url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3
d9265f606076c7ee72e8f8/analysis/
29789 || MALWARE-CNC Win.Trojan.Careto plugin download ||
url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3
d9265f606076c7ee72e8f8/analysis/
29790 || MALWARE-CNC Win.Trojan.Careto plugin download ||
url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3
d9265f606076c7ee72e8f8/analysis/
29791 || MALWARE-CNC Win.Trojan.Careto plugin download ||
url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3
d9265f606076c7ee72e8f8/analysis/
29816 || MALWARE-CNC Win.Trojan.Jackpos outbound connection ||
url,www.virustotal.com/en/file/39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6
fab8e15cd4cf590f1abdf1/analysis
29817 || MALWARE-CNC Win.Trojan.Jackpos outbound connection ||
url,www.virustotal.com/en/file/39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6
fab8e15cd4cf590f1abdf1/analysis
29824 || BLACKLIST User-Agent known malicious user agent - TixDll - Win.Trojan.Adload.dyhq || url,www.virustotal.com/en/file/f5fbdc74afc209f2648490e077a2fcddc402cbc57ababbc2f735aaecde95681b/analysis/
29825 || BLACKLIST DNS request for known malware domain
commandcenteral.info - Win.Trojan.Adload.dyhq ||
url,www.virustotal.com/en/file/f5fbdc74afc209f2648490e077a2fcddc402cbc57a
babbc2f735aaecde95681b/analysis/
29826 || BLACKLIST DNS request for known malware domain
givemefilesnow.info - Win.Trojan.Adload.dyhq ||
url,www.virustotal.com/en/file/f5fbdc74afc209f2648490e077a2fcddc402cbc57a
babbc2f735aaecde95681b/analysis/
29827 || BLACKLIST DNS request for known malware domain stylefun.info - Win.Trojan.Adload.dyhq || url,www.virustotal.com/en/file/f5fbdc74afc209f2648490e077a2fcddc402cbc57ababbc2f735aaecde95681b/analysis/
29828 || MALWARE-CNC Win.Trojan.Adload.dyhq variant outbound connection
||
url,www.virustotal.com/en/file/f5fbdc74afc209f2648490e077a2fcddc402cbc57a
babbc2f735aaecde95681b/analysis/
29829 || SERVER-WEBAPP HNAP remote code execution attempt || url,isc.sans.edu/diary/Linksys+Worm+%22TheMoon%22+Summary%3A+What+we+know+so+far/17633
29830 || SERVER-WEBAPP HNAP remote code execution attempt ||
url,isc.sans.edu/diary/Linksys+Worm+%28%22TheMoon%22%29+Captured/17630
29831 || SERVER-WEBAPP HNAP remote code execution attempt ||
url,isc.sans.edu/diary/Linksys+Worm+%28%22TheMoon%22%29+Captured/17630
29832 || BLACKLIST DNS request for known malware domain hattouma12.no-ip.biz - Win.Trojan.Dunihi || url,www.virustotal.com/en/file/960aee6e11a44bf18a5f224019bd40e35112a2f312c220c9aaf0b30c9a5ba084/analysis/
29833 || BLACKLIST DNS request for known malware domain
sidisalim.myvnc.com - Win.Trojan.Dunihi ||
url,www.virustotal.com/en/file/b560a6719a23095cbaeabcff55e8a9dd8fde1fdf4c
428b6261731072eb5256d2/analysis/
29837 || BLACKLIST DNS request for known malware domain abdnjworm.no-ip.biz - Win.Trojan.Jenxcus || url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AVBS%2FDunihi.A&ThreatID=-2147285533#tab=2
29838 || BLACKLIST DNS request for known malware domain abocasse.zapto.org - Win.Trojan.Jenxcus || url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AVBS%2FDunihi.A&ThreatID=-2147285533#tab=2
29839 || BLACKLIST DNS request for known malware domain ahmedghost.no-ip.info - Win.Trojan.Jenxcus || url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AVBS%2FDunihi.A&ThreatID=-2147285533#tab=2
29840 || BLACKLIST DNS request for known malware domain b-trese.no-ip.biz - Win.Trojan.Jenxcus || url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AVBS%2FDunihi.A&ThreatID=-2147285533#tab=2
29841 || BLACKLIST DNS request for known malware domain boucraa.no-ip.org - Win.Trojan.Jenxcus || url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AVBS%2FDunihi.A&ThreatID=-2147285533#tab=2
29842 || BLACKLIST DNS request for known malware domain dd.no-ip.bz - Win.Trojan.Jenxcus || url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AVBS%2FDunihi.A&ThreatID=-2147285533#tab=2
29843 || BLACKLIST DNS request for known malware domain debili1.no-ip.biz - Win.Trojan.Jenxcus || url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AVBS%2FDunihi.A&ThreatID=-2147285533#tab=2
29844 || BLACKLIST DNS request for known malware domain fuck-all.no-ip.info - Win.Trojan.Jenxcus || url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AVBS%2FDunihi.A&ThreatID=-2147285533#tab=2
29845 || BLACKLIST DNS request for known malware domain hackers1990.no-ip.org - Win.Trojan.Jenxcus || url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AVBS%2FDunihi.A&ThreatID=-2147285533#tab=2
29846 || BLACKLIST DNS request for known malware domain heartbraker.no-ip.biz - Win.Trojan.Jenxcus || url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AVBS%2FDunihi.A&ThreatID=-2147285533#tab=2
29847 || BLACKLIST DNS request for known malware domain jnyn-99.no-ip.org - Win.Trojan.Jenxcus || url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AVBS%2FDunihi.A&ThreatID=-2147285533#tab=2
29848 || BLACKLIST DNS request for known malware domain mda.no-ip.org - Win.Trojan.Jenxcus || url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AVBS%2FDunihi.A&ThreatID=-2147285533#tab=2
29849 || BLACKLIST DNS request for known malware domain mmrick.zapto.org - Win.Trojan.Jenxcus || url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AVBS%2FDunihi.A&ThreatID=-2147285533#tab=2
29850 || BLACKLIST DNS request for known malware domain mntm.no-ip.biz - Win.Trojan.Jenxcus || url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AVBS%2FDunihi.A&ThreatID=-2147285533#tab=2
29851 || BLACKLIST DNS request for known malware domain mootje01.no-ip.org - Win.Trojan.Jenxcus || url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AVBS%2FDunihi.A&ThreatID=-2147285533#tab=2
29852 || BLACKLIST DNS request for known malware domain mozaya46415.zapto.org - Win.Trojan.Jenxcus || url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AVBS%2FDunihi.A&ThreatID=-2147285533#tab=2
29853 || BLACKLIST DNS request for known malware domain no99.zapto.org - Win.Trojan.Dunihi || url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AVBS%2FDunihi.A&ThreatID=-2147285533#tab=2
29854 || BLACKLIST DNS request for known malware domain rouge166821.no-ip.biz - Win.Trojan.Jenxcus || url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AVBS%2FDunihi.A&ThreatID=-2147285533#tab=2
29855 || BLACKLIST DNS request for known malware domain schoolpc.sytes.net - Win.Trojan.Dunihi || url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AVBS%2FDunihi.A&ThreatID=-2147285533#tab=2
29856 || BLACKLIST DNS request for known malware domain vanonymous.no-ip.org - Win.Trojan.Jenxcus || url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AVBS%2FDunihi.A&ThreatID=-2147285533#tab=2
29857 || BLACKLIST DNS request for known malware domain vichtorioisraeli.zapto.org - Win.Trojan.Jenxcus || url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AVBS%2FDunihi.A&ThreatID=-2147285533#tab=2
29858 || BLACKLIST DNS request for known malware domain zkzak.np-ip.biz - Win.Trojan.Jenxcus || url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AVBS%2FDunihi.A&ThreatID=-2147285533#tab=2
29862 || MALWARE-CNC Win.Trojan.Pirminay variant outbout connection ||
url,www.virustotal.com/en/file/5e1a615ddf73b27390d7a3c87a28932761fc1c843e
01cd68253e873270bef69d/analysis/1392222514/
29863 || MALWARE-CNC Win.Trojan.Pirminay variant outbound connection ||
url,www.virustotal.com/en/file/5e1a615ddf73b27390d7a3c87a28932761fc1c843e
01cd68253e873270bef69d/analysis/1392222514/
29864 || EXPLOIT-KIT Redkit exploit kit payload request || url,www.invincea.com/2014/02/ekia-citadel-a-k-a-the-malware-the-popped-fazio-mechanical/
29865 || MALWARE-CNC Win.Trojan.Kuluoz outbound connection ||
url,www.virustotal.com/en/file/8b53c46a7dfbe738c558e653f33fccf2004fc29484
8eee20903daa556bb3af09/analysis/
29867 || BLACKLIST DNS request for known malware domain 0zz0.com - Win.Trojan.Napolar || url,www.virustotal.com/en/file/58762cf6aa8eea5744716986773a2c22ae7412eae634be7bed648c96465bc8ef/analysis/
29868 || BLACKLIST DNS request for known malware domain www.rekurigo.com
- Win.Trojan.Napolar ||
url,www.virustotal.com/en/file/58762cf6aa8eea5744716986773a2c22ae7412eae6
34be7bed648c96465bc8ef/analysis/
29869 || MALWARE-CNC Win.Trojan.Napolar phishing attack ||
url,www.virustotal.com/en/file/58762cf6aa8eea5744716986773a2c22ae7412eae6
34be7bed648c96465bc8ef/analysis/
29870 || MALWARE-CNC Win.Trojan.Pony HTTP response connection ||
url,file-analyzer.net/analysis/1830/6840/0/html ||
url,www.virustotal.com/en/file/58762cf6aa8eea5744716986773a2c22ae7412eae6
34be7bed648c96465bc8ef/analysis/
29875 || BLACKLIST DNS request for known malware domain
jwqakoy3wdktb0.com - Win.Trojan.CryptoLocker
29882 || MALWARE-CNC Win.Trojan.WEC variant outbound connection ||
url,www.virustotal.com/en/file/164c792247b2822ab1dce8271a9498d3c9172ff21d
36feccf83265ded1be8d0b/analysis/
29884 || MALWARE-CNC Win.Trojan.Zeus variant outbound connection
29887 || BLACKLIST User-Agent known malicious user-agent string Updates
downloader - Win.Trojan.Upatre ||
url,www.virustotal.com/en/file/F167C95A467F584890F39BA2162F1B96E7626F5C57
5EB151C8E4E00E68F97478/analysis/
29891 || MALWARE-CNC Win.Trojan.Pushdo variant outbound connection
29894 || BLACKLIST DNS request for known malware domain pibadfixwug.kz - Win.Trojan.Pushdo || url,www.virustotal.com/en/file/9f3064634a48216f69d23c0887a71e879115a8388617d016239cf825e84e798b/analysis
29895 || MALWARE-CNC Win.Trojan.Bancos variant outbound connection ||
url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e
800a3f3575ba34fe5f008c/analysis
29897 || MALWARE-CNC Win.Trojan.ExplorerHijack variant outbound
connection ||
url,www.virustotal.com/en/file/b6f44c7466338ea14d1e711491b1d8174ee71e0054
1759eb18a31f959da521a9/analysis/ ||
url,www.virustotal.com/en/file/de67654959d29ffc5b9ec854d1e9e240ec96090ce8
b3f9c3c9b337b7f2a54f8a/analysis/
29981 || MALWARE-CNC Win.Trojan.Tiny variant outbound connection ||
url,www.virustotal.com/en/file/d446e176ba2141d0e7ae0799335fdd98f94d5e6b41
c88083f4a3d3c04805a721/analysis/
30067 || BLACKLIST DNS request for known malware domain drags.su - Win.Trojan.Androm || url,www.virustotal.com/en/file/0baf3197bdb2c665fea0a84db91d3f65171cf6cf9a732fd394ff9f707ddaf682/analysis
30068 || MALWARE-CNC Win.Trojan.Androm variant outbound connection ||
url,www.virustotal.com/en/file/0baf3197bdb2c665fea0a84db91d3f65171cf6cf9a
732fd394ff9f707ddaf682/analysis
30069 || BLACKLIST DNS request for known malware domain smsgrabber.url.ph - Android iBanking/Spy.49 || url,www.kernelmode.info/forum/viewtopic.php?f=16&t=3166 || url,www.virustotal.com/en/file/38f6fccfc8a31306c0a03cad6908c148e8506fd70ce03165fd89e18113b68e02/analysis/
url,www.virustotal.com/en/file/5a9cd53f13825e17107d6b9f81ebe4013f3abf2342
9d9735c7258d43c101b71f/analysis/
30259 || MALWARE-CNC Win.Trojan.Strictor variant outbound connection ||
url,www.virustotal.com/en/file/143756537dfb4964c04d874fd16366ef384bdb4f64
a739db019fa9b947b821a1/analysis/1395684118/
30260 || MALWARE-CNC Win.Trojan.Mudrop variant outbound connection ||
url,www.virustotal.com/en/file/43c6fb02baf800b3ab3d8f35167c37dced8ef32446
91e70499a7a9243068c016/analysis/1395425759/
30261 || MALWARE-CNC Win.Trojan.Mudrop variant outbound connection ||
url,www.virustotal.com/en/file/43c6fb02baf800b3ab3d8f35167c37dced8ef32446
91e70499a7a9243068c016/analysis/1395425759/
30262 || MALWARE-CNC Win.Trojan.Symmi variant outbound connection ||
url,www.virustotal.com/en/file/c70ca3914e44cf574f50019892916ed910d7454cdb
64b4eab403961c953fe44e/analysis/1395407305/
30288 || MALWARE-CNC Win.Trojan.Glupteba.M initial outbound connection || url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf
30336 || MALWARE-CNC Linux.Trojan.Calfbot outbound connection || url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf
30481 || BLACKLIST DNS request for known malware domain titan2014.sytes.net - Win.Trojan.Zbot/Bublik || url,isc.sans.edu/forums/diary/Malicious+PDF+sent+in+massive+scam+to+Colombian+users+claiming+to+be+from+Credit+score+agency/17875 || url,www.virustotal.com/en/file/bbc1a8b0892785c75f0f44d9414e424ed03cefbf951ed20eaae50031670c8a96/analysis/
30482 || MALWARE-CNC Win.Trojan.Zbot/Bublik inbound connection attempt || url,isc.sans.edu/forums/diary/Malicious+PDF+sent+in+massive+scam+to+Colombian+users+claiming+to+be+from+Credit+score+agency/17875 || url,www.virustotal.com/en/file/bbc1a8b0892785c75f0f44d9414e424ed03cefbf951ed20eaae50031670c8a96/analysis/
30483 || MALWARE-CNC Win.Trojan.Zbot/Bublik outbound connection || url,isc.sans.edu/forums/diary/Malicious+PDF+sent+in+massive+scam+to+Colombian+users+claiming+to+be+from+Credit+score+agency/17875 || url,www.virustotal.com/en/file/bbc1a8b0892785c75f0f44d9414e424ed03cefbf951ed20eaae50031670c8a96/analysis/
30484 || MALWARE-CNC Win.Trojan.Zbot/Bublik outbound connection || url,isc.sans.edu/forums/diary/Malicious+PDF+sent+in+massive+scam+to+Colombian+users+claiming+to+be+from+Credit+score+agency/17875 || url,www.virustotal.com/en/file/bbc1a8b0892785c75f0f44d9414e424ed03cefbf951ed20eaae50031670c8a96/analysis/
30510 || SERVER-OTHER OpenSSL SSLv3 heartbeat read overrun attempt ||
cve,2014-0160
30511 || SERVER-OTHER OpenSSL TLSv1 heartbeat read overrun attempt ||
cve,2014-0160
30512 || SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt ||
cve,2014-0160
30513 || SERVER-OTHER OpenSSL TLSv1.2 heartbeat read overrun attempt ||
cve,2014-0160
30514 || SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible
ssl heartbleed attempt || cve,2014-0160
30515 || SERVER-OTHER OpenSSL TLSv1 large heartbeat response - possible
ssl heartbleed attempt || cve,2014-0160
url,www.virustotal.com/en/file/e8bd297b1f59b7ea11db7d90e81002469a8f054f79
638a57332ac448d819fb5d/analysis/
30566 || MALWARE-CNC Linux.Trojan.Elknot outbound connection ||
url,www.virustotal.com/en/file/13f13f4e214c2755235ba36643e4ab08d4ea679da0
08397b7a540e0d45e70ab2/analysis/
30567 || MALWARE-OTHER Win.Trojan.Agent E-FAX phishing attempt ||
url,www.virustotal.com/en/file/4e102fd6fce767fa6c0d0a9871bb71ec5969ded694
a9292c2c8a9749e5648ed4/analysis/
30568 || MALWARE-OTHER Win.Trojan.Agent E-FAX phishing attempt ||
url,www.virustotal.com/en/file/4e102fd6fce767fa6c0d0a9871bb71ec5969ded694
a9292c2c8a9749e5648ed4/analysis/
30569 || MALWARE-OTHER Win.Trojan.Agent Funeral ceremony phishing attempt
||
url,www.virustotal.com/en/file/285ec7e2f8cbaed5d8cebde56bb6d44a921eb4e838
4981832822329d8ccfb125/analysis/1395241815/
30570 || MALWARE-CNC Win.Trojan.Zeus variant outbound connection ||
url,www.virustotal.com/en/file/2f2e20d92f7551fccae73bba64d25dd1f18a4018ff
fd30bdb1f9fb6280182bd0/analysis/1396537812/ ||
url,www.virustotal.com/en/file/b268cba8515040055d866fb9e29d7fe2bc087f2057
11cdbad3e4b1bde7be2d75/analysis/
reference:url,www.virustotal.com/en/file/ef4e0ccc49decb41f213a20f61d92374
c3b97497105d7c20e7284f65055d2ccb/analysis/
30772 || BLACKLIST DNS request for known malware domain universal2010.no-ip.org - Win.Worm.Dunihi || url,www.virustotal.com/en/file/2dc9930a0d324838f847f940ea7fa1da8808f910a39c2e701020820f7e33974a/analysis/
30777 || SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible
ssl heartbleed attempt || cve,2014-0160
30778 || SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible
ssl heartbleed attempt || cve,2014-0160
30779 || SERVER-OTHER OpenSSL TLSv1 large heartbeat response - possible
ssl heartbleed attempt || cve,2014-0160
30780 || SERVER-OTHER OpenSSL TLSv1 large heartbeat response - possible
ssl heartbleed attempt || cve,2014-0160
30781 || SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible
ssl heartbleed attempt || cve,2014-0160
30782 || SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible
ssl heartbleed attempt || cve,2014-0160
30783 || SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible
ssl heartbleed attempt || cve,2014-0160
30784 || SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible
ssl heartbleed attempt || cve,2014-0160
30785 || SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible
ssl heartbleed attempt || cve,2014-0160
30786 || SERVER-OTHER OpenSSL TLSv1 large heartbeat response - possible
ssl heartbleed attempt || cve,2014-0160
30787 || SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible
ssl heartbleed attempt || cve,2014-0160
30788 || SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible
ssl heartbleed attempt || cve,2014-0160
30795 || MALWARE-CNC Win.Trojan.Mudrop variant outbound connection ||
url,www.virustotal.com/en/file/43c6fb02baf800b3ab3d8f35167c37dced8ef32446
91e70499a7a9243068c016/analysis/1395425759/
url,filedownloads.qlogic.com/files/Manual/81355/UserGuide_5800V_Series_Qu
ickTools_v80_59264-02B.pdf ||
url,filedownloads.qlogic.com/files/manual/67941/QuickTools_Guide_Sb5600_S
eries_v74_59235-03_%5BA%5D.pdf
31831 || POLICY-OTHER QLogic Switch 5600/5800 default ftp login attempt
||
url,filedownloads.qlogic.com/files/Manual/81355/UserGuide_5800V_Series_Qu
ickTools_v80_59264-02B.pdf ||
url,filedownloads.qlogic.com/files/manual/67941/QuickTools_Guide_Sb5600_S
eries_v74_59235-03_%5BA%5D.pdf
31916 || MALWARE-CNC Win.Trojan.Bancos variant outbound connection ||
url,www.virustotal.com/en/file/61cbe9b94bca25503c884bb0c9363b95fac6203534
e5b23c5887dde91fbd4951/analysis/1384873658/
31917 || BLACKLIST DNS request for known malware domain
vampire123.zapto.org - Win.Trojan.Disfa ||
url,www.virustotal.com/en/file/1f4b95d7fc20a66acc09f8246f5a936a8263b76aeb
f973efa45cfe255415d5d1/analysis/
31918 || BLACKLIST DNS request for known malware domain enemydont.net - Win.Trojan.Symmi || url,www.virustotal.com/en/file/4c0549384574ae91b68d58d92da3deacfcf714b27fb8d762ce9de8c58990ffb1/analysis/
31919 || BLACKLIST DNS request for known malware domain saltsecond.net - Win.Trojan.Symmi || url,www.virustotal.com/en/file/4c0549384574ae91b68d58d92da3deacfcf714b27fb8d762ce9de8c58990ffb1/analysis/
31920 || BLACKLIST DNS request for known malware domain sellsmall.net - Win.Trojan.Symmi || url,www.virustotal.com/en/file/4c0549384574ae91b68d58d92da3deacfcf714b27fb8d762ce9de8c58990ffb1/analysis/
31921 || BLACKLIST DNS request for known malware domain southblood.net - Win.Trojan.Symmi || url,www.virustotal.com/en/file/4c0549384574ae91b68d58d92da3deacfcf714b27fb8d762ce9de8c58990ffb1/analysis/
31922 || BLACKLIST DNS request for known malware domain wheelreply.net - Win.Trojan.Symmi || url,www.virustotal.com/en/file/4c0549384574ae91b68d58d92da3deacfcf714b27fb8d762ce9de8c58990ffb1/analysis/
31923 || MALWARE-CNC Win.Trojan.Symmi variant HTTP response attempt ||
url,www.virustotal.com/en/file/4c0549384574ae91b68d58d92da3deacfcf714b27f
b8d762ce9de8c58990ffb1/analysis/
31924 || MALWARE-CNC Win.Trojan.Symmi variant outbound connection ||
url,www.virustotal.com/en/file/4c0549384574ae91b68d58d92da3deacfcf714b27f
b8d762ce9de8c58990ffb1/analysis/
31964 || MALWARE-CNC Win.Trojan.Banker variant outbound connection ||
url,www.virustotal.com/en/file/bf40d710dda1a3ada127d68b34b837eca03a28699c
d858cda7d4a3e36690628a/analysis/
31965 || EXPLOIT-KIT Astrum exploit kit landing page ||
url,malware.dontneedcoffee.com/2014/09/astrum-ek.html
31966 || EXPLOIT-KIT Astrum exploit kit payload delivery ||
url,malware.dontneedcoffee.com/2014/09/astrum-ek.html
31967 || EXPLOIT-KIT Astrum exploit kit payload delivery ||
url,malware.dontneedcoffee.com/2014/09/astrum-ek.html
31970 || EXPLOIT-KIT Astrum exploit kit redirection attempt ||
url,malware.dontneedcoffee.com/2014/09/astrum-ek.html
32652 || BLACKLIST DNS request for known malware domain baltichost.org - Group 74 || url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aae459dca98dc8216965/analysis/
32653 || BLACKLIST DNS request for known malware domain kavkazcentr.info - Group 74 || url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aae459dca98dc8216965/analysis/
32654 || BLACKLIST DNS request for known malware domain login-osce.org - Group 74 || url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aae459dca98dc8216965/analysis/
32655 || BLACKLIST DNS request for known malware domain mail.q0v.pl - Group 74 || url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aae459dca98dc8216965/analysis/
32656 || BLACKLIST DNS request for known malware domain n0vinite.com - Group 74 || url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aae459dca98dc8216965/analysis/
32657 || BLACKLIST DNS request for known malware domain nato.nshq.in - Group 74 || url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aae459dca98dc8216965/analysis/
32658 || BLACKLIST DNS request for known malware domain
natoexhibitionff14.com - Group 74 ||
url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aa
e459dca98dc8216965/analysis/
32659 || BLACKLIST DNS request for known malware domain novinitie.com - Group 74 || url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aae459dca98dc8216965/analysis/
32660 || BLACKLIST DNS request for known malware domain q0v.pl - Group 74 || url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aae459dca98dc8216965/analysis/
32661 || BLACKLIST DNS request for known malware domain qov.hu.com - Group 74 || url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aae459dca98dc8216965/analysis/
32662 || BLACKLIST DNS request for known malware domain rnil.am - Group 74 || url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aae459dca98dc8216965/analysis/
32663 || BLACKLIST DNS request for known malware domain smigrouponline.co.uk - Group 74 || url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aae459dca98dc8216965/analysis/
32664 || BLACKLIST DNS request for known malware domain standartnevvs.com
- Group 74 ||
url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aa
e459dca98dc8216965/analysis/
url,absolute.com/support/consumer/technology_computrace ||
url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf ||
url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf
32849 || APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com || url,absolute.com/support/consumer/technology_computrace || url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf || url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf
32850 || APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com || url,absolute.com/support/consumer/technology_computrace || url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf || url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf
32851 || APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com || url,absolute.com/support/consumer/technology_computrace || url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf || url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf
32852 || MALWARE-CNC Win.Trojan.Poolfiend variant outbound connection ||
url,www.virustotal.com/en/file/12a803cd2f67d2dbdc3fb1a6940b9a11b61f6d8455
f139e6e90893d9a4eb455a/analysis/
32853 || MALWARE-CNC Win.Trojan.Poolfiend variant outbound connection ||
url,www.virustotal.com/en/file/12a803cd2f67d2dbdc3fb1a6940b9a11b61f6d8455
f139e6e90893d9a4eb455a/analysis/
32888 || INDICATOR-COMPROMISE Potential Redirect from Compromised WordPress site to Fedex - Spammed Malware Download attempt || url,www.hybrid-analysis.com/sample/a531bc62b0460eba5b0003b535a2e9cceae0b623aecfdc6f0331743fbee77e56/
32889 || FILE-IMAGE Microsoft and libpng multiple products PNG large image width overflow attempt || bugtraq,11523 || cve,2004-0990 || cve,2004-1244 || cve,2007-5503 || url,sourceforge.net/p/png-mng/mailman/message/33173462/ || url,technet.microsoft.com/en-us/security/bulletin/MS05-009
32911 || MALWARE-BACKDOOR Win.Trojan.Wiper inbound communication attempt
|| url,us-cert.gov/ncas/alerts/TA14-353A
32912 || MALWARE-BACKDOOR Win.Trojan.Wiper outbound communication attempt
|| url,us-cert.gov/ncas/alerts/TA14-353A
32913 || MALWARE-BACKDOOR Win.Trojan.Wiper download attempt || url,us-cert.gov/ncas/alerts/TA14-353A
32914 || MALWARE-BACKDOOR Win.Trojan.Wiper download attempt || url,us-cert.gov/ncas/alerts/TA14-353A
32915 || MALWARE-BACKDOOR Win.Trojan.Wiper inbound communication attempt
|| url,us-cert.gov/ncas/alerts/TA14-353A
32916 || MALWARE-BACKDOOR Win.Trojan.Wiper outbound communication attempt
|| url,us-cert.gov/ncas/alerts/TA14-353A
587587ustar
587vrtbuild58758758758758758758758758758758758758758758758758758758758758
7587587587vrtbuild5875875875875875875875875875875875875875875875875875875
8758758758758758758758758758758758758758758758758758758758758758758758758
7587587587587587587587587587587587587587587587587587587587587587587587587
5875875875875875875875875875875875875875875875875875875875875875875875875
8758758758758758758758758758758758758758758758758758758758758758758758758
7587587587587587587587587587587587587587587587587587587587587587587587587
5875875875875875875875875875875875875875875875875875875875875875875875875
8758758758758758758758758758758758758758758758758758758758758758758758758
7587587587587587587587587587587587587587587587587587587
SOURCEFIRE
VRT CERTIFIED RULES LICENSE AGREEMENT
(v. 2.0)
IMPORTANT: PLEASE READ THIS AGREEMENT CAREFULLY.
THIS VRT CERTIFIED RULES LICENSE AGREEMENT IS A LEGAL AGREEMENT BETWEEN YOU AND SOURCEFIRE, INC. OR ONE OF ITS DESIGNATED SUBSIDIARIES LICENSING THE RULES TO YOU HEREUNDER INSTEAD OF SOURCEFIRE, INC. (AS APPLICABLE, "SOURCEFIRE"). THE TERMS AND CONDITIONS UNDER WHICH YOU MAY USE THE RULES ARE SET FORTH IN THIS VRT CERTIFIED RULES LICENSE AGREEMENT ("AGREEMENT").
BY DOWNLOADING, INSTALLING OR USING ANY OF THE RULES, YOU ARE BINDING YOURSELF, IF YOU ARE ACTING IN YOUR PERSONAL CAPACITY, OR THE BUSINESS ENTITY THAT YOU REPRESENT (AS APPLICABLE, "YOU") TO THIS AGREEMENT AND AGREEING THAT THIS AGREEMENT WITH SOURCEFIRE IS ENFORCEABLE LIKE ANY WRITTEN CONTRACT SIGNED BY YOU.
IF YOU DO NOT AGREE TO ALL OF THE TERMS AND CONDITIONS CONTAINED IN THIS AGREEMENT, THEN SOURCEFIRE IS UNWILLING TO LICENSE THE RULES TO YOU, IN WHICH CASE YOU MAY NOT DOWNLOAD, INSTALL OR USE ANY OF THE RULES.
IF YOU DO NOT AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT, DO NOT DOWNLOAD, INSTALL OR USE THE RULES. BY SELECTING "I ACCEPT", "OK", "CONTINUE", "YES", "NEXT" OR BY INSTALLING OR USING THE RULES IN ANY WAY, YOU ARE INDICATING YOUR COMPLETE UNDERSTANDING AND ACCEPTANCE OF ALL OF THE TERMS AND CONDITIONS OF THIS AGREEMENT.
1. Definitions
who
has
2. License Grant
2.1. Subscriber Use. If You are a Subscriber, then subject to the
terms
and conditions of this Agreement, Sourcefire grants You a worldwide and
non-exclusive license to: (a) download, install and use the Rules only
on that
number of Appliances for which You have paid the applicable license
fee; (b)
Modify the Rules and install and use those Modified Rules
consistent with
Section 2.1 (a) above; (c) reproduce the Rules as strictly
necessary in
exercising Your rights under this Section 2.1; and (d) make the Rules
and any
Modification available to Your consultants, agents and subcontractors
for the
limited purpose of exercising Your rights under this Section 2.1
provided that
FAQs,
2.6. Commercial Use. You must enter into a separate commercial license
agreement
with Sourcefire in order to use the Rules for a Commercial Purpose.
You can
contact Sourcefire at www.snort.org if You desire to use the Rules
for a
Commercial Purpose under a commercial license agreement.
2.7. Reproduction Obligations.
or any
If You
make
any copies
of the
Rules
and
Warranties.
You
represent
and
warrant
*********
59759
7597597597597597597597597597597597597597597597597597597597597597597597597
5975975975975975975975975975975975975975975975975975975975975975975975975
9759759759759759759759759759759759759759759759759759759759759759759759759
7597597597597597597597597597597597597597597597597597597597597597597597597
5975975975975975975975975975975975975975975975975975975975975975975975975
9759759759759759759759759759759759759759759759759759759759759759759759759
7597597597597597597597597597597597597597597597597597597597597597597597597
5975975975975975975975975975975975975975975975975975975975975975975975975
9759759759759759759759759759759759759759759759759759759759759759759759759
7597597597597597597597597597597597597597597597597597597597597597597597597
5975975975975975975975975975975975975975975975975975975975975975975975975
9759759759759759759759759759759759759759759759759759759759759759759759759
7597597597597597597597597597597597597597597597597597597597597597597597597
5975975975975975975975975975975975975975975975975975975975975975975975975
9759759759759759759759759759759759759759759759759759759759759759759759759
7597597597597597597597597597597597597597597597597597597597597597597597597
5975975975975975975975975975975975975975975975975975975975975975975975975
9759759759759759759759759759759759759759759759759759759759759759759759759
7597597597597597597597597597597597597597597597597597597597597597597597597
5975975975975975975975975975975975975975975975975975975975975975975975975
9759759759759759759759759759759759759759759759759759759759759759759759759
7597597597597597597597597597597597597597597597597597597597597597597597597
5975975975975975975975975975975975975975975975975975975975975975975975975
9759759759759759759759759759759759759759759759759759759759759759759759759
7597597597597597597597597597597597597597597597597597597597597597597597597
5975975975975975975975975975975975975975975975975975975975975975975975975
9759759759759759759759759759759759759759759759759759759759759759759759759
7597597597597597597597597597597597597597597597597597597597597597597597597
5975975975975975975975975975975975975975975975975975975975975975975975975
9759759759759759759759759759759759759759759759759759759759759759759759759
7597597597597597597597597597597597597597597597597597597597597597597597597
5975975975975975975975975975975975975975975975975975975975975975975975975
9759759759759759759759759759759759759759759759759759759759759759759759759
7597597597597597597597597597597597597597597597597597597597597597597597597
5975975975975975975975975975975975975975975975975975975975975975975975975
9759759759759759759759759759759759759759759759759759759759759759759759759
7597597597597597597597597597597597597597597597597597597597597597597597597
5975975975975975975975975975975975975975975975975975975975975975975975975
9759759759759759759759759759759759759759759759759759759759759759759759759
7597597597597597597597597597597597597597597597597597597597597597597597597
5975975975975975975975975975975975975975975975975975975975975975975975975
9759759759759759759759759759759759759759759759759759759759759759759759759
7597597597597597597597597597597597597597597597597597597597597597597597597
5975975975975975975975975975975975975975975975975975975975975975975975975
9759759759759759759759759759759759759759759759759759759759759759759759759
7597597597597597597597597597597597597597597597597597597597597597597597597
5975975975975975975975975975975975975975975975975975975975975975975975975
9759759759759759759759759759759759759759759759759759759759759759759759759
7597597597597597597597597597597597597597597597597597597597597597597597597
5975975975975975975975975975975975975975975975975975975975975975975975975
9759759759759759759759759759759759759759759759759759759759759759759759759
7597597597597597597597597597597597597597597597597597597597597597597597597
5985985985985985985985985985985985985985985985985985985985985985985985985
9859859859859859859859859859859859859859859859859859859859859859859859859
8598598598598598598598598598598598598598598598598598598598598598598598598
5985985985985985985985985985985985985985985985985985985985985985985985985
9859859859859859859859859859859859859859859859859859859859859859859859859
8598598598598598598598598598598598598598598598598598598598598598598598598
5985985985985985985985985985985985985985985985985985985985985985985985985
9859859859859859859859859859859859859859859859859859859859859859859859859
8598598598598598598598598598598598598598598598598598598598598598598598598
5985985985985985985985985985985985985985985985985985985985985985985985985
9859859859859859859859859859859859859859859859859859859859859859859859859
8598598598598598598598598598598598598598598598598598598598598598598598598
5985985985985985985985985985985985985985985985985985985985985985985985985
9859859859859859859859859859859859859859859859859859859859859859859859859
8598598598598598598598598598598598598598598598598598598598598598598598598
5985985985985985985985985985985985985985985985985985985985985985985985985
9859859859859859859859859859859859859859859859859859859859859859859859859
8598598598598598598598598598598598598598598598598598598598598598598598598
5985985985985985985985985985985985985985985985985985985985985985985985985
9859859859859859859859859859859859859859859859859859859859859859859859859
8598598598598598598598598598598598598598598598598598598598598598598598598
5985985985985985985985985985985985985985985985985985985985985985985985985
9859859859859859859859859859859859859859859859859859859859859859859859859
8598598598598598598598598598598598598598598598598598598598598598598598598
5985985985985985985985985985985985985985985985985985985985985985985985985
9859859859859859859859859859859859859859859859859859859859859859859859859
8598598598598598598598598598598598598598598598598598598598598598598598598
5985985985985985985985985985985985985985985985985985985985985985985985985
9859859859859859859859859859859859859859859859859859859859859859859859859
8598598598598598598598598598598598598598598598598598598598598598598598598
5985985985985985985985985985985985985985985985985985985985985985985985985
9859859859859859859859859859859859859859859859859859859859859859859859859
8598598598598598598598598598598598598598598598598598598598598598598598598
5985985985985985985985985985985985985985985985985985985985985985985985985
9859859859859859859859859859859859859859859859859859859859859859859859859
8598598598598598598598598598598598598598598598598598598598598598598598598
5985985985985985985985985985985985985985985985985985985985985985985985985
9859859859859859859859859859859859859859859859859859859859859859859859859
8598598598598598598598598598598598598598598598598598598598598598598598598
5985985985985985985985985985985985985985985985985985985985985985985985985
9859859859859859859859859859859859859859859859859859859859859859859859859
8598598598598598598598598598598598598598598598598598598598598598598598598
5985985985985985985985985985985985985985985985985985985985985985985985985
9859859859859859859859859859859859859859859859859859859859859859859859859
8598598598598598598598598598598598598598598598598598598598598598598598598
5985985985985985985985985985985985985985985985985985985985985985985985985
9859859859859859859859859859859859859859859859859859859859859859859859859
8598598598598598598598598598598598598598598598598598598598598598598598598
5985985985985985985985985985985985985985985985985985985985985985985985985
9859859859859859859859859859859859859859859859859859859859859859859859859
8598598598598598598598598598598598598598598598598598598598598598598598598
5985985985985985985985985985985985985985985985985985985985985985985985985
9859859859859859859859859859859859859859859859859859859859859859859859859
8598598598598598598598598598598598598598598598598598598598598598598598598
5995995995995995995995995995995995995995995995995995995995995995995995995
9959959959959959959959959959959959959959959959959959959959959959959959959
9599599599599599599599599599599599599599599599599599599599599599599599599
5995995995995995995995995995995995995995995995995995995995995995995995995
9959959959959959959959959959959959959959959959959959959959959959959959959
9599599599599599599599599599599599599599599599599599599599599599599599599
5995995995995995995995995995995995995995995995995995995995995995995995995
9959959959959959959959959959959959959959959959959959959959959959959959959
9599599599599599599599599599599599599599599599599599599599599599599599599
5995995995995995995995995995995995995995995995995995995995995995995995995
9959959959959959959959959959959959959959959959959959959959959959959959959
9599599599599599599599599599599599599599599599599599599599599599599599599
5995995995995995995995995995995995995995995995995995995995995995995995995
9959959959959959959959959959959959959959959959959959959959959959959959959
9599599599599599599599599599599599599599599599599599599599599599599599599
5995995995995995995995995995995995995995995995995995995995995995995995995
9959959959959959959959959959959959959959959959959959959959959959959959959
9599599599599599599599599599599599599599599599599599599599599599599599599
5995995995995995995995995995995995995995995995995995995995995995995995995
9959959959959959959959959959959959959959959959959959959959959959959959959
9599599599599599599599599599599599599599599599599599599599599599599599599
5995995995995995995995995995995995995995995995995995995995995995995995995
9959959959959959959959959959959959959959959959959959959959959959959959959
9599599599599599599599599599599599599599599599599599599599599599599599599
5995995995995995995995995995995995995995995995995995995995995995995995995
9959959959959959959959959959959959959959959959959959959959959959959959959
9599599599599599599599599599599599599599599599599599599599599599599599599
5995995995995995995995995995995995995995995995995995995995995995995995995
9959959959959959959959959959959959959959959959959959959959959959959959959
9599599599599599599599599599599599599599599599599599599599599599599599599
5995995995995995995995995995995995995995995995995995995995995995995995995
9959959959959959959959959959959959959959959959959959959959959959959959959
9599599599599599599599599599599599599599599599599599599599599599599599599
5995995995995995995995995995995995995995995995995995995995995995995995995
9959959959959959959959959959959959959959959959959959959959959959959959959
9599599599599599599599599599599599599599599599599599599599599599599599599
5995995995995995995995995995995995995995995995995995995995995995995995995
9959959959959959959959959959959959959959959959959959959959959959959959959
9599599599599599599599599599599599599599599599599599599599599599599599599
5995995995995995995995995995995995995995995995995995995995995995995995995
9959959959959959959959959959959959959959959959959959959959959959959959959
9599599599599599599599599599599599599599599599599599599599599599599599599
5995995995995995995995995995995995995995995995995995995995995995995995995
9959959959959959959959959959959959959959959959959959959959959959959959959
9599599599599599599599599599599599599599599599599599599599599599599599599
5995995995995995995995995995995995995995995995995995995995995995995995995
9959959959959959959959959959959959959959959959959959959959959959959959959
9599599599599599599599599599599599599599599599599599599599599599599599599
5995995995995995995995995995995995995995995995995995995995995995995995995
9959959959959959959959959959959959959959959959959959959959959959959959959
9599599599599599599599599599599599599599599599599599599599599599599599599
5995995995995995995995995995995995995995995995995995995995995995995995995
9959959959959959959959959959959959959959959959959959959959959959959959959
9599599599599599599599599599599599599599599599599599599599599599599599599
6006006006006006006006006006006006006006006006006006006006006006006006006
0060060060060060060060060060060060060060060060060060060060060060060060060
0600600600600600600600600600600600600600600600600600600600600600600600600
6006006006006006006006006006006006006006006006006006006006006006006006006
0060060060060060060060060060060060060060060060060060060060060060060060060
0600600600600600600600600600600600600600600600600600600600600600600600600
6006006006006006006006006006006006006006006006006006006006006006006006006
0060060060060060060060060060060060060060060060060060060060060060060060060
0600600600600600600600600600600600600600600600600600600600600600600600600
6006006006006006006006006006006006006006006006006006006006006006006006006
0060060060060060060060060060060060060060060060060060060060060060060060060
0600600600600600600600600600600600600600600600600600600600600600600600600
6006006006006006006006006006006006006006006006006006006006006006006006006
0060060060060060060060060060060060060060060060060060060060060060060060060
0600600600600600600600600600600600600600600600600600600600600600600600600
6006006006006006006006006006006006006006006006006006006006006006006006006
0060060060060060060060060060060060060060060060060060060060060060060060060
0600600600600600600600600600600600600600600600600600600600600600600600600
6006006006006006006006006006006006006006006006006006006006006006006006006
0060060060060060060060060060060060060060060060060060060060060060060060060
0600600600600600600600600600600600600600600600600600600600600600600600600
6006006006006006006006006006006006006006006006006006006006006006006006006
0060060060060060060060060060060060060060060060060060060060060060060060060
0600600600600600600600600600600600600600600600600600600600600600600600600
6006006006006006006006006006006006006006006006006006006006006006006006006
0060060060060060060060060060060060060060060060060060060060060060060060060
0600600600600600600600600600600600600600600600600600600600600600600600600
6006006006006006006006006006006006006006006006006006006006006006006006006
0060060060060060060060060060060060060060060060060060060060060060060060060
0600600600600600600600600600600600600600600600600600600600600600600600600
6006006006006006006006006006006006006006006006006006006006006006006006006
0060060060060060060060060060060060060060060060060060060060060060060060060
0600600600600600600600600600600600600600600600600600600600600600600600600
6006006006006006006006006006006006006006006006006006006006006006006006006
0060060060060060060060060060060060060060060060060060060060060060060060060
0600600600600600600600600600600600600600600600600600600600600600600600600
6006006006006006006006006006006006006006006006006006006006006006006006006
0060060060060060060060060060060060060060060060060060060060060060060060060
0600600600600600600600600600600600600600600600600600600600600600600600600
6006006006006006006006006006006006006006006006006006006006006006006006006
0060060060060060060060060060060060060060060060060060060060060060060060060
0600600600600600600600600600600600600600600600600600600600600600600600600
6006006006006006006006006006006006006006006006006006006006006006006006006
0060060060060060060060060060060060060060060060060060060060060060060060060
0600600600600600600600600600600600600600600600600600600600600600600600600
6006006006006006006006006006006006006006006006006006006006006006006006006
0060060060060060060060060060060060060060060060060060060060060060060060060
0600600600600600600600600600600600600600600600600600600600600600600600600
6006006006006006006006006006006006006006006006006006006006006006006006006
0060060060060060060060060060060060060060060060060060060060060060060060060
0600600600600600600600600600600600600600600600600600600600600600600600600
6006006006006006006006006006006006006006006006006006006006006006006006006
0060060060060060060060060060060060060060060060060060060060060060060060060
0600600600600600600600600600600600600600600600600600600600600600600600600
6016016016016016016016016016016016016016016016016016016016016016016016016
0160160160160160160160160160160160160160160160160160160160160160160160160
1601601601601601601601601601601601601601601601601601601601601601601601601
6016016016016016016016016016016016016016016016016016016016016016016016016
0160160160160160160160160160160160160160160160160160160160160160160160160
1601601601601601601601601601601601601601601601601601601601601601601601601
6016016016016016016016016016016016016016016016016016016016016016016016016
0160160160160160160160160160160160160160160160160160160160160160160160160
1601601601601601601601601601601601601601601601601601601601601601601601601
6016016016016016016016016016016016016016016016016016016016016016016016016
0160160160160160160160160160160160160160160160160160160160160160160160160
1601601601601601601601601601601601601601601601601601601601601601601601601
6016016016016016016016016016016016016016016016016016016016016016016016016
0160160160160160160160160160160160160160160160160160160160160160160160160
1601601601601601601601601601601601601601601601601601601601601601601601601
6016016016016016016016016016016016016016016016016016016016016016016016016
0160160160160160160160160160160160160160160160160160160160160160160160160
1601601601601601601601601601601601601601601601601601601601601601601601601
6016016016016016016016016016016016016016016016016016016016016016016016016
0160160160160160160160160160160160160160160160160160160160160160160160160
1601601601601601601601601601601601601601601601601601601601601601601601601
6016016016016016016016016016016016016016016016016016016016016016016016016
0160160160160160160160160160160160160160160160160160160160160160160160160
1601601601601601601601601601601601601601601601601601601601601601601601601
6016016016016016016016016016016016016016016016016016016016016016016016016
0160160160160160160160160160160160160160160160160160160160160160160160160
1601601601601601601601601601601601601601601601601601601601601601601601601
6016016016016016016016016016016016016016016016016016016016016016016016016
0160160160160160160160160160160160160160160160160160160160160160160160160
1601601601601601601601601601601601601601601601601601601601601601601601601
6016016016016016016016016016016016016016016016016016016016016016016016016
0160160160160160160160160160160160160160160160160160160160160160160160160
1601601601601601601601601601601601601601601601601601601601601601601601601
6016016016016016016016016016016016016016016016016016016016016016016016016
0160160160160160160160160160160160160160160160160160160160160160160160160
1601601601601601601601601601601601601601601601601601601601601601601601601
6016016016016016016016016016016016016016016016016016016016016016016016016
0160160160160160160160160160160160160160160160160160160160160160160160160
1601601601601601601601601601601601601601601601601601601601601601601601601
6016016016016016016016016016016016016016016016016016016016016016016016016
0160160160160160160160160160160160160160160160160160160160160160160160160
1601601601601601601601601601601601601601601601601601601601601601601601601
6016016016016016016016016016016016016016016016016016016016016016016016016
0160160160160160160160160160160160160160160160160160160160160160160160160
1601601601601601601601601601601601601601601601601601601601601601601601601
6016016016016016016016016016016016016016016016016016016016016016016016016
0160160160160160160160160160160160160160160160160160160160160160160160160
1601601601601601601601601601601601601601601601601601601601601601601601601
6016016016016016016016016016016016016016016016016016016016016016016016016
0160160160160160160160160160160160160160160160160160160160160160160160160
1601601601601601601601601601601601601601601601601601601601601601601601601
6016016016016016016016016016016016016016016016016016016016016016016016016
0160160160160160160160160160160160160160160160160160160160160160160160160
1601601601601601601601601601601601601601601601601601601601601601601601601
6026026026026026026026026026026026026026026026026026026026026026026026026
0260260260260260260260260260260260260260260260260260260260260260260260260
2602602602602602602602602602602602602602602602602602602602602602602602602
6026026026026026026026026026026026026026026026026026026026026026026026026
0260260260260260260260260260260260260260260260260260260260260260260260260
2602602602602602602602602602602602602602602602602602602602602602602602602
6026026026026026026026026026026026026026026026026026026026026026026026026
0260260260260260260260260260260260260260260260260260260260260260260260260
2602602602602602602602602602602602602602602602602602602602602602602602602
6026026026026026026026026026026026026026026026026026026026026026026026026
0260260260260260260260260260260260260260260260260260260260260260260260260
2602602602602602602602602602602602602602602602602602602602602602602602602
6026026026026026026026026026026026026026026026026026026026026026026026026
0260260260260260260260260260260260260260260260260260260260260260260260260
2602602602602602602602602602602602602602602602602602602602602602602602602
6026026026026026026026026026026026026026026026026026026026026026026026026
0260260260260260260260260260260260260260260260260260260260260260260260260
2602602602602602602602602602602602602602602602602602602602602602602602602
6026026026026026026026026026026026026026026026026026026026026026026026026
0260260260260260260260260260260260260260260260260260260260260260260260260
2602602602602602602602602602602602602602602602602602602602602602602602602
6026026026026026026026026026026026026026026026026026026026026026026026026
0260260260260260260260260260260260260260260260260260260260260260260260260
2602602602602602602602602602602602602602602602602602602602602602602602602
6026026026026026026026026026026026026026026026026026026026026026026026026
0260260260260260260260260260260260260260260260260260260260260260260260260
2602602602602602602602602602602602602602602602602602602602602602602602602
6026026026026026026026026026026026026026026026026026026026026026026026026
0260260260260260260260260260260260260260260260260260260260260260260260260
2602602602602602602602602602602602602602602602602602602602602602602602602
6026026026026026026026026026026026026026026026026026026026026026026026026
0260260260260260260260260260260260260260260260260260260260260260260260260
2602602602602602602602602602602602602602602602602602602602602602602602602
6026026026026026026026026026026026026026026026026026026026026026026026026
0260260260260260260260260260260260260260260260260260260260260260260260260
2602602602602602602602602602602602602602602602602602602602602602602602602
6026026026026026026026026026026026026026026026026026026026026026026026026
0260260260260260260260260260260260260260260260260260260260260260260260260
2602602602602602602602602602602602602602602602602602602602602602602602602
6026026026026026026026026026026026026026026026026026026026026026026026026
0260260260260260260260260260260260260260260260260260260260260260260260260
2602602602602602602602602602602602602602602602602602602602602602602602602
602602602602602602602602602602602602602602602602602