
communityrules/

1111111111111111111111111111111111111111111111111111111111111111111111111
111111111110000755100022721000227210000000000011251736640410145121
5
1111111111111111111111111111111111111111111111111111111111111111111111111
111111111111111111111111111ustar
1vrtbuild111111111111111111111111vrtbuild11111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111communityrules/community.rules
1111111111111111111111111111111111111111111111111111111111111111111110000
644100022721000227210000524347411251736640310176341
0
1111111111111111111111111111111111111111111111111111111111111111111111111
111111111111111111111111111ustar
1vrtbuild111111111111111111111111vrtbuild11111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111111111111111111111111111111111111111111111111111
# Copyright 2001-2015 Sourcefire, Inc. All Rights Reserved.
#
# This file contains rules that were created by Sourcefire, Inc. and other third parties
# (the "GPL Rules") that are distributed under the GNU General Public License (GPL),
# v2. The GPL Rules created by Sourcefire are owned by Sourcefire, Inc., and the GPL
# Rules not created by Sourcefire are owned by their respective owners. Please see
# the AUTHORS file included in the community package for a list of third party owners and their
# respective copyrights.
#
# This file does not contain any Sourcefire VRT Certified Rules; the VRT Certified
# Rules are distributed by Sourcefire separately under the VRT Certified Rules License
# Agreement (v 2.0)
#
#----------------
# COMMUNITY RULES
#----------------
# NOTE: every rule in this file is shipped commented out (leading "# "); a rule is only loaded once that prefix is removed.
# alert tcp $HOME_NET 2589 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Dagger_1.4.0"; flow:to_client,established; content:"2|00 00 00 06 00 00 00|Drives|24 00|"; depth:16; metadata:ruleset community; classtype:misc-activity; sid:105; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7597 (msg:"MALWARE-BACKDOOR
QAZ Worm Client Login access"; flow:to_server,established;
content:"qazwsx.hsq"; metadata:ruleset community; reference:mcafee,98775;
classtype:misc-activity; sid:108; rev:11;)

# alert tcp $EXTERNAL_NET any -> $HOME_NET 12345:12346 (msg:"MALWARE-BACKDOOR netbus getinfo"; flow:to_server,established; content:"GetInfo|0D|"; metadata:ruleset community; classtype:trojan-activity; sid:110; rev:10;)
# alert tcp $HOME_NET 20034 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR
NetBus Pro 2.0 connection established"; flow:to_client,established;
flowbits:isset,backdoor.netbus_2.connect; content:"BN|10 00 02 00|";
depth:6; content:"|05 00|"; depth:2; offset:8; metadata:ruleset
community; classtype:trojan-activity; sid:115; rev:15;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Infector.1.x"; flow:established,to_client; content:"WHATISIT"; metadata:ruleset community; reference:nessus,11157; classtype:misc-activity; sid:117; rev:16;)
# alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR
SatansBackdoor.2.0.Beta"; flow:to_client,established; content:"Remote|3A|
"; depth:11; nocase; content:"You are connected to me.|0D 0A|Remote|3A|
Ready for commands"; distance:0; nocase; metadata:ruleset community;
reference:url,www.megasecurity.org/trojans/s/satanzbackdoor/SBD2.0b.html;
reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=5260;
classtype:trojan-activity; sid:118; rev:12;)
# alert tcp $HOME_NET 6789 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR
Doly 2.0 access"; flow:established,to_client; content:"Wtzup Use";
depth:32; metadata:ruleset community; classtype:misc-activity; sid:119;
rev:11;)
# alert tcp $EXTERNAL_NET 1000:1300 -> $HOME_NET 146 (msg:"MALWARE-BACKDOOR Infector 1.6 Client to Server Connection Request"; flow:to_server,established; content:"FC "; metadata:ruleset community; reference:nessus,11157; classtype:misc-activity; sid:121; rev:14;)
# alert tcp $HOME_NET 31785 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR
HackAttack 1.20 Connect"; flow:established,to_client; content:"host";
metadata:ruleset community; classtype:misc-activity; sid:141; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP ADMw0rm
ftp login attempt"; flow:to_server,established; content:"USER"; nocase;
content:"w0rm"; distance:1; nocase; pcre:"/^USER\s+w0rm/smi";
metadata:ruleset community, service ftp; classtype:suspicious-login;
sid:144; rev:16;)
# alert tcp $HOME_NET 30100:30102 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR NetSphere access"; flow:established,to_client; content:"NetSphere"; metadata:ruleset community; classtype:trojan-activity; sid:146; rev:13;)
# alert tcp $HOME_NET 6969 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR
GateCrasher"; flow:established,to_client; content:"GateCrasher";
depth:11; nocase; content:"Server"; distance:0; nocase; content:"OnLine..."; distance:0; nocase;
pcre:"/^GateCrasher\s+v\d+\x2E\d+\x2C\s+Server\s+OnLine\x2E\x2E\x2E/smi"; metadata:ruleset community;
reference:url,www.spywareguide.com/product_show.php?id=973;
classtype:trojan-activity; sid:147; rev:11;)
# alert tcp $HOME_NET 5401:5402 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR BackConstruction 2.1 Connection"; flow:established,to_client; content:"c|3A 5C|"; metadata:ruleset community; classtype:misc-activity; sid:152; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 666 (msg:"MALWARE-BACKDOOR BackConstruction 2.1 Client FTP Open Request"; flow:to_server,established; content:"FTPON"; metadata:ruleset community; classtype:misc-activity; sid:157; rev:9;)
# alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR BackConstruction 2.1 Server FTP Open Reply"; flow:to_client,established; content:"FTP Port open"; metadata:ruleset community; classtype:misc-activity; sid:158; rev:10;)
# alert udp $EXTERNAL_NET 3344 -> $HOME_NET 3345 (msg:"MALWARE-BACKDOOR
Matrix 2.0 Client connect"; flow:to_server; content:"activate";
metadata:ruleset community; classtype:misc-activity; sid:161; rev:10;)
# alert udp $EXTERNAL_NET 3345 -> $HOME_NET 3344 (msg:"MALWARE-BACKDOOR
Matrix 2.0 Server access"; flow:to_server; content:"logged in";
metadata:ruleset community; classtype:misc-activity; sid:162; rev:10;)
# alert tcp $HOME_NET 5714 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR
WinCrash 1.0 Server Active"; flow:stateless; flags:SA,12; content:"|B4
B4|"; metadata:ruleset community; classtype:misc-activity; sid:163;
rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"MALWARE-BACKDOOR
CDK"; flow:to_server,established; content:"ypi0ca"; depth:15; nocase;
metadata:ruleset community; classtype:misc-activity; sid:185; rev:10;)
# alert udp $HOME_NET 2140 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR
DeepThroat 3.1 Server Response"; flow:to_client; content:"Ahhhh My Mouth
Is Open"; metadata:ruleset community; reference:mcafee,98574;
reference:nessus,10053; classtype:trojan-activity; sid:195; rev:14;)
# alert tcp $HOME_NET 555 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR
PhaseZero Server Active on Network"; flow:established,to_client;
content:"phAse zero server"; depth:17; nocase; metadata:ruleset
community;
reference:url,www.megasecurity.org/trojans/p/phasezero/PhaseZero1.0b.html
; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=4539;
classtype:trojan-activity; sid:208; rev:12;)
# NOTE: sid 209-220 below match a bare keyword anywhere in the telnet client stream with no depth/offset, so an ordinary session that contains e.g. "friday" or "backdoor" also fires; review the false-positive rate before enabling.
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR w00w00 attempt"; flow:to_server,established; content:"w00w00"; metadata:ruleset community; classtype:attempted-admin; sid:209; rev:9;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR attempt"; flow:to_server,established; content:"backdoor"; nocase; metadata:ruleset community; classtype:attempted-admin; sid:210; rev:7;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC r00t attempt"; flow:to_server,established; content:"r00t"; metadata:ruleset community; classtype:attempted-admin; sid:211; rev:7;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC rewt attempt"; flow:to_server,established; content:"rewt"; metadata:ruleset community; classtype:attempted-admin; sid:212; rev:7;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC Linux rootkit attempt"; flow:to_server,established; content:"wh00t!"; metadata:ruleset community; classtype:attempted-admin; sid:213; rev:8;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC Linux rootkit attempt lrkr0x"; flow:to_server,established; content:"lrkr0x"; metadata:ruleset community; classtype:attempted-admin; sid:214; rev:8;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC Linux rootkit attempt"; flow:to_server,established; content:"d13hh["; nocase; metadata:ruleset community; classtype:attempted-admin; sid:215; rev:8;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC Linux rootkit satori attempt"; flow:to_server,established; content:"satori"; metadata:ruleset community; classtype:attempted-admin; sid:216; rev:11;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC sm4ck attempt"; flow:to_server,established; content:"hax0r"; metadata:ruleset community; classtype:attempted-admin; sid:217; rev:7;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC Solaris 2.5 attempt"; flow:to_server,established; content:"friday"; metadata:ruleset community; classtype:attempted-user; sid:218; rev:8;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR HidePak backdoor attempt"; flow:to_server,established; content:"StoogR"; metadata:ruleset community; classtype:misc-activity; sid:219; rev:10;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR HideSource backdoor attempt"; flow:to_server,established; content:"wank"; metadata:ruleset community; classtype:misc-activity; sid:220; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP TFN Probe"; icmp_id:678; itype:8; content:"1234"; fast_pattern:only; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:221; rev:12;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP tfn2k
icmp possible communication"; icmp_id:0; itype:0; content:"AAAAAAAAAA";
fast_pattern:only; metadata:ruleset community; reference:cve,2000-0138;
classtype:attempted-dos; sid:222; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [31335,35555] (msg:"MALWARE-OTHER Trin00 Daemon to Master PONG message detected"; flow:to_server; content:"PONG"; fast_pattern:only; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:223; rev:13;)
# alert icmp 3.3.3.3/32 any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP
Stacheldraht server spoof"; icmp_id:666; itype:0; metadata:ruleset
community; reference:cve,2000-0138; classtype:attempted-dos; sid:224;
rev:10;)
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP
Stacheldraht gag server response"; icmp_id:669; itype:0;
content:"sicken"; metadata:ruleset community; reference:cve,2000-0138;
classtype:attempted-dos; sid:225; rev:13;)
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Stacheldraht server response"; icmp_id:667; itype:0; content:"ficken"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:226; rev:13;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Stacheldraht client spoofworks"; icmp_id:1000; itype:0; content:"spoofworks"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:227; rev:13;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP TFN client command BE"; icmp_id:456; icmp_seq:0; itype:0; pcre:"/^[0-9]{1,5}\x00/"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:228; rev:11;)

# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Stacheldraht client check skillz"; icmp_id:666; itype:0; content:"skillz"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:229; rev:12;)
# alert tcp $HOME_NET 20432 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER
shaft client login to handler"; flow:to_client,established;
content:"login|3A|"; fast_pattern:only; metadata:ruleset community;
reference:cve,2000-0138;
reference:url,security.royans.net/info/posts/bugtraq_ddos3.shtml;
classtype:attempted-dos; sid:230; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"MALWARE-OTHER
Trin00 Daemon to Master message detected"; flow:to_server; content:"l44";
fast_pattern:only; metadata:ruleset community; reference:cve,2000-0138;
classtype:attempted-dos; sid:231; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"MALWARE-OTHER
Trin00 Daemon to Master *HELLO* message detected"; flow:to_server;
content:"*HELLO*"; metadata:ruleset community; reference:cve,2000-0138;
reference:url,www.sans.org/newlook/resources/IDFAQ/trinoo.htm;
classtype:attempted-dos; sid:232; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"MALWARE-OTHER
Trin00 Attacker to Master default startup password";
flow:established,to_server; content:"betaalmostdone"; metadata:ruleset
community; reference:cve,2000-0138; classtype:attempted-dos; sid:233;
rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"MALWARE-OTHER
Trin00 Attacker to Master default password"; flow:established,to_server;
content:"gOrave"; metadata:ruleset community; reference:cve,2000-0138;
classtype:attempted-dos; sid:234; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"MALWARE-OTHER
Trin00 Attacker to Master default mdie password";
flow:established,to_server; content:"killme"; metadata:ruleset community;
reference:cve,2000-0138; classtype:attempted-dos; sid:235; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Stacheldraht client check gag"; icmp_id:668; itype:0; content:"gesundheit!"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:236; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 27444 (msg:"MALWARE-OTHER
Trin00 Master to Daemon default password attempt"; flow:to_server;
content:"l44adsl"; metadata:ruleset community; reference:cve,2000-0138;
classtype:attempted-dos; sid:237; rev:10;)
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP TFN server response"; icmp_id:123; itype:0; content:"shell bound"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:238; rev:14;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 18753 (msg:"MALWARE-OTHER shaft handler to agent"; flow:to_server; content:"alive tijgu"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:239; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 20433 (msg:"MALWARE-OTHER shaft agent to handler"; flow:to_server; content:"alive"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:240; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 6838 (msg:"MALWARE-OTHER mstream agent to handler"; flow:to_server; content:"newserver"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:243; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"MALWARE-OTHER mstream handler to agent"; flow:to_server; content:"stream/"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:244; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"MALWARE-OTHER mstream handler ping to agent"; flow:to_server; content:"ping"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:245; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"MALWARE-OTHER mstream agent pong to handler"; flow:to_server; content:"pong"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:246; rev:8;)
# NOTE: sid 247/248/250 match a single ">" byte with no depth; the port number is the only real discriminator, so any other traffic on 12754/15104 will also fire.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12754 (msg:"MALWARE-OTHER mstream client to handler"; flow:to_server,established; content:">"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:247; rev:8;)
# alert tcp $HOME_NET 12754 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER mstream handler to client"; flow:to_client,established; content:">"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:248; rev:8;)
# alert tcp $HOME_NET 15104 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER mstream handler to client"; flow:to_client,established; content:">"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:250; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP - TFN client command LE"; icmp_id:51201; icmp_seq:0; itype:0; pcre:"/^[0-9]{1,5}\x00/"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:251; rev:11;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS SPOOF
query response PTR with TTL of 1 min. and no authority"; flow:to_client;
content:"|85 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 0C 00 01 00
00 00|<|00 0F|"; fast_pattern:only; metadata:ruleset community, service
dns; classtype:bad-unknown; sid:253; rev:14;)
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS SPOOF
query response with TTL of 1 min. and no authority"; flow:to_client;
content:"|81 80|"; depth:4; offset:2; fast_pattern;
byte_test:2,>,0,0,relative,big; byte_test:2,>,0,2,relative,big;
content:"|00 00 00 00|"; within:4; distance:4; content:"|C0 0C 00 01 00
01|"; distance:0; byte_test:4,<,61,0,relative,big;
byte_test:4,>,0,0,relative,big; metadata:ruleset community, service dns;
classtype:bad-unknown; sid:254; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS dns zone
transfer via TCP detected"; flow:to_server,established; content:"|00 01
00 00 00 00 00|"; depth:8; offset:6; byte_test:1,!&,0xF8,4; content:"|00
00 FC 00 01|"; fast_pattern; isdataat:!1,relative; metadata:ruleset
community, service dns; reference:cve,1999-0532; reference:nessus,10595;
classtype:attempted-recon; sid:255; rev:23;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS named authors attempt"; flow:to_server; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; metadata:ruleset community, service dns; reference:nessus,10728; classtype:attempted-recon; sid:256; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS named version attempt"; flow:to_server,established; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; metadata:ruleset community, service dns; reference:nessus,10028; classtype:attempted-recon; sid:257; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SERVER-OTHER Bind
Buffer Overflow via NXT records"; flow:to_server,established;
content:"../../../"; fast_pattern:only; metadata:ruleset community,
service dns; reference:bugtraq,788; reference:cve,1999-0833;
classtype:attempted-admin; sid:258; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SERVER-OTHER Bind
Buffer Overflow via NXT records named overflow ADM";
flow:to_server,established;
content:"thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebuta
nywaywhocareshorizongotitworkingsoalliscool"; fast_pattern:only;
metadata:ruleset community, service dns; reference:bugtraq,788;
reference:cve,1999-0833; classtype:attempted-admin; sid:259; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SERVER-OTHER Bind
Buffer Overflow via NXT records named overflow ADMROCKS";
flow:to_server,established; content:"ADMROCKS"; metadata:ruleset
community, service dns; reference:bugtraq,788; reference:cve,1999-0833;
reference:url,www.cert.org/advisories/CA-1999-14.html;
classtype:attempted-admin; sid:260; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SERVER-OTHER Bind
named overflow attempt"; flow:to_server,established; content:"|CD 80 E8
D7 FF FF FF|/bin/sh"; fast_pattern:only; metadata:ruleset community,
service dns; reference:url,www.cert.org/advisories/CA-1998-05.html;
classtype:attempted-admin; sid:261; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OS-LINUX OS-LINUX x86
Linux overflow attempt"; flow:to_server,established; content:"1|C0 B0|?1|
DB B3 FF|1|C9 CD 80|1|C0|"; fast_pattern:only; metadata:ruleset
community, service dns; classtype:attempted-admin; sid:262; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OS-LINUX OS-LINUX x86
Linux overflow attempt"; flow:to_server,established; content:"1|C0 B0 02
CD 80 85 C0|uL|EB|L^|B0|"; metadata:ruleset community, service dns;
classtype:attempted-admin; sid:264; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OS-LINUX OS-LINUX x86
Linux overflow attempt ADMv2"; flow:to_server,established; content:"|89
F7 29 C7 89 F3 89 F9 89 F2 AC|<|FE|"; fast_pattern:only; metadata:ruleset
community, service dns; classtype:attempted-admin; sid:265; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OS-OTHER OS-OTHER x86
FreeBSD overflow attempt"; flow:to_server,established; content:"|EB|n^|C6
06 9A|1|C9 89|N|01 C6|F|05|"; metadata:ruleset community, service dns;
classtype:attempted-admin; sid:266; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OS-SOLARIS EXPLOIT
sparc overflow attempt"; flow:to_server,established; content:"|90 1A C0
0F 90 02| |08 92 02| |0F D0 23 BF F8|"; fast_pattern:only;
metadata:ruleset community, service dns; classtype:attempted-admin;
sid:267; rev:13;)
# alert udp any 19 <> any 7 (msg:"SERVER-OTHER UDP echo+chargen bomb";
flow:to_server; metadata:ruleset community; reference:cve,1999-0103;
reference:cve,1999-0635; classtype:attempted-dos; sid:271; rev:11;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-WINDOWS Microsoft WIndows IGMP dos attack"; fragbits:M+; ip_proto:2; metadata:ruleset community; reference:bugtraq,514; reference:cve,1999-0918; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-034; classtype:attempted-dos; sid:272; rev:16;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP ath";
itype:8; content:"+++ath"; fast_pattern:only; metadata:ruleset community;
reference:cve,1999-1228; classtype:attempted-dos; sid:274; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"SERVER-OTHER
RealNetworks Audio Server denial of service attempt";
flow:to_server,established; content:"|FF F4 FF FD 06|";
fast_pattern:only; metadata:ruleset community; reference:cve,1999-0271;
reference:nessus,10183; classtype:attempted-dos; sid:276; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"SERVER-OTHER
RealNetworks Server template.html"; flow:to_server,established;
content:"/viewsource/template.html?"; fast_pattern:only; metadata:ruleset
community; reference:bugtraq,1288; reference:cve,2000-0474;
reference:nessus,10461; classtype:attempted-dos; sid:277; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-OTHER
RealNetworks Server template.html"; flow:to_server,established;
content:"/viewsource/template.html?"; fast_pattern:only; metadata:ruleset
community; reference:bugtraq,1288; reference:cve,2000-0474;
classtype:attempted-dos; sid:278; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SERVER-OTHER
Bay/Nortel Nautica Marlin"; flow:to_server; dsize:0; metadata:ruleset
community; reference:bugtraq,1009; reference:cve,2000-0221;
classtype:attempted-dos; sid:279; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 9 (msg:"SERVER-OTHER Ascend Route"; flow:to_server; content:"NAMENAME"; depth:50; offset:25; metadata:ruleset community; reference:bugtraq,714; reference:cve,1999-0060; classtype:attempted-dos; sid:281; rev:12;)
# alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"BROWSER-OTHER
Netscape 4.7 client overflow"; flow:to_client,established; content:"3|C9
B1 10|?|E9 06|Q<|FA|G3|C0|P|F7 D0|P"; metadata:ruleset community;
reference:bugtraq,822; reference:cve,1999-1189; reference:cve,2000-1187;
classtype:attempted-user; sid:283; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP EXPLOIT
x86 BSD overflow"; flow:to_server,established; content:"^|0E|1|C0 B0 3B
8D|~|0E 89 FA 89 F9|"; fast_pattern:only; metadata:ruleset community,
service pop3; reference:bugtraq,133; reference:cve,1999-0006;
reference:nessus,10196; classtype:attempted-admin; sid:286; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP EXPLOIT
x86 BSD overflow"; flow:to_server,established; content:"h]^|FF D5 FF D4
FF F5 8B F5 90|f1"; fast_pattern:only; metadata:ruleset community,
service pop3; classtype:attempted-admin; sid:287; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP EXPLOIT
x86 Linux overflow"; flow:to_server,established; content:"|D8|@|CD 80 E8
D9 FF FF FF|/bin/sh"; fast_pattern:only; metadata:ruleset community,
service pop3; classtype:attempted-admin; sid:288; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP EXPLOIT
x86 SCO overflow"; flow:to_server,established; content:"V|0E|1|C0 B0 3B
8D|~|12 89 F9 89 F9|"; fast_pattern:only; metadata:ruleset community,
service pop3; reference:bugtraq,133; reference:bugtraq,156;
reference:cve,1999-0006; classtype:attempted-admin; sid:289; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP EXPLOIT qpopper overflow"; flow:to_server,established; content:"|E8 D9 FF FF FF|/bin/sh"; fast_pattern:only; metadata:ruleset community, service pop3; reference:bugtraq,830; reference:cve,1999-0822; reference:nessus,10184; classtype:attempted-admin; sid:290; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-LINUX x86 Linux
samba overflow"; flow:to_server,established; content:"|EB|/_|EB|J^|89 FB
89|>|89 F2|"; metadata:ruleset community; reference:bugtraq,1816;
reference:bugtraq,536; reference:cve,1999-0182; reference:cve,1999-0811;
classtype:attempted-admin; sid:292; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2766 (msg:"OS-SOLARIS Oracle Solaris npls x86 overflow"; flow:to_server,established; content:"|EB 23|^3|C0 88|F|FA 89|F|F5 89|6"; metadata:ruleset community; reference:bugtraq,2319; reference:cve,1999-1588; classtype:attempted-admin; sid:300; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"SERVER-OTHER LPRng overflow"; flow:to_server,established; content:"C|07 89|[|08 8D|K|08 89|C|0C B0 0B CD 80|1|C0 FE C0 CD 80 E8 94 FF FF FF|/bin/sh|0A|"; metadata:ruleset community; reference:bugtraq,1712; reference:cve,2000-0917; classtype:attempted-admin; sid:301; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"OS-LINUX Redhat 7.0
lprd overflow"; flow:to_server,established; content:"XXXX%.172u%300|24|
n"; metadata:ruleset community; reference:bugtraq,1712;
reference:cve,2000-0917; classtype:attempted-admin; sid:302; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SERVER-OTHER Bind
Buffer Overflow named tsig overflow attempt"; flow:to_server,established;
content:"|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01|
|02|a";
metadata:ruleset community, service dns; reference:bugtraq,2302; reference:cve,2001-0010; reference:nessus,10605; classtype:attempted-admin; sid:303; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6373 (msg:"SERVER-OTHER SCO
calserver overflow"; flow:to_server,established; content:"|EB 7F|]U|FE|M|
98 FE|M|9B|"; metadata:ruleset community; reference:bugtraq,2353;
reference:cve,2000-0306; classtype:attempted-admin; sid:304; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-OTHER delegate proxy overflow"; flow:to_server,established; isdataat:1000; content:"whois|3A|//"; nocase; metadata:ruleset community; reference:bugtraq,808; reference:cve,2000-0165; classtype:attempted-admin; sid:305; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"SERVER-OTHER
VQServer admin"; flow:to_server,established; content:"GET / HTTP/1.1";
nocase; metadata:ruleset community; reference:bugtraq,1610;
reference:cve,2000-0766; reference:nessus,10354;
reference:url,www.vqsoft.com/vq/server/docs/other/control.html;
classtype:attempted-admin; sid:306; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6666:7000 (msg:"SERVER-OTHER
CHAT IRC topic overflow"; flow:to_client,established; content:"|EB|K[S2|
E4 83 C3 0B|K|88 23 B8|Pw"; metadata:ruleset community;
reference:bugtraq,573; reference:cve,1999-0672; classtype:attempted-user;
sid:307; rev:12;)
# alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"SERVER-OTHER NextFTP
client overflow"; flow:to_client,established; content:"|B4| |B4|!|8B CC
83 E9 04 8B 19|3|C9|f|B9 10|"; metadata:ruleset community, service ftp;
reference:bugtraq,572; reference:cve,1999-0671; classtype:attempted-user;
sid:308; rev:14;)

# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL sniffit overflow"; flow:to_server,established; dsize:>512; flags:A+; content:"from|3A 90 90 90 90 90 90 90 90 90 90 90|"; nocase; metadata:ruleset community, service smtp; reference:bugtraq,1158; reference:cve,2000-0343; classtype:attempted-admin; sid:309; rev:16;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL x86
windows MailMax overflow"; flow:to_server,established; content:"|EB|E|EB|
[|FC|3|C9 B1 82 8B F3 80|+"; fast_pattern:only; metadata:ruleset
community, service smtp; reference:bugtraq,2312; reference:cve,1999-0404;
classtype:attempted-admin; sid:310; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BROWSER-OTHER
Netscape 4.7 unsucessful overflow"; flow:to_server,established;
content:"3|C9 B1 10|?|E9 06|Q<|FA|G3|C0|P|F7 D0|P"; metadata:ruleset
community; reference:bugtraq,822; reference:cve,1999-1189;
reference:cve,2000-1187; classtype:unsuccessful-user; sid:311; rev:15;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 518 (msg:"OS-LINUX ntalkd x86
Linux overflow"; flow:to_server; content:"|01 03 00 00 00 00 00 01 00 02
02 E8|"; fast_pattern:only; metadata:ruleset community;
reference:bugtraq,210; classtype:attempted-admin; sid:313; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SERVER-OTHER Bind
Buffer Overflow named tsig overflow attempt"; flow:to_server; content:"|
80 00 07 00 00 00 00 00 01|?|00 01 02|"; fast_pattern:only;
metadata:ruleset community, service dns; reference:bugtraq,2302;
reference:cve,2001-0010; classtype:attempted-admin; sid:314; rev:22;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"OS-LINUX x86 Linux
mountd overflow"; flow:to_server; content:"^|B0 02 89 06 FE C8 89|F|04 B0
06 89|F"; metadata:ruleset community; reference:bugtraq,121;
reference:cve,1999-0002; classtype:attempted-admin; sid:315; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"OS-LINUX x86 Linux
mountd overflow"; flow:to_server; content:"|EB|V^VVV1|D2 88|V|0B 88|V|
1E|"; metadata:ruleset community; reference:bugtraq,121;
reference:cve,1999-0002; classtype:attempted-admin; sid:316; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"OS-LINUX x86 Linux
mountd overflow"; flow:to_server; content:"|EB|@^1|C0|@|89|F|04 89 C3|@|
89 06|"; metadata:ruleset community; reference:bugtraq,121;
reference:cve,1999-0002; classtype:attempted-admin; sid:317; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER
cmd_rootsh backdoor attempt"; flow:to_server,established;
content:"cmd_rootsh"; metadata:ruleset community; reference:nessus,10070;
reference:url,www.sans.org/y2k/TFN_toolkit.htm;
reference:url,www.sans.org/y2k/fingerd.htm; classtype:attempted-admin;
sid:320; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER
account enumeration attempt"; flow:to_server,established; content:"a b c
d e f"; nocase; metadata:ruleset community; reference:nessus,10788;
classtype:attempted-recon; sid:321; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER search query"; flow:to_server,established; content:"search"; metadata:ruleset community; reference:cve,1999-0259; classtype:attempted-recon; sid:322; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER root
query"; flow:to_server,established; content:"root"; metadata:ruleset
community; classtype:attempted-recon; sid:323; rev:11;)

# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER null


request"; flow:to_server,established; content:"|00|"; metadata:ruleset
community; reference:cve,1999-0612; classtype:attempted-recon; sid:324;
rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER
remote command execution attempt"; flow:to_server,established; content:"|
3B|"; metadata:ruleset community; reference:bugtraq,974;
reference:cve,1999-0150; classtype:attempted-user; sid:326; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER
remote command pipe execution attempt"; flow:to_server,established;
content:"|7C|"; metadata:ruleset community; reference:bugtraq,2220;
reference:cve,1999-0152; classtype:attempted-user; sid:327; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER bomb
attempt"; flow:to_server,established; content:"@@"; metadata:ruleset
community; reference:cve,1999-0106; classtype:attempted-dos; sid:328;
rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER
redirection attempt"; flow:to_server,established; content:"@";
metadata:ruleset community; reference:cve,1999-0105;
reference:nessus,10073; classtype:attempted-recon; sid:330; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER
cybercop query"; flow:to_server,established; content:"|0A|
";
depth:10; metadata:ruleset community; reference:cve,1999-0612;
classtype:attempted-recon; sid:331; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER 0
query"; flow:to_server,established; content:"0"; metadata:ruleset
community; reference:cve,1999-0197; reference:nessus,10069;
classtype:attempted-recon; sid:332; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER .
query"; flow:to_server,established; content:"."; metadata:ruleset
community; reference:cve,1999-0198; reference:nessus,10072;
classtype:attempted-recon; sid:333; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP
.forward"; flow:to_server,established; content:".forward";
metadata:ruleset community, service ftp; classtype:suspicious-filename-detect; sid:334; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP
.rhosts"; flow:to_server,established; content:".rhosts"; metadata:ruleset
community, service ftp; classtype:suspicious-filename-detect; sid:335;
rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP CWD
~root attempt"; flow:to_server,established; content:"CWD"; nocase;
content:"~root"; distance:1; nocase; pcre:"/^CWD\s+~root/smi";
metadata:ruleset community, service ftp; reference:cve,1999-0082;
classtype:bad-unknown; sid:336; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP CEL
overflow attempt"; flow:to_server,established; content:"CEL"; nocase;
isdataat:100,relative; pcre:"/^CEL(?!\n)\s[^\n]{100}/smi";
metadata:ruleset community, service ftp; reference:bugtraq,679;
reference:cve,1999-0789; reference:nessus,10009; classtype:attempted-admin; sid:337; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP adm
scan"; flow:to_server,established; content:"PASS ddd@|0A|";

fast_pattern:only; metadata:ruleset community, service ftp;


classtype:suspicious-login; sid:353; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP iss
scan"; flow:to_server,established; content:"pass -iss@iss";
fast_pattern:only; metadata:ruleset community, service ftp;
classtype:suspicious-login; sid:354; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP pass
wh00t"; flow:to_server,established; content:"pass wh00t";
fast_pattern:only; metadata:ruleset community, service ftp;
classtype:suspicious-login; sid:355; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP passwd
retrieval attempt"; flow:to_server,established; content:"RETR"; nocase;
content:"passwd"; metadata:ruleset community, service ftp;
classtype:suspicious-filename-detect; sid:356; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP piss
scan"; flow:to_server,established; content:"pass -cklaus";
fast_pattern:only; metadata:ruleset community, service ftp;
reference:url,www.mines.edu/fs_home/dlarue/cc/baby-doe.html;
classtype:suspicious-login; sid:357; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP saint
scan"; flow:to_server,established; content:"pass -saint";
fast_pattern:only; metadata:ruleset community, service ftp;
classtype:suspicious-login; sid:358; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP satan
scan"; flow:to_server,established; content:"pass -satan";
fast_pattern:only; metadata:ruleset community, service ftp;
classtype:suspicious-login; sid:359; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP serv-u
directory traversal"; flow:to_server,established; content:".%20.";
fast_pattern:only; metadata:ruleset community, service ftp;
reference:bugtraq,2052; reference:cve,2001-0054; reference:nessus,10565;
classtype:bad-unknown; sid:360; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE
EXEC attempt"; flow:to_server,established; content:"SITE"; nocase;
content:"EXEC"; distance:0; nocase; pcre:"/^SITE\s+EXEC/smi";
metadata:ruleset community, service ftp; reference:bugtraq,2241;
reference:cve,1999-0080; reference:cve,1999-0955; classtype:bad-unknown;
sid:361; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP tar
parameters"; flow:to_server,established; content:" --use-compress-program
"; fast_pattern:only; metadata:ruleset community, service ftp;
reference:bugtraq,2240; reference:cve,1999-0202; reference:cve,1999-0997;
classtype:bad-unknown; sid:362; rev:20;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IRDP
router advertisement"; itype:9; metadata:ruleset community;
reference:bugtraq,578; reference:cve,1999-0875; classtype:misc-activity;
sid:363; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IRDP
router selection"; itype:10; metadata:ruleset community;
reference:bugtraq,578; reference:cve,1999-0875; classtype:misc-activity;
sid:364; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING
undefined code"; icode:>0; itype:8; metadata:ruleset community;
classtype:misc-activity; sid:365; rev:11;)

# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING


*NIX"; itype:8; content:"|10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E
1F|"; depth:32; metadata:ruleset community; classtype:misc-activity;
sid:366; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING
BSDtype"; itype:8; content:"|08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16
17|"; depth:32; metadata:ruleset community; classtype:misc-activity;
sid:368; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING
BayRS Router"; itype:8; content:"|01 02 03 04 05 06 07 08 09 0A 0B 0C 0D
0E 0F|"; depth:32; metadata:ruleset community; classtype:misc-activity;
sid:369; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING
BeOS4.x"; itype:8; content:"|00 00 00 00 00 00 00 00 00 00 00 00 08 09 0A
0B|"; depth:32; metadata:ruleset community; classtype:misc-activity;
sid:370; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING
Cisco Type.x"; itype:8; content:"|AB CD AB CD AB CD AB CD AB CD AB CD AB
CD AB CD|"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:371; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING
Delphi-Piette Windows"; itype:8; content:"Pinging from Del"; depth:32;
metadata:ruleset community; classtype:misc-activity; sid:372; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING
Flowpoint2200 or Network Management Software"; itype:8; content:"|01 02
03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10|"; depth:32; metadata:ruleset
community; classtype:misc-activity; sid:373; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING
IP NetMonitor Macintosh"; itype:8; content:"|A9| Sustainable So";
depth:32; metadata:ruleset community; classtype:misc-activity; sid:374;
rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING
LINUX/*BSD"; dsize:8; id:13170; itype:8; metadata:ruleset community;
classtype:misc-activity; sid:375; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING
Microsoft Windows"; itype:8; content:"0123456789abcdefghijklmnop";
depth:32; metadata:ruleset community; classtype:misc-activity; sid:376;
rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING
Network Toolbox 3 Windows"; itype:8; content:"================";
depth:32; metadata:ruleset community; classtype:misc-activity; sid:377;
rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING
Ping-O-MeterWindows"; itype:8; content:"OMeterObeseArmad"; depth:32;
metadata:ruleset community; classtype:misc-activity; sid:378; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING
Pinger Windows"; itype:8; content:"Data|00 00 00 00 00 00 00 00 00 00 00
00|"; depth:32; metadata:ruleset community; classtype:misc-activity;
sid:379; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING
Seer Windows"; itype:8; content:"|88 04|
"; depth:32;
metadata:ruleset community; classtype:misc-activity; sid:380; rev:11;)

# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING


Oracle Solaris"; dsize:8; itype:8; metadata:ruleset community;
classtype:misc-activity; sid:381; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING
Windows"; itype:8; content:"abcdefghijklmnop"; depth:16; metadata:ruleset
community; classtype:misc-activity; sid:382; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
PING"; icode:0; itype:8; metadata:ruleset community; classtype:misc-activity; sid:384; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
traceroute"; itype:8; ttl:1; metadata:ruleset community;
classtype:attempted-recon; sid:385; rev:8;)
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP
Address Mask Reply"; icode:0; itype:18; metadata:ruleset community;
classtype:misc-activity; sid:386; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Address Mask Reply undefined code"; icode:>0; itype:18; metadata:ruleset
community; classtype:misc-activity; sid:387; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Address Mask Request"; icode:0; itype:17; metadata:ruleset community;
classtype:misc-activity; sid:388; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Address Mask Request undefined code"; icode:>0; itype:17;
metadata:ruleset community; classtype:misc-activity; sid:389; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Alternate Host Address"; icode:0; itype:6; metadata:ruleset community;
classtype:misc-activity; sid:390; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Alternate Host Address undefined code"; icode:>0; itype:6;
metadata:ruleset community; classtype:misc-activity; sid:391; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Datagram Conversion Error"; icode:0; itype:31; metadata:ruleset
community; classtype:misc-activity; sid:392; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Datagram Conversion Error undefined code"; icode:>0; itype:31;
metadata:ruleset community; classtype:misc-activity; sid:393; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Destination Unreachable Destination Host Unknown"; icode:7; itype:3;
metadata:ruleset community; classtype:misc-activity; sid:394; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Destination Unreachable Destination Network Unknown"; icode:6; itype:3;
metadata:ruleset community; classtype:misc-activity; sid:395; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Destination Unreachable Fragmentation Needed and DF bit was set";
icode:4; itype:3; metadata:ruleset community; reference:cve,2004-0790;
reference:cve,2005-0068; classtype:misc-activity; sid:396; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Destination Unreachable Host Precedence Violation"; icode:14; itype:3;
metadata:ruleset community; classtype:misc-activity; sid:397; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Destination Unreachable Host Unreachable for Type of Service"; icode:12;
itype:3; metadata:ruleset community; classtype:misc-activity; sid:398;
rev:9;)

# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP


Destination Unreachable Host Unreachable"; icode:1; itype:3;
metadata:ruleset community; classtype:misc-activity; sid:399; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Destination Unreachable Network Unreachable for Type of Service";
icode:11; itype:3; metadata:ruleset community; classtype:misc-activity;
sid:400; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Destination Unreachable Network Unreachable"; icode:0; itype:3;
metadata:ruleset community; classtype:misc-activity; sid:401; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Destination Unreachable Port Unreachable"; icode:3; itype:3;
metadata:ruleset community; reference:cve,2004-0790; reference:cve,2005-0068; classtype:misc-activity; sid:402; rev:14;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Destination Unreachable Precedence Cutoff in effect"; icode:15; itype:3;
metadata:ruleset community; classtype:misc-activity; sid:403; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Destination Unreachable Protocol Unreachable"; icode:2; itype:3;
metadata:ruleset community; reference:cve,2004-0790; reference:cve,2005-0068; classtype:misc-activity; sid:404; rev:13;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Destination Unreachable Source Host Isolated"; icode:8; itype:3;
metadata:ruleset community; classtype:misc-activity; sid:405; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Destination Unreachable Source Route Failed"; icode:5; itype:3;
metadata:ruleset community; classtype:misc-activity; sid:406; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Destination Unreachable cndefined code"; icode:>15; itype:3;
metadata:ruleset community; classtype:misc-activity; sid:407; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Echo
Reply"; icode:0; itype:0; metadata:ruleset community; classtype:misc-activity; sid:408; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Echo
Reply undefined code"; icode:>0; itype:0; metadata:ruleset community;
classtype:misc-activity; sid:409; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Fragment Reassembly Time Exceeded"; icode:1; itype:11; metadata:ruleset
community; classtype:misc-activity; sid:410; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IPV6
I-Am-Here"; icode:0; itype:34; metadata:ruleset community;
classtype:misc-activity; sid:411; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IPV6
I-Am-Here undefined code"; icode:>0; itype:34; metadata:ruleset
community; classtype:misc-activity; sid:412; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IPV6
Where-Are-You"; icode:0; itype:33; metadata:ruleset community;
classtype:misc-activity; sid:413; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IPV6
Where-Are-You undefined code"; icode:>0; itype:33; metadata:ruleset
community; classtype:misc-activity; sid:414; rev:10;)
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP
Information Reply"; icode:0; itype:16; metadata:ruleset community;
classtype:misc-activity; sid:415; rev:8;)

# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP


Information Reply undefined code"; icode:>0; itype:16; metadata:ruleset
community; classtype:misc-activity; sid:416; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Information Request"; icode:0; itype:15; metadata:ruleset community;
classtype:misc-activity; sid:417; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Information Request undefined code"; icode:>0; itype:15; metadata:ruleset
community; classtype:misc-activity; sid:418; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Mobile Host Redirect"; icode:0; itype:32; metadata:ruleset community;
classtype:misc-activity; sid:419; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Mobile Host Redirect undefined code"; icode:>0; itype:32;
metadata:ruleset community; classtype:misc-activity; sid:420; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Mobile Registration Reply"; icode:0; itype:36; metadata:ruleset
community; classtype:misc-activity; sid:421; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Mobile Registration Reply undefined code"; icode:>0; itype:36;
metadata:ruleset community; classtype:misc-activity; sid:422; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Mobile Registration Request"; icode:0; itype:35; metadata:ruleset
community; classtype:misc-activity; sid:423; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Mobile Registration Request undefined code"; icode:>0; itype:35;
metadata:ruleset community; classtype:misc-activity; sid:424; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Parameter Problem Bad Length"; icode:2; itype:12; metadata:ruleset
community; classtype:misc-activity; sid:425; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Parameter Problem Missing a Required Option"; icode:1; itype:12;
metadata:ruleset community; classtype:misc-activity; sid:426; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Parameter Problem Unspecified Error"; icode:0; itype:12; metadata:ruleset
community; classtype:misc-activity; sid:427; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Parameter Problem undefined Code"; icode:>2; itype:12; metadata:ruleset
community; classtype:misc-activity; sid:428; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Photuris Reserved"; icode:0; itype:40; metadata:ruleset community;
classtype:misc-activity; sid:429; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Photuris Unknown Security Parameters Index"; icode:1; itype:40;
metadata:ruleset community; classtype:misc-activity; sid:430; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Photuris Valid Security Parameters, But Authentication Failed"; icode:2;
itype:40; metadata:ruleset community; classtype:misc-activity; sid:431;
rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Photuris Valid Security Parameters, But Decryption Failed"; icode:3;
itype:40; metadata:ruleset community; classtype:misc-activity; sid:432;
rev:9;)

# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP


Photuris undefined code!"; icode:>3; itype:40; metadata:ruleset
community; classtype:misc-activity; sid:433; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Redirect for TOS and Host"; icode:3; itype:5; metadata:ruleset community;
reference:cve,1999-0265; classtype:misc-activity; sid:436; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Redirect for TOS and Network"; icode:2; itype:5; metadata:ruleset
community; reference:cve,1999-0265; classtype:misc-activity; sid:437;
rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Redirect undefined code"; icode:>3; itype:5; metadata:ruleset community;
reference:cve,1999-0265; classtype:misc-activity; sid:438; rev:13;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Reserved for Security Type 19"; icode:0; itype:19; metadata:ruleset
community; classtype:misc-activity; sid:439; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Reserved for Security Type 19 undefined code"; icode:>0; itype:19;
metadata:ruleset community; classtype:misc-activity; sid:440; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Router Advertisement"; icode:0; itype:9; metadata:ruleset community;
classtype:misc-activity; sid:441; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Router Selection"; icode:0; itype:10; metadata:ruleset community;
classtype:misc-activity; sid:443; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
SKIP"; icode:0; itype:39; metadata:ruleset community; classtype:misc-activity; sid:445; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP SKIP
undefined code"; icode:>0; itype:39; metadata:ruleset community;
classtype:misc-activity; sid:446; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Source Quench undefined code"; icode:>0; itype:4; metadata:ruleset
community; classtype:misc-activity; sid:448; rev:10;)
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Time-To-Live Exceeded in Transit"; icode:0; itype:11; metadata:ruleset
community; classtype:misc-activity; sid:449; rev:9;)
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Time-To-Live Exceeded in Transit undefined code"; icode:>1; itype:11;
metadata:ruleset community; classtype:misc-activity; sid:450; rev:11;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Timestamp Reply"; icode:0; itype:14; metadata:ruleset community;
classtype:misc-activity; sid:451; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Timestamp Reply undefined code"; icode:>0; itype:14; metadata:ruleset
community; classtype:misc-activity; sid:452; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Timestamp Request"; icode:0; itype:13; metadata:ruleset community;
classtype:misc-activity; sid:453; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Timestamp Request undefined code"; icode:>0; itype:13; metadata:ruleset
community; classtype:misc-activity; sid:454; rev:10;)

# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP


Traceroute"; icode:0; itype:30; metadata:ruleset community;
classtype:misc-activity; sid:456; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Traceroute undefined code"; icode:>0; itype:30; metadata:ruleset
community; classtype:misc-activity; sid:457; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
unassigned type 1"; icode:0; itype:1; metadata:ruleset community;
classtype:misc-activity; sid:458; rev:12;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
unassigned type 1 undefined code"; itype:1; metadata:ruleset community;
classtype:misc-activity; sid:459; rev:12;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
unassigned type 2"; icode:0; itype:2; metadata:ruleset community;
classtype:misc-activity; sid:460; rev:12;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
unassigned type 2 undefined code"; itype:2; metadata:ruleset community;
classtype:misc-activity; sid:461; rev:12;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
unassigned type 7"; icode:0; itype:7; metadata:ruleset community;
classtype:misc-activity; sid:462; rev:12;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
unassigned type 7 undefined code"; itype:7; metadata:ruleset community;
reference:cve,1999-0454; classtype:misc-activity; sid:463; rev:14;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP ISS
Pinger"; itype:8; content:"ISSPNGRQ"; depth:32; metadata:ruleset
community; classtype:attempted-recon; sid:465; rev:8;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
L3retriever Ping"; icode:0; itype:8;
content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; metadata:ruleset
community; classtype:attempted-recon; sid:466; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
Nemesis v1.1 Echo"; dsize:20; icmp_id:0; icmp_seq:0; itype:8; content:"|
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|";
fast_pattern:only; metadata:ruleset community; classtype:attempted-recon;
sid:467; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
superscan echo"; dsize:8; itype:8; content:"|00 00 00 00 00 00 00 00|";
fast_pattern:only; metadata:ruleset community; classtype:attempted-recon;
sid:474; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
webtrends scanner"; icode:0; itype:8; content:"|00 00 00 00|EEEEEEEEEEEE"; fast_pattern:only; metadata:ruleset community;
classtype:attempted-recon; sid:476; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING
speedera"; itype:8; content:"89|3A 3B|<=>?"; depth:100; metadata:ruleset
community; classtype:misc-activity; sid:480; rev:9;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
TJPingPro1.1Build 2 Windows"; itype:8; content:"TJPingPro by Jim";
depth:32; metadata:ruleset community; classtype:misc-activity; sid:481;
rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING
WhatsupGold Windows"; itype:8; content:"WhatsUp - A Netw"; depth:32;
metadata:ruleset community; classtype:misc-activity; sid:482; rev:10;)

# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING


CyberKit 2.2 Windows"; itype:8; content:"|AA AA AA AA AA AA AA AA AA AA
AA AA AA AA AA AA|"; depth:32; metadata:ruleset community;
classtype:misc-activity; sid:483; rev:10;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING
Sniffer Pro/NetXRay network scan"; itype:8; content:"Cinco Network,
Inc."; depth:32; metadata:ruleset community; classtype:misc-activity;
sid:484; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP no
password"; flow:to_server,established; content:"PASS"; fast_pattern:only;
pcre:"/^PASS\s*\n/smi"; metadata:ruleset community, service ftp;
classtype:unknown; sid:489; rev:18;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL
battle-mail traffic"; flow:to_server,established; content:"BattleMail";
metadata:ruleset community, service smtp; classtype:policy-violation;
sid:490; rev:12;)
# alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"PROTOCOL-FTP Bad
login"; flow:to_client,established; content:"530 "; fast_pattern:only;
pcre:"/^530\s+(Login|User)/smi"; metadata:ruleset community, service ftp;
classtype:bad-unknown; sid:491; rev:15;)
# alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET
login failed"; flow:to_client,established; content:"Login failed";
nocase; metadata:ruleset community, service telnet; classtype:bad-unknown; sid:492; rev:15;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"APP-DETECT psyBNC
access"; flow:to_client,established; content:"Welcome!psyBNC@lam3rz.de";
fast_pattern:only; metadata:ruleset community; classtype:bad-unknown;
sid:493; rev:11;)
# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any
(msg:"INDICATOR-COMPROMISE command completed"; flow:established;
content:"Command completed"; fast_pattern:only; pcre:"/^Command\s+?
completed\b/sm"; metadata:ruleset community, service http;
reference:bugtraq,1806; reference:cve,2000-0884;
reference:url,osvdb.org/show/osvdb/436;
reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-078;
classtype:bad-unknown; sid:494; rev:19;)
# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any
(msg:"INDICATOR-COMPROMISE command error"; flow:established; content:"Bad
command or filename"; nocase; metadata:ruleset community, service http;
classtype:bad-unknown; sid:495; rev:14;)
# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any
(msg:"INDICATOR-COMPROMISE file copied ok"; flow:to_client,established;
file_data; content:"1 file|28|s|29| copied"; fast_pattern:only;
metadata:ruleset community, service http; reference:bugtraq,1806;
reference:cve,2000-0884; classtype:bad-unknown; sid:497; rev:20;)
# alert ip any any -> any any (msg:"INDICATOR-COMPROMISE id check
returned root"; content:"uid=0|28|root|29|"; metadata:ruleset community;
classtype:bad-unknown; sid:498; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1417 (msg:"SERVER-OTHER
Insecure TIMBUKTU Password"; flow:to_server,established; content:"|05 00|
>"; depth:16; metadata:ruleset community; classtype:bad-unknown; sid:505;
rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5631 (msg:"PUA-OTHER
PCAnywhere Attempted Administrator Login"; flow:to_server,established;

content:"ADMINISTRATOR"; metadata:ruleset community; classtype:attempted-admin; sid:507; rev:7;)


# alert tcp $EXTERNAL_NET any -> $HOME_NET 70 (msg:"SERVER-OTHER gopher
proxy"; flow:to_server,established; content:"ftp|3A|"; fast_pattern:only;
content:"@/"; metadata:ruleset community; classtype:bad-unknown; sid:508;
rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PCCS mysql database admin tool access";
flow:to_server,established; content:"pccsmysqladm/incs/dbconnect.inc";
depth:36; nocase; metadata:ruleset community, service http;
reference:bugtraq,1557; reference:cve,2000-0707; reference:nessus,10783;
classtype:web-application-attack; sid:509; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9000:9002 (msg:"POLICY-OTHER
HP JetDirect LCD modification attempt"; flow:to_server,established;
content:"@PJL RDYMSG DISPLAY ="; metadata:ruleset community;
reference:bugtraq,2245; classtype:misc-activity; sid:510; rev:12;)
# alert tcp $HOME_NET 5631:5632 -> $EXTERNAL_NET any (msg:"PUA-OTHER
PCAnywhere Failed Login"; flow:to_client,established; content:"Invalid
login"; depth:16; metadata:ruleset community; classtype:unsuccessful-user; sid:512; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 27374 (msg:"SERVER-OTHER ramen
worm"; flow:to_server,established; content:"GET "; depth:8; nocase;
metadata:ruleset community; classtype:bad-unknown; sid:514; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP NT
UserList"; flow:to_server; content:"+|06 10|@|14 D1 02 19|";
fast_pattern:only; metadata:ruleset community, service snmp;
reference:nessus,10546; classtype:attempted-recon; sid:516; rev:12;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"X11 xdmcp query";
flow:to_server; content:"|00 01 00 03 00 01 00|"; fast_pattern:only;
metadata:ruleset community; classtype:attempted-recon; sid:517; rev:7;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP Put";
flow:to_server; content:"|00 02|"; depth:2; metadata:ruleset community;
reference:cve,1999-0183;
reference:url,dev.metasploit.com/redmine/projects/framework/repository/revisions/b73f28f29511d154aed9e94dd262195db60c7e3b/entry/unstable-modules/auxiliary/d20tftpbd.rb; classtype:bad-unknown; sid:518; rev:14;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP parent
directory"; flow:to_server; content:".."; offset:2; metadata:ruleset
community; reference:cve,1999-0183; reference:cve,2002-1209;
classtype:bad-unknown; sid:519; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP root
directory"; flow:to_server; content:"|00 01|/"; depth:3; metadata:ruleset
community; reference:cve,1999-0183; classtype:bad-unknown; sid:520;
rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:]
(msg:"NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrShareEnum null policy handle
attempt"; flow:established,to_server; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:15; dce_stub_data; pcre:"/^.{4}
(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,relative,align,dce;
content:"|00 00 00 00|"; within:4; distance:8; metadata:ruleset
community; classtype:protocol-command-decode; sid:529; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS NT NULL
session"; flow:to_server,established; content:"|00 00 00 00|W|00|i|00|n|
00|d|00|o|00|w|00|s|00| |00|N|00|T|00| |00|1|00|3|00|8|00|1";
metadata:ruleset community; reference:bugtraq,1163; reference:cve,2000-0347; classtype:attempted-recon; sid:530; rev:14;)


# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CD..";
flow:to_server,established; content:"|5C|../|00 00 00|"; metadata:ruleset
community; classtype:attempted-recon; sid:534; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CD...";
flow:to_server,established; content:"|5C|...|00 00 00|"; metadata:ruleset
community; classtype:attempted-recon; sid:535; rev:9;)
# alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"POLICY-SOCIAL
Microsoft MSN message"; flow:established; content:"MSG "; depth:4;
content:"Content-Type|3A|"; nocase; content:"text/plain"; distance:1;
metadata:ruleset community; classtype:policy-violation; sid:540; rev:17;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY-SOCIAL ICQ
access"; flow:to_server,established; content:"User-Agent|3A|ICQ";
fast_pattern:only; metadata:ruleset community; classtype:policy-violation; sid:541; rev:15;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"POLICY-SOCIAL
IRC nick change"; flow:to_server,established; dsize:<140; content:"NICK
"; fast_pattern:only; metadata:ruleset community; classtype:policy-violation; sid:542; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE
FTP 'STOR 1MB' possible warez site"; flow:to_server,established;
content:"STOR"; nocase; content:"1MB"; distance:1; nocase;
metadata:ruleset community, service ftp; classtype:misc-activity;
sid:543; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE
FTP 'RETR 1MB' possible warez site"; flow:to_server,established;
content:"RETR"; nocase; content:"1MB"; distance:1; nocase;
metadata:ruleset community, service ftp; classtype:misc-activity;
sid:544; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE
FTP 'CWD / ' possible warez site"; flow:to_server,established;
content:"CWD"; nocase; content:"/ "; distance:1; metadata:ruleset
community, service ftp; classtype:misc-activity; sid:545; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE
FTP 'CWD ' possible warez site"; flow:to_server,established;
content:"CWD "; depth:5; nocase; metadata:ruleset community, service
ftp; classtype:misc-activity; sid:546; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE
FTP 'MKD ' possible warez site"; flow:to_server,established;
content:"MKD "; depth:5; nocase; metadata:ruleset community, service
ftp; classtype:misc-activity; sid:547; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE
FTP 'MKD .' possible warez site"; flow:to_server,established;
content:"MKD ."; depth:5; nocase; metadata:ruleset community, service
ftp; classtype:misc-activity; sid:548; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY-OTHER FTP
anonymous login attempt"; flow:to_server,established; content:"USER";
fast_pattern:only; pcre:"/^USER\s+(anonymous|ftp)[^\w]*[\r\n]/smi";
metadata:ruleset community, service ftp; classtype:misc-activity;
sid:553; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE
FTP 'MKD / ' possible warez site"; flow:to_server,established;
content:"MKD"; nocase; content:"/ "; distance:1; metadata:ruleset
community, service ftp; classtype:misc-activity; sid:554; rev:10;)
# alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"POLICY-OTHER WinGate
telnet server response"; flow:to_client,established; content:"WinGate>";
metadata:ruleset community; reference:cve,1999-0657; classtype:misc-activity; sid:555; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P Outbound
GNUTella client request"; flow:to_server,established; content:"GNUTELLA
CONNECT"; depth:40; metadata:ruleset community; classtype:policy-violation; sid:556; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P GNUTella
client request"; flow:to_server,established; content:"GNUTELLA OK";
depth:40; metadata:ruleset community; classtype:policy-violation;
sid:557; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"APP-DETECT VNC
server response"; flow:established; content:"RFB 0"; depth:5;
content:".0"; depth:2; offset:7; metadata:ruleset community;
classtype:misc-activity; sid:560; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 5632 (msg:"APP-DETECT
PCAnywhere server response"; content:"ST"; depth:2; metadata:ruleset
community; classtype:misc-activity; sid:566; rev:10;)
# alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SERVER-MAIL SMTP
relaying denied"; flow:established,to_client; content:"550 5.7.1";
depth:70; metadata:ruleset community, service smtp; reference:url,mail-abuse.org/tsi/ar-fix.html; classtype:misc-activity; sid:567; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9100 (msg:"POLICY-OTHER HP
JetDirect LCD modification attempt"; flow:to_server,established;
content:"@PJL RDYMSG DISPLAY ="; metadata:ruleset community;
reference:bugtraq,2245; classtype:misc-activity; sid:568; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC
snmpXdmi overflow attempt TCP"; flow:to_server,established; content:"|00
01 87 99|"; depth:4; offset:16; content:"|00 00 01 01|"; within:4;
distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align;
byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4;
offset:8; metadata:ruleset community, service sunrpc;
reference:bugtraq,2417; reference:cve,2001-0236; reference:nessus,10659;
reference:url,www.cert.org/advisories/CA-2001-05.html;
classtype:attempted-admin; sid:569; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"PROTOCOL-RPC
DOS ttdbserv Solaris"; flow:to_server,established; content:"|00 00 00
00|"; depth:4; offset:8; content:"|00 01 86 F3 00 00 00 01 00 00 00 0F 00
00 00 01|"; depth:32; offset:16; metadata:ruleset community;
reference:bugtraq,122; reference:cve,1999-0003; classtype:attempted-dos;
sid:572; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd
TCP export request"; flow:to_server,established; content:"|00 01 86 A5|";
depth:4; offset:16; content:"|00 00 00 05|"; within:4; distance:4;
content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community;
classtype:attempted-recon; sid:574; rev:14;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
admind request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4;
offset:12; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
01 86 F7|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4;
metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode;
sid:575; rev:16;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
amountd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4;
offset:12; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
01 87 03|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4;
metadata:ruleset community, service sunrpc; reference:bugtraq,205;
reference:bugtraq,235; reference:bugtraq,450; reference:bugtraq,614;
reference:cve,1999-0088; reference:cve,1999-0210; reference:cve,1999-0493; reference:cve,1999-0704; classtype:rpc-portmap-decode; sid:576;
rev:16;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
bootparam request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4;
offset:12; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
01 86 BA|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4;
metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode;
sid:577; rev:22;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
cmsd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4;
offset:12; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
01 86 E4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4;
metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode;
sid:578; rev:16;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
mountd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4;
offset:12; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
01 86 A5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4;
metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode;
sid:579; rev:16;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
nisd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4;
offset:12; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
01 87 CC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4;
metadata:ruleset community, service sunrpc; reference:cve,1999-0008;
classtype:rpc-portmap-decode; sid:580; rev:20;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
pcnfsd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4;
offset:12; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
02|I|F1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4;
metadata:ruleset community, service sunrpc; reference:bugtraq,205;
reference:bugtraq,4816; reference:cve,1999-0078; reference:cve,1999-0353;
reference:cve,2002-0910; classtype:rpc-portmap-decode; sid:581; rev:17;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
rexd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4;
offset:12; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
01 86 B1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4;
metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode;
sid:582; rev:16;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
rstatd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4;
offset:12; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
01 86 A1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4;
metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode;
sid:583; rev:17;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
rusers request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4;
offset:12; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
01 86 A2|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4;
metadata:ruleset community, service sunrpc; reference:cve,1999-0626;
classtype:rpc-portmap-decode; sid:584; rev:19;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
sadmind request UDP attempt"; flow:to_server; content:"|00 01 86 A0|";
depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4;
metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode;
sid:585; rev:16;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
selection_svc request UDP"; flow:to_server; content:"|00 01 86 A0|";
depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
01 86 AF|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4;
metadata:ruleset community, service sunrpc; reference:bugtraq,8;
reference:cve,1999-0209; classtype:rpc-portmap-decode; sid:586; rev:17;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
status request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4;
offset:12; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
01 86 B8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4;
metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode;
sid:587; rev:16;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
ttdbserv request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12;
content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4;
metadata:ruleset community, service sunrpc; reference:bugtraq,122;
reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687;
reference:cve,1999-1075; reference:cve,2001-0717;
reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:588; rev:26;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
yppasswd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12;
content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
01 86 A9|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4;
metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode;
sid:589; rev:15;)

# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
ypserv request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4;
offset:12; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
01 86 A4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4;
metadata:ruleset community, service sunrpc; reference:bugtraq,5914;
reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043;
reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:590; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
ypupdated request TCP"; flow:to_server,established; content:"|00 01 86
A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
01 86 BC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8;
metadata:ruleset community, service sunrpc; reference:bugtraq,1749;
reference:cve,1999-0208; classtype:rpc-portmap-decode; sid:591; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
snmpXdmi request TCP"; flow:to_server,established; content:"|00 01 86
A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8;
metadata:ruleset community, service sunrpc; reference:bugtraq,2417;
reference:cve,2001-0236; reference:nessus,10659;
reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:593; rev:30;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
espd request TCP"; flow:to_server,established; content:"|00 01 86 A0|";
depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
05 F7|u"; within:4; content:"|00 00 00 00|"; depth:4; offset:8;
metadata:ruleset community, service sunrpc; reference:bugtraq,2714;
reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:595; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
listing TCP 111"; flow:to_server,established; content:"|00 01 86 A0|";
depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4;
content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community,
service sunrpc; classtype:rpc-portmap-decode; sid:598; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"PROTOCOL-RPC
portmap listing TCP 32771"; flow:to_server,established; content:"|00 01
86 A0|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4;
distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset
community; classtype:rpc-portmap-decode; sid:599; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES
rlogin LinuxNIS"; flow:to_server,established; content:"|3A 3A 3A 3A 3A 3A
3A 3A 00 3A 3A 3A 3A 3A 3A 3A 3A|"; fast_pattern:only; metadata:ruleset
community; classtype:bad-unknown; sid:601; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES
rlogin bin"; flow:to_server,established; content:"bin|00|bin|00|";
fast_pattern:only; metadata:ruleset community; classtype:attempted-user;
sid:602; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES
rlogin echo++"; flow:to_server,established; content:"echo |22| + + |22|";
fast_pattern:only; metadata:ruleset community; classtype:bad-unknown;
sid:603; rev:10;)

# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES
Unix rlogin froot parameter root access attempt";
flow:to_server,established; content:"-froot|00|"; fast_pattern:only;
metadata:ruleset community; reference:bugtraq,458; reference:cve,1999-0113; reference:url,osvdb.org/show/osvdb/1007; classtype:attempted-admin;
sid:604; rev:12;)
# alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"PROTOCOL-SERVICES
rlogin login failure"; flow:to_client,established; content:"login
incorrect"; fast_pattern:only; metadata:ruleset community;
classtype:unsuccessful-user; sid:605; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES
rlogin root"; flow:to_server,established; content:"root|00|root|00|";
fast_pattern:only; metadata:ruleset community; classtype:attempted-admin;
sid:606; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"PROTOCOL-SERVICES
rsh bin"; flow:to_server,established; content:"bin|00|bin|00|";
fast_pattern:only; metadata:ruleset community; classtype:attempted-user;
sid:607; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"PROTOCOL-SERVICES
rsh echo + +"; flow:to_server,established; content:"echo |22|+ +|22|";
fast_pattern:only; metadata:ruleset community; classtype:attempted-user;
sid:608; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"PROTOCOL-SERVICES
rsh froot"; flow:to_server,established; content:"-froot|00|";
fast_pattern:only; metadata:ruleset community; classtype:attempted-admin;
sid:609; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"PROTOCOL-SERVICES
rsh root"; flow:to_server,established; content:"|00|root|00|";
fast_pattern:only; pcre:"/^(\d{1,5})?\x00?[^\x00]+?\x00root\x00/i";
metadata:ruleset community; classtype:attempted-admin; sid:610; rev:14;)
# alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"PROTOCOL-SERVICES
rlogin login failure"; flow:to_client,established; content:"|01|rlogind|
3A| Permission denied."; fast_pattern:only; metadata:ruleset community;
classtype:unsuccessful-user; sid:611; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC rusers
query UDP"; content:"|00 01 86 A2|"; depth:4; offset:12; content:"|00 00
00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4;
offset:4; metadata:ruleset community; reference:cve,1999-0626;
classtype:attempted-recon; sid:612; rev:11;)
# alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:"INDICATOR-SCAN
myscan"; flow:stateless; ack:0; flags:S; ttl:>220; metadata:ruleset
community; classtype:attempted-recon; sid:613; rev:10;)
# alert tcp $EXTERNAL_NET 31790 -> $HOME_NET 31789 (msg:"MALWARE-BACKDOOR
hack-a-tack attempt"; flow:stateless; flags:A+; content:"A"; depth:1;
metadata:ruleset community; classtype:attempted-recon; sid:614; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"INDICATOR-SCAN ident
version request"; flow:to_server,established; content:"VERSION|0A|";
depth:16; metadata:ruleset community; classtype:attempted-recon; sid:616;
rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"INDICATOR-SCAN
cybercop os probe"; flow:stateless; dsize:0; flags:SF12; metadata:ruleset
community; classtype:attempted-recon; sid:619; rev:10;)

# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SCAN ipEye
SYN scan"; flow:stateless; flags:S; seq:1958810375; metadata:ruleset
community; classtype:attempted-recon; sid:622; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SCAN
cybercop os PA12 attempt"; flow:stateless; flags:PA12;
content:"AAAAAAAAAAAAAAAA"; depth:16; metadata:ruleset community;
classtype:attempted-recon; sid:626; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SCAN
cybercop os SFU12 probe"; flow:stateless; ack:0; flags:SFU12;
content:"AAAAAAAAAAAAAAAA"; depth:16; metadata:ruleset community;
classtype:attempted-recon; sid:627; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SCAN
synscan portscan"; flow:stateless; flags:SF; id:39426; metadata:ruleset
community; classtype:attempted-recon; sid:630; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL ehlo
cybercop attempt"; flow:to_server,established; content:"ehlo cybercop|0A|
quit|0A|"; fast_pattern:only; metadata:ruleset community, service smtp;
classtype:protocol-command-decode; sid:631; rev:16;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL expn
cybercop attempt"; flow:to_server,established; content:"expn cybercop";
fast_pattern:only; metadata:ruleset community, service smtp;
classtype:protocol-command-decode; sid:632; rev:15;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 10080:10081 (msg:"INDICATOR-SCAN Amanda client-version request"; flow:to_server; content:"Amanda";
fast_pattern:only; metadata:ruleset community; classtype:attempted-recon;
sid:634; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 49 (msg:"INDICATOR-SCAN
XTACACS logout"; flow:to_server; content:"|80 07 00 00 07 00 00 04 00 00
00 00 00|"; fast_pattern:only; metadata:ruleset community; classtype:bad-unknown; sid:635; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 7 (msg:"INDICATOR-SCAN
cybercop udp bomb"; flow:to_server; content:"cybercop";
fast_pattern:only; metadata:ruleset community; classtype:bad-unknown;
sid:636; rev:7;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SCAN
Webtrends Scanner UDP Probe"; flow:to_server; content:"|0A|help|0A|quite|
0A|"; fast_pattern:only; metadata:ruleset community;
reference:url,www.netiq.com/products/vsm/default.asp;
classtype:attempted-recon; sid:637; rev:11;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE
SGI NOOP"; content:"|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%";
fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:638; rev:11;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE
SGI NOOP"; content:"|24 0F 12|4|24 0F 12|4|24 0F 12|4|24 0F 12|4";
fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:639; rev:11;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE
AIX NOOP"; content:"O|FF FB 82|O|FF FB 82|O|FF FB 82|O|FF FB 82|";
fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:640; rev:11;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE
Digital UNIX NOOP"; content:"G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|G|FF 04
1F|"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:641; rev:12;)


# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE
HP-UX NOOP"; content:"|08|!|02 80 08|!|02 80 08|!|02 80 08|!|02 80|";
fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:642; rev:12;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE
HP-UX NOOP"; content:"|0B|9|02 80 0B|9|02 80 0B|9|02 80 0B|9|02 80|";
fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:643; rev:13;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE
sparc NOOP"; content:"|13 C0 1C A6 13 C0 1C A6 13 C0 1C A6 13 C0 1C A6|";
fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:644; rev:11;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE
sparc NOOP"; content:"|80 1C|@|11 80 1C|@|11 80 1C|@|11 80 1C|@|11|";
fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:645; rev:11;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE
sparc NOOP"; content:"|A6 1C C0 13 A6 1C C0 13 A6 1C C0 13 A6 1C C0 13|";
fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:646; rev:11;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE
Oracle sparc setuid 0"; content:"|82 10| |17 91 D0| |08|";
fast_pattern:only; metadata:ruleset community; classtype:system-call-detect; sid:647; rev:14;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE
x86 NOOP"; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|";
fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:648; rev:17;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE
x86 setgid 0"; content:"|B0 B5 CD 80|"; fast_pattern:only;
metadata:ruleset community; classtype:system-call-detect; sid:649;
rev:14;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE
x86 setuid 0"; content:"|B0 17 CD 80|"; fast_pattern:only;
metadata:ruleset community; classtype:system-call-detect; sid:650;
rev:14;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE
Linux shellcode"; content:"|90 90 90 E8 C0 FF FF FF|/bin/sh";
fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:652; rev:15;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL RCPT
TO overflow"; flow:to_server,established; content:"rcpt to|3A|"; nocase;
isdataat:256,relative; pcre:"/^RCPT TO\x3a\s*\x3c?[^\n\x3e]{256}/im";
metadata:ruleset community, service smtp; reference:bugtraq,2283;
reference:bugtraq,43182; reference:bugtraq,9696; reference:cve,2001-0260;
reference:cve,2003-0694; reference:cve,2008-0394; reference:cve,2009-0410; reference:cve,2010-2580; classtype:attempted-admin; sid:654;
rev:27;)
# alert tcp $EXTERNAL_NET 113 -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL
Sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|D/";
metadata:ruleset community, service smtp; reference:bugtraq,2311;
reference:cve,1999-0204; classtype:attempted-admin; sid:655; rev:16;)

# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL
Netmanager chameleon SMTPd buffer overflow attempt";
flow:to_server,established; content:"HELP"; nocase;
isdataat:500,relative; pcre:"/^HELP\s[^\n]{500}/ism"; metadata:ruleset
community, service smtp; reference:bugtraq,2387; reference:cve,1999-0261;
classtype:attempted-admin; sid:657; rev:20;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL
Microsoft Windows Exchange Server 5.5 mime DOS";
flow:to_server,established; content:"charset = |22 22|"; nocase;
metadata:ruleset community, service smtp; reference:bugtraq,1869;
reference:cve,2000-1006; reference:nessus,10558;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-082;
classtype:attempted-dos; sid:658; rev:19;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL
Sendmail expn decode"; flow:to_server,established; content:"expn";
nocase; content:"decode"; fast_pattern:only; pcre:"/^expn\s+decode/smi";
metadata:ruleset community, service smtp; reference:cve,1999-0096;
reference:nessus,10248; classtype:attempted-recon; sid:659; rev:18;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL expn
root"; flow:to_server,established; content:"expn"; nocase;
content:"root"; fast_pattern:only; pcre:"/^expn\s+root/smi";
metadata:ruleset community, service smtp; reference:nessus,10249;
classtype:attempted-recon; sid:660; rev:19;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL
Majordomo ifs"; flow:to_server,established; content:"eply-to|3A|
a~.`/bin/"; fast_pattern:only; metadata:ruleset community, service smtp;
reference:bugtraq,2310; reference:cve,1999-0207; classtype:attempted-admin; sid:661; rev:18;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL
Sendmail 5.5.5 exploit"; flow:to_server,established; content:"mail from|
3A| |22 7C|"; fast_pattern:only; metadata:ruleset community, service
smtp; reference:cve,1999-0203; reference:nessus,10258;
classtype:attempted-admin; sid:662; rev:17;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL
Sendmail rcpt to command attempt"; flow:to_server,established;
content:"rcpt to|3A|"; fast_pattern:only;
pcre:"/^rcpt\s+to\:\s*[\x7c\x3b]/smi"; metadata:ruleset community,
service smtp; reference:bugtraq,1; reference:cve,1999-0095;
classtype:attempted-admin; sid:663; rev:24;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL
Sendmail RCPT TO decode attempt"; flow:to_server,established;
content:"rcpt to|3A|"; nocase; content:"decode"; distance:0; nocase;
pcre:"/^rcpt to\:\s*decode/smi"; metadata:ruleset community, service
smtp; reference:bugtraq,2308; reference:cve,1999-0203;
classtype:attempted-admin; sid:664; rev:23;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL
Sendmail 5.6.5 exploit"; flow:to_server,established; content:"MAIL FROM|
3A| |7C|/usr/ucb/tail"; fast_pattern:only; metadata:ruleset community,
service smtp; reference:bugtraq,2308; reference:cve,1999-0203;
classtype:attempted-user; sid:665; rev:17;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL
Sendmail 8.6.10 exploit"; flow:to_server,established; content:"Croot|0D
0A|Mprog, P=/bin/"; fast_pattern:only; metadata:ruleset community,
service smtp; reference:bugtraq,2311; reference:cve,1999-0204;
classtype:attempted-user; sid:667; rev:17;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL
Sendmail 8.6.10 exploit"; flow:to_server,established; content:"Croot|09
09 09 09 09 09 09|Mprog,P=/bin"; fast_pattern:only; metadata:ruleset
community, service smtp; reference:bugtraq,2311; reference:cve,1999-0204;
classtype:attempted-user; sid:668; rev:17;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL
Sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|Croot|
0A|Mprog"; fast_pattern:only; metadata:ruleset community, service smtp;
reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:669; rev:17;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL
Sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|C|3A|
daemon|0A|R"; fast_pattern:only; metadata:ruleset community, service
smtp; reference:bugtraq,2311; reference:cve,1999-0204;
classtype:attempted-user; sid:670; rev:16;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL
Sendmail 8.6.9c exploit"; flow:to_server,established; content:"|0A|Croot|
0D 0A|Mprog"; fast_pattern:only; metadata:ruleset community, service
smtp; reference:bugtraq,2311; reference:cve,1999-0204;
classtype:attempted-user; sid:671; rev:17;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL vrfy
decode"; flow:to_server,established; content:"vrfy"; nocase;
content:"decode"; distance:1; nocase; pcre:"/^vrfy\s+decode/smi";
metadata:ruleset community, service smtp; reference:cve,1999-0096;
classtype:attempted-recon; sid:672; rev:17;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL sp_start_job
- program execution"; flow:to_server,established; content:"s|00|p|00|_|
00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; fast_pattern:only;
metadata:ruleset community; classtype:attempted-user; sid:673; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SQL sp_start_job
- program execution"; flow:to_server,established; content:"s|00|p|00|_|
00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; depth:32; offset:32;
nocase; metadata:ruleset community; classtype:attempted-user; sid:676;
rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SQL sp_password
password change"; flow:to_server,established; content:"s|00|p|00|_|00|p|
00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|"; fast_pattern:only;
metadata:ruleset community; classtype:attempted-user; sid:677; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SQL
sp_delete_alert log file deletion"; flow:to_server,established;
content:"s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|
00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:678; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SQL sp_adduser
database user creation"; flow:to_server,established; content:"s|00|p|00|
_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|"; depth:32; offset:32; nocase;
metadata:ruleset community; classtype:attempted-user; sid:679; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SQL xp_cmdshell
program execution"; flow:to_server,established; content:"x|00|p|00|_|00|
c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; offset:32; nocase;
metadata:ruleset community; reference:bugtraq,5309; classtype:attempted-user; sid:681; rev:10;)

# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL sp_password
- password change"; flow:to_server,established; content:"s|00|p|00|_|00|
p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|"; fast_pattern:only;
metadata:ruleset community; classtype:attempted-user; sid:683; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL
sp_delete_alert log file deletion"; flow:to_server,established;
content:"s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|
00|r|00|t|00|"; fast_pattern:only; metadata:ruleset community;
classtype:attempted-user; sid:684; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL sp_adduser database user creation"; flow:to_server,established; content:"s|00|p|00|
_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|"; fast_pattern:only;
metadata:ruleset community; classtype:attempted-user; sid:685; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SERVER-MSSQL
xp_reg* - registry access"; flow:to_server,established; content:"x|00|p|
00|_|00|r|00|e|00|g|00|"; fast_pattern:only; metadata:ruleset community;
reference:bugtraq,5205; reference:cve,2002-0642; reference:nessus,10642;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-034;
classtype:attempted-user; sid:686; rev:17;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL xp_cmdshell
- program execution"; flow:to_server,established; content:"x|00|p|00|_|
00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; fast_pattern:only;
metadata:ruleset community; reference:bugtraq,5309; classtype:attempted-user; sid:687; rev:10;)
alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login
failed"; flow:to_client,established; content:"Login failed for user
'sa'"; fast_pattern:only; metadata:policy balanced-ips drop, policy
connectivity-ips drop, policy security-ips drop, ruleset community;
reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673;
classtype:unsuccessful-user; sid:688; rev:16;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SERVER-MSSQL
xp_reg* registry access"; flow:to_server,established; content:"x|00|p|00|
_|00|r|00|e|00|g|00|"; depth:32; offset:32; nocase; metadata:ruleset
community; reference:bugtraq,5205; reference:cve,2002-0642;
reference:nessus,10642; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-034; classtype:attempted-user; sid:689;
rev:16;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"INDICATOR-SHELLCODE shellcode attempt"; flow:to_server,established; content:"9 |D0
00 92 01 C2 00|R|00|U|00|9 |EC 00|"; metadata:ruleset community;
classtype:shellcode-detect; sid:691; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"INDICATOR-SHELLCODE shellcode attempt"; flow:to_server,established; content:"9 |D0
00 92 01 C2 00|R|00|U|00|9 |EC 00|"; metadata:ruleset community;
classtype:shellcode-detect; sid:692; rev:10;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"INDICATOR-SHELLCODE shellcode attempt"; flow:to_server,established; content:"H|00|
%|00|x|00|w|00 90 00 90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|";
metadata:ruleset community; classtype:shellcode-detect; sid:693; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"INDICATOR-SHELLCODE shellcode attempt"; flow:to_server,established; content:"H|00|
%|00|x|00|w|00 90 00 90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|";
metadata:ruleset community; classtype:attempted-user; sid:694; rev:10;)

# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SERVER-MSSQL
xp_sprintf possible buffer overflow"; flow:to_server,established;
content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; offset:32;
nocase; metadata:ruleset community; reference:bugtraq,1204;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-060;
classtype:attempted-user; sid:695; rev:14;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SERVER-MSSQL
xp_sprintf possible buffer overflow"; flow:to_server,established;
content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|";
fast_pattern:only; metadata:ruleset community; reference:bugtraq,1204;
reference:bugtraq,3733; reference:cve,2001-0542;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-060;
classtype:attempted-user; sid:704; rev:16;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET
4Dgifts SGI account attempt"; flow:to_server,established;
content:"4Dgifts"; metadata:ruleset community, service telnet;
reference:cve,1999-0501; reference:nessus,11243; classtype:suspicious-login; sid:709; rev:17;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET
EZsetup account attempt"; flow:to_server,established; content:"OutOfBox";
metadata:ruleset community, service telnet; reference:cve,1999-0501;
reference:nessus,11244; classtype:suspicious-login; sid:710; rev:17;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET
SGI telnetd format bug"; flow:to_server,established; content:"_RLD";
fast_pattern:only; content:"bin/sh"; metadata:ruleset community, service
telnet; reference:bugtraq,1572; reference:cve,2000-0733;
classtype:attempted-admin; sid:711; rev:18;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET
ld_library_path"; flow:to_server,established; content:"ld_library_path";
fast_pattern:only; metadata:ruleset community, service telnet;
reference:bugtraq,459; reference:cve,1999-0073; classtype:attempted-admin; sid:712; rev:16;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET
livingston DOS"; flow:to_server,established; content:"|FF F3 FF F3 FF F3
FF F3 FF F3|"; fast_pattern:only; rawbytes; metadata:ruleset community,
service telnet; reference:bugtraq,2225; reference:cve,1999-0218;
classtype:attempted-dos; sid:713; rev:18;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET
resolv_host_conf"; flow:to_server,established;
content:"resolv_host_conf"; fast_pattern:only; metadata:ruleset
community, service telnet; reference:bugtraq,2181; reference:cve,2001-0170; classtype:attempted-admin; sid:714; rev:15;)
# alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET
Attempted SU from wrong group"; flow:to_client,established; content:"to
su root"; fast_pattern:only; metadata:ruleset community, service telnet;
classtype:attempted-admin; sid:715; rev:14;)
# alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET
not on console"; flow:to_client,established; content:"not on system
console"; fast_pattern:only; metadata:ruleset community, service telnet;
classtype:bad-unknown; sid:717; rev:15;)
# alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET
login incorrect"; flow:to_client,established; content:"Login incorrect";
metadata:ruleset community, service telnet; classtype:bad-unknown;
sid:718; rev:16;)

# alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET
root login"; flow:to_client,established; content:"login|3A| root";
fast_pattern:only; metadata:ruleset community, service telnet;
classtype:suspicious-login; sid:719; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP HyperSeek hsx.cgi directory traversal attempt";
flow:to_server,established; content:"/hsx.cgi"; http_uri;
content:"../../"; http_raw_uri; content:"%00"; distance:1; http_raw_uri;
metadata:ruleset community, service http; reference:bugtraq,2314;
reference:cve,2001-0253; reference:nessus,10602; classtype:web-application-attack; sid:803; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SWSoft ASPSeek Overflow attempt"; flow:to_server,established;
content:"/s.cgi"; fast_pattern; nocase; http_uri; content:"tmpl=";
http_uri; metadata:ruleset community, service http;
reference:bugtraq,2492; reference:cve,2001-0476; classtype:web-application-attack; sid:804; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Progress webspeed access"; flow:to_server,established;
content:"/wsisa.dll/WService="; fast_pattern; nocase; http_uri;
content:"WSMadmin"; nocase; http_uri; metadata:ruleset community, service
http; reference:bugtraq,969; reference:cve,2000-0127;
reference:nessus,10304; classtype:attempted-user; sid:805; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP yabb directory traversal attempt"; flow:to_server,established;
content:"/YaBB"; fast_pattern; nocase; http_uri; content:"../";
http_raw_uri; metadata:ruleset community, service http;
reference:bugtraq,1668; reference:cve,2000-0853; reference:nessus,10512;
classtype:attempted-recon; sid:806; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /wwwboard/passwd.txt access"; flow:to_server,established;
content:"/wwwboard/passwd.txt"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:bugtraq,649;
reference:cve,1999-0953; reference:cve,1999-0954; reference:nessus,10321;
classtype:attempted-recon; sid:807; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webdriver access"; flow:to_server,established;
content:"/webdriver"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,2166; reference:nessus,10592;
classtype:attempted-recon; sid:808; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP whois_raw.cgi arbitrary command execution attempt";
flow:to_server,established; content:"/whois_raw.cgi?"; http_uri;
content:"|0A|"; metadata:ruleset community, service http;
reference:bugtraq,304; reference:cve,1999-1063; reference:nessus,10306;
classtype:web-application-attack; sid:809; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP whois_raw.cgi access"; flow:to_server,established;
content:"/whois_raw.cgi"; http_uri; metadata:ruleset community, service
http; reference:bugtraq,304; reference:cve,1999-1063;
reference:nessus,10306; classtype:attempted-recon; sid:810; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP websitepro path access"; flow:to_server,established; content:"
/HTTP/1."; fast_pattern:only; metadata:ruleset community, service http;
reference:bugtraq,932; reference:cve,2000-0066; reference:nessus,10303;
classtype:attempted-recon; sid:811; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webplus version access"; flow:to_server,established;
content:"/webplus?about"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,1102; reference:cve,2000-0282;
classtype:attempted-recon; sid:812; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webplus directory traversal"; flow:to_server,established;
content:"/webplus?script"; fast_pattern; nocase; http_uri; content:"../";
http_raw_uri; metadata:ruleset community, service http;
reference:bugtraq,1102; reference:cve,2000-0282; reference:nessus,10367;
classtype:web-application-attack; sid:813; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP websendmail access"; flow:to_server,established;
content:"/websendmail"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,2077; reference:cve,1999-0196;
reference:nessus,10301; classtype:attempted-recon; sid:815; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP dcboard.cgi invalid user addition attempt";
flow:to_server,established; content:"/dcboard.cgi"; http_uri;
content:"command=register"; content:"%7cadmin"; metadata:ruleset
community, service http; reference:bugtraq,2728; reference:cve,2001-0527;
reference:nessus,10583; classtype:web-application-attack; sid:817;
rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP dcforum.cgi access"; flow:to_server,established;
content:"/dcforum.cgi"; http_uri; metadata:ruleset community, service
http; reference:bugtraq,2728; reference:cve,2001-0527;
reference:nessus,10583; classtype:attempted-recon; sid:818; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mmstdod.cgi access"; flow:to_server,established;
content:"/mmstdod.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,2063; reference:cve,2001-0021;
reference:nessus,10566; classtype:attempted-recon; sid:819; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP anaconda directory traversal attempt"; flow:to_server,established;
content:"/apexec.pl"; http_uri; content:"template=../";
fast_pattern:only; metadata:ruleset community, service http;
reference:bugtraq,2338; reference:bugtraq,2388; reference:cve,2000-0975;
reference:cve,2001-0308; reference:nessus,10536; classtype:web-application-attack; sid:820; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP imagemap.exe overflow attempt"; flow:to_server,established;
content:"/imagemap.exe?"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,739; reference:cve,1999-0951;
reference:nessus,10122; classtype:web-application-attack; sid:821;
rev:25;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cvsweb.cgi access"; flow:to_server,established;
content:"/cvsweb.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,1469; reference:cve,2000-0670;
reference:nessus,10465; classtype:attempted-recon; sid:823; rev:20;)

# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP php.cgi access"; flow:to_server,established; content:"/php.cgi";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,2250; reference:bugtraq,712; reference:cve,1999-0058;
reference:cve,1999-0238; reference:nessus,10178; classtype:attempted-recon; sid:824; rev:27;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP glimpse access"; flow:to_server,established; content:"/glimpse";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,2026; reference:cve,1999-0147; reference:nessus,10095;
classtype:attempted-recon; sid:825; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP htmlscript access"; flow:to_server,established;
content:"/htmlscript"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,2001; reference:cve,1999-0264;
reference:nessus,10106; classtype:attempted-recon; sid:826; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP info2www access"; flow:to_server,established; content:"/info2www";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,1995; reference:cve,1999-0266; reference:nessus,10127;
classtype:attempted-recon; sid:827; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP maillist.pl access"; flow:to_server,established;
content:"/maillist.pl"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; classtype:attempted-recon; sid:828; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP nph-test-cgi access"; flow:to_server,established; content:"/nph-test-cgi"; fast_pattern:only; http_uri; metadata:ruleset community,
service http; reference:bugtraq,686; reference:cve,1999-0045;
reference:nessus,10165; classtype:attempted-recon; sid:829; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP perl.exe access"; flow:to_server,established; content:"/perl.exe";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:cve,1999-0509; reference:nessus,10173;
reference:url,www.cert.org/advisories/CA-1996-11.html;
classtype:attempted-recon; sid:832; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rguest.exe access"; flow:to_server,established;
content:"/rguest.exe"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,2024; reference:cve,1999-0287;
classtype:attempted-recon; sid:833; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rwwwshell.pl access"; flow:to_server,established;
content:"/rwwwshell.pl"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:url,www.itsecurity.com/papers/p37.htm;
classtype:attempted-recon; sid:834; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP test-cgi access"; flow:to_server,established; content:"/test-cgi";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,2003; reference:cve,1999-0070; reference:nessus,10282;
classtype:attempted-recon; sid:835; rev:25;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP textcounter.pl access"; flow:to_server,established;
content:"/textcounter.pl"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,2265; reference:cve,1999-1479;
reference:nessus,11451; classtype:attempted-recon; sid:836; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP uploader.exe access"; flow:to_server,established;
content:"/uploader.exe"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,1611; reference:cve,1999-0177;
reference:cve,2000-0769; reference:nessus,10291; classtype:attempted-recon; sid:837; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webgais access"; flow:to_server,established; content:"/webgais";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,2058; reference:cve,1999-0176; reference:nessus,10300;
classtype:attempted-recon; sid:838; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP finger access"; flow:to_server,established; content:"/finger";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:cve,1999-0612; reference:nessus,10071; classtype:attempted-recon; sid:839; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP perlshop.cgi access"; flow:to_server,established;
content:"/perlshop.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:cve,1999-1374; classtype:attempted-recon; sid:840; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP aglimpse access"; flow:to_server,established; content:"/aglimpse";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,2026; reference:cve,1999-0147; reference:nessus,10095;
classtype:attempted-recon; sid:842; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP anform2 access"; flow:to_server,established; content:"/AnForm2";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,719; reference:cve,1999-0066; classtype:attempted-recon; sid:843; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP args.bat access"; flow:to_server,established; content:"/args.bat";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:cve,1999-1180; reference:nessus,11465; classtype:attempted-recon; sid:844; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AT-admin.cgi access"; flow:to_server,established; content:"/AT-admin.cgi"; fast_pattern:only; http_uri; metadata:ruleset community,
service http; reference:cve,1999-1072; classtype:attempted-recon;
sid:845; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bnbform.cgi access"; flow:to_server,established;
content:"/bnbform.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,2147; reference:cve,1999-0937;
classtype:attempted-recon; sid:846; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP campas access"; flow:to_server,established; content:"/campas";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,1975; reference:cve,1999-0146; reference:nessus,10035;
classtype:attempted-recon; sid:847; rev:22;)

# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP view-source directory traversal"; flow:to_server,established;
content:"/view-source"; fast_pattern; nocase; http_uri; content:"../";
http_raw_uri; metadata:ruleset community, service http;
reference:bugtraq,2251; reference:bugtraq,8883; reference:cve,1999-0174;
classtype:web-application-attack; sid:848; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP view-source access"; flow:to_server,established; content:"/view-source"; fast_pattern:only; http_uri; metadata:ruleset community, service
http; reference:bugtraq,2251; reference:bugtraq,8883; reference:cve,1999-0174; classtype:attempted-recon; sid:849; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP wais.pl access"; flow:to_server,established; content:"/wais.pl";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
classtype:attempted-recon; sid:850; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP files.pl access"; flow:to_server,established; content:"/files.pl";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:cve,1999-1081; classtype:attempted-recon; sid:851; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP wguest.exe access"; flow:to_server,established;
content:"/wguest.exe"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,2024; reference:cve,1999-0287;
reference:cve,1999-0467; classtype:attempted-recon; sid:852; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP wrap access"; flow:to_server,established; content:"/wrap";
http_uri; metadata:ruleset community, service http;
reference:bugtraq,373; reference:cve,1999-0149; reference:nessus,10317;
classtype:attempted-recon; sid:853; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP classifieds.cgi access"; flow:to_server,established;
content:"/classifieds.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,2020; reference:cve,1999-0934;
classtype:attempted-recon; sid:854; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP environ.cgi access"; flow:to_server,established;
content:"/environ.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; classtype:attempted-recon; sid:856; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP faxsurvey access"; flow:to_server,established;
content:"/faxsurvey"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,2056; reference:cve,1999-0262;
reference:nessus,10067; classtype:web-application-activity; sid:857;
rev:25;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP filemail access"; flow:to_server,established;
content:"/filemail.pl"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:cve,1999-1154; classtype:attempted-recon; sid:858; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP man.sh access"; flow:to_server,established; content:"/man.sh";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,2276; reference:cve,1999-1179; classtype:attempted-recon; sid:859; rev:21;)

# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP snork.bat access"; flow:to_server,established;
content:"/snork.bat"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,2023; reference:cve,1999-0233;
classtype:attempted-recon; sid:860; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP w3-msql access"; flow:to_server,established; content:"/w3-msql/";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,591; reference:bugtraq,898; reference:cve,1999-0276;
reference:cve,1999-0753; reference:cve,2000-0012; reference:nessus,10296;
classtype:attempted-recon; sid:861; rev:25;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP csh access"; flow:to_server,established; content:"/csh";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:862; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP day5datacopier.cgi access"; flow:to_server,established;
content:"/day5datacopier.cgi"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:cve,1999-1232;
classtype:attempted-recon; sid:863; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP day5datanotifier.cgi access"; flow:to_server,established;
content:"/day5datanotifier.cgi"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:cve,1999-1232;
classtype:attempted-recon; sid:864; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ksh access"; flow:to_server,established; content:"/ksh";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:865; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP post-query access"; flow:to_server,established; content:"/post-query"; fast_pattern:only; http_uri; metadata:ruleset community, service
http; reference:bugtraq,6752; reference:cve,2001-0291;
classtype:attempted-recon; sid:866; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP visadmin.exe access"; flow:to_server,established;
content:"/visadmin.exe"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,1808; reference:cve,1999-0970;
reference:nessus,10295; classtype:attempted-recon; sid:867; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rsh access"; flow:to_server,established; content:"/rsh";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:868; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP dumpenv.pl access"; flow:to_server,established;
content:"/dumpenv.pl"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:cve,1999-1178; reference:nessus,10060;
classtype:attempted-recon; sid:869; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP snorkerz.cmd access"; flow:to_server,established;
content:"/snorkerz.cmd"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; classtype:attempted-recon; sid:870; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP survey.cgi access"; flow:to_server,established;
content:"/survey.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,1817; reference:cve,1999-0936;
classtype:attempted-recon; sid:871; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP tcsh access"; flow:to_server,established; content:"/tcsh";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:872; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP win-c-sample.exe access"; flow:to_server,established;
content:"/win-c-sample.exe"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:bugtraq,2078;
reference:cve,1999-0178; reference:nessus,10008; classtype:attempted-recon; sid:875; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rksh access"; flow:to_server,established; content:"/rksh";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:877; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP w3tvars.pm access"; flow:to_server,established;
content:"/w3tvars.pm"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; classtype:attempted-recon; sid:878; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP admin.pl access"; flow:to_server,established; content:"/admin.pl";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,3839; reference:cve,2002-1748;
reference:url,online.securityfocus.com/archive/1/249355;
classtype:attempted-recon; sid:879; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP LWGate access"; flow:to_server,established; content:"/LWGate";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:url,www.netspace.org/~dwb/lwgate/lwgate-history.html;
reference:url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm;
classtype:attempted-recon; sid:880; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP archie access"; flow:to_server,established; content:"/archie";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
classtype:attempted-recon; sid:881; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP calendar access"; flow:to_server,established; content:"/calendar"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:882; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP flexform access"; flow:to_server,established; content:"/flexform"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm; classtype:attempted-recon; sid:883; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bash access"; flow:to_server,established; content:"/bash"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:web-application-activity; sid:885; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP phf access"; flow:to_server,established; content:"/phf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,629; reference:cve,1999-0067; classtype:web-application-activity; sid:886; rev:27;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP www-sql access"; flow:to_server,established; content:"/www-sql"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=88704258804054&w=2; classtype:attempted-recon; sid:887; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP wwwadmin.pl access"; flow:to_server,established; content:"/wwwadmin.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:888; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ppdscgi.exe access"; flow:to_server,established; content:"/ppdscgi.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,491; reference:nessus,10187; reference:url,online.securityfocus.com/archive/1/16878; classtype:attempted-recon; sid:889; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sendform.cgi access"; flow:to_server,established; content:"/sendform.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,5286; reference:cve,2002-0710; reference:url,www.scn.org/help/sendform.txt; classtype:attempted-recon; sid:890; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP upload.pl access"; flow:to_server,established; content:"/upload.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:891; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AnyForm2 access"; flow:to_server,established; content:"/AnyForm2"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,719; reference:cve,1999-0066; reference:nessus,10277; classtype:attempted-recon; sid:892; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-hist.sh access"; flow:to_server,established; content:"/bb-hist.sh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,142; reference:cve,1999-1462; reference:nessus,10025; classtype:attempted-recon; sid:894; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP redirect access"; flow:to_server,established; content:"/redirect"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1179; reference:cve,2000-0382; classtype:attempted-recon; sid:895; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP way-board access"; flow:to_server,established; content:"/way-board"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2370; reference:cve,2001-0214; reference:nessus,10610; classtype:web-application-activity; sid:896; rev:23;)

# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP pals-cgi access"; flow:to_server,established; content:"/pals-cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2372; reference:cve,2001-0216; reference:cve,2001-0217; reference:nessus,10611; classtype:attempted-recon; sid:897; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP commerce.cgi access"; flow:to_server,established; content:"/commerce.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2361; reference:cve,2001-0210; reference:nessus,10612; classtype:attempted-recon; sid:898; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Amaya templates sendtemp.pl directory traversal attempt"; flow:to_server,established; content:"/sendtemp.pl"; fast_pattern:only; http_uri; content:"templ="; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2504; reference:cve,2001-0272; reference:nessus,10614; classtype:web-application-attack; sid:899; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webspirs.cgi directory traversal attempt"; flow:to_server,established; content:"/webspirs.cgi"; fast_pattern; nocase; http_uri; content:"../../"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,2362; reference:cve,2001-0211; reference:nessus,10616; classtype:web-application-attack; sid:900; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webspirs.cgi access"; flow:to_server,established; content:"/webspirs.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2362; reference:cve,2001-0211; reference:nessus,10616; classtype:attempted-recon; sid:901; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP tstisapi.dll access"; flow:to_server,established; content:"tstisapi.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2381; reference:cve,2001-0302; classtype:attempted-recon; sid:902; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion cfcache.map access"; flow:to_server,established; content:"/cfcache.map"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,917; reference:cve,2000-0057; classtype:attempted-recon; sid:903; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion exampleapp application.cfm"; flow:to_server,established; content:"/cfdocs/exampleapp/email/application.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1021; reference:cve,2000-0189; reference:cve,2001-0535; classtype:attempted-recon; sid:904; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion application.cfm access"; flow:to_server,established; content:"/cfdocs/exampleapp/publish/admin/application.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1021; reference:cve,2000-0189; reference:cve,2001-0535; classtype:attempted-recon; sid:905; rev:21;)

# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion getfile.cfm access"; flow:to_server,established; content:"/cfdocs/exampleapp/email/getfile.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,229; reference:cve,1999-0800; reference:cve,2001-0535; classtype:attempted-recon; sid:906; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion addcontent.cfm access"; flow:to_server,established; content:"/cfdocs/exampleapp/publish/admin/addcontent.cfm"; fast_pattern; nocase; http_uri; metadata:ruleset community, service http; reference:cve,2001-0535; classtype:attempted-recon; sid:907; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion administrator access"; flow:to_server,established; content:"/cfide/administrator/index.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1314; reference:cve,2000-0538; reference:nessus,10581; classtype:attempted-recon; sid:908; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion datasource username attempt"; flow:to_server,established; content:"CF_SETDATASOURCEUSERNAME|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:909; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion fileexists.cfm access"; flow:to_server,established; content:"/cfdocs/snippets/fileexists.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:910; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion exprcalc access"; flow:to_server,established; content:"/cfdocs/expeval/exprcalc.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,115; reference:bugtraq,550; reference:cve,1999-0455; reference:cve,1999-0760; classtype:attempted-recon; sid:911; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion parks access"; flow:to_server,established; content:"/cfdocs/examples/parks/detail.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:912; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion cfappman access"; flow:to_server,established; content:"/cfappman/index.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:913; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion beaninfo access"; flow:to_server,established; content:"/cfdocs/examples/cvbeans/beaninfo.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:914; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion evaluate.cfm access"; flow:to_server,established; content:"/cfdocs/snippets/evaluate.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:915; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion getodbcdsn access"; flow:to_server,established; content:"CFUSION_GETODBCDSN|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:916; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion db connections flush attempt"; flow:to_server,established; content:"CFUSION_DBCONNECTIONS_FLUSH|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:917; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion expeval access"; flow:to_server,established; content:"/cfdocs/expeval/"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0477; reference:cve,1999-0760; classtype:attempted-user; sid:918; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion datasource passwordattempt"; flow:to_server,established; content:"CF_SETDATASOURCEPASSWORD|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:919; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion datasource attempt"; flow:to_server,established; content:"CF_ISCOLDFUSIONDATASOURCE|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:920; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion admin encrypt attempt"; flow:to_server,established; content:"CFUSION_ENCRYPT|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:921; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion displayfile access"; flow:to_server,established; content:"/cfdocs/expeval/displayopenedfile.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:922; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion getodbcin attempt"; flow:to_server,established; content:"CFUSION_GETODBCINI|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:923; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion admin decrypt attempt"; flow:to_server,established; content:"CFUSION_DECRYPT|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:924; rev:15;)

# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion mainframeset access"; flow:to_server,established; content:"/cfdocs/examples/mainframeset.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:925; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion set odbc ini attempt"; flow:to_server,established; content:"CFUSION_SETODBCINI|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:926; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion settings refresh attempt"; flow:to_server,established; content:"CFUSION_SETTINGS_REFRESH|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:927; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion exampleapp access"; flow:to_server,established; content:"/cfdocs/exampleapp/"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,2001-0535; classtype:attempted-recon; sid:928; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion CFUSION_VERIFYMAIL access"; flow:to_server,established; content:"CFUSION_VERIFYMAIL|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-user; sid:929; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion snippets attempt"; flow:to_server,established; content:"/cfdocs/snippets/"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:930; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion cfmlsyntaxcheck.cfm access"; flow:to_server,established; content:"/cfdocs/cfmlsyntaxcheck.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:931; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion application.cfm access"; flow:to_server,established; content:"/application.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; reference:cve,2000-0189; classtype:attempted-recon; sid:932; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion onrequestend.cfm access"; flow:to_server,established; content:"/onrequestend.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; reference:cve,2000-0189; classtype:attempted-recon; sid:933; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion startstop DOS access"; flow:to_server,established; content:"/cfide/administrator/startstop.html"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,247; reference:cve,1999-0756; classtype:web-application-attack; sid:935; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion gettempdirectory.cfm access "; flow:to_server,established; content:"/cfdocs/snippets/gettempdirectory.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:936; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage _vti_rpc access"; flow:to_server,established; content:"/_vti_rpc"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2144; reference:cve,2001-0096; reference:nessus,10585; classtype:web-application-activity; sid:937; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage posting"; flow:to_server,established; content:"POST"; content:"/author.dll"; fast_pattern; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2144; reference:cve,2001-0096; reference:nessus,10585; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-100; classtype:web-application-activity; sid:939; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage shtml.dll access"; flow:to_server,established; content:"/_vti_bin/shtml.dll"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1174; reference:bugtraq,1594; reference:bugtraq,1595; reference:cve,2000-0413; reference:cve,2000-0746; reference:nessus,11395; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-060; classtype:web-application-activity; sid:940; rev:28;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage contents.htm access"; flow:to_server,established; content:"/admcgi/contents.htm"; fast_pattern; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:941; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage orders.htm access"; flow:to_server,established; content:"/_private/orders.htm"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:942; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage fpsrvadm.exe access"; flow:to_server,established; content:"/fpsrvadm.exe"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:943; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage fpremadm.exe access"; flow:to_server,established; content:"/fpremadm.exe"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:944; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage fpadmin.htm access"; flow:to_server,established; content:"/admisapi/fpadmin.htm"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:945; rev:17;)

# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage fpadmcgi.exe access"; flow:to_server,established; content:"/scripts/Fpadmcgi.exe"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:946; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage orders.txt access"; flow:to_server,established; content:"/_private/orders.txt"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:947; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage form_results access"; flow:to_server,established; content:"/_private/form_results.txt"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-1052; classtype:web-application-activity; sid:948; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage registrations.htm access"; flow:to_server,established; content:"/_private/registrations.htm"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:949; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage cfgwiz.exe access"; flow:to_server,established; content:"/cfgwiz.exe"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:950; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage authors.pwd access"; flow:to_server,established; content:"/authors.pwd"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,989; reference:cve,1999-0386; reference:nessus,10078; classtype:web-application-activity; sid:951; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage author.exe access"; flow:to_server,established; content:"/_vti_bin/_vti_aut/author.exe"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:952; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage administrators.pwd access"; flow:to_server,established; content:"/administrators.pwd"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1205; classtype:web-application-activity; sid:953; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage form_results.htm access"; flow:to_server,established; content:"/_private/form_results.htm"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-1052; classtype:web-application-activity; sid:954; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage access.cnf access"; flow:to_server,established; content:"/_vti_pvt/access.cnf"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:955; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage register.txt access"; flow:to_server,established; content:"/_private/register.txt"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:956; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage registrations.txt access"; flow:to_server,established; content:"/_private/registrations.txt"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:957; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage service.cnf access"; flow:to_server,established; content:"/_vti_pvt/service.cnf"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:958; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage service.pwd"; flow:to_server,established; content:"/service.pwd"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1205; classtype:web-application-activity; sid:959; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage service.stp access"; flow:to_server,established; content:"/_vti_pvt/service.stp"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:960; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage services.cnf access"; flow:to_server,established; content:"/_vti_pvt/services.cnf"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:961; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage shtml.exe access"; flow:to_server,established; content:"/_vti_bin/shtml.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1174; reference:bugtraq,1608; reference:bugtraq,5804; reference:cve,2000-0413; reference:cve,2000-0709; reference:cve,2002-0692; reference:nessus,10405; reference:nessus,11311; classtype:web-application-activity; sid:962; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage svcacl.cnf access"; flow:to_server,established; content:"/_vti_pvt/svcacl.cnf"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:963; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage users.pwd access"; flow:to_server,established; content:"/users.pwd"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:964; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage writeto.cnf access"; flow:to_server,established; content:"/_vti_pvt/writeto.cnf"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:965; rev:21;)

# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage .... request"; flow:to_server,established; content:"..../"; http_uri; metadata:ruleset community, service http; reference:bugtraq,989; reference:cve,1999-0386; reference:cve,2000-0153; reference:nessus,10142; classtype:web-application-attack; sid:966; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage dvwssr.dll access"; flow:to_server,established; content:"/dvwssr.dll"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1108; reference:bugtraq,1109; reference:cve,2000-0260; reference:nessus,10369; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-025; classtype:web-application-activity; sid:967; rev:25;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage register.htm access"; flow:to_server,established; content:"/_private/register.htm"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:968; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS WebDAV file lock attempt"; flow:to_server,established; content:"LOCK "; depth:5; metadata:ruleset community, service http; reference:bugtraq,2736; reference:nessus,10732; classtype:web-application-activity; sid:969; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ISAPI .printer access"; flow:to_server,established; content:".printer"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2674; reference:cve,2001-0241; reference:nessus,10661; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-023; classtype:web-application-activity; sid:971; rev:27;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS *.idc attempt"; flow:to_server,established; content:"/*.idc"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1448; reference:cve,1999-0874; reference:cve,2000-0661; classtype:web-application-attack; sid:973; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Microsoft Windows IIS directory traversal attempt"; flow:to_server,established; content:"..|5C|.."; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,2218; reference:cve,1999-0229; classtype:web-application-attack; sid:974; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Alternate Data streams ASP file access attempt"; flow:to_server,established; content:".asp|3A 3A 24|DATA"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,149; reference:cve,1999-0278; reference:nessus,10362; reference:url,support.microsoft.com/default.aspx?scid=kb\;EN-US\;q188806; classtype:web-application-attack; sid:975; rev:26;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .bat? access"; flow:to_server,established; content:".bat?"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2023; reference:bugtraq,4335; reference:cve,1999-0233; reference:cve,2002-0061; reference:url,support.microsoft.com/support/kb/articles/Q148/1/88.asp; reference:url,support.microsoft.com/support/kb/articles/Q155/0/56.asp; classtype:web-application-activity; sid:976; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS .cnf access"; flow:to_server,established; content:".cnf"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:977; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ASP contents view"; flow:to_server,established; content:"%20"; content:"&CiRestriction=none"; nocase; content:"&CiHiliteType=Full"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,1084; reference:cve,2000-0302; reference:nessus,10356; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-006; classtype:web-application-attack; sid:978; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ASP contents view"; flow:to_server,established; content:".htw?CiWebHitsFile"; fast_pattern; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1861; reference:cve,2000-0942; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-006; classtype:web-application-attack; sid:979; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS CGImail.exe access"; flow:to_server,established; content:"/scripts/CGImail.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1623; reference:cve,2000-0726; reference:nessus,11721; classtype:web-application-activity; sid:980; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS JET VBA access"; flow:to_server,established; content:"/scripts/samples/ctguestb.idc"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,307; reference:cve,1999-0874; reference:nessus,10116; classtype:web-application-activity; sid:984; rev:25;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS JET VBA access"; flow:to_server,established; content:"/scripts/samples/details.idc"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,286; reference:cve,1999-0874; classtype:web-application-activity; sid:985; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS MSProxy access"; flow:to_server,established; content:"/scripts/proxy/w3proxy.dll"; nocase; http_uri; metadata:ruleset community, service http; reference:url,support.microsoft.com/?kbid=331066; classtype:web-application-activity; sid:986; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"FILE-IDENTIFY .htr access file download request"; flow:to_server,established; content:".htr"; fast_pattern:only; http_uri; pcre:"/\x2ehtr([\?\x5c\x2f]|$)/smiU"; metadata:ruleset community, service http; reference:bugtraq,1488; reference:cve,2000-0630; reference:cve,2001-0004; reference:nessus,10680; reference:url,technet.microsoft.com/en-us/security/bulletin/ms01-004; classtype:misc-activity; sid:987; rev:31;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"MALWARE-CNC sensepost.exe command shell"; flow:to_server,established; content:"/sensepost.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,11003; classtype:web-application-activity; sid:989; rev:18;)


# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage _vti_inf.html access"; flow:to_server,established; content:"/_vti_inf.html"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11455; classtype:web-application-activity; sid:990; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS achg.htr access"; flow:to_server,established; content:"/iisadmpwd/achg.htr"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2110; reference:cve,1999-0407; classtype:web-application-activity; sid:991; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS adctest.asp access"; flow:to_server,established; content:"/msadc/samples/adctest.asp"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:992; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS iisadmin access"; flow:to_server,established; content:"/iisadmin"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,189; reference:cve,1999-1538; reference:nessus,11032; classtype:web-application-attack; sid:993; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS /scripts/iisadmin/default.htm access"; flow:to_server,established; content:"/scripts/iisadmin/default.htm"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-attack; sid:994; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ism.dll access"; flow:to_server,established; content:"/scripts/iisadmin/ism.dll?http/dir"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,189; reference:cve,1999-1538; reference:cve,2000-0630; classtype:web-application-attack; sid:995; rev:26;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS anot.htr access"; flow:to_server,established; content:"/iisadmpwd/anot"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2110; reference:cve,1999-0407; classtype:web-application-activity; sid:996; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS asp-dot attempt"; flow:to_server,established; content:".asp."; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1814; reference:nessus,10363; classtype:web-application-attack; sid:997; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS asp-srch attempt"; flow:to_server,established; content:"|23|filename=*.asp"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-attack; sid:998; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS bdir access"; flow:to_server,established; content:"/scripts/iisadmin/bdir.htr"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2280; classtype:web-application-activity; sid:999; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS bdir.htr access"; flow:to_server,established; content:"/bdir.htr"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2280; reference:nessus,10577; classtype:web-application-activity; sid:1000; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP carbo.dll access"; flow:to_server,established; content:"/carbo.dll"; http_uri; content:"icatcommand="; nocase; metadata:ruleset community, service http; reference:bugtraq,2126; reference:cve,1999-1069; classtype:attempted-recon; sid:1001; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-attack; sid:1002; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS cmd? access"; flow:to_server,established; content:".cmd?&"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-attack; sid:1003; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS codebrowser Exair access"; flow:to_server,established; content:"/iissamples/exair/howitworks/codebrws.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-0499; reference:cve,1999-0815; classtype:web-application-activity; sid:1004; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS codebrowser SDK access"; flow:to_server,established; content:"/iissamples/sdk/asp/docs/codebrws.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,167; reference:cve,1999-0736; classtype:web-application-activity; sid:1005; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Form_JScript.asp access"; flow:to_server,established; content:"/Form_JScript.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1594; reference:bugtraq,1595; reference:cve,2000-0746; reference:cve,2000-1104; reference:nessus,10572; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-028; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-060; classtype:web-application-attack; sid:1007; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS del attempt"; flow:to_server,established; content:"&del+/s+c|3A 5C|*.*"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-attack; sid:1008; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS directory listing"; flow:to_server,established; content:"/ServerVariables_Jscript.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,10573; classtype:web-application-attack; sid:1009; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS encoding access"; flow:to_server,established; content:"%1u"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,886; reference:cve,2000-0024; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-061; classtype:web-application-activity; sid:1010; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS exec-src access"; flow:to_server,established; content:"|23|filename=*.exe"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-activity; sid:1011; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS fpcount attempt"; flow:to_server,established; content:"/fpcount.exe"; fast_pattern; nocase; http_uri; content:"Digits="; nocase; metadata:ruleset community, service http; reference:bugtraq,2252; reference:cve,1999-1376; classtype:web-application-attack; sid:1012; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS fpcount access"; flow:to_server,established; content:"/fpcount.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2252; reference:cve,1999-1376; classtype:web-application-activity; sid:1013; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS getdrvs.exe access"; flow:to_server,established; content:"/scripts/tools/getdrvs.exe"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1015; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS global.asa access"; flow:to_server,established; content:"/global.asa"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,2000-0778; reference:cve,2001-0004; reference:nessus,10491; reference:nessus,10991; reference:url,technet.microsoft.com/en-us/security/bulletin/ms01-004; classtype:web-application-activity; sid:1016; rev:25;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS idc-srch attempt"; flow:to_server,established; content:"|23|filename=*.idc"; fast_pattern:only; metadata:ruleset community, service http; reference:cve,1999-0874; classtype:web-application-attack; sid:1017; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS iisadmpwd attempt"; flow:to_server,established; content:"/iisadmpwd/aexp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2110; reference:cve,1999-0407; reference:nessus,10371; classtype:web-application-attack; sid:1018; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Malformed Hit-Highlighting Argument File Access Attempt"; flow:to_server,established; content:"CiWebHitsFile="; nocase; http_uri; pcre:"/CiWebHitsFile=\/?([^\r\n\x3b\&]*\.\.\/)?/i"; content:"CiRestriction=none"; fast_pattern; nocase; http_uri; content:"ciHiliteType=Full"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,950; reference:cve,2000-0097; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-006; reference:url,www.securityfocus.com/archive/1/43762; classtype:web-application-attack; sid:1019; rev:30;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS isc$data attempt"; flow:to_server,established; content:".idc|3A 3A 24|data"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,307; reference:cve,1999-0874; reference:nessus,10116; classtype:web-application-attack; sid:1020; rev:26;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ism.dll attempt"; flow:to_server,established; content:" .htr"; nocase; http_uri; pcre:"/\s{230,}\.htr/U"; metadata:ruleset community, service http; reference:bugtraq,1193; reference:cve,2000-0457; reference:nessus,10680; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-031; classtype:web-application-attack; sid:1021; rev:29;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS jet vba access"; flow:to_server,established; content:"/advworks/equipment/catalog_type.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,286; reference:cve,1999-0874; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-030; classtype:web-application-activity; sid:1022; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS msadcs.dll access"; flow:to_server,established; content:"/msadcs.dll"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,529; reference:cve,1999-1011; reference:nessus,10357; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-025; classtype:web-application-activity; sid:1023; rev:25;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS newdsn.exe access"; flow:to_server,established; content:"/scripts/tools/newdsn.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1818; reference:cve,1999-0191; reference:nessus,10360; classtype:web-application-activity; sid:1024; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS perl access"; flow:to_server,established; content:"/scripts/perl"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1025; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS perl-browse newline attempt"; flow:to_server,established; content:"|0A|.pl"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,6833; reference:cve,2003-1365; classtype:web-application-attack; sid:1026; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS perl-browse space attempt"; flow:to_server,established; content:" .pl"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,6833; reference:cve,2003-1365; classtype:web-application-attack; sid:1027; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS query.asp access"; flow:to_server,established; content:"/issamples/query.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,193; reference:cve,1999-0449; classtype:web-application-activity; sid:1028; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS scripts-browse access"; flow:to_server,established; content:"/scripts/ "; fast_pattern:only; metadata:ruleset community, service http; reference:nessus,11032; classtype:web-application-attack; sid:1029; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS search97.vts access"; flow:to_server,established; content:"/search97.vts"; http_uri; metadata:ruleset community, service http; reference:bugtraq,162; classtype:web-application-activity; sid:1030; rev:15;)

# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS /SiteServer/Publishing/viewcode.asp access"; flow:to_server,established; content:"/SiteServer/Publishing/viewcode.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,10576; classtype:web-application-activity; sid:1031; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS showcode access"; flow:to_server,established; content:"/Sites/Knowledge/Membership/Inspired/ViewCode.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-0737; reference:nessus,10576; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-013; classtype:web-application-activity; sid:1032; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS viewcode access"; flow:to_server,established; content:"/Sites/Knowledge/Membership/Inspiredtutorial/ViewCode.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-0737; reference:nessus,10576; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-013; classtype:web-application-activity; sid:1033; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS viewcode access"; flow:to_server,established; content:"/Sites/Samples/Knowledge/Membership/Inspiredtutorial/ViewCode.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-0737; reference:nessus,10576; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-013; classtype:web-application-activity; sid:1034; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS viewcode access"; flow:to_server,established; content:"/Sites/Samples/Knowledge/Push/ViewCode.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-0737; reference:nessus,10576; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-013; classtype:web-application-activity; sid:1035; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS viewcode access"; flow:to_server,established; content:"/Sites/Samples/Knowledge/Search/ViewCode.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-0737; reference:nessus,10576; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-013; classtype:web-application-activity; sid:1036; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS showcode.asp access"; flow:to_server,established; content:"/showcode.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,167; reference:cve,1999-0736; reference:nessus,10007; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-013; classtype:web-application-activity; sid:1037; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS site server config access"; flow:to_server,established; content:"/adsamples/config/site.csc"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,256; reference:cve,1999-1520; classtype:web-application-activity; sid:1038; rev:20;)

# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS srch.htm access"; flow:to_server,established; content:"/samples/isapi/srch.htm"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1039; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS srchadm access"; flow:to_server,established; content:"/srchadm"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11032; classtype:web-application-activity; sid:1040; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS uploadn.asp access"; flow:to_server,established; content:"/scripts/uploadn.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1811; reference:cve,1999-0360; classtype:web-application-activity; sid:1041; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS view source via translate header"; flow:to_server,established; content:"Translate|3A| F"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,14764; reference:bugtraq,1578; reference:cve,2000-0778; reference:nessus,10491; classtype:web-application-activity; sid:1042; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS viewcode.asp access"; flow:to_server,established; content:"/viewcode.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-0737; reference:nessus,10576; classtype:web-application-activity; sid:1043; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS webhits access"; flow:to_server,established; content:".htw"; http_uri; metadata:ruleset community, service http; reference:bugtraq,950; reference:cve,2000-0097; classtype:web-application-activity; sid:1044; rev:17;)
# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"SERVER-IIS Unauthorized IP Access Attempt"; flow:to_client,established; content:"403"; content:"Forbidden|3A|"; metadata:ruleset community, service http; classtype:web-application-attack; sid:1045; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS site/iisamples access"; flow:to_server,established; content:"/site/iisamples"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,10370; classtype:web-application-activity; sid:1046; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise DOS"; flow:to_server,established; content:"REVLOG / "; depth:9; metadata:ruleset community, service http; reference:bugtraq,2294; reference:cve,2001-0251; classtype:web-application-attack; sid:1047; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise directory listing attempt"; flow:to_server,established; content:"INDEX "; depth:6; metadata:ruleset community, service http; reference:bugtraq,2285; reference:cve,2001-0250; reference:nessus,10691; classtype:web-application-attack; sid:1048; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP iPlanet GETPROPERTIES attempt"; flow:to_server,established; content:"GETPROPERTIES"; depth:13; metadata:ruleset community, service http; reference:bugtraq,2732; reference:cve,2001-0746; classtype:web-application-attack; sid:1050; rev:17;)


# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"FILE-OTHER technote main.cgi file directory traversal attempt"; flow:to_server,established; content:"/technote/main.cgi"; fast_pattern; nocase; http_uri; content:"filename="; nocase; content:"../../"; metadata:ruleset community, service http; reference:bugtraq,2156; reference:cve,2001-0075; reference:nessus,10584; classtype:web-application-attack; sid:1051; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP technote print.cgi directory traversal attempt"; flow:to_server,established; content:"/technote/print.cgi"; fast_pattern; nocase; http_uri; content:"board="; nocase; content:"../../"; http_raw_uri; content:"%00"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,2156; reference:cve,2001-0075; reference:nessus,10584; classtype:web-application-attack; sid:1052; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ads.cgi command execution attempt"; flow:to_server,established; content:"/ads.cgi"; fast_pattern; nocase; http_uri; content:"file="; nocase; content:"../../"; http_raw_uri; content:"|7C|"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2103; reference:cve,2001-0025; reference:nessus,11464; classtype:web-application-attack; sid:1053; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP weblogic/tomcat .jsp view source attempt"; flow:to_server,established; content:".jsp"; nocase; http_uri; pcre:!"/^\w+\s+[^\n\s\?]*\.jsp/smi"; metadata:ruleset community, service http; reference:bugtraq,2527; classtype:web-application-attack; sid:1054; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat view source attempt"; flow:to_server,established; content:"%252ejsp"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2527; reference:cve,2001-0590; classtype:web-application-attack; sid:1056; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL ftp attempt"; flow:to_server,established; content:"ftp.exe"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-activity; sid:1057; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL xp_enumdsn attempt"; flow:to_server,established; content:"xp_enumdsn"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-attack; sid:1058; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL xp_filelist attempt"; flow:to_server,established; content:"xp_filelist"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-attack; sid:1059; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL xp_availablemedia attempt"; flow:to_server,established; content:"xp_availablemedia"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-attack; sid:1060; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL xp_cmdshell attempt"; flow:to_server,established; content:"xp_cmdshell"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,5309; classtype:web-application-attack; sid:1061; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP nc.exe attempt"; flow:to_server,established; content:"nc.exe"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-activity; sid:1062; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP wsh attempt"; flow:to_server,established; content:"wsh.exe"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-activity; sid:1064; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rcmd attempt"; flow:to_server,established; content:"rcmd.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1065; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP telnet attempt"; flow:to_server,established; content:"telnet.exe"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-activity; sid:1066; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP net attempt"; flow:to_server,established; content:"net.exe"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-activity; sid:1067; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP tftp attempt"; flow:to_server,established; content:"tftp.exe"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-activity; sid:1068; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL xp_regread attempt"; flow:to_server,established; content:"xp_regread"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-activity; sid:1069; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP WebDAV search access"; flow:to_server,established; content:"SEARCH "; depth:8; nocase; metadata:ruleset community, service http; reference:bugtraq,1756; reference:cve,2000-0951; classtype:web-application-activity; sid:1070; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .htpasswd access"; flow:to_server,established; content:".htpasswd"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-attack; sid:1071; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Lotus Domino directory traversal"; flow:to_server,established; content:".nsf/"; http_uri; content:"../"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2173; reference:cve,2001-0009; reference:nessus,12248; classtype:web-application-attack; sid:1072; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webhits.exe access"; flow:to_server,established; content:"/scripts/samples/search/webhits.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,950; reference:cve,2000-0097; classtype:web-application-activity; sid:1073; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS postinfo.asp access"; flow:to_server,established; content:"/scripts/postinfo.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1811; reference:cve,1999-0360; classtype:web-application-activity; sid:1075; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS repost.asp access"; flow:to_server,established; content:"/scripts/repost.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,10372; classtype:web-application-activity; sid:1076; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL queryhit.htm access"; flow:to_server,established; content:"/samples/search/queryhit.htm"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10370; classtype:web-application-activity; sid:1077; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL counter.exe access"; flow:to_server,established; content:"/counter.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,267; reference:cve,1999-1030; classtype:web-application-activity; sid:1078; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows WebDAV propfind access"; flow:to_server,established; content:"propfind"; nocase; pcre:"/<a\x3a\s*propfind.*?xmlns\x3a\s*a=[\x21\x22]?DAV[\x21\x22]?/iR"; metadata:ruleset community, service http; reference:bugtraq,1656; reference:cve,2000-0869; reference:cve,2003-0718; reference:nessus,10505; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-030; classtype:web-application-activity; sid:1079; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP unify eWave ServletExec upload"; flow:to_server,established; content:"/servlet/com.unify.servletexec.UploadServlet"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1868; reference:bugtraq,1876; reference:cve,2000-1024; reference:cve,2000-1025; reference:nessus,10570; classtype:web-application-attack; sid:1080; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Servers suite DOS"; flow:to_server,established; content:"/dsgw/bin/search?context="; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1868; reference:cve,2000-1025; classtype:web-application-attack; sid:1081; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP amazon 1-click cookie theft"; flow:to_server,established; content:"ref%3Cscript%20language%3D%22Javascript"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,1194; reference:cve,2000-0439; classtype:web-application-attack; sid:1082; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP unify eWave ServletExec DOS"; flow:to_server,established; content:"/servlet/ServletExec"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1868; reference:cve,2000-1025; classtype:web-application-activity; sid:1083; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Allaire JRUN DOS attempt"; flow:to_server,established; content:"servlet/......."; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2337; reference:cve,2000-1049; classtype:web-application-attack; sid:1084; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP strings overflow"; flow:to_server,established; content:"|BA|I|FE FF FF F7 D2 B9 BF FF FF FF F7 D1|"; metadata:ruleset community, service http; reference:bugtraq,802; classtype:web-application-attack; sid:1085; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP strings overflow"; flow:to_server,established; content:"?STRENGUR"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1786; reference:cve,2000-0967; classtype:web-application-attack; sid:1086; rev:25;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP eXtropia webstore directory traversal"; flow:to_server,established; content:"/web_store.cgi"; http_uri; content:"page=../"; metadata:ruleset community, service http; reference:bugtraq,1774; reference:cve,2000-1005; reference:nessus,10532; classtype:web-application-attack; sid:1088; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP shopping cart directory traversal"; flow:to_server,established; content:"/shop.cgi"; http_uri; content:"page=../"; metadata:ruleset community, service http; reference:bugtraq,1777; reference:cve,2000-0921; classtype:web-application-attack; sid:1089; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Allaire Pro Web Shell attempt"; flow:to_server,established; content:"/authenticate.cgi?PASSWORD"; fast_pattern; nocase; http_uri; content:"config.ini"; metadata:ruleset community, service http; classtype:web-application-attack; sid:1090; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ICQ Webfront HTTP DOS"; flow:to_server,established; content:"??????????"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1463; reference:cve,2000-1078; classtype:web-application-attack; sid:1091; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Armada Style Master Index directory traversal"; flow:to_server,established; content:"/search.cgi?"; nocase; http_uri; content:"keys"; distance:0; nocase; http_uri; content:"catigory=../"; nocase; metadata:ruleset community, service http; reference:bugtraq,1772; reference:cve,2000-0924; reference:nessus,10562; reference:url,www.synnergy.net/downloads/advisories/SLA-2000-16.masterindex.txt; classtype:web-application-attack; sid:1092; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cached_feed.cgi moreover shopping cart directory traversal"; flow:to_server,established; content:"/cached_feed.cgi"; http_uri; content:"../"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,1762; reference:cve,2000-0906; classtype:web-application-attack; sid:1093; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Talentsoft Web+ Source Code view access"; flow:to_server,established; content:"/webplus.exe?"; nocase; http_uri; content:"script=test.wml"; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1722; reference:url,archives.neohapsis.com/archives/ntbugtraq/2000-q3/0168.html; classtype:web-application-attack; sid:1095; rev:17;)

# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Talentsoft Web+ internal IP Address access"; flow:to_server,established; content:"/webplus.exe?"; nocase; http_uri; content:"about"; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1720; reference:url,archives.neohapsis.com/archives/ntbugtraq/2000-q3/0168.html; classtype:web-application-activity; sid:1096; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Talentsoft Web+ exploit attempt"; flow:to_server,established; content:"/webplus.cgi?"; nocase; http_uri; content:"Script=/webplus/webping/webping.wml"; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1725; classtype:web-application-attack; sid:1097; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SmartWin CyberOffice Shopping Cart access"; flow:to_server,established; content:"_private/shopping_cart.mdb"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1734; reference:cve,2000-0925; classtype:web-application-attack; sid:1098; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cybercop scan"; flow:to_server,established; content:"/cybercop"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1099; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"INDICATOR-SCAN L3retriever HTTP Probe"; flow:to_server,established; content:"User-Agent|3A| Java1.2.1|0D 0A|"; http_header; metadata:ruleset community, service http; classtype:web-application-activity; sid:1100; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"INDICATOR-SCAN Webtrends HTTP probe"; flow:to_server,established; content:"User-Agent|3A| Webtrends Security Analyzer|0D 0A|"; http_header; metadata:ruleset community, service http; classtype:web-application-activity; sid:1101; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP nessus 1.X 404 probe"; flow:to_server,established; content:"/nessus_is_probing_you_"; depth:32; http_uri; metadata:ruleset community, service http; classtype:web-application-attack; sid:1102; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape admin passwd"; flow:to_server,established; content:"/admin-serv/config/admpw"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1579; reference:nessus,10468; classtype:web-application-attack; sid:1103; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP BigBrother access"; flow:to_server,established; content:"/bb-hostsvc.sh?"; nocase; http_uri; content:"HOSTSVC"; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1455; reference:cve,2000-0638; reference:nessus,10460; classtype:attempted-recon; sid:1105; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Poll-it access"; flow:to_server,established; content:"/pollit/Poll_It_SSI_v2.0.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1431; reference:cve,2000-0590; reference:nessus,10459; classtype:web-application-activity; sid:1106; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ftp.pl access"; flow:to_server,established; content:"/ftp.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1471; reference:cve,2000-0674; reference:nessus,10467; classtype:web-application-activity; sid:1107; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat server snoop access"; flow:to_server,established; content:"/jsp/snp/"; http_uri; content:".snp"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1532; reference:cve,2000-0760; reference:nessus,10478; classtype:attempted-recon; sid:1108; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ROXEN directory list attempt"; flow:to_server,established; content:"/%00"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1510; reference:cve,2000-0671; reference:nessus,10479; classtype:attempted-recon; sid:1109; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP apache source.asp file access"; flow:to_server,established; content:"/site/eg/source.asp"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1457; reference:cve,2000-0628; reference:nessus,10480; classtype:attempted-recon; sid:1110; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat server exploit access"; flow:to_server,established; content:"/contextAdmin/contextAdmin.html"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1548; reference:cve,2000-0672; reference:nessus,10477; classtype:attempted-recon; sid:1111; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ICQ webserver DOS"; flow:to_server,established; content:".html/......"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0474; reference:url,www.securiteam.com/exploits/2ZUQ1QAQOG.html; classtype:attempted-dos; sid:1115; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Lotus DelDoc attempt"; flow:to_server,established; content:"?DeleteDocument"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1116; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Lotus EditDoc attempt"; flow:to_server,established; content:"?EditDocument"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.securiteam.com/exploits/5NP080A1RE.html; classtype:attempted-recon; sid:1117; rev:14;)
# NOTE(review): sid 1118 below has no http_uri (or other buffer) modifier on its content match, so "ls%20-l" is looked for anywhere in the request payload, headers and body included, not just the URI; the same applies to sid 1136 (cd..), sid 1139 (HEAD/./) and sid 1142 (/....). Expect noise if these are enabled as-is.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ls%20-l"; flow:to_server,established; content:"ls%20-l"; nocase; metadata:ruleset community, service http; classtype:attempted-recon; sid:1118; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mlog.phtml access"; flow:to_server,established; content:"/mlog.phtml"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,713; reference:cve,1999-0068; reference:cve,1999-0346; classtype:attempted-recon; sid:1119; rev:15;)

# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mylog.phtml access"; flow:to_server,established; content:"/mylog.phtml"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,713; reference:cve,1999-0068; reference:cve,1999-0346; classtype:attempted-recon; sid:1120; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /etc/passwd file access attempt"; flow:to_server,established; content:"/etc/passwd"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1122; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ?PageServices access"; flow:to_server,established; content:"?PageServices"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:bugtraq,7621; reference:cve,1999-0269; classtype:attempted-recon; sid:1123; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Ecommerce check.txt access"; flow:to_server,established; content:"/config/check.txt"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1124; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webcart access"; flow:to_server,established; content:"/webcart/"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0610; reference:nessus,10298; classtype:attempted-recon; sid:1125; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AuthChangeUrl access"; flow:to_server,established; content:"_AuthChangeUrl?"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2110; reference:cve,1999-0407; classtype:attempted-recon; sid:1126; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP convert.bas access"; flow:to_server,established; content:"/scripts/convert.bas"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2025; reference:cve,1999-0175; classtype:attempted-recon; sid:1127; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cpshost.dll access"; flow:to_server,established; content:"/scripts/cpshost.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1811; reference:bugtraq,4002; reference:cve,1999-0360; classtype:attempted-recon; sid:1128; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .htaccess access"; flow:to_server,established; content:".htaccess"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1129; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .wwwacl access"; flow:to_server,established; content:".wwwacl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1130; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .wwwacl access"; flow:to_server,established; content:".www_acl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1131; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 457 (msg:"SERVER-WEBAPP Netscape Unixware overflow"; flow:to_server,established; content:"|EB|_|9A FF FF FF FF 07 FF C3|^1|C0 89|F|9D|"; metadata:ruleset community; reference:bugtraq,908; reference:cve,1999-0744; classtype:attempted-recon; sid:1132; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"INDICATOR-SCAN cybercop os probe"; flow:stateless; ack:0; flags:SFP; content:"AAAAAAAAAAAAAAAA"; depth:16; metadata:ruleset community, service http; classtype:attempted-recon; sid:1133; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Phorum admin access"; flow:to_server,established; content:"/admin.php3"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2271; reference:cve,2000-1228; classtype:attempted-recon; sid:1134; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cd.."; flow:to_server,established; content:"cd.."; nocase; metadata:ruleset community, service http; classtype:attempted-recon; sid:1136; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Phorum authentication access"; flow:to_server,established; content:"PHP_AUTH_USER=boogieman"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,2274; reference:cve,2000-1230; classtype:attempted-recon; sid:1137; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP whisker HEAD/./"; flow:to_server,established; content:"HEAD/./"; metadata:ruleset community, service http; reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; classtype:attempted-recon; sid:1139; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP guestbook.pl access"; flow:to_server,established; content:"/guestbook.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,776; reference:cve,1999-0237; reference:cve,1999-1053; reference:nessus,10099; classtype:attempted-recon; sid:1140; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP handler access"; flow:to_server,established; content:"/handler"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,380; reference:cve,1999-0148; reference:nessus,10100; classtype:web-application-activity; sid:1141; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /.... access"; flow:to_server,established; content:"/...."; metadata:ruleset community, service http; classtype:attempted-recon; sid:1142; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP root access"; flow:to_server,established; content:"/~root"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1145; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Ecommerce import.txt access"; flow:to_server,established; content:"/config/import.txt"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1146; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cat_ access"; flow:to_server,established; content:"cat "; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,374; reference:cve,1999-0039; classtype:attempted-recon; sid:1147; rev:20;)


# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Ecommerce import.txt access"; flow:to_server,established; content:"/orders/import.txt"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1148; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP count.cgi access"; flow:to_server,established; content:"/count.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,128; reference:cve,1999-0021; reference:nessus,10049; classtype:web-application-activity; sid:1149; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino catalog.nsf access"; flow:to_server,established; content:"/catalog.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1150; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino domcfg.nsf access"; flow:to_server,established; content:"/domcfg.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1151; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino domlog.nsf access"; flow:to_server,established; content:"/domlog.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1152; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino log.nsf access"; flow:to_server,established; content:"/log.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1153; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino names.nsf access"; flow:to_server,established; content:"/names.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1154; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Ecommerce checks.txt access"; flow:to_server,established; content:"/orders/checks.txt"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2281; classtype:attempted-recon; sid:1155; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP apache directory disclosure attempt"; flow:to_server,established; content:"////////"; fast_pattern:only; content:"////////"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,2503; reference:cve,2001-0925; classtype:attempted-dos; sid:1156; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape PublishingXpert access"; flow:to_server,established; content:"/PSUser/PSCOErrPage.htm"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,2000-1196; reference:nessus,10364; classtype:web-application-activity; sid:1157; rev:17;)

# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP windmail.exe access"; flow:to_server,established; content:"/windmail.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1073; reference:cve,2000-0242; reference:nessus,10365; classtype:attempted-recon; sid:1158; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webplus access"; flow:to_server,established; content:"/webplus?script"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1174; reference:bugtraq,1720; reference:bugtraq,1722; reference:bugtraq,1725; reference:cve,2000-1005; classtype:attempted-recon; sid:1159; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape dir index wp"; flow:to_server,established; content:"?wp-"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; reference:nessus,10352; classtype:attempted-recon; sid:1160; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP piranha passwd.php3 access"; flow:to_server,established; content:"/passwd.php3"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1149; reference:cve,2000-0322; classtype:attempted-recon; sid:1161; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cart 32 AdminPwd access"; flow:to_server,established; content:"/c32web.exe/ChangeAdminPassword"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1153; reference:cve,2000-0429; classtype:attempted-recon; sid:1162; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webdist.cgi access"; flow:to_server,established; content:"/webdist.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,374; reference:cve,1999-0039; reference:nessus,10299; classtype:web-application-activity; sid:1163; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP shopping cart access"; flow:to_server,established; content:"/quikstore.cfg"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1983; reference:bugtraq,2049; reference:cve,1999-0607; reference:cve,2000-1188; classtype:attempted-recon; sid:1164; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Novell Groupwise gwweb.exe access"; flow:to_server,established; content:"/GWWEB.EXE"; nocase; metadata:ruleset community, service http; reference:bugtraq,879; reference:cve,1999-1005; reference:cve,1999-1006; reference:nessus,10877; classtype:attempted-recon; sid:1165; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ws_ftp.ini access"; flow:to_server,established; content:"/ws_ftp.ini"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,547; reference:cve,1999-1078; classtype:attempted-recon; sid:1166; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rpm_query access"; flow:to_server,established; content:"/rpm_query"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1036; reference:cve,2000-0192; reference:nessus,10340; classtype:attempted-recon; sid:1167; rev:17;)

# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mall log order access"; flow:to_server,established; content:"/mall_log_files/order.log"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2266; reference:cve,1999-0606; classtype:attempted-recon; sid:1168; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bigconf.cgi access"; flow:to_server,established; content:"/bigconf.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,778; reference:cve,1999-1550; reference:nessus,10027; classtype:web-application-activity; sid:1172; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP architext_query.pl access"; flow:to_server,established; content:"/ews/architext_query.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2248; reference:cve,1999-0279; reference:nessus,10064; reference:url,www2.fedcirc.gov/alerts/advisories/1998/txt/fedcirc.98.03.txt; classtype:attempted-recon; sid:1173; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /cgi-bin/jj access"; flow:to_server,established; content:"/cgi-bin/jj"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2002; reference:cve,1999-0260; reference:nessus,10131; classtype:web-application-activity; sid:1174; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP wwwboard.pl access"; flow:to_server,established; content:"/wwwboard.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1795; reference:bugtraq,649; reference:cve,1999-0930; reference:cve,1999-0954; classtype:attempted-recon; sid:1175; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-verify-link"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1177; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Phorum read access"; flow:to_server,established; content:"/read.php3"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1178; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Phorum violation access"; flow:to_server,established; content:"/violation.php3"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2272; reference:cve,2000-1234; classtype:attempted-recon; sid:1179; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP get32.exe access"; flow:to_server,established; content:"/get32.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1485; reference:bugtraq,770; reference:cve,1999-0885; reference:nessus,10011; classtype:attempted-recon; sid:1180; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Annex Terminal DOS attempt"; flow:to_server,established; content:"/ping?query="; http_uri; metadata:ruleset community, service http; reference:cve,1999-1070; reference:nessus,10017; classtype:attempted-dos; sid:1181; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-cs-dump"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; reference:nessus,10352; classtype:attempted-recon; sid:1183; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-ver-info"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1184; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bizdbsearch attempt"; flow:to_server,established; content:"/bizdb1-search.cgi"; fast_pattern; nocase; http_uri; content:"mail"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1104; reference:cve,2000-0287; reference:nessus,10383; classtype:web-application-attack; sid:1185; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-ver-diff"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1186; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SalesLogix Eviewer web command attempt"; flow:to_server,established; content:"/slxweb.dll/admin?command="; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1078; reference:bugtraq,1089; reference:cve,2000-0278; reference:cve,2000-0289; reference:nessus,10361; classtype:web-application-attack; sid:1187; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-start-ver"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1188; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-stop-ver"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1189; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-uncheckout"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1190; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-html-rend"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1191; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro OfficeScan access"; flow:to_server,established; content:"/officescan/cgi/jdkRqNotify.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1057; classtype:attempted-recon; sid:1192; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP oracle web arbitrary command execution attempt"; flow:to_server,established; content:"/ows-bin/"; nocase; http_uri; content:"?&"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1053; reference:cve,2000-0169; reference:nessus,10348; classtype:web-application-attack; sid:1193; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sojourn.cgi File attempt"; flow:to_server,established; content:"/sojourn.cgi?"; nocase; http_uri; content:"cat="; distance:0; nocase; http_uri; content:"%00"; nocase; metadata:ruleset community, service http; reference:bugtraq,1052; reference:cve,2000-0180; reference:nessus,10349; classtype:web-application-attack; sid:1194; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sojourn.cgi access"; flow:to_server,established; content:"/sojourn.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1052; reference:cve,2000-0180; reference:nessus,10349; classtype:web-application-activity; sid:1195; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SGI InfoSearch fname attempt"; flow:to_server,established; content:"/infosrch.cgi?"; fast_pattern; nocase; http_uri; content:"fname="; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1031; reference:cve,2000-0207; reference:nessus,10128; classtype:web-application-attack; sid:1196; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Phorum code access"; flow:to_server,established; content:"/code.php3"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1197; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-usr-prop"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:web-application-attack; sid:1198; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2301 (msg:"SERVER-WEBAPP Compaq Insight directory traversal"; flow:to_server,established; content:"../"; metadata:ruleset community; reference:bugtraq,282; reference:cve,1999-0771; classtype:web-application-attack; sid:1199; rev:17;)
# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any
(msg:"INDICATOR-COMPROMISE Invalid URL"; flow:to_client,established;
file_data; content:"Invalid URL"; nocase; metadata:ruleset community,
service http; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-063; classtype:attempted-recon; sid:1200;
rev:17;)
# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any
(msg:"INDICATOR-COMPROMISE 403 Forbidden"; flow:to_client,established;
content:"403"; http_stat_code; metadata:ruleset community, service http;
classtype:attempted-recon; sid:1201; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP search.vts access"; flow:to_server,established;
content:"/search.vts"; http_uri; metadata:ruleset community, service
http; reference:bugtraq,162; classtype:attempted-recon; sid:1202;
rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ax-admin.cgi access"; flow:to_server,established; content:"/ax-admin.cgi"; fast_pattern:only; http_uri; metadata:ruleset community,
service http; classtype:web-application-activity; sid:1204; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP axs.cgi access"; flow:to_server,established; content:"/axs.cgi";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
classtype:web-application-activity; sid:1205; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cachemgr.cgi access"; flow:to_server,established;
content:"/cachemgr.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,2059; reference:cve,1999-0710;
reference:nessus,10034; classtype:web-application-activity; sid:1206;
rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP htgrep access"; flow:to_server,established; content:"/htgrep";
http_uri; metadata:ruleset community, service http; reference:cve,2000-0832; reference:nessus,10495; classtype:web-application-activity;
sid:1207; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP responder.cgi access"; flow:to_server,established;
content:"/responder.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,3155; classtype:web-application-activity; sid:1208; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .nsconfig access"; flow:to_server,established;
content:"/.nsconfig"; http_uri; metadata:ruleset community, service http;
reference:url,osvdb.org/show/osvdb/5709; classtype:attempted-recon;
sid:1209; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP web-map.cgi access"; flow:to_server,established; content:"/web-map.cgi"; fast_pattern:only; http_uri; metadata:ruleset community,
service http; classtype:web-application-activity; sid:1211; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Admin_files access"; flow:to_server,established;
content:"/admin_files"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; classtype:attempted-recon; sid:1212; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP backup access"; flow:to_server,established; content:"/backup";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
classtype:attempted-recon; sid:1213; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP intranet access"; flow:to_server,established;
content:"/intranet/"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:nessus,11626; classtype:attempted-recon; sid:1214; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ministats admin access"; flow:to_server,established;
content:"/ministats/admin.cgi"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; classtype:web-application-activity; sid:1215; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP filemail access"; flow:to_server,established; content:"/filemail";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:cve,1999-1154; reference:cve,1999-1155;
reference:url,www.securityfocus.com/archive/1/11175; classtype:attempted-recon; sid:1216; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP plusmail access"; flow:to_server,established; content:"/plusmail";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,2653; reference:cve,2000-0074; reference:nessus,10181;
classtype:attempted-recon; sid:1217; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP adminlogin access"; flow:to_server,established;
content:"/adminlogin"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,1164; reference:bugtraq,1175;
reference:cve,2000-0332; reference:cve,2000-0426; reference:nessus,11748;
classtype:attempted-recon; sid:1218; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP dfire.cgi access"; flow:to_server,established;
content:"/dfire.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,564; reference:cve,1999-0913;
classtype:web-application-activity; sid:1219; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ultraboard access"; flow:to_server,established;
content:"/ultraboard"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,1164; reference:bugtraq,1175;
reference:cve,2000-0332; reference:cve,2000-0426; reference:nessus,11748;
classtype:attempted-recon; sid:1220; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Muscat Empower cgi access"; flow:to_server,established;
content:"/empower?DB"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,2374; reference:cve,2001-0224;
reference:nessus,10609; classtype:web-application-activity; sid:1221;
rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP pals-cgi arbitrary file access attempt";
flow:to_server,established; content:"/pals-cgi"; fast_pattern; nocase;
http_uri; content:"documentName="; http_uri; metadata:ruleset community,
service http; reference:bugtraq,2372; reference:cve,2001-0217;
reference:nessus,10611; classtype:web-application-attack; sid:1222;
rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ROADS search.pl attempt"; flow:to_server,established;
content:"/ROADS/cgi-bin/search.pl"; http_uri; content:"form="; nocase;
metadata:ruleset community, service http; reference:bugtraq,2371;
reference:cve,2001-0215; reference:nessus,10627; classtype:attempted-recon; sid:1224; rev:17;)


# alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 MIT Magic
Cookie detected"; flow:established; content:"MIT-MAGIC-COOKIE-1";
fast_pattern:only; metadata:ruleset community; classtype:attempted-user;
sid:1225; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 xopen";
flow:established; content:"l|00 0B 00 00 00 00 00 00 00 00 00|";
fast_pattern:only; metadata:ruleset community; classtype:unknown;
sid:1226; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP
CWD ..."; flow:to_server,established; content:"CWD"; nocase;
content:"..."; distance:0; pcre:"/^CWD\s[^\n]*?\.\.\./smi";
metadata:ruleset community, service ftp; reference:bugtraq,9237;
classtype:bad-unknown; sid:1229; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP VirusWall FtpSave access"; flow:to_server,established;
content:"/FtpSave.dll"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,2808; reference:cve,2001-0432;
reference:nessus,10733; classtype:attempted-recon; sid:1230; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP VirusWall catinfo access"; flow:to_server,established;
content:"/catinfo"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,2579; reference:bugtraq,2808;
reference:cve,2001-0432; reference:nessus,10650; classtype:attempted-recon; sid:1231; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1812 (msg:"SERVER-WEBAPP
VirusWall catinfo access"; flow:to_server,established;
content:"/catinfo"; nocase; metadata:ruleset community;
reference:bugtraq,2579; reference:bugtraq,2808; reference:cve,2001-0432;
reference:nessus,10650; classtype:attempted-recon; sid:1232; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP VirusWall FtpSaveCSP access"; flow:to_server,established;
content:"/FtpSaveCSP.dll"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,2808; reference:cve,2001-0432;
reference:nessus,10733; classtype:attempted-recon; sid:1234; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP VirusWall FtpSaveCVP access"; flow:to_server,established;
content:"/FtpSaveCVP.dll"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,2808; reference:cve,2001-0432;
reference:nessus,10733; classtype:attempted-recon; sid:1235; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS
RFParalyze Attempt"; flow:to_server,established; content:"BEAVIS";
content:"yep yep"; metadata:ruleset community; reference:bugtraq,1163;
reference:cve,2000-0347; reference:nessus,10392; classtype:attempted-recon; sid:1239; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2224 (msg:"SERVER-OTHER MDBMS
overflow"; flow:to_server,established; content:"|01|1|DB CD 80 E8|[|FF FF
FF|"; fast_pattern:only; metadata:ruleset community;
reference:bugtraq,1252; reference:cve,2000-0446; reference:nessus,10422;
classtype:attempted-admin; sid:1240; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SWEditServlet directory traversal attempt";
flow:to_server,established; content:"/SWEditServlet"; http_uri;
content:"template=../../../"; metadata:ruleset community, service http;
reference:bugtraq,2868; reference:cve,2001-0555; classtype:attempted-user; sid:1241; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ISAPI .ida access"; flow:to_server,established; content:".ida";
nocase; http_uri; metadata:ruleset community, service http;
reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:1242; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ISAPI .ida attempt"; flow:to_server,established; content:".ida?";
nocase; http_uri; metadata:ruleset community, service http;
reference:bugtraq,1065; reference:cve,2000-0071; reference:cve,2001-0500;
classtype:web-application-attack; sid:1243; rev:25;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ISAPI .idq attempt"; flow:to_server,established; content:".idq?";
nocase; http_uri; metadata:ruleset community, service http;
reference:bugtraq,1065; reference:bugtraq,968; reference:cve,2000-0071;
reference:cve,2000-0126; reference:cve,2001-0500; reference:nessus,10115;
classtype:web-application-attack; sid:1244; rev:28;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ISAPI .idq access"; flow:to_server,established; content:".idq";
nocase; http_uri; metadata:ruleset community, service http;
reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:1245; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage rad fp30reg.dll access";
flow:to_server,established; content:"/fp30reg.dll"; nocase; http_uri;
metadata:ruleset community, service http; reference:bugtraq,2906;
reference:cve,2001-0341; reference:cve,2003-0822; reference:nessus,10699;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-035;
classtype:web-application-activity; sid:1248; rev:30;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage rad fp4areg.dll access";
flow:to_server,established; content:"/fp4areg.dll"; nocase; http_uri;
metadata:ruleset community, service http; reference:bugtraq,2906;
reference:cve,2001-0341; reference:nessus,10699; classtype:web-application-activity; sid:1249; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"OS-OTHER
Cisco IOS HTTP configuration attempt"; flow:to_server,established;
content:"/level/"; http_uri; pcre:"/\x2flevel\x2f\d+\x2f(exec|configure)/iU";
metadata:ruleset community, service http;
reference:bugtraq,2936; reference:cve,2001-0537; reference:nessus,10700;
classtype:web-application-attack; sid:1250; rev:21;)
# alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET
bsd telnet exploit response"; flow:to_client,established; content:"|0D
0A|[Yes]|0D 0A FF FE 08 FF FD|&"; fast_pattern:only; rawbytes;
metadata:ruleset community, service telnet; reference:bugtraq,3064;
reference:cve,2001-0554; reference:nessus,10709; classtype:attempted-admin; sid:1252; rev:25;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET
bsd exploit client finishing"; flow:to_server,established; dsize:>200;
content:"|FF F6 FF F6 FF FB 08 FF F6|"; depth:50; offset:200; rawbytes;
metadata:ruleset community, service telnet; reference:bugtraq,3064;

reference:cve,2001-0554; reference:nessus,10709; classtype:successful-admin; sid:1253; rev:23;)


# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PHPLIB remote command attempt"; flow:to_server,established;
content:"_PHPLIB[libdir]"; fast_pattern:only; metadata:ruleset community,
service http; reference:bugtraq,3079; reference:cve,2001-1370;
reference:nessus,14910; classtype:attempted-user; sid:1254; rev:16;)
# alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHPLIB remote command attempt"; flow:to_server,established;
content:"/db_mysql.inc"; http_uri; metadata:ruleset community, service
http; reference:bugtraq,3079; reference:cve,2001-1370;
classtype:attempted-user; sid:1255; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS CodeRed v2 root.exe access"; flow:to_server,established;
content:"/root.exe"; nocase; http_uri; metadata:ruleset community,
service http; reference:url,www.cert.org/advisories/CA-2001-19.html;
classtype:web-application-attack; sid:1256; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 135:139 (msg:"SERVER-OTHER
Winnuke attack"; flow:stateless; flags:U+; metadata:ruleset community;
reference:bugtraq,2010; reference:cve,1999-0153; classtype:attempted-dos;
sid:1257; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SWEditServlet access"; flow:to_server,established;
content:"/SWEditServlet"; http_uri; metadata:ruleset community, service
http; reference:bugtraq,2868; classtype:attempted-recon; sid:1259;
rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4242 (msg:"SERVER-OTHER AIX
pdnsd overflow"; flow:to_server,established; isdataat:1000; content:"|7F
FF FB|x|7F FF FB|x|7F FF FB|x|7F FF FB|x"; content:"@|8A FF C8|@|82 FF D8
3B|6|FE 03 3B|v|FE 02|"; metadata:ruleset community;
reference:bugtraq,3237; reference:bugtraq,590; reference:cve,1999-0745;
classtype:attempted-user; sid:1261; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
admind request TCP"; flow:to_server,established; content:"|00 01 86 A0|";
depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
01 86 F7|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8;
metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode;
sid:1262; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
amountd request TCP"; flow:to_server,established; content:"|00 01 86
A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
01 87 03|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8;
metadata:ruleset community, service sunrpc; reference:bugtraq,205;
reference:bugtraq,235; reference:bugtraq,450; reference:bugtraq,614;
reference:cve,1999-0088; reference:cve,1999-0210; reference:cve,1999-0493; reference:cve,1999-0704; classtype:rpc-portmap-decode; sid:1263;
rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
bootparam request TCP"; flow:to_server,established; content:"|00 01 86
A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
01 86 BA|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8;

metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode;


sid:1264; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
cmsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|";
depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
01 86 E4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8;
metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode;
sid:1265; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
nisd request TCP"; flow:to_server,established; content:"|00 01 86 A0|";
depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
01 87 CC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8;
metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode;
sid:1267; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
pcnfsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|";
depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
02|I|F1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8;
metadata:ruleset community, service sunrpc; reference:bugtraq,205;
reference:bugtraq,4816; reference:cve,1999-0078; reference:cve,1999-0353;
reference:cve,2002-0910; classtype:rpc-portmap-decode; sid:1268; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
rexd request TCP"; flow:to_server,established; content:"|00 01 86 A0|";
depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
01 86 B1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8;
metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode;
sid:1269; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
rstatd request TCP"; flow:to_server,established; content:"|00 01 86 A0|";
depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
01 86 A1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8;
metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode;
sid:1270; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
rusers request TCP"; flow:to_server,established; content:"|00 01 86 A0|";
depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
01 86 A2|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8;
metadata:ruleset community, service sunrpc; reference:cve,1999-0626;
classtype:rpc-portmap-decode; sid:1271; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
sadmind request TCP"; flow:to_server,established; content:"|00 01 86
A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8;
metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode;
sid:1272; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
selection_svc request TCP"; flow:to_server,established; content:"|00 01

86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4;


distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align;
content:"|00 01 86 AF|"; within:4; content:"|00 00 00 00|"; depth:4;
offset:8; metadata:ruleset community, service sunrpc;
reference:bugtraq,205; reference:cve,1999-0209; classtype:rpc-portmap-decode; sid:1273; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
ttdbserv request TCP"; flow:to_server,established; content:"|00 01 86
A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8;
metadata:ruleset community, service sunrpc; reference:bugtraq,122;
reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687;
reference:cve,1999-1075; reference:cve,2001-0717;
reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1274; rev:26;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
yppasswd request TCP"; flow:to_server,established; content:"|00 01 86
A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
01 86 A9|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8;
metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode;
sid:1275; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
ypserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|";
depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
01 86 A4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8;
metadata:ruleset community, service sunrpc; reference:bugtraq,5914;
reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043;
reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:1276; rev:21;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
ypupdated request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4;
offset:12; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
01 86 BC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4;
metadata:ruleset community, service sunrpc; reference:bugtraq,1749;
reference:bugtraq,28383; reference:cve,1999-0208; classtype:rpc-portmap-decode; sid:1277; rev:21;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
snmpXdmi request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4;
offset:12; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4;
metadata:ruleset community, service sunrpc; reference:bugtraq,2417;
reference:cve,2001-0236; reference:nessus,10659;
reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1279; rev:27;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
listing UDP 111"; flow:to_server; content:"|00 01 86 A0|"; depth:4;
offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00
00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc;
classtype:rpc-portmap-decode; sid:1280; rev:17;)

# alert udp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"PROTOCOL-RPC
portmap listing UDP 32771"; flow:to_server; content:"|00 01 86 A0|";
depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4;
content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community;
classtype:rpc-portmap-decode; sid:1281; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Microsoft Office Outlook web dos"; flow:to_server,established;
content:"/exchange/LogonFrm.asp?"; fast_pattern; nocase; http_uri;
content:"mailbox="; nocase; content:"%%%"; metadata:ruleset community,
service http; reference:bugtraq,3223; classtype:web-application-attack;
sid:1283; rev:21;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-OTHER
readme.eml download attempt"; flow:to_server,established;
content:"/readme.eml"; nocase; http_uri; metadata:ruleset community,
service http; reference:url,www.cert.org/advisories/CA-2001-26.html;
classtype:attempted-user; sid:1284; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS msdac access"; flow:to_server,established; content:"/msdac/"; nocase;
http_uri; metadata:ruleset community, service http;
reference:nessus,11032; classtype:web-application-activity; sid:1285;
rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS _mem_bin access"; flow:to_server,established; content:"/_mem_bin/";
nocase; http_uri; metadata:ruleset community, service http;
reference:nessus,11032; classtype:web-application-activity; sid:1286;
rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage /_vti_bin/ access"; flow:to_server,established;
content:"/_vti_bin/"; fast_pattern:only; metadata:ruleset community,
service http; reference:nessus,11032; classtype:web-application-activity;
sid:1288; rev:16;)
# alert udp any any -> any 69 (msg:"PROTOCOL-TFTP GET Admin.dll";
flow:to_server; content:"|00 01|"; depth:2; content:"admin.dll";
offset:2; nocase; metadata:ruleset community;
reference:url,www.cert.org/advisories/CA-2001-26.html;
classtype:successful-admin; sid:1289; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER
readme.eml autoload attempt"; flow:to_client,established; file_data;
content:"window.open|28 22|readme.eml|22|"; nocase; metadata:ruleset
community, service http; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:attempted-user; sid:1290; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sml3com access"; flow:to_server,established;
content:"/graphics/sml3com"; http_uri; metadata:ruleset community,
service http; reference:bugtraq,2721; reference:cve,2001-0740;
classtype:web-application-activity; sid:1291; rev:15;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE
directory listing"; flow:established; content:"Volume Serial Number";
metadata:ruleset community; classtype:bad-unknown; sid:1292; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"INDICATOR-COMPROMISE
nimda RICHED20.DLL"; flow:to_server,established; content:"R|00|I|00|C|00|H|00|E|00|D|00|2|00|0|00|.|00|D|00|L|00|L"; nocase; metadata:ruleset
community; reference:url,www.f-secure.com/v-descs/nimda.shtml;
classtype:bad-unknown; sid:1295; rev:13;)

# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP admin.php file upload attempt"; flow:to_server,established;
content:"/admin.php"; fast_pattern; nocase; http_uri;
content:"file_name="; http_uri; metadata:ruleset community, service http;
reference:bugtraq,3361; reference:cve,2001-1032; classtype:attempted-admin; sid:1300; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP admin.php access"; flow:to_server,established;
content:"/admin.php"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,3361; reference:bugtraq,7532;
reference:bugtraq,9270; reference:cve,2001-1032; classtype:attempted-recon; sid:1301; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP console.exe access"; flow:to_server,established; content:"/cgi-bin/console.exe"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,3375; reference:cve,2001-1252;
classtype:attempted-recon; sid:1302; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cs.exe access"; flow:to_server,established; content:"/cgi-bin/cs.exe"; fast_pattern:only; http_uri; metadata:ruleset community,
service http; reference:bugtraq,3375; reference:cve,2001-1252;
classtype:attempted-recon; sid:1303; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP txt2html.cgi access"; flow:to_server,established;
content:"/txt2html.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; classtype:web-application-activity; sid:1304;
rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP txt2html.cgi directory traversal attempt";
flow:to_server,established; content:"/txt2html.cgi"; fast_pattern:only;
http_uri; content:"/../../../../"; http_raw_uri; metadata:ruleset
community, service http; classtype:web-application-attack; sid:1305;
rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP store.cgi access"; flow:to_server,established;
content:"/store.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,2385; reference:cve,2001-0305;
reference:nessus,10639; classtype:web-application-activity; sid:1307;
rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sendmessage.cgi access"; flow:to_server,established;
content:"/sendmessage.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,3673; reference:cve,2001-1100;
classtype:attempted-recon; sid:1308; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP zsh access"; flow:to_server,established; content:"/zsh";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:1309; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4321 (msg:"SERVER-OTHER
rwhoisd format string attempt"; flow:to_server,established; content:"-soa
%p"; metadata:ruleset community; reference:bugtraq,3474;
reference:cve,2001-0838; reference:nessus,10790; classtype:misc-attack;
sid:1323; rev:10;)

# alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"INDICATOR-SHELLCODE ssh CRC32 overflow /bin/sh"; flow:to_server,established;
content:"/bin/sh"; metadata:ruleset community; reference:bugtraq,2347;
reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1324; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"INDICATOR-SHELLCODE ssh CRC32 overflow filler"; flow:to_server,established;
content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|";
fast_pattern:only; metadata:ruleset community; reference:bugtraq,2347;
reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1325; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"INDICATOR-SHELLCODE ssh CRC32 overflow NOOP"; flow:to_server,established;
content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|";
fast_pattern:only; metadata:ruleset community; reference:bugtraq,2347;
reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1326; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"INDICATOR-SHELLCODE ssh CRC32 overflow"; flow:to_server,established; content:"|00
01|W|00 00 00 18|"; depth:7; content:"|FF FF FF FF 00 00|"; depth:14;
offset:8; metadata:ruleset community; reference:bugtraq,2347;
reference:cve,2001-0144; reference:cve,2001-0572; reference:nessus,10607;
classtype:shellcode-detect; sid:1327; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .htgroup access"; flow:to_server,established; content:".htgroup";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
classtype:web-application-activity; sid:1374; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sadmind worm access"; flow:to_server,established; content:"GET x
HTTP/1.0"; depth:15; metadata:ruleset community, service http;
reference:url,www.cert.org/advisories/CA-2001-11.html;
classtype:attempted-recon; sid:1375; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP jrun directory browse attempt"; flow:to_server,established;
content:"/?.jsp"; http_uri; metadata:ruleset community, service http;
reference:bugtraq,3592; reference:cve,2001-1510; classtype:web-application-attack; sid:1376; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP wu-ftp
bad file completion attempt"; flow:to_server,established; content:"~";
content:"["; distance:0; metadata:ruleset community, service ftp;
reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550;
reference:cve,2001-0886; reference:nessus,10821; classtype:misc-attack;
sid:1377; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP wu-ftp
bad file completion attempt"; flow:to_server,established; content:"~";
content:"{"; distance:0; metadata:ruleset community, service ftp;
reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550;
reference:cve,2001-0886; reference:nessus,10821; classtype:misc-attack;
sid:1378; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP STAT
overflow attempt"; flow:to_server,established; content:"STAT"; nocase;
isdataat:190,relative; pcre:"/^STAT(?!\n)\s[^\n]{190}/mi";
metadata:ruleset community, service ftp; reference:bugtraq,3507;
reference:bugtraq,8542; reference:cve,2001-0325; reference:cve,2001-1021;

reference:cve,2003-0772; reference:cve,2011-0762;
reference:url,labs.defcom.com/adv/2001/def-2001-31.txt;
classtype:attempted-admin; sid:1379; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Form_VBScript.asp access"; flow:to_server,established;
content:"/Form_VBScript.asp"; nocase; http_uri; metadata:ruleset
community, service http; reference:bugtraq,1594; reference:bugtraq,1595;
reference:cve,2000-0746; reference:cve,2000-1104; reference:nessus,10572;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-060;
classtype:web-application-attack; sid:1380; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro OfficeScan attempt"; flow:to_server,established;
content:"/officescan/cgi/jdkRqNotify.exe?"; nocase; http_uri;
content:"domain="; nocase; http_uri; content:"event="; fast_pattern:only;
http_uri; metadata:ruleset community, service http;
reference:bugtraq,1057; classtype:attempted-recon; sid:1381; rev:13;)
# alert tcp any any -> any 6666:7000 (msg:"SERVER-OTHER CHAT IRC Ettercap
parse overflow attempt"; flow:to_server,established; content:"PRIVMSG";
fast_pattern:only; content:"nickserv"; nocase; content:"IDENTIFY";
nocase; isdataat:100,relative;
pcre:"/^PRIVMSG\s+nickserv\s+IDENTIFY\s[^\n]{100}/smi"; metadata:ruleset
community; reference:url,www.bugtraq.org/dev/GOBBLES-12.txt;
classtype:misc-attack; sid:1382; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"OS-WINDOWS
Microsoft Windows UPnP malformed advertisement"; flow:to_server;
content:"NOTIFY * "; fast_pattern:only; content:"LOCATION|3A|"; nocase;
detection_filter:track by_dst, count 10, seconds 1; metadata:ruleset
community; reference:bugtraq,3723; reference:cve,2001-0876;
reference:cve,2001-0877; reference:nessus,10829;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-059;
classtype:misc-attack; sid:1384; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mod-plsql administration access"; flow:to_server,established;
content:"/admin_/"; http_uri; metadata:ruleset community, service http;
reference:bugtraq,3726; reference:bugtraq,3727; reference:cve,2001-1216;
reference:cve,2001-1217; reference:nessus,10849; classtype:web-application-activity; sid:1385; rev:18;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SERVER-MSSQL
raiserror possible buffer overflow"; flow:to_server,established;
content:"r|00|a|00|i|00|s|00|e|00|r|00|r|00|o|00|r|00|"; offset:32;
nocase; metadata:ruleset community; reference:bugtraq,3733;
reference:cve,2001-0542; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-060; classtype:attempted-user; sid:1386;
rev:15;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL raiserror
possible buffer overflow"; flow:to_server,established; content:"r|00|a|
00|i|00|s|00|e|00|r|00|r|00|o|00|r|00|"; fast_pattern:only;
metadata:ruleset community; reference:bugtraq,3733; reference:cve,2001-0542; reference:nessus,11217; classtype:attempted-user; sid:1387;
rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-WINDOWS Microsoft
Windows UPnP Location overflow attempt"; content:"Location";
fast_pattern:only; pcre:"/^Location\s*\x3a\s*\w+\x3a\/\/([^\n]*\x3a)?[^\n]{128}/smi"; metadata:ruleset community; reference:bugtraq,3723;

reference:cve,2001-0876; reference:cve,2007-2386; reference:nessus,10829;


reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-059;
classtype:misc-attack; sid:1388; rev:22;)
# NOTE: sids 1390 and 1394 are bare "alert ip ... any -> ... any" rules keyed only on a run of
# 0x43 ('C') / 0x41 ('A') bytes with no port, flow or offset constraint. Any payload carrying such
# a run (for example base64-encoded zero bytes, which encode as "AAAA...") will trigger them, so
# treat hits as weak indicators that need payload review rather than confirmed shellcode.
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE
x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; metadata:ruleset
community; classtype:shellcode-detect; sid:1390; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP lastlines.cgi access"; flow:to_server,established;
content:"/lastlines.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,3754; reference:bugtraq,3755;
reference:cve,2001-1205; reference:cve,2001-1206; classtype:attempted-recon; sid:1392; rev:22;)
# alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"POLICY-SOCIAL AIM
AddGame attempt"; flow:to_client,established; content:"aim|3A|AddGame?";
fast_pattern:only; metadata:ruleset community; reference:bugtraq,3769;
reference:cve,2002-0005; reference:url,www.w00w00.org/files/w00aimexp/;
classtype:misc-attack; sid:1393; rev:16;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE
x86 inc ecx NOOP"; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
metadata:ruleset community; classtype:shellcode-detect; sid:1394;
rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP zml.cgi attempt"; flow:to_server,established; content:"/zml.cgi";
http_uri; content:"file=../"; metadata:ruleset community, service http;
reference:bugtraq,3759; reference:cve,2001-1209; reference:nessus,10830;
classtype:web-application-activity; sid:1395; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP zml.cgi access"; flow:to_server,established; content:"/zml.cgi";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,3759; reference:cve,2001-1209; reference:nessus,10830;
classtype:web-application-activity; sid:1396; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP wayboard attempt"; flow:to_server,established; content:"/way-board/way-board.cgi"; http_uri; content:"db="; http_uri; content:"../..";
http_raw_uri; metadata:ruleset community, service http;
reference:bugtraq,2370; reference:cve,2001-0214; reference:nessus,10610;
classtype:web-application-attack; sid:1397; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6112 (msg:"SERVER-OTHER CDE
dtspcd exploit attempt"; flow:to_server,established; content:"1";
depth:1; offset:10; content:!"000"; depth:3; offset:11; metadata:ruleset
community; reference:bugtraq,3517; reference:cve,2001-0803;
reference:nessus,10833; reference:url,www.cert.org/advisories/CA-2002-01.html; classtype:misc-attack; sid:1398; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PHP-Nuke remote file include attempt"; flow:to_server,established;
content:"/index.php"; fast_pattern; nocase; http_uri; content:"file=";
http_uri; pcre:"/file=(https?|ftps?|php)/Ui"; metadata:ruleset community,
service http; reference:bugtraq,3889; reference:cve,2002-0206;
classtype:web-application-attack; sid:1399; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS /scripts/samples/ access"; flow:to_server,established;
content:"/scripts/samples/"; nocase; http_uri; metadata:ruleset
community, service http; reference:nessus,10370; classtype:web-application-attack; sid:1400; rev:18;)

# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS /msadc/samples/ access"; flow:to_server,established;
content:"/msadc/samples/"; nocase; http_uri; metadata:ruleset community,
service http; reference:bugtraq,167; reference:cve,1999-0736;
reference:nessus,1007; classtype:web-application-attack; sid:1401;
rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS iissamples access"; flow:to_server,established;
content:"/iissamples/"; nocase; http_uri; metadata:ruleset community,
service http; reference:nessus,11032; classtype:web-application-attack;
sid:1402; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AHG search.cgi access"; flow:to_server,established;
content:"/publisher/search.cgi"; fast_pattern; nocase; http_uri;
content:"template="; nocase; http_uri; metadata:ruleset community,
service http; reference:bugtraq,3985; reference:cve,2002-2113;
classtype:web-application-activity; sid:1405; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP agora.cgi access"; flow:to_server,established;
content:"/store/agora.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,3702; reference:bugtraq,3976;
reference:cve,2001-1199; reference:cve,2002-0215; reference:nessus,10836;
classtype:web-application-activity; sid:1406; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP smssend.php access"; flow:to_server,established;
content:"/smssend.php"; http_uri; metadata:ruleset community, service
http; reference:bugtraq,3982; reference:cve,2002-0220; classtype:web-application-activity; sid:1407; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"SERVER-OTHER MSDTC
attempt"; flow:to_server,established; dsize:>1023; metadata:ruleset
community; reference:bugtraq,4006; reference:cve,2002-0224;
reference:nessus,10939; classtype:attempted-dos; sid:1408; rev:16;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"PROTOCOL-SNMP
community string buffer overflow attempt"; flow:to_server; content:"|02
01 00 04 82 01 00|"; offset:4; metadata:ruleset community, service snmp;
reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,2002-0012;
reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:1409; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP dcboard.cgi access"; flow:to_server,established;
content:"/dcboard.cgi"; http_uri; metadata:ruleset community, service
http; reference:bugtraq,2728; reference:cve,2001-0527;
reference:nessus,10583; classtype:attempted-recon; sid:1410; rev:16;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP public
access udp"; flow:to_server; content:"|06|public"; metadata:ruleset
community, service snmp; reference:bugtraq,2112; reference:bugtraq,4088;
reference:bugtraq,4089; reference:cve,1999-0517; reference:cve,2002-0012;
reference:cve,2002-0013; classtype:attempted-recon; sid:1411; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP public
access tcp"; flow:to_server,established; content:"public";
metadata:ruleset community, service snmp; reference:bugtraq,2112;
reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,7212;
reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1412; rev:20;)

# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP


private access udp"; flow:to_server; content:"private"; metadata:ruleset
community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089;
reference:bugtraq,4132; reference:bugtraq,7212; reference:cve,2002-0012;
reference:cve,2002-0013; classtype:attempted-recon; sid:1413; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP
private access tcp"; flow:to_server,established; content:"private";
metadata:ruleset community, service snmp; reference:bugtraq,4088;
reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012;
reference:cve,2002-0013; classtype:attempted-recon; sid:1414; rev:18;)
# NOTE: sids 1415-1421 below carry no content match at all; they fire on every UDP/TCP packet to the
# SNMP (161/162) or AgentX (705) port. They are visibility/inventory rules, not exploit detection, and
# will be very noisy wherever SNMP polling or trap forwarding is legitimately in use.
# alert udp any any -> 255.255.255.255 161 (msg:"PROTOCOL-SNMP Broadcast
request"; flow:to_server; metadata:ruleset community, service snmp;
reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132;
reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1415; rev:17;)
# alert udp any any -> 255.255.255.255 162 (msg:"PROTOCOL-SNMP broadcast
trap"; flow:to_server; metadata:ruleset community, service snmp;
reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132;
reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1416; rev:17;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP
request udp"; flow:to_server; metadata:ruleset community, service snmp;
reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132;
reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1417; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP
request tcp"; flow:stateless; metadata:ruleset community, service snmp;
reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132;
reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1418; rev:18;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"PROTOCOL-SNMP trap
udp"; flow:to_server; metadata:ruleset community, service snmp;
reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132;
reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1419; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"PROTOCOL-SNMP trap
tcp"; flow:stateless; metadata:ruleset community, service snmp;
reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132;
reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1420; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 705 (msg:"PROTOCOL-SNMP
AgentX/tcp request"; flow:stateless; metadata:ruleset community, service
snmp; reference:bugtraq,4088; reference:bugtraq,4089;
reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013;
classtype:attempted-recon; sid:1421; rev:18;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"PROTOCOL-SNMP
community string buffer overflow attempt with evasion"; flow:to_server;
content:" |04 82 01 00|"; depth:5; offset:7; metadata:ruleset community,
service snmp; reference:bugtraq,4088; reference:bugtraq,4089;
reference:cve,2002-0012; reference:cve,2002-0013;
reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:1422; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP content-disposition memchr overflow"; flow:to_server,established;
content:"Content-Disposition|3A|"; nocase; http_header; content:"name=|22 CC CC CC CC CC|"; fast_pattern:only; metadata:ruleset community, service
http; reference:bugtraq,4183; reference:cve,2002-0081;
reference:nessus,10867; classtype:web-application-attack; sid:1423;
rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP content-disposition file upload attempt";
flow:to_server,established; content:"Content-Disposition|3A|"; nocase;
http_header; content:"form-data|3B|"; fast_pattern:only; metadata:ruleset
community, service http; reference:bugtraq,4183; reference:cve,2002-0081;
reference:nessus,10867; classtype:web-application-attack; sid:1425;
rev:22;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP PROTOS
test-suite-req-app attempt"; content:"0&|02 01 00 04 06|public|A0 19 02
01 00 02 01 00 02 01 00|0|0E|0|0C 06 08|+|06 01 02 01 01 05 00 05 00|";
fast_pattern:only; metadata:ruleset community, service snmp;
reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:1426; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"PROTOCOL-SNMP PROTOS
test-suite-trap-app attempt"; content:"08|02 01 00 04 06|public|A4|+|
06|"; fast_pattern:only; metadata:ruleset community, service snmp;
reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:1427; rev:12;)
# alert tcp $HOME_NET any -> 64.245.58.0/23 any (msg:"POLICY-MULTIMEDIA
audio galaxy keepalive"; flow:established; content:"E_|00 03 05|";
depth:5; metadata:ruleset community; classtype:misc-activity; sid:1428;
rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P GNUTella
client request"; flow:to_server,established; content:"GNUTELLA"; depth:8;
metadata:ruleset community; classtype:policy-violation; sid:1432;
rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .history access"; flow:to_server,established; content:"/.history";
http_uri; metadata:ruleset community, service http; classtype:web-application-attack; sid:1433; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .bash_history access"; flow:to_server,established;
content:"/.bash_history"; http_uri; metadata:ruleset community, service
http; reference:bugtraq,337; reference:cve,1999-0408; classtype:web-application-attack; sid:1434; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS named
authors attempt"; flow:to_server,established; content:"|07|authors";
offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase;
metadata:ruleset community, service dns; reference:nessus,10728;
classtype:attempted-recon; sid:1435; rev:15;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-MULTIMEDIA Apple Quicktime User Agent access";
flow:to_server,established; content:"User-Agent|3A| Quicktime";
fast_pattern:only; metadata:ruleset community, service http;
classtype:policy-violation; sid:1436; rev:12;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Windows Media download detected";
flow:to_client,established; content:"Content-Type|3A|"; nocase;
http_header; pcre:"/^Content-Type\x3a\s*(?=[av])(video\/x\-ms\-(w[vm]x|asf)|a(udio\/x\-ms\-w(m[av]|ax)|pplication\/x\-ms\-wm[zd]))/smiH";
metadata:ruleset community, service ftp-data, service http, service imap,
service pop3; classtype:misc-activity; sid:1437; rev:27;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-MULTIMEDIA Shoutcast playlist redirection"; flow:to_client,established;
content:"Content-type|3A|"; nocase; http_header; content:"audio/x-scpls";
within:50; fast_pattern; nocase; http_header; metadata:ruleset community,
service http; classtype:policy-violation; sid:1439; rev:17;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-MULTIMEDIA Icecast playlist redirection"; flow:to_client,established;
content:"Content-type|3A|"; nocase; http_header; content:"audio/x-mpegurl"; within:50; fast_pattern; nocase; http_header; metadata:ruleset
community, service http; classtype:policy-violation; sid:1440; rev:17;)
# alert udp any any -> any 69 (msg:"PROTOCOL-TFTP GET nc.exe";
flow:to_server; content:"|00 01|"; depth:2; content:"nc.exe"; offset:2;
nocase; metadata:ruleset community; classtype:successful-admin; sid:1441;
rev:10;)
# alert udp any any -> any 69 (msg:"PROTOCOL-TFTP GET shadow";
flow:to_server; content:"|00 01|"; depth:2; content:"shadow"; offset:2;
nocase; metadata:ruleset community; classtype:successful-admin; sid:1442;
rev:10;)
# alert udp any any -> any 69 (msg:"PROTOCOL-TFTP GET passwd";
flow:to_server; content:"|00 01|"; depth:2; content:"passwd"; offset:2;
nocase; metadata:ruleset community; classtype:successful-admin; sid:1443;
rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP Get";
flow:to_server; content:"|00 01|"; depth:2; metadata:ruleset community;
classtype:bad-unknown; sid:1444; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE
FTP file_id.diz access possible warez site"; flow:to_server,established;
content:"RETR"; nocase; content:"file_id.diz"; distance:1; nocase;
metadata:ruleset community, service ftp; classtype:suspicious-filename-detect; sid:1445; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL vrfy
root"; flow:to_server,established; content:"vrfy"; nocase;
content:"root"; distance:1; nocase; pcre:"/^vrfy\s+root/smi";
metadata:ruleset community, service smtp; classtype:attempted-recon;
sid:1446; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"POLICY-OTHER
Microsoft Windows Terminal server RDP attempt";
flow:to_server,established; content:"|03 00 00 0B 06 E0 00 00 00 00 00|";
depth:11; metadata:ruleset community; reference:bugtraq,3099;
reference:cve,2001-0540; reference:cve,2001-0663; reference:nessus,10940;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-040;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-052;
classtype:protocol-command-decode; sid:1447; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"POLICY-OTHER
Microsoft Windows Terminal server request attempt";
flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|E0
00 00 00 00 00|"; depth:6; offset:5; metadata:ruleset community;
reference:bugtraq,3099; reference:cve,2001-0540; reference:cve,2001-0663;
reference:nessus,10940; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-040; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-052; classtype:protocol-command-decode;
sid:1448; rev:19;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL
Vintra Mailserver expn *@"; flow:to_server,established; content:"expn";
fast_pattern:only; content:"*@"; pcre:"/^expn\s+\*@/smi";
metadata:ruleset community, service smtp; reference:cve,1999-1200;
classtype:misc-attack; sid:1450; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP NPH-maillist access"; flow:to_server,established; content:"/nph-maillist.pl"; fast_pattern:only; http_uri; metadata:ruleset community,
service http; reference:bugtraq,2563; reference:cve,2001-0400;
reference:nessus,10164; classtype:attempted-recon; sid:1451; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP args.cmd access"; flow:to_server,established; content:"/args.cmd";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:cve,1999-1180; reference:nessus,11465; classtype:attempted-recon; sid:1452; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AT-generated.cgi access"; flow:to_server,established;
content:"/AT-generated.cgi"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:cve,1999-1072;
classtype:attempted-recon; sid:1453; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP wwwwais access"; flow:to_server,established; content:"/wwwwais";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:cve,2001-0223; reference:nessus,10597; classtype:attempted-recon; sid:1454; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP calendar.pl access"; flow:to_server,established;
content:"calendar"; nocase; http_uri; pcre:"/calendar(|[_]admin)\.pl/Ui"; metadata:ruleset community, service http;
reference:bugtraq,1215; reference:cve,2000-0432; classtype:attempted-recon; sid:1455; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP calender_admin.pl access"; flow:to_server,established;
content:"/calender_admin.pl"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:cve,2000-0432;
reference:nessus,10506; classtype:attempted-recon; sid:1456; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP user_update_admin.pl access"; flow:to_server,established;
content:"/user_update_admin.pl"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:bugtraq,1486;
reference:cve,2000-0627; classtype:attempted-recon; sid:1457; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP user_update_passwd.pl access"; flow:to_server,established;
content:"/user_update_passwd.pl"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:bugtraq,1486;
reference:cve,2000-0627; classtype:attempted-recon; sid:1458; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-histlog.sh access"; flow:to_server,established; content:"/bb-histlog.sh"; fast_pattern:only; http_uri; metadata:ruleset community,
service http; reference:bugtraq,142; reference:cve,1999-1462;
reference:nessus,10025; classtype:attempted-recon; sid:1459; rev:19;)

# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-histsvc.sh access"; flow:to_server,established; content:"/bb-histsvc.sh"; fast_pattern:only; http_uri; metadata:ruleset community,
service http; reference:bugtraq,142; reference:cve,1999-1462;
classtype:attempted-recon; sid:1460; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-rep.sh access"; flow:to_server,established; content:"/bb-rep.sh"; fast_pattern:only; http_uri; metadata:ruleset community, service
http; reference:bugtraq,142; reference:cve,1999-1462;
classtype:attempted-recon; sid:1461; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-replog.sh access"; flow:to_server,established; content:"/bb-replog.sh"; fast_pattern:only; http_uri; metadata:ruleset community,
service http; reference:bugtraq,142; reference:cve,1999-1462;
classtype:attempted-recon; sid:1462; rev:17;)
# alert tcp $HOME_NET any <> $EXTERNAL_NET 6666:7000 (msg:"POLICY-SOCIAL
IRC message"; flow:established; dsize:<140; content:"PRIVMSG ";
metadata:ruleset community; classtype:policy-violation; sid:1463;
rev:15;)
# alert tcp $HOME_NET 8002 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE oracle one hour install"; flow:to_client,established;
content:"Oracle Applications One-Hour Install"; metadata:ruleset
community; reference:nessus,10737; classtype:bad-unknown; sid:1464;
rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP auktion.cgi access"; flow:to_server,established;
content:"/auktion.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,2367; reference:cve,2001-0212;
reference:nessus,10638; classtype:web-application-activity; sid:1465;
rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cgiforum.pl access"; flow:to_server,established;
content:"/cgiforum.pl"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,1963; reference:cve,2000-1171;
reference:nessus,10552; classtype:web-application-activity; sid:1466;
rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP directorypro.cgi access"; flow:to_server,established;
content:"/directorypro.cgi"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:bugtraq,2793;
reference:cve,2001-0780; reference:nessus,10679; classtype:web-application-activity; sid:1467; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Web Shopper shopper.cgi attempt"; flow:to_server,established;
content:"/shopper.cgi"; fast_pattern; nocase; http_uri;
content:"newpage=../"; nocase; metadata:ruleset community, service http;
reference:bugtraq,1776; reference:cve,2000-0922; reference:nessus,10533;
classtype:web-application-attack; sid:1468; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Web Shopper shopper.cgi access"; flow:to_server,established;
content:"/shopper.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,1776; reference:cve,2000-0922;
classtype:attempted-recon; sid:1469; rev:17;)

# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP listrec.pl access"; flow:to_server,established;
content:"/listrec.pl"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,3328; reference:cve,2001-0997;
reference:nessus,10769; classtype:attempted-recon; sid:1470; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mailnews.cgi access"; flow:to_server,established;
content:"/mailnews.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,2391; reference:cve,2001-0271;
reference:nessus,10641; classtype:attempted-recon; sid:1471; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP book.cgi access"; flow:to_server,established; content:"/book.cgi";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,3178; reference:cve,2001-1114; reference:nessus,10721;
classtype:web-application-activity; sid:1472; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP newsdesk.cgi access"; flow:to_server,established;
content:"/newsdesk.cgi"; fast_pattern:only; http_uri; content:"../";
http_raw_uri; metadata:ruleset community, service http;
reference:bugtraq,2172; reference:cve,2001-0232; reference:nessus,10586;
classtype:attempted-recon; sid:1473; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cal_make.pl access"; flow:to_server,established;
content:"/cal_make.pl"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,2663; reference:cve,2001-0463;
reference:nessus,10664; classtype:web-application-activity; sid:1474;
rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mailit.pl access"; flow:to_server,established;
content:"/mailit.pl"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:nessus,10417; classtype:attempted-recon; sid:1475; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sdbsearch.cgi access"; flow:to_server,established;
content:"/sdbsearch.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,1658; reference:cve,2001-1130;
reference:nessus,10503; reference:nessus,10720; classtype:attempted-recon; sid:1476; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Simple Web Counter URI Parameter Buffer Overflow attempt";
flow:to_server,established; content:"/swc"; nocase; http_uri;
content:"ctr="; distance:0; nocase; http_uri; urilen:>500;
metadata:ruleset community, service http; reference:bugtraq,6581;
reference:nessus,10493; reference:url,osvdb.org/show/osvdb/392;
classtype:attempted-user; sid:1478; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ttawebtop.cgi arbitrary file attempt"; flow:to_server,established;
content:"/ttawebtop.cgi"; nocase; content:"pg=../"; fast_pattern:only;
metadata:ruleset community, service http; reference:bugtraq,2890;
reference:cve,2001-0805; reference:nessus,10696; classtype:web-application-attack; sid:1479; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ttawebtop.cgi access"; flow:to_server,established;
content:"/ttawebtop.cgi"; fast_pattern:only; http_uri; metadata:ruleset

community, service http; reference:bugtraq,2890; reference:cve,2001-0805;


reference:nessus,10696; classtype:attempted-recon; sid:1480; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP upload.cgi access"; flow:to_server,established;
content:"/upload.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:nessus,10290; classtype:attempted-recon; sid:1481; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP view_source access"; flow:to_server,established;
content:"/view_source"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,2251; reference:cve,1999-0174;
reference:nessus,10294; classtype:attempted-recon; sid:1482; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ustorekeeper.pl access"; flow:to_server,established;
content:"/ustorekeeper.pl"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:cve,2001-0466; reference:nessus,10645;
classtype:web-application-activity; sid:1483; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS mkilog.exe access"; flow:to_server,established;
content:"/mkilog.exe"; nocase; http_uri; metadata:ruleset community,
service http; reference:nessus,10359;
reference:url,osvdb.org/show/osvdb/274; classtype:web-application-activity; sid:1485; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ctss.idc access"; flow:to_server,established; content:"/ctss.idc";
nocase; http_uri; metadata:ruleset community, service http;
reference:nessus,10359; classtype:web-application-activity; sid:1486;
rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS /iisadmpwd/aexp2.htr access"; flow:to_server,established;
content:"/iisadmpwd/aexp2.htr"; nocase; http_uri; metadata:ruleset
community, service http; reference:bugtraq,2110; reference:bugtraq,4236;
reference:cve,1999-0407; reference:cve,2002-0421; reference:nessus,10371;
classtype:web-application-activity; sid:1487; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP store.cgi directory traversal attempt";
flow:to_server,established; content:"/store.cgi"; fast_pattern; nocase;
http_uri; content:"../"; http_raw_uri; metadata:ruleset community,
service http; reference:bugtraq,2385; reference:cve,2001-0305;
reference:nessus,10639; classtype:web-application-attack; sid:1488;
rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP nobody access"; flow:to_server,established; content:"/~nobody";
http_uri; metadata:ruleset community, service http;
reference:nessus,10484; classtype:web-application-attack; sid:1489;
rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Phorum /support/common.php attempt"; flow:to_server,established;
content:"/support/common.php"; http_uri; content:"ForumLang=../";
metadata:ruleset community, service http; reference:bugtraq,1997;
classtype:web-application-attack; sid:1490; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Phorum /support/common.php access"; flow:to_server,established;
content:"/support/common.php"; fast_pattern:only; http_uri;

metadata:ruleset community, service http; reference:bugtraq,1997;


reference:bugtraq,9361; reference:cve,2004-0034; classtype:web-application-attack; sid:1491; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP RBS ISP /newuser directory traversal attempt";
flow:to_server,established; content:"/newuser?Image=../.."; http_uri;
metadata:ruleset community, service http; reference:bugtraq,1704;
reference:cve,2000-1036; reference:nessus,10521; classtype:web-application-attack; sid:1492; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP RBS ISP /newuser access"; flow:to_server,established;
content:"/newuser"; http_uri; metadata:ruleset community, service http;
reference:bugtraq,1704; reference:cve,2000-1036; reference:nessus,10521;
classtype:web-application-activity; sid:1493; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SIX webboard generate.cgi attempt"; flow:to_server,established;
content:"/generate.cgi"; http_uri; content:"content=../";
metadata:ruleset community, service http; reference:bugtraq,3175;
reference:cve,2001-1115; reference:nessus,10725; classtype:web-application-attack; sid:1494; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SIX webboard generate.cgi access"; flow:to_server,established;
content:"/generate.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,3175; reference:cve,2001-1115;
reference:nessus,10725; classtype:web-application-activity; sid:1495;
rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP spin_client.cgi access"; flow:to_server,established;
content:"/spin_client.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:nessus,10393; classtype:web-application-activity; sid:1496; rev:15;)
# NOTE(review): sid:1499 below (and likewise sid:1518 on 8000 and sid:1558 on 8080) is pinned to a fixed port, carries no
# "service http" metadata and no http_uri modifier, so its content is matched against the raw payload. If that port is
# not in the HTTP preprocessor's port list the request is not decoded, and encoding-based evasions are not normalized away.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"SERVER-WEBAPP
SiteScope Service access"; flow:to_server,established;
content:"/SiteScope/cgi/go.exe/SiteScope"; metadata:ruleset community;
reference:nessus,10778; classtype:web-application-activity; sid:1499;
rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ExAir access"; flow:to_server,established;
content:"/exair/search/"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,193; reference:cve,1999-0449;
reference:nessus,10002; reference:nessus,10003; reference:nessus,10004;
classtype:web-application-activity; sid:1500; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP a1stats a1disp3.cgi directory traversal attempt";
flow:to_server,established; content:"/a1disp3.cgi?"; fast_pattern:only;
http_uri; content:"/../../"; http_raw_uri; metadata:ruleset community,
service http; reference:bugtraq,2705; reference:cve,2001-0561;
reference:nessus,10669; classtype:web-application-attack; sid:1501;
rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP a1stats a1disp3.cgi access"; flow:to_server,established;
content:"/a1disp3.cgi"; http_uri; metadata:ruleset community, service
http; reference:bugtraq,2705; reference:cve,2001-0561;

reference:nessus,10669; classtype:web-application-activity; sid:1502;


rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP admentor admin.asp access"; flow:to_server,established;
content:"/admentor/admin/admin.asp"; http_uri; metadata:ruleset
community, service http; reference:bugtraq,4152; reference:cve,2002-0308;
reference:nessus,10880;
reference:url,www.securiteam.com/windowsntfocus/5DP0N1F6AW.html;
classtype:web-application-activity; sid:1503; rev:15;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"POLICY-OTHER AFS
access"; flow:to_server; content:"|00 00 03 E7 00 00 00 00 00 00 00|e|00
00 00 00 00 00 00 00 0D 05 00 00 00 00 00 00 00|"; fast_pattern:only;
metadata:ruleset community; reference:nessus,10441; classtype:misc-activity; sid:1504; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP alchemy http server PRN arbitrary command execution attempt";
flow:to_server,established; content:"/PRN/"; fast_pattern; http_uri;
content:"../../"; http_raw_uri; metadata:ruleset community, service http;
reference:bugtraq,3599; reference:cve,2001-0871; reference:nessus,10818;
classtype:web-application-activity; sid:1505; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP alchemy http server NUL arbitrary command execution attempt";
flow:to_server,established; content:"/NUL/"; fast_pattern; http_uri;
content:"../../"; http_raw_uri; metadata:ruleset community, service http;
reference:bugtraq,3599; reference:cve,2001-0871; reference:nessus,10818;
classtype:web-application-activity; sid:1506; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP alibaba.pl arbitrary command execution attempt";
flow:to_server,established; content:"/alibaba.pl|7C|"; fast_pattern:only;
http_uri; metadata:ruleset community, service http;
reference:bugtraq,770; reference:cve,1999-0885; reference:nessus,10013;
classtype:web-application-attack; sid:1507; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP alibaba.pl access"; flow:to_server,established;
content:"/alibaba.pl"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,770; reference:cve,1999-0885;
reference:nessus,10013; classtype:web-application-activity; sid:1508;
rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AltaVista Intranet Search directory traversal attempt";
flow:to_server,established; content:"/query?mss=.."; fast_pattern:only;
http_uri; metadata:ruleset community, service http;
reference:bugtraq,896; reference:cve,2000-0039; reference:nessus,10015;
classtype:web-application-attack; sid:1509; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP test.bat arbitrary command execution attempt";
flow:to_server,established; content:"/test.bat|7C|"; http_uri;
metadata:ruleset community, service http; reference:bugtraq,762;
reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-attack; sid:1510; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP test.bat access"; flow:to_server,established; content:"/test.bat";
fast_pattern:only; http_uri; metadata:ruleset community, service http;

reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016;


classtype:web-application-activity; sid:1511; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP input.bat arbitrary command execution attempt";
flow:to_server,established; content:"/input.bat|7C|"; fast_pattern:only;
http_uri; metadata:ruleset community, service http;
reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016;
classtype:web-application-attack; sid:1512; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP input.bat access"; flow:to_server,established;
content:"/input.bat"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,762; reference:cve,1999-0947;
reference:nessus,10016; classtype:web-application-activity; sid:1513;
rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP input2.bat arbitrary command execution attempt";
flow:to_server,established; content:"/input2.bat|7C|"; fast_pattern:only;
http_uri; metadata:ruleset community, service http;
reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016;
classtype:web-application-attack; sid:1514; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP input2.bat access"; flow:to_server,established;
content:"/input2.bat"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,762; reference:cve,1999-0947;
reference:nessus,10016; classtype:web-application-activity; sid:1515;
rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP envout.bat arbitrary command execution attempt";
flow:to_server,established; content:"/envout.bat|7C|"; fast_pattern:only;
http_uri; metadata:ruleset community, service http;
reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016;
classtype:web-application-attack; sid:1516; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP envout.bat access"; flow:to_server,established;
content:"/envout.bat"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,762; reference:cve,1999-0947;
reference:nessus,10016; classtype:web-application-activity; sid:1517;
rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"SERVER-WEBAPP
nstelemetry.adp access"; flow:to_server,established;
content:"/nstelemetry.adp"; metadata:ruleset community;
reference:nessus,10753; classtype:web-application-activity; sid:1518;
rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP apache ?M=D directory list attempt"; flow:to_server,established;
content:"/?M=D"; http_uri; metadata:ruleset community, service http;
reference:bugtraq,3009; reference:cve,2001-0731; reference:nessus,10704;
classtype:web-application-activity; sid:1519; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP server-info access"; flow:to_server,established; content:"/server-info"; http_uri; metadata:ruleset community, service http;
reference:url,httpd.apache.org/docs/mod/mod_info.html; classtype:web-application-activity; sid:1520; rev:13;)

# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP server-status access"; flow:to_server,established;
content:"/server-status"; http_uri; metadata:ruleset community, service
http; reference:url,httpd.apache.org/docs/mod/mod_info.html;
classtype:web-application-activity; sid:1521; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ans.pl attempt"; flow:to_server,established; content:"/ans.pl?";
nocase; http_uri; content:"p=../../"; distance:0; nocase; http_uri;
metadata:ruleset community, service http; reference:bugtraq,4147;
reference:bugtraq,4149; reference:cve,2002-0306; reference:cve,2002-0307;
reference:nessus,10875; classtype:web-application-attack; sid:1522;
rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ans.pl access"; flow:to_server,established; content:"/ans.pl";
http_uri; metadata:ruleset community, service http;
reference:bugtraq,4147; reference:bugtraq,4149; reference:cve,2002-0306;
reference:cve,2002-0307; reference:nessus,10875; classtype:web-application-activity; sid:1523; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Axis Storpoint CD attempt"; flow:to_server,established;
content:"/cd/../config/html/cnf_gi.htm"; metadata:ruleset community,
service http; reference:bugtraq,1025; reference:cve,2000-0191;
reference:nessus,10023; classtype:web-application-attack; sid:1524;
rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Axis Storpoint CD access"; flow:to_server,established;
content:"/config/html/cnf_gi.htm"; http_uri; metadata:ruleset community,
service http; reference:bugtraq,1025; reference:cve,2000-0191;
reference:nessus,10023; classtype:web-application-activity; sid:1525;
rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP basilix sendmail.inc access"; flow:to_server,established;
content:"/inc/sendmail.inc"; http_uri; metadata:ruleset community,
service http; reference:bugtraq,2198; reference:cve,2001-1044;
reference:nessus,10601; classtype:web-application-activity; sid:1526;
rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP basilix mysql.class access"; flow:to_server,established;
content:"/class/mysql.class"; http_uri; metadata:ruleset community,
service http; reference:bugtraq,2198; reference:cve,2001-1044;
reference:nessus,10601; classtype:web-application-activity; sid:1527;
rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP BBoard access"; flow:to_server,established;
content:"/servlet/sunexamples.BBoardServlet"; http_uri; metadata:ruleset
community, service http; reference:bugtraq,1459; reference:cve,2000-0629;
reference:nessus,10507; classtype:web-application-activity; sid:1528;
rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE
overflow attempt"; flow:to_server,established; content:"SITE"; nocase;
isdataat:100,relative; pcre:"/^SITE(?!\n)\s[^\n]{100}/smi";
metadata:ruleset community, service ftp; reference:cve,1999-0838;
reference:cve,2001-0755; reference:cve,2001-0770; classtype:attempted-admin; sid:1529; rev:17;)

# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-hist.sh attempt"; flow:to_server,established; content:"/bb-hist.sh?"; nocase; http_uri; content:"HISTFILE=../.."; distance:0;
nocase; http_uri; metadata:ruleset community, service http;
reference:bugtraq,142; reference:cve,1999-1462; reference:nessus,10025;
classtype:web-application-attack; sid:1531; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-hostscv.sh attempt"; flow:to_server,established; content:"/bb-hostsvc.sh?"; fast_pattern:only; http_uri; content:"HOSTSVC"; nocase;
http_uri; content:"../.."; distance:0; http_raw_uri; metadata:ruleset
community, service http; reference:bugtraq,1455; reference:cve,2000-0638;
reference:nessus,10460; classtype:web-application-attack; sid:1532;
rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-hostscv.sh access"; flow:to_server,established; content:"/bb-hostsvc.sh"; fast_pattern:only; http_uri; metadata:ruleset community,
service http; reference:bugtraq,1455; reference:cve,2000-0638;
reference:nessus,10460; classtype:web-application-activity; sid:1533;
rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP agora.cgi attempt"; flow:to_server,established;
content:"/store/agora.cgi?"; nocase; http_uri;
content:"cart_id=<SCRIPT>"; distance:0; nocase; http_uri;
metadata:ruleset community, service http; reference:bugtraq,3702;
reference:bugtraq,3976; reference:cve,2001-1199; reference:cve,2002-0215;
reference:nessus,10836; classtype:web-application-attack; sid:1534;
rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bizdbsearch access"; flow:to_server,established; content:"/bizdb1-search.cgi"; fast_pattern:only; http_uri; metadata:ruleset community,
service http; reference:bugtraq,1104; reference:cve,2000-0287;
reference:nessus,10383; classtype:web-application-activity; sid:1535;
rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP calendar_admin.pl arbitrary command execution attempt";
flow:to_server,established; content:"/calendar_admin.pl?"; nocase;
http_uri; content:"config=|7C|"; distance:0; nocase; http_uri;
metadata:ruleset community, service http; reference:bugtraq,1215;
reference:cve,2000-0432; reference:nessus,10506; classtype:web-application-attack; sid:1536; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP calendar_admin.pl access"; flow:to_server,established;
content:"/calendar_admin.pl"; http_uri; metadata:ruleset community,
service http; reference:bugtraq,1215; reference:cve,2000-0432;
reference:nessus,10506; classtype:web-application-activity; sid:1537;
rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP
AUTHINFO USER overflow attempt"; flow:to_server,established;
content:"AUTHINFO"; nocase; content:"USER"; distance:0; nocase;
isdataat:200,relative; pcre:"/^AUTHINFO\s+USER\s[^\n]{200}/smi";
metadata:ruleset community; reference:bugtraq,1156; reference:cve,2000-0341; reference:nessus,10388; classtype:attempted-admin; sid:1538;
rev:22;)

# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /cgi-bin/ls access"; flow:to_server,established; content:"/cgi-bin/ls"; fast_pattern:only; http_uri; metadata:ruleset community, service
http; reference:bugtraq,936; reference:cve,2000-0079;
reference:nessus,10037; classtype:web-application-activity; sid:1539;
rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion ?Mode=debug attempt"; flow:to_server,established;
content:"Mode=debug"; nocase; http_uri; metadata:ruleset community,
service http; reference:cve,1999-0760; reference:nessus,10797;
classtype:web-application-activity; sid:1540; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER
version query"; flow:to_server,established; content:"version";
metadata:ruleset community; classtype:attempted-recon; sid:1541; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cgimail access"; flow:to_server,established; content:"/cgimail";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,1623; reference:cve,2000-0726; reference:nessus,11721;
classtype:web-application-activity; sid:1542; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cgiwrap access"; flow:to_server,established; content:"/cgiwrap";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,1238; reference:bugtraq,3084; reference:bugtraq,777;
reference:cve,1999-1530; reference:cve,2000-0431; reference:cve,2001-0987; reference:nessus,10041; classtype:web-application-activity;
sid:1543; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco Catalyst command execution attempt";
flow:to_server,established; content:"/exec/show/config/cr";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,1846; reference:cve,2000-0945; reference:nessus,10545;
classtype:web-application-activity; sid:1544; rev:15;)
# NOTE(review): sid:1545 below carries no reference and fires on any established client segment to an HTTP port whose
# payload is the single byte 0x13 (dsize:1). Expect false positives from non-HTTP traffic sharing those ports; treat
# hits as low-confidence unless corroborated by other events from the same source.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER
Cisco denial of service attempt"; flow:to_server,established; dsize:1;
content:"|13|"; metadata:ruleset community, service http; classtype:web-application-attack; sid:1545; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco HTTP double-percent DOS attempt";
flow:to_server,established; content:"/%%"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:bugtraq,1154;
reference:cve,2000-0380; reference:nessus,10387; classtype:web-application-attack; sid:1546; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP csSearch.cgi arbitrary command execution attempt";
flow:to_server,established; content:"/csSearch.cgi"; http_uri;
content:"setup="; content:"`"; content:"`"; distance:1; metadata:ruleset
community, service http; reference:bugtraq,4368; reference:cve,2002-0495;
reference:nessus,10924; classtype:web-application-attack; sid:1547;
rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP csSearch.cgi access"; flow:to_server,established;
content:"/csSearch.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,4368; reference:cve,2002-0495;

reference:nessus,10924; classtype:web-application-activity; sid:1548;


rev:17;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL HELO
overflow attempt"; flow:to_server,established; content:"HELO"; nocase;
isdataat:500,relative; pcre:"/^HELO\s[^\n]{500}/smi"; metadata:ruleset
community, service smtp; reference:bugtraq,7726; reference:bugtraq,895;
reference:cve,2000-0042; reference:nessus,10324; reference:nessus,11674;
classtype:attempted-admin; sid:1549; rev:27;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL ETRN
overflow attempt"; flow:to_server,established; content:"ETRN"; nocase;
isdataat:500,relative; pcre:"/^ETRN\s[^\n]{500}/smi"; metadata:ruleset
community, service smtp; reference:bugtraq,1297; reference:bugtraq,7515;
reference:cve,2000-0490; reference:nessus,10438; classtype:attempted-admin; sid:1550; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /CVS/Entries access"; flow:to_server,established;
content:"/CVS/Entries"; http_uri; metadata:ruleset community, service
http; reference:nessus,10922; reference:nessus,11032; classtype:web-application-activity; sid:1551; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cvsweb version access"; flow:to_server,established;
content:"/cvsweb/version"; http_uri; metadata:ruleset community, service
http; reference:cve,2000-0670; reference:nessus,10465; classtype:web-application-activity; sid:1552; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP dbman db.cgi access"; flow:to_server,established;
content:"/dbman/db.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,1178; reference:cve,2000-0381;
reference:nessus,10403; classtype:web-application-activity; sid:1554;
rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP DCShop access"; flow:to_server,established; content:"/dcshop";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,2889; reference:cve,2001-0821; classtype:web-application-activity; sid:1555; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP DCShop orders.txt access"; flow:to_server,established;
content:"/orders/orders.txt"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:bugtraq,2889;
reference:cve,2001-0821; classtype:web-application-activity; sid:1556;
rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP DCShop auth_user_file.txt access"; flow:to_server,established;
content:"/auth_data/auth_user_file.txt"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:bugtraq,2889;
reference:cve,2001-0821; classtype:web-application-activity; sid:1557;
rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-WEBAPP
Delegate whois overflow attempt"; flow:to_server,established;
content:"whois|3A|//"; nocase; metadata:ruleset community;
reference:cve,2000-0165; reference:nessus,10054; classtype:web-application-activity; sid:1558; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /doc/packages access"; flow:to_server,established;

content:"/doc/packages"; fast_pattern:only; http_uri; metadata:ruleset


community, service http; reference:bugtraq,1707; reference:cve,2000-1016;
reference:nessus,10518; reference:nessus,11032; classtype:web-application-activity; sid:1559; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /doc/ access"; flow:to_server,established; content:"/doc/";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,318; reference:cve,1999-0678; classtype:web-application-activity; sid:1560; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE
CHOWN overflow attempt"; flow:to_server,established; content:"SITE";
nocase; content:"CHOWN"; distance:0; nocase; isdataat:100,relative;
pcre:"/^SITE\s+CHOWN\s[^\n]{100}/smi"; metadata:ruleset community,
service ftp; reference:bugtraq,2120; reference:cve,2001-0065;
reference:nessus,10579; classtype:attempted-admin; sid:1562; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP login.htm attempt"; flow:to_server,established;
content:"/login.htm?"; nocase; http_uri; content:"password="; distance:0;
nocase; http_uri; metadata:ruleset community, service http;
reference:bugtraq,665; reference:cve,1999-1533; classtype:web-application-activity; sid:1563; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP login.htm access"; flow:to_server,established;
content:"/login.htm"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,665; reference:cve,1999-1533;
classtype:web-application-activity; sid:1564; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP eshop.pl arbitrary command execution attempt";
flow:to_server,established; content:"/eshop.pl?"; nocase; http_uri;
content:"seite=|3B|"; distance:0; nocase; http_uri; metadata:ruleset
community, service http; reference:bugtraq,3340; reference:cve,2001-1014;
classtype:web-application-attack; sid:1565; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP eshop.pl access"; flow:to_server,established; content:"/eshop.pl";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,3340; reference:cve,2001-1014; classtype:web-application-activity; sid:1566; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS /exchange/root.asp attempt"; flow:to_server,established;
content:"/exchange/root.asp?"; nocase; http_uri; content:"acs=anon";
distance:0; nocase; http_uri; metadata:ruleset community, service http;
reference:bugtraq,3301; reference:cve,2001-0660; reference:nessus,10755;
reference:nessus,10781; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-047; classtype:web-application-attack;
sid:1567; rev:26;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS /exchange/root.asp access"; flow:to_server,established;
content:"/exchange/root.asp"; nocase; http_uri; metadata:ruleset
community, service http; reference:bugtraq,3301; reference:cve,2001-0660;
reference:nessus,10755; reference:nessus,10781; classtype:web-application-activity; sid:1568; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP loadpage.cgi directory traversal attempt";
flow:to_server,established; content:"/loadpage.cgi"; http_uri;

content:"file=../"; fast_pattern:only; metadata:ruleset community,


service http; reference:bugtraq,2109; reference:cve,2000-1092;
reference:nessus,10065; classtype:web-application-attack; sid:1569;
rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP loadpage.cgi access"; flow:to_server,established;
content:"/loadpage.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,2109; reference:cve,2000-1092;
reference:nessus,10065; classtype:web-application-activity; sid:1570;
rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP dcforum.cgi directory traversal attempt";
flow:to_server,established; content:"/dcforum.cgi"; http_uri;
content:"forum=../.."; metadata:ruleset community, service http;
reference:bugtraq,2611; reference:cve,2001-0436; reference:cve,2001-0437;
reference:nessus,10583; classtype:web-application-attack; sid:1571;
rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP commerce.cgi arbitrary file access attempt";
flow:to_server,established; content:"/commerce.cgi"; http_uri;
content:"page="; http_uri; content:"/../"; http_raw_uri; metadata:ruleset
community, service http; reference:bugtraq,2361; reference:cve,2001-0210;
reference:nessus,10612; classtype:attempted-recon; sid:1572; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cgiforum.pl attempt"; flow:to_server,established;
content:"/cgiforum.pl?"; nocase; http_uri; content:"thesection=../..";
distance:0; nocase; http_uri; metadata:ruleset community, service http;
reference:bugtraq,1963; reference:cve,2000-1171; reference:nessus,10552;
classtype:web-application-attack; sid:1573; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP directorypro.cgi attempt"; flow:to_server,established;
content:"/directorypro.cgi"; http_uri; content:"show="; content:"../..";
distance:1; metadata:ruleset community, service http;
reference:bugtraq,2793; reference:cve,2001-0780; reference:nessus,10679;
classtype:web-application-attack; sid:1574; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino mab.nsf access"; flow:to_server,established;
content:"/mab.nsf"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,4022; reference:cve,2001-1567;
reference:nessus,10953; classtype:attempted-recon; sid:1575; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino cersvr.nsf access"; flow:to_server,established;
content:"/cersvr.nsf"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1576; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino setup.nsf access"; flow:to_server,established;
content:"/setup.nsf"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1577; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino statrep.nsf access"; flow:to_server,established;
content:"/statrep.nsf"; fast_pattern:only; http_uri; metadata:ruleset

community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1578; rev:14;)


# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino webadmin.nsf access"; flow:to_server,established;
content:"/webadmin.nsf"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,9900; reference:bugtraq,9901;
reference:cve,2004-2310; reference:cve,2004-2311; reference:cve,2004-2369; reference:nessus,10629; classtype:attempted-recon; sid:1579;
rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino events4.nsf access"; flow:to_server,established;
content:"/events4.nsf"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1580; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino ntsync4.nsf access"; flow:to_server,established;
content:"/ntsync4.nsf"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1581; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino collect4.nsf access"; flow:to_server,established;
content:"/collect4.nsf"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1582; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino mailw46.nsf access"; flow:to_server,established;
content:"/mailw46.nsf"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1583; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino bookmark.nsf access"; flow:to_server,established;
content:"/bookmark.nsf"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1584; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino agentrunner.nsf access"; flow:to_server,established;
content:"/agentrunner.nsf"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1585; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino mail.box access"; flow:to_server,established;
content:"/mail.box"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,881; reference:cve,2000-0021;
reference:cve,2000-0022; reference:cve,2000-0023; reference:nessus,10629;
classtype:attempted-recon; sid:1586; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cgitest.exe access"; flow:to_server,established;
content:"/cgitest.exe"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,1313; reference:bugtraq,3885;
reference:cve,2000-0521; reference:cve,2002-0128; reference:nessus,10040;
reference:nessus,10623; reference:nessus,11131; classtype:web-application-activity; sid:1587; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SalesLogix Eviewer access"; flow:to_server,established;

content:"/slxweb.dll"; fast_pattern:only; http_uri; metadata:ruleset


community, service http; reference:bugtraq,1078; reference:bugtraq,1089;
reference:cve,2000-0278; reference:cve,2000-0289; classtype:web-application-activity; sid:1588; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP musicat empower attempt"; flow:to_server,established;
content:"/empower?DB="; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,2374; reference:cve,2001-0224;
reference:nessus,10609; classtype:web-application-attack; sid:1589;
rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP faqmanager.cgi arbitrary file access attempt";
flow:to_server,established; content:"/faqmanager.cgi?"; nocase; http_uri;
content:"toc="; distance:0; nocase; http_uri; content:"|00|";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,3810; reference:cve,2002-2033; reference:nessus,10837;
classtype:web-application-attack; sid:1590; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP faqmanager.cgi access"; flow:to_server,established;
content:"/faqmanager.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,3810; reference:cve,2002-2033;
reference:nessus,10837; classtype:web-application-activity; sid:1591;
rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /fcgi-bin/echo.exe access"; flow:to_server,established;
content:"/fcgi-bin/echo.exe"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:nessus,10838;
classtype:web-application-activity; sid:1592; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP FormHandler.cgi external site redirection attempt";
flow:to_server,established; content:"/FormHandler.cgi";
fast_pattern:only; http_uri; content:"redirect=http"; metadata:ruleset
community, service http; reference:bugtraq,798; reference:bugtraq,799;
reference:cve,1999-1050; reference:nessus,10075; classtype:web-application-attack; sid:1593; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP FormHandler.cgi access"; flow:to_server,established;
content:"/FormHandler.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,798; reference:bugtraq,799;
reference:cve,1999-1050; reference:nessus,10075; classtype:web-application-activity; sid:1594; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS htimage.exe access"; flow:to_server,established;
content:"/htimage.exe"; nocase; http_uri; metadata:ruleset community,
service http; reference:bugtraq,1117; reference:bugtraq,964;
reference:cve,2000-0122; reference:cve,2000-0256; reference:nessus,10376;
classtype:web-application-activity; sid:1595; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP guestbook.cgi access"; flow:to_server,established;
content:"/guestbook.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:cve,1999-0237; reference:nessus,10098;
classtype:web-application-activity; sid:1597; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Home Free search.cgi directory traversal attempt";

flow:to_server,established; content:"/search.cgi"; http_uri;


content:"letter=../"; fast_pattern:only; metadata:ruleset community,
service http; reference:bugtraq,921; reference:cve,2000-0054;
reference:nessus,10101; classtype:web-application-attack; sid:1598;
rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP search.cgi access"; flow:to_server,established;
content:"/search.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,921; reference:cve,2000-0054;
classtype:web-application-activity; sid:1599; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP htsearch arbitrary configuration file attempt";
flow:to_server,established; content:"/htsearch?-c"; fast_pattern:only;
http_uri; metadata:ruleset community, service http;
reference:bugtraq,3410; reference:cve,2001-0834; classtype:web-application-attack; sid:1600; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP htsearch arbitrary file read attempt"; flow:to_server,established;
content:"/htsearch?exclude=`"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:bugtraq,1026;
reference:cve,2000-0208; reference:nessus,10105; classtype:web-application-attack; sid:1601; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP htsearch access"; flow:to_server,established; content:"/htsearch";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,1026; reference:cve,2000-0208; reference:nessus,10105;
classtype:web-application-activity; sid:1602; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP DELETE attempt"; flow:to_server,established; content:"DELETE ";
depth:7; nocase; metadata:ruleset community, service http;
reference:nessus,10498; classtype:web-application-activity; sid:1603;
rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4080 (msg:"SERVER-WEBAPP iChat
directory traversal attempt"; flow:to_server,established;
content:"/../../"; metadata:ruleset community; reference:cve,1999-0897;
classtype:web-application-activity; sid:1604; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6004 (msg:"SERVER-OTHER iParty
DOS attempt"; flow:to_server,established; content:"|FF FF FF FF FF FF|";
offset:0; metadata:ruleset community; reference:bugtraq,6844;
reference:cve,1999-1566; reference:nessus,10111; classtype:misc-attack;
sid:1605; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP icat access"; flow:to_server,established; content:"/icat";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:cve,1999-1069; classtype:web-application-activity; sid:1606;
rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP HyperSeek hsx.cgi access"; flow:to_server,established;
content:"/hsx.cgi"; http_uri; metadata:ruleset community, service http;
reference:bugtraq,2314; reference:cve,2001-0253; reference:nessus,10602;
classtype:web-application-activity; sid:1607; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP htmlscript attempt"; flow:to_server,established;
content:"/htmlscript?../.."; fast_pattern:only; http_uri;

metadata:ruleset community, service http; reference:bugtraq,2001;


reference:cve,1999-0264; reference:nessus,10106; classtype:web-application-attack; sid:1608; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP formmail arbitrary command execution attempt";
flow:to_server,established; content:"/formmail"; fast_pattern; nocase;
http_uri; content:"%0a"; nocase; metadata:ruleset community, service
http; reference:bugtraq,1187; reference:bugtraq,2079; reference:cve,1999-0172; reference:cve,2000-0411; reference:nessus,10076;
reference:nessus,10782; classtype:web-application-attack; sid:1610;
rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP eXtropia webstore access"; flow:to_server,established;
content:"/web_store.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,1774; reference:cve,2000-1005;
reference:nessus,10532; classtype:web-application-activity; sid:1611;
rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ftp.pl attempt"; flow:to_server,established; content:"/ftp.pl?";
nocase; http_uri; content:"dir=../.."; distance:0; nocase; http_uri;
metadata:ruleset community, service http; reference:bugtraq,1471;
reference:cve,2000-0674; reference:nessus,10467; classtype:web-application-attack; sid:1612; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP handler attempt"; flow:to_server,established; content:"/handler";
http_uri; content:"|7C|"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,380; reference:cve,1999-0148;
reference:nessus,10100; classtype:web-application-attack; sid:1613;
rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Novell Groupwise gwweb.exe attempt"; flow:to_server,established;
content:"/GWWEB.EXE?"; nocase; http_uri; content:"HELP="; distance:0;
nocase; http_uri; metadata:ruleset community, service http;
reference:bugtraq,879; reference:cve,1999-1005; reference:cve,1999-1006;
reference:nessus,10877; classtype:attempted-recon; sid:1614; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP htgrep attempt"; flow:to_server,established; content:"/htgrep";
http_uri; content:"hdr=/"; metadata:ruleset community, service http;
reference:cve,2000-0832; reference:nessus,10495; classtype:web-application-attack; sid:1615; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS named
version attempt"; flow:to_server; content:"|07|version"; offset:12;
nocase; content:"|04|bind|00|"; offset:12; nocase; metadata:ruleset
community, service dns; reference:nessus,10028; classtype:attempted-recon; sid:1616; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Bugzilla doeditvotes.cgi access"; flow:to_server,established;
content:"/doeditvotes.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,3800; reference:cve,2002-0011;
classtype:web-application-activity; sid:1617; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS .asp chunked Transfer-Encoding"; flow:to_server,established;
content:".asp"; nocase; http_uri; content:"Transfer-Encoding|3A|";
nocase; http_header; content:"chunked"; nocase; http_header;

metadata:ruleset community, service http; reference:bugtraq,4474;


reference:bugtraq,4485; reference:cve,2002-0071; reference:cve,2002-0079;
reference:nessus,10932; classtype:web-application-attack; sid:1618;
rev:26;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP CMD
overflow attempt"; flow:to_server,established; content:"CMD"; nocase;
isdataat:200,relative; pcre:"/^CMD(?!\n)\s[^\n]{200}/smi";
metadata:ruleset community, service ftp; classtype:attempted-admin;
sid:1621; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP
RNFR ././ attempt"; flow:to_server,established; content:"RNFR ";
fast_pattern:only; content:" ././"; metadata:ruleset community, service
ftp; reference:cve,1999-0081; classtype:misc-attack; sid:1622; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP invalid
MODE"; flow:to_server,established; content:"MODE"; fast_pattern:only;
pcre:"/^MODE\s+[^ABSC]{1}/msi"; metadata:ruleset community, service ftp;
reference:url,www.faqs.org/rfcs/rfc959.html; classtype:protocol-command-decode; sid:1623; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP PWD
overflow attempt"; flow:to_server,established; content:"PWD"; nocase;
isdataat:190,relative; pcre:"/^PWD\s.{190}/smi"; metadata:ruleset
community, service ftp; classtype:protocol-command-decode; sid:1624;
rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SYST
overflow attempt"; flow:to_server,established; content:"SYST"; nocase;
isdataat:100,relative; pcre:"/^SYST(?!\n)\s[^\n]{100}/smi";
metadata:ruleset community, service ftp;
reference:url,www.faqs.org/rfcs/rfc959.html; classtype:protocol-command-decode; sid:1625; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS /StoreCSVS/InstantOrder.asmx request"; flow:to_server,established;
content:"/StoreCSVS/InstantOrder.asmx"; nocase; http_uri;
metadata:ruleset community, service http; classtype:web-application-activity; sid:1626; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP FormHandler.cgi directory traversal attempt attempt";
flow:to_server,established; content:"/FormHandler.cgi"; nocase; http_uri;
content:"reply_message_attach="; fast_pattern:only; content:"/../";
metadata:ruleset community, service http; reference:bugtraq,798;
reference:bugtraq,799; reference:cve,1999-1050; reference:nessus,10075;
classtype:web-application-attack; sid:1628; rev:18;)
# alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"POLICY-SOCIAL AIM
login"; flow:to_server,established; content:"*|02|"; depth:2; content:"|
00 17 00 06|"; within:8; distance:4; metadata:ruleset community;
classtype:policy-violation; sid:1631; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP PASS
overflow attempt"; flow:to_server,established; content:"PASS"; nocase;
isdataat:50,relative; pcre:"/^PASS\s[^\n]{50}/smi"; metadata:ruleset
community, service pop3; reference:bugtraq,21645; reference:bugtraq,791;
reference:cve,1999-1511; reference:cve,2006-6605; reference:nessus,10325;
classtype:attempted-admin; sid:1634; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP APOP
overflow attempt"; flow:to_server,established; content:"APOP"; nocase;
isdataat:256,relative; pcre:"/^APOP\s[^\n]{256}/smi"; metadata:ruleset

community, service pop3; reference:bugtraq,1652; reference:cve,2000-0840;


reference:cve,2000-0841; reference:nessus,10559; classtype:attempted-admin; sid:1635; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32000 (msg:"SERVER-OTHER
Xtramail Username overflow attempt"; flow:to_server,established;
content:"Username|3A|"; nocase; isdataat:100,relative; pcre:"/^Username\:
[^\n]{100}/smi"; metadata:ruleset community; reference:bugtraq,791;
reference:cve,1999-1511; reference:nessus,10323; classtype:attempted-admin; sid:1636; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP yabb access"; flow:to_server,established; content:"/YaBB";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,1668; reference:cve,2000-0853; reference:nessus,10512;
classtype:attempted-recon; sid:1637; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"INDICATOR-SCAN SSH
Version map attempt"; flow:to_server,established;
content:"Version_Mapper"; fast_pattern:only; metadata:ruleset community;
classtype:network-scan; sid:1638; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"POLICY-SOCIAL
IRC DCC file transfer request"; flow:to_server,established;
content:"PRIVMSG "; nocase; content:" |3A|.DCC SEND"; distance:0;
fast_pattern; nocase; metadata:ruleset community; classtype:policy-violation; sid:1639; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"POLICY-SOCIAL
IRC DCC chat request"; flow:to_server,established; content:"PRIVMSG ";
nocase; content:" |3A|.DCC CHAT chat"; distance:0; fast_pattern; nocase;
metadata:ruleset community; classtype:policy-violation; sid:1640;
rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6789:6790 (msg:"SERVER-OTHER
DB2 dos attempt"; flow:to_server,established; dsize:1; metadata:ruleset
community; reference:bugtraq,3010; reference:cve,2001-1143;
reference:nessus,10871; classtype:denial-of-service; sid:1641; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP document.d2w access"; flow:to_server,established;
content:"/document.d2w"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,2017; reference:cve,2000-1110;
classtype:web-application-activity; sid:1642; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP db2www access"; flow:to_server,established; content:"/db2www";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:cve,2000-0677; classtype:web-application-activity; sid:1643;
rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP test-cgi attempt"; flow:to_server,established; content:"/test-cgi/*?*"; fast_pattern:only; http_uri; metadata:ruleset community,
service http; reference:bugtraq,2003; reference:cve,1999-0070;
reference:nessus,10282; classtype:web-application-attack; sid:1644;
rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP testcgi access"; flow:to_server,established; content:"/testcgi";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,7214; reference:cve,2003-1531; reference:nessus,11610;
classtype:web-application-activity; sid:1645; rev:19;)

# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP test.cgi access"; flow:to_server,established; content:"/test.cgi";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
classtype:web-application-activity; sid:1646; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP perl.exe command attempt"; flow:to_server,established;
content:"/perl.exe?"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:cve,1999-0509; reference:nessus,10173;
reference:url,www.cert.org/advisories/CA-1996-11.html;
classtype:attempted-recon; sid:1648; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP perl command attempt"; flow:to_server,established;
content:"/perl?"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:cve,1999-0509; reference:nessus,10173;
reference:url,www.cert.org/advisories/CA-1996-11.html;
classtype:attempted-recon; sid:1649; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP tst.bat access"; flow:to_server,established; content:"/tst.bat";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,770; reference:cve,1999-0885; reference:nessus,10014;
classtype:web-application-activity; sid:1650; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP environ.pl access"; flow:to_server,established;
content:"/environ.pl"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; classtype:web-application-activity; sid:1651;
rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP campas attempt"; flow:to_server,established; content:"/campas?|
0A|"; fast_pattern:only; http_uri; metadata:ruleset community, service
http; reference:bugtraq,1975; reference:cve,1999-0146;
reference:nessus,10035; classtype:web-application-attack; sid:1652;
rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cart32.exe access"; flow:to_server,established;
content:"/cart32.exe"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,1153; reference:nessus,10389;
classtype:web-application-activity; sid:1654; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP pfdispaly.cgi arbitrary command execution attempt";
flow:to_server,established; content:"/pfdispaly.cgi?"; nocase; http_uri;
content:"'"; distance:0; nocase; http_uri; metadata:ruleset community,
service http; reference:cve,1999-0270; reference:nessus,10174;
classtype:web-application-attack; sid:1655; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP pfdispaly.cgi access"; flow:to_server,established;
content:"/pfdispaly.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,64; reference:cve,1999-0270;
reference:nessus,10174; classtype:web-application-activity; sid:1656;
rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP pagelog.cgi directory traversal attempt";
flow:to_server,established; content:"/pagelog.cgi"; nocase; http_uri;
content:"name=../"; fast_pattern:only; metadata:ruleset community,
service http; reference:bugtraq,1864; reference:cve,2000-0940;

reference:nessus,10591; classtype:web-application-activity; sid:1657;


rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP pagelog.cgi access"; flow:to_server,established;
content:"/pagelog.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,1864; reference:cve,2000-0940;
reference:nessus,10591; classtype:web-application-activity; sid:1658;
rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion sendmail.cfm access"; flow:to_server,established;
content:"/sendmail.cfm"; nocase; http_uri; metadata:ruleset community,
service http; reference:cve,1999-0760; reference:cve,2001-0535;
classtype:attempted-recon; sid:1659; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS trace.axd access"; flow:to_server,established; content:"/trace.axd";
nocase; http_uri; metadata:ruleset community, service http;
reference:nessus,10993; classtype:web-application-activity; sid:1660;
rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS cmd32.exe access"; flow:to_server,established; content:"cmd32.exe";
nocase; http_uri; metadata:ruleset community, service http;
classtype:web-application-attack; sid:1661; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /~ftp access"; flow:to_server,established; content:"/~ftp";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
classtype:attempted-recon; sid:1662; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP *%20.pl access"; flow:to_server,established; content:" .pl";
fast_pattern:only; http_uri; pcre:"/\/[^\r\n]*\x20.pl/Ui";
metadata:ruleset community, service http; reference:nessus,11007;
reference:url,rtfm.vn.ua/inet/sec/cgi-bugs.htm;
reference:url,www.securityfocus.com/archive/1/149482; classtype:web-application-attack; sid:1663; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mkplog.exe access"; flow:to_server,established;
content:"/mkplog.exe"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; classtype:web-application-activity; sid:1664;
rev:13;)
# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any
(msg:"INDICATOR-COMPROMISE index of /cgi-bin/ response";
flow:to_client,established; file_data; content:"Index of /cgi-bin/";
nocase; metadata:ruleset community, service http; reference:nessus,10039;
classtype:bad-unknown; sid:1666; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cross site scripting HTML Image tag set to javascript attempt";
flow:to_server,established; content:"img src=javascript";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,4858; reference:cve,2002-0902; classtype:web-application-attack; sid:1667; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /cgi-bin/ access"; flow:to_server,established; content:"/cgi-bin/"; http_uri; content:"/cgi-bin/ HTTP"; fast_pattern:only;
metadata:ruleset community, service http; classtype:web-application-attack; sid:1668; rev:14;)

# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /cgi-dos/ access"; flow:to_server,established; content:"/cgi-dos/"; http_uri; content:"/cgi-dos/ HTTP"; fast_pattern:only;
metadata:ruleset community, service http; classtype:web-application-attack; sid:1669; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /home/ftp access"; flow:to_server,established;
content:"/home/ftp"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:nessus,11032; classtype:web-application-activity; sid:1670; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /home/www access"; flow:to_server,established;
content:"/home/www"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:nessus,11032; classtype:web-application-activity; sid:1671; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP CWD ~
attempt"; flow:to_server,established; content:"CWD"; fast_pattern:only;
pcre:"/^CWD\s+~/smi"; metadata:ruleset community, service ftp;
reference:bugtraq,2601; reference:bugtraq,9215; reference:cve,2001-0421;
classtype:denial-of-service; sid:1672; rev:21;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE EXECUTE_SYSTEM attempt"; flow:to_server,established;
content:"EXECUTE_SYSTEM"; nocase; metadata:ruleset community;
classtype:system-call-detect; sid:1673; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE connect_data remote version detection attempt";
flow:to_server,established; content:"connect_data|28|command=version|
29|"; nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1674; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE misparsed login response"; flow:to_client,established;
content:"description=|28|"; nocase; content:!"connect_data=|28|sid=";
nocase; content:!"address=|28|protocol=tcp"; nocase; metadata:ruleset
community; classtype:suspicious-login; sid:1675; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE select union attempt"; flow:to_server,established; content:"select
"; nocase; content:" union "; nocase; metadata:ruleset community;
classtype:protocol-command-decode; sid:1676; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE select like '%' attempt"; flow:to_server,established; content:"
where "; nocase; content:" like '%'"; nocase; metadata:ruleset community;
classtype:protocol-command-decode; sid:1677; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE select like '%' attempt backslash escaped";
flow:to_server,established; content:" where "; nocase; content:" like |
22|%|22|"; nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1678; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE describe attempt"; flow:to_server,established; content:"describe
"; nocase; metadata:ruleset community; classtype:protocol-command-decode;
sid:1679; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE all_constraints access"; flow:to_server,established;

content:"all_constraints"; nocase; metadata:ruleset community;


classtype:protocol-command-decode; sid:1680; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE all_views access"; flow:to_server,established;
content:"all_views"; nocase; metadata:ruleset community;
classtype:protocol-command-decode; sid:1681; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE all_source access"; flow:to_server,established;
content:"all_source"; nocase; metadata:ruleset community;
classtype:protocol-command-decode; sid:1682; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE all_tables access"; flow:to_server,established;
content:"all_tables"; nocase; metadata:ruleset community;
classtype:protocol-command-decode; sid:1683; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE all_tab_columns access"; flow:to_server,established;
content:"all_tab_columns"; nocase; metadata:ruleset community;
classtype:protocol-command-decode; sid:1684; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE all_tab_privs access"; flow:to_server,established;
content:"all_tab_privs"; nocase; metadata:ruleset community;
classtype:protocol-command-decode; sid:1685; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dba_tablespace access"; flow:to_server,established;
content:"dba_tablespace"; nocase; metadata:ruleset community;
classtype:protocol-command-decode; sid:1686; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dba_tables access"; flow:to_server,established;
content:"dba_tables"; nocase; metadata:ruleset community;
classtype:protocol-command-decode; sid:1687; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE user_tablespace access"; flow:to_server,established;
content:"user_tablespace"; nocase; metadata:ruleset community;
classtype:protocol-command-decode; sid:1688; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.all_users access"; flow:to_server,established;
content:"sys.all_users"; nocase; metadata:ruleset community;
classtype:protocol-command-decode; sid:1689; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE grant attempt"; flow:to_server,established; content:"grant ";
nocase; content:" to "; nocase; metadata:ruleset community;
classtype:protocol-command-decode; sid:1690; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE ALTER USER attempt"; flow:to_server,established; content:"alter
user"; nocase; content:" identified by "; nocase; metadata:ruleset
community; classtype:protocol-command-decode; sid:1691; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE drop table attempt"; flow:to_server,established; content:"drop
table"; nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1692; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE create table attempt"; flow:to_server,established; content:"create
table"; nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1693; rev:8;)

# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE alter table attempt"; flow:to_server,established; content:"alter
table"; nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1694; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE truncate table attempt"; flow:to_server,established;
content:"truncate table"; nocase; metadata:ruleset community;
classtype:protocol-command-decode; sid:1695; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE create database attempt"; flow:to_server,established;
content:"create database"; nocase; metadata:ruleset community;
classtype:protocol-command-decode; sid:1696; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE alter database attempt"; flow:to_server,established;
content:"alter database"; nocase; metadata:ruleset community;
classtype:protocol-command-decode; sid:1697; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP imagemap.exe access"; flow:to_server,established;
content:"/imagemap.exe"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,739; reference:cve,1999-0951;
reference:nessus,10122; classtype:web-application-activity; sid:1700;
rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP calendar-admin.pl access"; flow:to_server,established;
content:"/calendar-admin.pl"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:bugtraq,1215;
reference:cve,2000-0432; reference:nessus,10506; classtype:web-application-activity; sid:1701; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Amaya templates sendtemp.pl access"; flow:to_server,established;
content:"/sendtemp.pl"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,2504; reference:cve,2001-0272;
classtype:web-application-activity; sid:1702; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP auktion.cgi directory traversal attempt";
flow:to_server,established; content:"/auktion.cgi"; fast_pattern; nocase;
http_uri; content:"menue=../../"; nocase; metadata:ruleset community,
service http; reference:bugtraq,2367; reference:cve,2001-0212;
reference:nessus,10638; classtype:web-application-attack; sid:1703;
rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cal_make.pl directory traversal attempt";
flow:to_server,established; content:"/cal_make.pl"; nocase; http_uri;
content:"p0=../../"; fast_pattern:only; metadata:ruleset community,
service http; reference:bugtraq,2663; reference:cve,2001-0463;
reference:nessus,10664; classtype:web-application-attack; sid:1704;
rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP echo.bat arbitrary command execution attempt";
flow:to_server,established; content:"/echo.bat"; http_uri; content:"&";
metadata:ruleset community, service http; reference:bugtraq,1002;
reference:cve,2000-0213; reference:nessus,10246; classtype:web-application-attack; sid:1705; rev:14;)

# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP echo.bat access"; flow:to_server,established; content:"/echo.bat";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,1002; reference:cve,2000-0213; reference:nessus,10246;
classtype:web-application-activity; sid:1706; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP hello.bat arbitrary command execution attempt";
flow:to_server,established; content:"/hello.bat"; http_uri; content:"&";
metadata:ruleset community, service http; reference:bugtraq,1002;
reference:cve,2000-0213; reference:nessus,10246; classtype:web-application-attack; sid:1707; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP hello.bat access"; flow:to_server,established;
content:"/hello.bat"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,1002; reference:cve,2000-0213;
reference:nessus,10246; classtype:web-application-activity; sid:1708;
rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ad.cgi access"; flow:to_server,established; content:"/ad.cgi";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,2103; reference:cve,2001-0025; reference:nessus,11464;
classtype:web-application-activity; sid:1709; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bbs_forum.cgi access"; flow:to_server,established;
content:"/bbs_forum.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,2177; reference:cve,2001-0123;
reference:url,www.cgisecurity.com/advisory/3.1.txt; classtype:web-application-activity; sid:1710; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bsguest.cgi access"; flow:to_server,established;
content:"/bsguest.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,2159; reference:cve,2001-0099;
classtype:web-application-activity; sid:1711; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bslist.cgi access"; flow:to_server,established;
content:"/bslist.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,2160; reference:cve,2001-0100;
classtype:web-application-activity; sid:1712; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cgforum.cgi access"; flow:to_server,established;
content:"/cgforum.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,1951; reference:cve,2000-1132;
classtype:web-application-activity; sid:1713; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP newdesk access"; flow:to_server,established; content:"/newdesk";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
classtype:web-application-activity; sid:1714; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP register.cgi access"; flow:to_server,established;
content:"/register.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,2157; reference:cve,2001-0076;
classtype:web-application-activity; sid:1715; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP gbook.cgi access"; flow:to_server,established;
content:"/gbook.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,1940; reference:cve,2000-1131;
classtype:web-application-activity; sid:1716; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP simplestguest.cgi access"; flow:to_server,established;
content:"/simplestguest.cgi"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:bugtraq,2106;
reference:cve,2001-0022; classtype:web-application-activity; sid:1717;
rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP statsconfig.pl access"; flow:to_server,established;
content:"/statsconfig.pl"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,2211; reference:cve,2001-0113;
classtype:web-application-activity; sid:1718; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP talkback.cgi directory traversal attempt";
flow:to_server,established; content:"/talkbalk.cgi"; nocase; http_uri;
content:"article=../../"; fast_pattern:only; metadata:ruleset community,
service http; reference:bugtraq,2547; reference:cve,2001-0420;
classtype:web-application-attack; sid:1719; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP talkback.cgi access"; flow:to_server,established;
content:"/talkbalk.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,2547; reference:cve,2001-0420;
classtype:web-application-activity; sid:1720; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP adcycle access"; flow:to_server,established; content:"/adcycle";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,3741; reference:cve,2001-1226; classtype:web-application-activity; sid:1721; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP MachineInfo access"; flow:to_server,established;
content:"/MachineInfo"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:cve,1999-1067; classtype:web-application-activity; sid:1722; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP emumail.cgi NULL attempt"; flow:to_server,established;
content:"/emumail.cgi"; http_uri; content:"type="; nocase; content:"%00";
metadata:ruleset community, service http; reference:bugtraq,5824;
reference:cve,2002-1526; classtype:web-application-activity; sid:1723;
rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP emumail.cgi access"; flow:to_server,established;
content:"/emumail.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,5824; reference:cve,2002-1526;
classtype:web-application-activity; sid:1724; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS +.htr code fragment attempt"; flow:to_server,established;
content:" .htr"; nocase; http_uri; metadata:ruleset community, service
http; reference:bugtraq,1488; reference:cve,2000-0630;
reference:cve,2001-0004; reference:nessus,10680;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-044;
reference:url,technet.microsoft.com/en-us/security/bulletin/ms01-004;
classtype:web-application-attack; sid:1725; rev:24;)

# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS doctodep.btr access"; flow:to_server,established;
content:"doctodep.btr"; http_uri; metadata:ruleset community, service
http; classtype:web-application-activity; sid:1726; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SGI InfoSearch fname access"; flow:to_server,established;
content:"/infosrch.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,1031; reference:cve,2000-0207;
classtype:web-application-activity; sid:1727; rev:20;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"POLICY-SOCIAL
IRC channel join"; flow:to_server,established; dsize:<140; content:"JOIN
"; pcre:"/(&|#|\+|!)/R"; metadata:ruleset community; classtype:policy-violation; sid:1729; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ustorekeeper.pl directory traversal attempt";
flow:to_server,established; content:"/ustorekeeper.pl"; nocase; http_uri;
content:"file=../../"; fast_pattern:only; metadata:ruleset community,
service http; reference:bugtraq,2536; reference:cve,2001-0466;
reference:nessus,10645; classtype:web-application-attack; sid:1730;
rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP a1stats access"; flow:to_server,established; content:"/a1stats/";
http_uri; metadata:ruleset community, service http;
reference:bugtraq,2705; reference:cve,2001-0561; reference:nessus,10669;
classtype:web-application-activity; sid:1731; rev:14;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
rwalld request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4;
offset:12; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
01 86 A8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4;
metadata:ruleset community, service sunrpc; reference:bugtraq,205;
reference:cve,1999-0181; classtype:rpc-portmap-decode; sid:1732; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
rwalld request TCP"; flow:to_server,established; content:"|00 01 86 A0|";
depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
01 86 A8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8;
metadata:ruleset community, service sunrpc; reference:bugtraq,205;
reference:cve,1999-0181; classtype:rpc-portmap-decode; sid:1733; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP USER
overflow attempt"; flow:to_server,established; content:"USER"; nocase;
isdataat:100,relative; pcre:"/^USER(?!\n)\s[^\n]{100}/smi";
metadata:ruleset community, service ftp; reference:bugtraq,10078;
reference:bugtraq,10720; reference:bugtraq,1227; reference:bugtraq,1504;
reference:bugtraq,15352; reference:bugtraq,1690; reference:bugtraq,22044;
reference:bugtraq,22045; reference:bugtraq,4638; reference:bugtraq,49750;
reference:bugtraq,7307; reference:bugtraq,8376; reference:cve,1999-1510;
reference:cve,1999-1514; reference:cve,1999-1519; reference:cve,1999-1539; reference:cve,2000-0479; reference:cve,2000-0656;
reference:cve,2000-0761; reference:cve,2000-0943; reference:cve,2000-1194; reference:cve,2001-0256; reference:cve,2001-0794;
reference:cve,2001-0826; reference:cve,2002-0126; reference:cve,2002-1522; reference:cve,2003-0271; reference:cve,2004-0286;
reference:cve,2004-0695; reference:cve,2005-3683; classtype:attempted-admin; sid:1734; rev:49;)


# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Mozilla Netscape XMLHttpRequest local file read attempt";
flow:to_client,established; file_data; content:"new XMLHttpRequest|28|";
content:"file|3A|//"; nocase; metadata:ruleset community, service http;
reference:bugtraq,4628; reference:cve,2002-0354; classtype:web-application-attack; sid:1735; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP squirrel mail spell-check arbitrary command attempt";
flow:to_server,established;
content:"/squirrelspell/modules/check_me.mod.php"; fast_pattern; nocase;
http_uri; content:"SQSPELL_APP["; nocase; metadata:ruleset community,
service http; reference:bugtraq,3952; classtype:web-application-attack;
sid:1736; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP squirrel mail theme arbitrary command attempt";
flow:to_server,established; content:"/left_main.php"; nocase; http_uri;
content:"cmdd="; fast_pattern:only; http_uri; metadata:ruleset community,
service http; reference:bugtraq,4385; reference:cve,2002-0516;
classtype:web-application-attack; sid:1737; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP global.inc access"; flow:to_server,established;
content:"/global.inc"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,4612; reference:cve,2002-0614;
classtype:web-application-attack; sid:1738; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP DNSTools administrator authentication bypass attempt";
flow:to_server,established; content:"/dnstools.php"; nocase; http_uri;
content:"user_logged_in=true"; nocase; http_uri;
content:"user_dnstools_administrator=true"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:bugtraq,4617;
reference:cve,2002-0613; classtype:web-application-attack; sid:1739;
rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP DNSTools authentication bypass attempt";
flow:to_server,established; content:"/dnstools.php"; fast_pattern;
nocase; http_uri; content:"user_logged_in=true"; http_uri;
metadata:ruleset community, service http; reference:bugtraq,4617;
reference:cve,2002-0613; classtype:web-application-attack; sid:1740;
rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP DNSTools access"; flow:to_server,established;
content:"/dnstools.php"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,4617; reference:cve,2002-0613;
classtype:web-application-activity; sid:1741; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Blahz-DNS dostuff.php modify user attempt";
flow:to_server,established; content:"/dostuff.php?"; nocase; http_uri;
content:"action=modify_user"; distance:0; nocase; http_uri;
metadata:ruleset community, service http; reference:bugtraq,4618;
reference:cve,2002-0599; classtype:web-application-attack; sid:1742;
rev:17;)

# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Blahz-DNS dostuff.php access"; flow:to_server,established;
content:"/dostuff.php"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,4618; reference:cve,2002-0599;
classtype:web-application-activity; sid:1743; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SecureSite authentication bypass attempt";
flow:to_server,established; content:"secure_site, ok"; nocase;
metadata:ruleset community, service http; reference:bugtraq,4621;
classtype:web-application-attack; sid:1744; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Messagerie supp_membre.php access"; flow:to_server,established;
content:"/supp_membre.php"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,4635; classtype:web-application-activity; sid:1745; rev:15;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
cachefsd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4;
offset:12; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
01 87 8B|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4;
metadata:ruleset community, service sunrpc; reference:bugtraq,4674;
reference:cve,2002-0033; reference:cve,2002-0084; reference:nessus,10951;
classtype:rpc-portmap-decode; sid:1746; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
cachefsd request TCP"; flow:to_server,established; content:"|00 01 86
A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
01 87 8B|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8;
metadata:ruleset community, service sunrpc; reference:bugtraq,4674;
reference:cve,2002-0033; reference:cve,2002-0084; reference:nessus,10951;
classtype:rpc-portmap-decode; sid:1747; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS users.xml access"; flow:to_server,established; content:"/users.xml";
nocase; http_uri; metadata:ruleset community, service http;
classtype:web-application-activity; sid:1750; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32772:34000 (msg:"SERVER-OTHER
cachefsd buffer overflow attempt"; flow:to_server,established;
isdataat:720; content:"|00 01 87 86 00 00 00 01 00 00 00 05|";
fast_pattern:only; metadata:ruleset community; reference:bugtraq,4631;
reference:cve,2002-0084; reference:nessus,10951; classtype:misc-attack;
sid:1751; rev:12;)
# alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"POLICY-SOCIAL AIM
AddExternalApp attempt"; flow:to_client,established; content:"aim|3A|
AddExternalApp?"; fast_pattern:only; metadata:ruleset community;
reference:url,www.w00w00.org/files/w00aimexp/; classtype:misc-attack;
sid:1752; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS as_web.exe access"; flow:to_server,established;
content:"/as_web.exe"; nocase; http_uri; metadata:ruleset community,
service http; reference:bugtraq,4670; reference:cve,2002-1727;
reference:cve,2002-1728; classtype:web-application-activity; sid:1753;
rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS as_web4.exe access"; flow:to_server,established;
content:"/as_web4.exe"; nocase; http_uri; metadata:ruleset community,
service http; reference:bugtraq,4670; reference:cve,2002-1727;
reference:cve,2002-1728; classtype:web-application-activity; sid:1754;
rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP
partial body buffer overflow attempt"; flow:to_server,established;
content:"PARTIAL"; nocase; content:"BODY["; distance:0; nocase;
isdataat:1024,relative; pcre:"/\sPARTIAL.*?BODY\[[^\]]{1024}/smi";
metadata:ruleset community, service imap; reference:bugtraq,4713;
reference:cve,2002-0379; reference:nessus,10966; classtype:misc-attack;
sid:1755; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS NewsPro administration authentication attempt";
flow:to_server,established; content:"logged,true"; metadata:ruleset
community, service http; reference:bugtraq,4672; reference:cve,2002-1734;
classtype:web-application-activity; sid:1756; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP b2 arbitrary command execution attempt";
flow:to_server,established; content:"/b2/b2-include/"; http_uri;
content:"b2inc"; content:"http|3A|//"; metadata:ruleset community,
service http; reference:bugtraq,4673; reference:cve,2002-0734;
reference:cve,2002-1466; reference:nessus,11667; classtype:web-application-attack; sid:1757; rev:14;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 445 (msg:"SQL xp_cmdshell
program execution 445"; flow:to_server,established; content:"x|00|p|00|_|
00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; fast_pattern:only;
metadata:ruleset community; reference:bugtraq,5309; classtype:attempted-user; sid:1759; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP phf arbitrary command execution attempt";
flow:to_server,established; content:"/phf"; fast_pattern; nocase;
http_uri; content:"QALIAS"; nocase; content:"%0a"; nocase;
metadata:ruleset community, service http; reference:bugtraq,629;
reference:cve,1999-0067; classtype:web-application-attack; sid:1762;
rev:24;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Nortel Contivity cgiproc DOS attempt"; flow:to_server,established;
content:"/cgiproc?Nocfile="; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:bugtraq,938;
reference:cve,2000-0063; reference:cve,2000-0064; reference:nessus,10160;
classtype:web-application-attack; sid:1763; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Nortel Contivity cgiproc DOS attempt"; flow:to_server,established;
content:"/cgiproc?|24|"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,938; reference:cve,2000-0063;
reference:cve,2000-0064; reference:nessus,10160; classtype:web-application-attack; sid:1764; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Nortel Contivity cgiproc access"; flow:to_server,established;
content:"/cgiproc"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,938; reference:cve,2000-0063;
reference:cve,2000-0064; reference:nessus,10160; classtype:web-application-activity; sid:1765; rev:16;)

# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP search.dll directory listing attempt"; flow:to_server,established;
content:"/search.dll"; http_uri; content:"query=%00"; metadata:ruleset
community, service http; reference:bugtraq,1684; reference:cve,2000-0835;
reference:nessus,10514; classtype:web-application-attack; sid:1766;
rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP search.dll access"; flow:to_server,established;
content:"/search.dll"; http_uri; metadata:ruleset community, service
http; reference:bugtraq,1684; reference:cve,2000-0835;
reference:nessus,10514; classtype:web-application-activity; sid:1767;
rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .DS_Store access"; flow:to_server,established;
content:"/.DS_Store"; http_uri; metadata:ruleset community, service http;
reference:url,www.macintouch.com/mosxreaderreports46.html; classtype:web-application-activity; sid:1769; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .FBCIndex access"; flow:to_server,established;
content:"/.FBCIndex"; http_uri; metadata:ruleset community, service http;
reference:url,www.securiteam.com/securitynews/5LP0O005FS.html;
classtype:web-application-activity; sid:1770; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"POLICY-OTHER IPSec
PGPNet connection attempt"; flow:to_server; content:"|00 00 00 00 00 00
00 00 00 00 00 00 00 00 01 10 02 00 00 00 00 00 00 00 00 88 0D 00 00 5C
00 00 00 01 00 00 00 01 00 00 00|P|01 01 00 02 03 00 00 24 01 01 00 00 80
01 00 06 80 02 00 02 80 03 00 03 80 04 00 05 80 0B 00 01 00 0C 00 04 00
01|Q|80 00 00 00 24 02 01 00 00 80 01 00 05 80 02 00 01 80 03 00 03 80 04
00 02 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 10|";
fast_pattern:only; metadata:ruleset community; classtype:protocol-command-decode; sid:1771; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS pbserver access"; flow:to_server,established;
content:"/pbserver/pbserver.dll"; nocase; http_uri; metadata:ruleset
community, service http; reference:cve,2000-1089;
reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-094;
classtype:web-application-activity; sid:1772; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP php.exe access"; flow:to_server,established; content:"/php.exe";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:url,www.securitytracker.com/alerts/2002/Jan/1003104.html;
classtype:web-application-activity; sid:1773; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb_smilies.php access"; flow:to_server,established;
content:"/bb_smilies.php"; fast_pattern:only; http_uri; metadata:ruleset
community, service http;
reference:url,www.securiteam.com/securitynews/Serious_security_hole_in_PH
P-Nuke__bb_smilies_.html; classtype:web-application-activity; sid:1774;
rev:15;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL
root login attempt"; flow:to_server,established; content:"|0A 00 00 01 85
04 00 00 80|root|00|"; fast_pattern:only; metadata:ruleset community,
service mysql; classtype:protocol-command-decode; sid:1775; rev:9;)

# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL
show databases attempt"; flow:to_server,established; content:"|0F 00 00
00 03|show databases"; fast_pattern:only; metadata:ruleset community,
service mysql; classtype:protocol-command-decode; sid:1776; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP EXPLOIT
STAT asterisk dos attempt"; flow:to_server,established; content:"STAT";
fast_pattern:only; pcre:"/^STAT\s+[^\n]*\x2a/smi"; metadata:ruleset
community, service ftp; reference:bugtraq,4482; reference:cve,2002-0073;
reference:nessus,10934; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-018; classtype:attempted-dos; sid:1777;
rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP EXPLOIT
STAT ? dos attempt"; flow:to_server,established; content:"STAT";
fast_pattern:only; pcre:"/^STAT\s+[^\n]*\x3f/smi"; metadata:ruleset
community, service ftp; reference:bugtraq,4482; reference:cve,2002-0073;
reference:nessus,10934; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-018; classtype:attempted-dos; sid:1778;
rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP csPassword.cgi access"; flow:to_server,established;
content:"/csPassword.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,4885; reference:bugtraq,4886;
reference:bugtraq,4887; reference:bugtraq,4889; reference:cve,2002-0917;
reference:cve,2002-0918; classtype:web-application-activity; sid:1787;
rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP csPassword password.cgi.tmp access"; flow:to_server,established;
content:"/password.cgi.tmp"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:bugtraq,4889;
reference:cve,2002-0920; classtype:web-application-activity; sid:1788;
rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"POLICY-SOCIAL
IRC dns request"; flow:to_server,established; content:"USERHOST ";
metadata:ruleset community; classtype:policy-violation; sid:1789;
rev:12;)
# alert tcp $EXTERNAL_NET 6666:7000 -> $HOME_NET any (msg:"POLICY-SOCIAL
IRC dns response"; flow:to_client,established; content:"|3A|"; offset:0;
content:" 302 "; content:"=+"; fast_pattern:only; metadata:ruleset
community; classtype:policy-violation; sid:1790; rev:10;)
# alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"PROTOCOL-NNTP return
code buffer overflow attempt"; flow:to_client,established; content:"200";
isdataat:256,relative; pcre:"/^200\s[^\n]{256}/smi"; metadata:ruleset
community; reference:bugtraq,4900; reference:cve,2002-0909;
classtype:protocol-command-decode; sid:1792; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS .asa HTTP header buffer overflow attempt";
flow:to_server,established; content:"HTTP/"; nocase; content:".asa";
fast_pattern; nocase; http_uri; content:"|3A|"; content:"|0A|";
content:"|00|"; metadata:ruleset community, service http;
reference:bugtraq,4476; reference:cve,2002-0150; reference:nessus,10936;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-018;
classtype:web-application-attack; sid:1802; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS .cer HTTP header buffer overflow attempt";
flow:to_server,established; content:"HTTP/"; nocase; content:".cer";
fast_pattern; nocase; http_uri; content:"|3A|"; content:"|0A|";
content:"|00|"; metadata:ruleset community, service http;
reference:bugtraq,4476; reference:cve,2002-0150; reference:nessus,10936;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-018;
classtype:web-application-attack; sid:1803; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVERIIS .cdx HTTP header buffer overflow attempt";
flow:to_server,established; content:"HTTP/"; nocase; content:".cdx";
fast_pattern; nocase; http_uri; content:"|3A|"; content:"|0A|";
content:"|00|"; metadata:ruleset community, service http;
reference:bugtraq,4476; reference:cve,2002-0150; reference:nessus,10936;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-018;
classtype:web-application-attack; sid:1804; rev:21;)
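# sid:1805 - "/rwcgi60" in the URI; "setauth=" is a raw-payload content (not http_uri,
# not relative), so it can be satisfied from any part of the request.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Reports CGI access"; flow:to_server,established; content:"/rwcgi60"; fast_pattern:only; http_uri; content:"setauth="; metadata:ruleset community, service http; reference:bugtraq,4848; reference:cve,2002-0947; classtype:web-application-activity; sid:1805; rev:12;)
# sid:1806 - .htr ISAPI extension reached with a chunked request body (CVE-2002-0364).
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS .htr chunked Transfer-Encoding"; flow:to_server,established; content:".htr"; nocase; http_uri; content:"Transfer-Encoding|3A|"; nocase; http_header; content:"chunked"; nocase; http_header; metadata:ruleset community, service http; reference:bugtraq,4855; reference:bugtraq,5003; reference:cve,2002-0364; reference:nessus,11028; classtype:web-application-attack; sid:1806; rev:20;)
# sid:1807 - POLICY rule: fires on EVERY chunked HTTP/1.1 request to $HTTP_SERVERS, which
# is normal traffic today. Enable only behind a threshold/suppression or as a pivot for
# sid:1808/1809; on its own it is volume, not signal.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"POLICY-OTHER Chunked-Encoding transfer attempt"; flow:to_server,established; content:"Transfer-Encoding|3A|"; nocase; http_header; content:"chunked"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:bugtraq,4474; reference:bugtraq,4485; reference:bugtraq,5033; reference:cve,2002-0071; reference:cve,2002-0079; reference:cve,2002-0392; reference:nessus,10932; classtype:policy-violation; sid:1807; rev:21;)
# sid:1808 - the byte pattern is x86 machine code inside the header block; it ends in
# "B8 3B 00 00 00 CD 80" = mov eax,0x3b ; int 0x80, a raw syscall stub. 0x3b (59) is
# consistent with the BSD-targeted public exploits for CVE-2002-0392 (inferred, not
# asserted by the rule). Machine code in HTTP headers is a strong indicator on its own.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP apache chunked encoding memory corruption exploit attempt"; flow:to_server,established; content:"|C0|PR|89 E1|PQRP|B8 3B 00 00 00 CD 80|"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:bugtraq,5033; reference:cve,2002-0392; classtype:web-application-activity; sid:1808; rev:16;)
# sid:1809 - fixed padding header "X-CCCCCCC: " used by the worm named in the msg.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache Chunked-Encoding worm attempt"; flow:to_server,established; content:"X-CCCCCCC|3A 20|"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:bugtraq,4474; reference:bugtraq,4485; reference:bugtraq,5033; reference:cve,2002-0071; reference:cve,2002-0079; reference:cve,2002-0392; reference:nessus,10932; classtype:web-application-attack; sid:1809; rev:19;)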
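# sid:1810 - direction is $HOME_NET 22 -> $EXTERNAL_NET: the "*GOBBLE*" marker coming
# back from OUR sshd means the exploit already succeeded (classtype successful-admin).
# Treat a hit as an incident, not an attempt.
# alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"SERVER-OTHER successful gobbles ssh exploit GOBBLE"; flow:to_client,established; content:"*GOBBLE*"; metadata:ruleset community; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0640; classtype:successful-admin; sid:1810; rev:19;)
# sid:1811 - bare "uname" anywhere in a server->client segment on port 22. Once the SSH
# key exchange is done the stream is ciphertext, so those five bytes can occur by chance
# in ordinary sessions; low confidence alone -- correlate with sid:1810/1812.
# alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"SERVER-OTHER successful gobbles ssh exploit uname"; flow:to_client,established; content:"uname"; metadata:ruleset community; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0640; reference:nessus,11031; classtype:misc-attack; sid:1811; rev:17;)
# sid:1812 - the attempt side: "GOBBLES" in client->server data to port 22.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SERVER-OTHER gobbles SSH exploit attempt"; flow:to_server,established; content:"GOBBLES"; metadata:ruleset community; reference:bugtraq,5093; reference:cve,2002-0639; reference:nessus,11031; classtype:misc-attack; sid:1812; rev:13;)
# sid:1813 - informational: ICMP payload starting (depth:22) with "mailto:ops@digisle.com",
# a bandwidth-measurement probe; no attack content.
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP digital island bandwidth query"; content:"mailto|3A|ops@digisle.com"; depth:22; metadata:ruleset community; classtype:misc-activity; sid:1813; rev:9;)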
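# sid:1814 - URI-only match on the Cisco IP phone statistics page (CVE-2002-0882).
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP CISCO VoIP DOS ATTEMPT"; flow:to_server,established; content:"/StreamingStatistics"; http_uri; metadata:ruleset community, service http; reference:bugtraq,4794; reference:cve,2002-0882; reference:nessus,11013; classtype:misc-attack; sid:1814; rev:15;)
# sid:1815 - "dir=" and ";" are raw-payload contents with no http_uri and no distance/
# within, so the ";" may come from any header (Cookie, Accept, ...) rather than the
# parameter value. Expect false positives; sid:1816 is the plain access variant.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP directory.php arbitrary command attempt"; flow:to_server,established; content:"/directory.php"; http_uri; content:"dir="; content:"|3B|"; metadata:ruleset community, service http; reference:bugtraq,4278; reference:cve,2002-0434; reference:nessus,11017; classtype:misc-attack; sid:1815; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP directory.php access"; flow:to_server,established; content:"/directory.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4278; reference:cve,2002-0434; classtype:misc-attack; sid:1816; rev:11;)
# sid:1817 - the Basic credential "TERBUF9Bbm9ueW1vdXM6TGRhcFBhc3N3b3JkXzE=" decodes to
# "LDAP_Anonymous:LdapPassword_1" (the Site Server default). The pcre's /i flag makes a
# case-sensitive base64 token compare case-insensitively, which slightly over-matches;
# sid:1861 shows the (?-i) idiom that avoids this.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS MS Site Server default login attempt"; flow:to_server,established; content:"/SiteServer/Admin/knowledge/persmbr/"; nocase; http_uri; pcre:"/^Authorization\x3A\s*Basic\s+TERBUF9Bbm9ueW1vdXM6TGRhcFBhc3N3b3JkXzE=/smi"; metadata:ruleset community, service http; reference:nessus,11018; classtype:web-application-attack; sid:1817; rev:18;)
# sid:1818 - note the literal space in "/Site Server/" (kept as upstream); http_uri is
# the normalized URI, so a %20-encoded request path still matches.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS MS Site Server admin attempt"; flow:to_server,established; content:"/Site Server/Admin/knowledge/persmbr/"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11018; classtype:web-application-attack; sid:1818; rev:15;)
# sid:1819 - first three bytes "00 01 43" of a connection to TCP 2533.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2533 (msg:"SERVER-OTHER Alcatel PABX 4400 connection attempt"; flow:to_server,established; content:"|00 01|C"; depth:3; metadata:ruleset community; reference:nessus,11019; classtype:misc-activity; sid:1819; rev:9;)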
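# sid:1820 - URI-presence check for the Net.Commerce macro (CVE-2001-0319).
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP IBM Net.Commerce orderdspc.d2w access"; flow:to_server,established; content:"/ncommerce3/ExecMacro/orderdspc.d2w"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2350; reference:cve,2001-0319; reference:nessus,11020; classtype:web-application-activity; sid:1820; rev:15;)
# sid:1821 - LPD (515): a psfile= value opening with a quote and a backtick, i.e. shell
# command substitution handed to the dvips print filter (per the referenced advisory).
# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"SERVER-OTHER LPD dvips remote command execution attempt"; flow:to_server,established; content:"psfile=|22|`"; metadata:ruleset community; reference:bugtraq,3241; reference:cve,2001-1002; reference:nessus,11023; classtype:system-call-detect; sid:1821; rev:10;)
# sid:1822-1825 - AlienForm. ".|7C|./.|7C|." is the literal ".|./.|." sequence the CGI
# rewrote into "../../" (per bugtraq 4983). The traversal rules need the script name in
# the URI plus that sequence anywhere in the payload (raw content, not http_uri);
# 1824/1825 are the plain "access" variants.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AlienForm alienform.cgi directory traversal attempt"; flow:to_server,established; content:"/alienform.cgi"; http_uri; content:".|7C|./.|7C|."; metadata:ruleset community, service http; reference:bugtraq,4983; reference:cve,2002-0934; reference:nessus,11027; classtype:web-application-attack; sid:1822; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AlienForm af.cgi directory traversal attempt"; flow:to_server,established; content:"/af.cgi"; http_uri; content:".|7C|./.|7C|."; metadata:ruleset community, service http; reference:bugtraq,4983; reference:cve,2002-0934; reference:nessus,11027; classtype:web-application-attack; sid:1823; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AlienForm alienform.cgi access"; flow:to_server,established; content:"/alienform.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4983; reference:cve,2002-0934; reference:nessus,11027; classtype:web-application-activity; sid:1824; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AlienForm af.cgi access"; flow:to_server,established; content:"/af.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4983; reference:cve,2002-0934; reference:nessus,11027; classtype:web-application-activity; sid:1825; rev:15;)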
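# sid:1826 - requests into the servlet container's WEB-INF directory (deployment
# descriptor / classes). The content has no "nocase", so only the upper-case spelling
# is matched; a case-folding server would also serve "/web-inf".
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP WEB-INF access"; flow:to_server,established; content:"/WEB-INF"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1830; reference:bugtraq,5119; reference:cve,2000-1050; reference:cve,2001-0179; reference:nessus,11037; classtype:web-application-activity; sid:1826; rev:16;)
# sid:1827 - invoking Tomcat servlets by class name ("/servlet/org.apache....").
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat servlet mapping cross site scripting attempt"; flow:to_server,established; content:"/servlet/"; http_uri; content:"/org.apache."; http_uri; metadata:ruleset community, service http; reference:bugtraq,5193; reference:cve,2002-0682; reference:nessus,11041; classtype:web-application-attack; sid:1827; rev:16;)
# sid:1828 - parameter name restored to "NS-query-pat=" (hyphen lost in the wrapped
# copy). "NS-query-pat=" and "../../" are raw-payload contents, not URI-bound or relative.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP iPlanet Search directory traversal attempt"; flow:to_server,established; content:"/search"; http_uri; content:"NS-query-pat="; content:"../../"; metadata:ruleset community, service http; reference:bugtraq,5191; reference:cve,2002-1042; reference:nessus,11043; classtype:web-application-attack; sid:1828; rev:14;)
# sid:1829/1830 - Tomcat example servlets; these should not exist on a production host,
# so any hit is either a scanner or a hardening gap.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat TroubleShooter servlet access"; flow:to_server,established; content:"/examples/servlet/TroubleShooter"; http_uri; metadata:ruleset community, service http; reference:bugtraq,4575; reference:cve,2002-2006; reference:nessus,11046; classtype:web-application-activity; sid:1829; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat SnoopServlet servlet access"; flow:to_server,established; content:"/examples/servlet/SnoopServlet"; http_uri; metadata:ruleset community, service http; reference:bugtraq,4575; reference:cve,2002-2006; reference:nessus,11046; classtype:web-application-activity; sid:1830; rev:15;)
# sid:1831 - "/servlet/con" with a word boundary after "con" (pcre /U = URI buffer);
# presumably the reserved Windows device name the referenced Jigsaw DoS relies on.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP jigsaw dos attempt"; flow:to_server,established; content:"/servlet/con"; http_uri; pcre:"/\x2Fcon\b/Ui"; metadata:ruleset community, service http; reference:bugtraq,5258; reference:cve,2002-1052; reference:nessus,11047; classtype:web-application-attack; sid:1831; rev:12;)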
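# sid:1832 - server port is hard-coded to 80 (not $HTTP_PORTS) and both contents are raw
# payload matches, so responses on other HTTP ports are not covered.
# alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"POLICY-SOCIAL ICQ forced user addition"; flow:established,to_client; content:"Content-Type|3A| application/x-icq"; fast_pattern:only; content:"[ICQ User]"; metadata:ruleset community; reference:bugtraq,3226; reference:cve,2001-1305; classtype:policy-violation; sid:1832; rev:13;)
# sid:1834/1835/1839 - reflected XSS probes. "<script" is matched in the normalized URI
# only, so percent-encoded forms are decoded before matching, but a payload carried in a
# POST body or using a non-"<script" vector is not seen.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PHP-Wiki cross site scripting attempt"; flow:to_server,established; content:"/modules.php?"; http_uri; content:"name=Wiki"; fast_pattern; nocase; http_uri; content:"<script"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,5254; reference:cve,2002-1070; classtype:web-application-attack; sid:1834; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Macromedia SiteSpring cross site scripting attempt"; flow:to_server,established; content:"/error/500error.jsp"; nocase; http_uri; content:"et="; http_uri; content:"<script"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,5249; reference:cve,2002-1027; classtype:web-application-attack; sid:1835; rev:14;)
# sid:1838 - client-side: a hostile SSH *server* sending a 200+ byte banner line to our
# client (server port 22 -> $HOME_NET). isdataat gates the pcre.
# alert tcp $EXTERNAL_NET 22 -> $HOME_NET any (msg:"SERVER-OTHER SSH server banner overflow"; flow:to_client,established; content:"SSH-"; nocase; isdataat:200,relative; pcre:"/^SSH-\s?[^\n]{200}/ism"; metadata:ruleset community; reference:bugtraq,5287; reference:cve,2002-1059; reference:nessus,15822; classtype:misc-attack; sid:1838; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mailman cross site scripting attempt"; flow:to_server,established; content:"/mailman/"; nocase; http_uri; content:"?"; http_uri; content:"info="; http_uri; content:"<script"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,5298; reference:cve,2002-0855; reference:nessus,14984; classtype:web-application-attack; sid:1839; rev:14;)
# sid:1840/1841 - client-side content rules over the response body (file_data). Both are
# substring checks: 1841 fires on any page that merely contains "javascript://" and
# "document.cookie", so expect benign hits from ordinary scripts.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Javascript document.domain attempt"; flow:to_client,established; file_data; content:"document.domain|28|"; nocase; metadata:ruleset community, service http; reference:bugtraq,5346; reference:cve,2002-0815; classtype:attempted-user; sid:1840; rev:15;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla 1.0 Javascript arbitrary cookie access attempt"; flow:to_client,established; file_data; content:"javascript|3A|//"; fast_pattern:only; content:"document.cookie"; nocase; metadata:ruleset community, service http; reference:bugtraq,5293; reference:cve,2002-2314; reference:url,osvdb.org/show/osvdb/60255; classtype:attempted-user; sid:1841; rev:17;)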

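# sid:1842/1844 - IMAP command followed by 100+ non-newline bytes; isdataat:100,relative
# makes the pcre run only when enough data follows. The LOGIN pcre omits /sm, which is
# harmless here (no "^", "$" or "." in the pattern). Generic length checks: they also
# fire on long but legitimate credentials/SASL blobs.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP login buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; nocase; isdataat:100,relative; pcre:"/\sLOGIN\s[^\n]{100}/i"; metadata:ruleset community, service imap; reference:bugtraq,13727; reference:bugtraq,21110; reference:bugtraq,502; reference:cve,1999-0005; reference:cve,1999-1557; reference:cve,2004-1011; reference:cve,2005-1255; reference:cve,2006-5961; reference:cve,2007-1373; reference:cve,2007-2795; reference:cve,2007-3925; reference:nessus,10123; reference:nessus,10125; classtype:attempted-user; sid:1842; rev:33;)
# sid:1843 - trinity DDoS agent: the three bytes "!@#" opening a connection to TCP 33270.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 33270 (msg:"MALWARE-BACKDOOR trinity connection attempt"; flow:to_server,established; content:"!@|23|"; depth:3; metadata:ruleset community; reference:cve,2000-0138; reference:nessus,10501; classtype:attempted-admin; sid:1843; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP authenticate overflow attempt"; flow:established,to_server; content:"AUTHENTICATE"; nocase; isdataat:100,relative; pcre:"/\sAUTHENTICATE\s[^\n]{100}/smi"; metadata:ruleset community, service imap; reference:bugtraq,12995; reference:bugtraq,130; reference:cve,1999-0005; reference:cve,1999-0042; reference:nessus,10292; classtype:misc-attack; sid:1844; rev:18;)
# sid:1845 - IMAP literal size check: after "LIST ... {" the byte_test reads up to five
# ASCII decimal digits (relative to the pcre match) and fires when the announced literal
# length exceeds 256.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP list literal overflow attempt"; flow:established,to_server; content:"LIST"; fast_pattern:only; pcre:"/\sLIST\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1845; rev:24;)
# sid:1846 - policy: VNC's Java viewer applet fetched from the VNC HTTP ports.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5800:5802 (msg:"POLICY-MULTIMEDIA vncviewer Java applet download attempt"; flow:to_server,established; content:"/vncviewer.jar"; metadata:ruleset community; reference:nessus,10758; classtype:misc-activity; sid:1846; rev:7;)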
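# sid:1847-1852 - "access" rules: a single fast-pattern URI substring each. They are
# recon/inventory signals, not exploit detection. sid:1850's path was restored to
# "/way-board.cgi" (the hyphen was lost in the wrapped copy).
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webalizer access"; flow:to_server,established; content:"/webalizer/"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3473; reference:cve,2001-0835; reference:nessus,10816; classtype:web-application-activity; sid:1847; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webcart-lite access"; flow:to_server,established; content:"/webcart-lite/"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0610; reference:nessus,10298; classtype:web-application-activity; sid:1848; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webfind.exe access"; flow:to_server,established; content:"/webfind.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1487; reference:cve,2000-0622; reference:nessus,10475; classtype:web-application-activity; sid:1849; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP way-board.cgi access"; flow:to_server,established; content:"/way-board.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10610; classtype:web-application-activity; sid:1850; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP active.log access"; flow:to_server,established; content:"/active.log"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1497; reference:cve,2000-0642; reference:nessus,10470; classtype:web-application-activity; sid:1851; rev:14;)
# sid:1852 - every well-behaved crawler requests /robots.txt; enabling this produces
# pure noise unless you are specifically hunting for recon against an internal host.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP robots.txt access"; flow:to_server,established; content:"/robots.txt"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10302; classtype:web-application-activity; sid:1852; rev:11;)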
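# sid:1853 - WinTrinoo agent: fixed 14-byte opening of a UDP datagram to port 35555.
# alert udp $EXTERNAL_NET any -> $HOME_NET 35555 (msg:"MALWARE-BACKDOOR win-trin00 connection attempt"; flow:to_server; content:"png []..Ks l44"; depth:14; metadata:ruleset community; reference:cve,2000-0138; reference:nessus,10307; classtype:attempted-admin; sid:1853; rev:12;)
# sid:1854-1856 - Stacheldraht C2 over ICMP echo-reply (itype:0) with a fixed ICMP id
# and the malware's own command keyword. Bidirectional ("<>"), so a hit on either side
# of the handler/agent exchange points at a compromised host. The keywords are the
# malware's literal protocol strings (see Dittrich's analysis) and must stay verbatim.
# alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"PROTOCOL-ICMP Stacheldraht handler->agent niggahbitch"; icmp_id:9015; itype:0; content:"niggahbitch"; metadata:ruleset community; reference:cve,2000-0138; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1854; rev:13;)
# alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"PROTOCOL-ICMP Stacheldraht agent->handler skillz"; icmp_id:6666; itype:0; content:"skillz"; metadata:ruleset community; reference:cve,2000-0138; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1855; rev:13;)
# alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"PROTOCOL-ICMP Stacheldraht handler->agent ficken"; icmp_id:6667; itype:0; content:"ficken"; metadata:ruleset community; reference:cve,2000-0138; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1856; rev:13;)
# sid:1857 - misspelled "/robot.txt" variant of sid:1852; same noise caveat.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP robot.txt access"; flow:to_server,established; content:"/robot.txt"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10302; classtype:web-application-activity; sid:1857; rev:11;)
# sid:1858 - PIX Firewall Manager: the 8.3 short path "/pixfir~1/" in the URI (CVE-1999-0158).
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP CISCO PIX Firewall Manager directory traversal attempt"; flow:to_server,established; content:"/pixfir~1/how_to_login.html"; http_uri; metadata:ruleset community, service http; reference:bugtraq,691; reference:cve,1999-0158; reference:nessus,10819; classtype:misc-attack; sid:1858; rev:12;)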
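# sid:1859 - raw contents on TCP 9090 (no http modifiers): "/servlet/admin" plus a fixed
# 32-hex-digit token, presumably the hashed default credential (not verified here).
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"SERVER-WEBAPP Oracle JavaServer default password login attempt"; flow:to_server,established; content:"/servlet/admin"; content:"ae9f86d6beaa3f9ecb9a5b7e072a4138"; metadata:ruleset community; reference:nessus,10995; classtype:default-login-attempt; sid:1859; rev:12;)
# sid:1860/1861 - default-credential logins to a Linksys admin UI on 8080 (port 80
# instances are NOT covered). "OmFkbWlu" is base64(":admin") -- empty user, password
# "admin"; "YWRtaW46YWRtaW4" is base64("admin:admin"). 1860 matches in the header buffer
# (/H) and tolerates a folded header; 1861 uses (?-i) so the base64 token stays
# case-sensitive while the header name does not. Any hit = default creds still in use.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-WEBAPP Linksys router default password login attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; pcre:"/^Authorization\x3a(\s*|\s*\r?\n\s+)Basic\s+OmFkbWlu/smiH"; metadata:ruleset community, service http; reference:nessus,10999; classtype:default-login-attempt; sid:1860; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-WEBAPP Linksys router default username and password login attempt"; flow:to_server,established; content:"YWRtaW46YWRtaW4"; pcre:"/^Authorization\x3a\s*Basic\s+(?-i)YWRtaW46YWRtaW4[=\s]/smi"; metadata:ruleset community; reference:nessus,10999; classtype:default-login-attempt; sid:1861; rev:16;)
# sid:1862 - mrtg.cgi with "cfg=/../" (raw payload content) -> arbitrary config/file read.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mrtg.cgi directory traversal attempt"; flow:to_server,established; content:"/mrtg.cgi"; http_uri; content:"cfg=/../"; metadata:ruleset community, service http; reference:bugtraq,4017; reference:cve,2002-0232; reference:nessus,11001; classtype:web-application-attack; sid:1862; rev:14;)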
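# sid:1864 - FTP "SITE NEWER" (resource-exhaustion DoS, CVE-1999-0880); the pcre anchors
# the command at a line start.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE NEWER attempt"; flow:to_server,established; content:"SITE"; nocase; content:"NEWER"; distance:1; nocase; pcre:"/^SITE\s+NEWER/smi"; metadata:ruleset community, service ftp; reference:cve,1999-0880; reference:nessus,10319; classtype:attempted-dos; sid:1864; rev:13;)
# sid:1865 - "distloc=;" -- a shell metacharacter as the first byte of the parameter,
# i.e. command injection into webdist.cgi. "distloc=|3B|" is a raw-payload content.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webdist.cgi arbitrary command attempt"; flow:to_server,established; content:"/webdist.cgi"; nocase; http_uri; content:"distloc=|3B|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,374; reference:cve,1999-0039; reference:nessus,10299; classtype:web-application-attack; sid:1865; rev:12;)
# sid:1866 - POP3 USER with 50+ non-newline bytes; generic length check covering many
# server bugs. Reference URL restored to ".../mail-lists/..." (hyphen lost at a wrap).
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP USER overflow attempt"; flow:to_server,established; content:"USER"; isdataat:50,relative; pcre:"/^USER\s[^\n]{50}/smi"; metadata:ruleset community, service pop3; reference:bugtraq,11256; reference:bugtraq,19651; reference:bugtraq,789; reference:cve,1999-0494; reference:cve,2002-1781; reference:cve,2006-2502; reference:cve,2006-4364; reference:nessus,10311; reference:url,www.delegate.org/mail-lists/delegate-en/1475; classtype:attempted-admin; sid:1866; rev:24;)
# sid:1867 - XDMCP (UDP 177) recon: the 7-byte prefix looks like version 1, opcode 2
# (QUERY), length 1, zero authentication names. msg has no category prefix upstream --
# left as-is since changing msg changes the alert text.
# alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"X11 xdmcp info query"; flow:to_server; content:"|00 01 00 02 00 01 00|"; fast_pattern:only; metadata:ruleset community; reference:nessus,10891; classtype:attempted-recon; sid:1867; rev:6;)
# sid:1868/1869 - story.pl "next=../" traversal and plain access, both on 8080 only.
# classtype "default-login-attempt" is an upstream misclassification for a file-read
# bug; kept verbatim so alert priority does not silently change, but consider
# web-application-attack / -activity in a local copy.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-WEBAPP Interactive Story story.pl arbitrary file read attempt"; flow:to_server,established; content:"/story.pl"; http_uri; content:"next=../"; metadata:ruleset community, service http; reference:bugtraq,3028; reference:cve,2001-0804; reference:nessus,10817; classtype:default-login-attempt; sid:1868; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-WEBAPP Interactive Story story.pl access"; flow:to_server,established; content:"/story.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3028; reference:cve,2001-0804; reference:nessus,10817; classtype:default-login-attempt; sid:1869; rev:13;)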
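# sid:1870-1878, 1880 - "access" rules: one URI substring each, recon/inventory value
# only. 1877 (printenv) and 1871/1873 (Oracle config files) are worth keeping: a 200
# response to these discloses environment or configuration data.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP siteUserMod.cgi access"; flow:to_server,established; content:"/.cobalt/siteUserMod/siteUserMod.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,951; reference:cve,2000-0117; reference:nessus,10253; classtype:web-application-activity; sid:1870; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle XSQLConfig.xml access"; flow:to_server,established; content:"/XSQLConfig.xml"; http_uri; metadata:ruleset community, service http; reference:bugtraq,4290; reference:cve,2002-0568; reference:nessus,10855; classtype:web-application-activity; sid:1871; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Dynamic Monitoring Services dms access"; flow:to_server,established; content:"/dms0"; http_uri; metadata:ruleset community, service http; reference:nessus,10848; classtype:web-application-activity; sid:1872; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP globals.jsa access"; flow:to_server,established; content:"/globals.jsa"; http_uri; metadata:ruleset community, service http; reference:bugtraq,4034; reference:cve,2002-0562; reference:nessus,10850; classtype:web-application-activity; sid:1873; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Java Process Manager access"; flow:to_server,established; content:"/oprocmgr-status"; http_uri; metadata:ruleset community, service http; reference:nessus,10851; classtype:web-application-activity; sid:1874; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cgicso access"; flow:to_server,established; content:"/cgicso"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6141; reference:cve,2002-1652; reference:nessus,10779; reference:nessus,10780; classtype:web-application-activity; sid:1875; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP nph-publish.cgi access"; flow:to_server,established; content:"/nph-publish.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1177; reference:nessus,10164; classtype:web-application-activity; sid:1876; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP printenv access"; flow:to_server,established; content:"/printenv"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1658; reference:cve,2000-0868; reference:nessus,10188; reference:nessus,10503; classtype:web-application-activity; sid:1877; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sdbsearch.cgi access"; flow:to_server,established; content:"/sdbsearch.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1658; reference:cve,2000-0868; reference:nessus,10503; classtype:web-application-activity; sid:1878; rev:13;)
# sid:1879 - "current=|" : a pipe leading the parameter value, i.e. a command injected
# through a Perl open() (per the referenced advisory). Raw-payload content.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP book.cgi arbitrary command execution attempt"; flow:to_server,established; content:"/book.cgi"; fast_pattern:only; http_uri; content:"current=|7C|"; nocase; metadata:ruleset community, service http; reference:bugtraq,3178; reference:cve,2001-1114; reference:nessus,10721; classtype:web-application-attack; sid:1879; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP oracle web application server access"; flow:to_server,established; content:"/ows-bin/"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1053; reference:cve,2000-0169; reference:nessus,10348; classtype:web-application-activity; sid:1880; rev:12;)
# sid:1881 - the segment must START (depth:18) with "GET / HTTP/1.1\r\n\r\n": a 1.1
# request with no headers at all, not even the mandatory Host, which is how the
# referenced worm scanner probes. Real browsers never send this.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bad HTTP/1.1 request, Potentially worm attack"; flow:to_server,established; content:"GET / HTTP/1.1|0D 0A 0D 0A|"; depth:18; metadata:ruleset community, service http; reference:url,securityresponse.symantec.com/avcenter/security/Content/2002.09.13.html; classtype:web-application-activity; sid:1881; rev:12;)
# sid:1882 - protocol "ip" with no flow option: inspects every outbound packet from
# $HOME_NET, any transport. The regex is the id(1) output shape "uid=N(name) gid=N", i.e.
# a shell on an internal host echoing its identity outwards -- a high-value
# post-exploitation indicator. It will also fire on legitimate outbound text that
# happens to embed such a string (log shipping, mail), so triage by destination.
# alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE id check returned userid"; content:"uid="; nocase; content:" gid="; distance:0; pcre:"/uid=\d{1,5}\S+\s+gid=\d{1,5}/smi"; metadata:ruleset community; classtype:bad-unknown; sid:1882; rev:19;)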
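# sid:1887 - "TERM=xterm" in cleartext to port 443: only visible when the OpenSSL bug
# (CA-2002-27) has already yielded a plaintext shell on the TLS port. Once a real TLS
# session is up the payload is ciphertext and this cannot match, so a hit is significant.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER OpenSSL Worm traffic"; flow:to_server,established; content:"TERM=xterm"; fast_pattern:only; metadata:ruleset community, service ssl; reference:url,www.cert.org/advisories/CA-2002-27.html; classtype:web-application-attack; sid:1887; rev:9;)
# sid:1888 - FTP "SITE CPWD" followed by 100+ non-newline bytes (isdataat-gated pcre).
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE CPWD overflow attempt"; flow:established,to_server; content:"SITE"; nocase; content:"CPWD"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+CPWD\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,5427; reference:cve,2002-0826; classtype:misc-attack; sid:1888; rev:14;)
# sid:1889 - Slapper peer-to-peer control traffic: UDP 2002 -> 2002, fixed 10-byte prefix.
# Both ports are pinned, so a hit also tells you the source is likely an infected peer.
# alert udp $EXTERNAL_NET 2002 -> $HOME_NET 2002 (msg:"MALWARE-CNC slapper worm admin traffic"; content:"|00 00|E|00 00|E|00 00|@|00|"; depth:10; metadata:ruleset community; reference:url,isc.incidents.org/analysis.html?id=167; reference:url,www.cert.org/advisories/CA-2002-27.html; classtype:trojan-activity; sid:1889; rev:10;)
# sid:1890/1891 - rpc.statd format string (CVE-2000-0666), decoded from the RPC call
# header: program 0x000186B8 (100024 = status) at offset 12 (UDP) / 16 (TCP, after the
# 4-byte record mark), procedure 2 four bytes later, message type CALL (00 00 00 00) at
# offset 4 / 8. The two byte_jumps skip the variable-length credential and verifier, and
# "%x %x" must then appear within 256 bytes -- the format specifiers in the mon_name.
# alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"PROTOCOL-RPC status GHBN format string attack"; flow:to_server; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x"; within:256; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,1480; reference:cve,2000-0666; reference:nessus,10544; classtype:misc-attack; sid:1890; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"PROTOCOL-RPC status GHBN format string attack"; flow:to_server,established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x"; within:256; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,1480; reference:cve,2000-0666; reference:nessus,10544; classtype:misc-attack; sid:1891; rev:17;)
# sid:1892 - BER: "04 01 00" is an OCTET STRING of length 1 holding a NUL byte, searched
# in bytes 5..20 of the datagram -- a NUL community string.
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP null community string attempt"; content:"|04 01 00|"; depth:15; offset:5; metadata:ruleset community, service snmp; reference:bugtraq,2112; reference:bugtraq,8974; reference:cve,1999-0517; classtype:misc-attack; sid:1892; rev:13;)
# sid:1893 - BER: "0" (0x30) SEQUENCE, then the pcre accepts short, 0x82 two-byte or 0x84
# four-byte lengths, an INTEGER (0x02) version of length 1, and a zero-length OCTET
# STRING (04 00) -- an empty community string. Both 1892/1893 are recon, not exploits.
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP missing community string attempt"; content:"0"; depth:1; content:"|02|"; within:6; content:"|04 00|"; within:8; pcre:"/^\x30(\x84....|\x82..|[^\x80-\xFF])\x02(\x84\x00\x00\x00\x01.|\x82\x00\x01.|\x01.)\x04\x00/"; metadata:ruleset community, service snmp; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:1893; rev:12;)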
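# sid:1894-1901 - Kerberos kadmind overflow (CVE-2002-1226/1235), each signature
# duplicated for ports 749 and 751.
#  - 1894/1895: "00 C0 05 08" repeated four times reads as the little-endian address
#    0x0805c000 repeated -- presumably the return-address sled of the public exploit.
#  - 1896/1897: a fixed kadmind v4 request header ("FF FF KADM0.0A 00 00 FB 03"); the
#    meaning of the trailing bytes is not established by the rule itself.
#  - 1898/1899: "/shh//bi" is the raw byte stream of two x86 push-immediate instructions
#    (opcode 0x68 shows up as "h") that build the string "//bin/sh" on the stack.
#  - 1900/1901: "*GOBBLE*" coming back FROM our server = the exploit succeeded
#    (successful-admin); treat as an incident.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"INDICATOR-SHELLCODE kadmind buffer overflow attempt"; flow:to_server,established; content:"|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:nessus,15015; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1894; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"INDICATOR-SHELLCODE kadmind buffer overflow attempt"; flow:to_server,established; content:"|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1895; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"INDICATOR-SHELLCODE kadmind buffer overflow attempt"; flow:to_server,established; content:"|FF FF|KADM0.0A|00 00 FB 03|"; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1896; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"INDICATOR-SHELLCODE kadmind buffer overflow attempt"; flow:to_server,established; content:"|FF FF|KADM0.0A|00 00 FB 03|"; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1897; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"INDICATOR-SHELLCODE kadmind buffer overflow attempt"; flow:to_server,established; content:"/shh//bi"; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1898; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"INDICATOR-SHELLCODE kadmind buffer overflow attempt"; flow:to_server,established; content:"/shh//bi"; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1899; rev:12;)
# alert tcp $HOME_NET 749 -> $EXTERNAL_NET any (msg:"SERVER-OTHER successful kadmind buffer overflow attempt"; flow:to_client,established; content:"*GOBBLE*"; depth:8; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:successful-admin; sid:1900; rev:15;)
# alert tcp $HOME_NET 751 -> $EXTERNAL_NET any (msg:"SERVER-OTHER successful kadmind buffer overflow attempt"; flow:to_client,established; content:"*GOBBLE*"; depth:8; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:successful-admin; sid:1901; rev:16;)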

# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP lsub


literal overflow attempt"; flow:to_server,established; content:"LSUB";
fast_pattern:only; pcre:"/\sLSUB\s[^\n]*?\s\{/smi";
byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community,
service imap; reference:bugtraq,1110; reference:cve,2000-0284;
reference:nessus,10374; classtype:misc-attack; sid:1902; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP rename
overflow attempt"; flow:established,to_server; content:"RENAME"; nocase;
isdataat:100,relative; pcre:"/\sRENAME\s[^\n]{100}/smi"; metadata:ruleset
community, service imap; reference:bugtraq,1110; reference:cve,2000-0284;
reference:nessus,10374; classtype:misc-attack; sid:1903; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP find
overflow attempt"; flow:established,to_server; content:"FIND"; nocase;
isdataat:100,relative; pcre:"/^\sFIND\s[^\n]{100}/smi"; metadata:ruleset
community, service imap; reference:bugtraq,1110; reference:cve,2000-0284;
reference:nessus,10374; classtype:misc-attack; sid:1904; rev:16;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"PROTOCOL-RPC AMD
UDP amqproc_mount plog overflow attempt"; flow:to_server; content:"|00 04
93 F3|"; depth:4; offset:12; content:"|00 00 00 07|"; within:4;
distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align;
byte_test:4,>,512,0,relative; content:"|00 00 00 00|"; depth:4; offset:4;
metadata:ruleset community; reference:bugtraq,614; reference:cve,1999-0704; classtype:misc-attack; sid:1905; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"PROTOCOL-RPC AMD
TCP amqproc_mount plog overflow attempt"; flow:to_server,established;
content:"|00 04 93 F3|"; depth:4; offset:16; content:"|00 00 00 07|";
within:4; distance:4; byte_jump:4,4,relative,align;
byte_jump:4,4,relative,align; byte_test:4,>,512,0,relative; content:"|00
00 00 00|"; depth:4; offset:8; metadata:ruleset community;
reference:bugtraq,614; reference:cve,1999-0704; classtype:misc-attack;
sid:1906; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC CMSD
UDP CMSD_CREATE buffer overflow attempt"; flow:to_server; content:"|00 01
86 E4|"; depth:4; offset:12; content:"|00 00 00 15|"; within:4;
distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align;
byte_test:4,>,1024,0,relative; content:"|00 00 00 00|"; depth:4;
offset:4; metadata:ruleset community, service sunrpc;
reference:bugtraq,36615; reference:bugtraq,524; reference:cve,1999-0696;
reference:cve,2009-3699; classtype:attempted-admin; sid:1907; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC CMSD
TCP CMSD_CREATE buffer overflow attempt"; flow:to_server,established;
content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 15|";
within:4; distance:4; byte_jump:4,4,relative,align;
byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; content:"|00
00 00 00|"; depth:4; offset:8; metadata:ruleset community;
reference:bugtraq,524; reference:cve,1999-0696; classtype:attempted-admin; sid:1908; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC CMSD
TCP CMSD_INSERT buffer overflow attempt"; flow:to_server,established;
content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 06|";
within:4; distance:4; byte_jump:4,4,relative,align;
byte_jump:4,4,relative,align; byte_jump:4,0,relative,align;
byte_test:4,>,1000,28,relative; content:"|00 00 00 00|"; depth:4;
offset:8; metadata:ruleset community; reference:bugtraq,524;

reference:cve,1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack; sid:1909; rev:17;)


# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC CMSD
udp CMSD_INSERT buffer overflow attempt"; flow:to_server; content:"|00 01
86 E4|"; depth:4; offset:12; content:"|00 00 00 06|"; within:4;
distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align;
byte_jump:4,0,relative,align; byte_test:4,>,1000,28,relative; content:"|
00 00 00 00|"; depth:4; offset:4; metadata:ruleset community;
reference:cve,1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack; sid:1910; rev:16;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC sadmind
UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; flow:to_server;
content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 01|";
within:4; distance:4; byte_jump:4,4,relative,align;
byte_jump:4,4,relative,align; byte_jump:4,124,relative,align;
byte_jump:4,20,relative,align; byte_test:4,>,512,4,relative; content:"|00
00 00 00|"; depth:4; offset:4; metadata:ruleset community;
reference:bugtraq,866; reference:cve,1999-0977; classtype:attempted-admin; sid:1911; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC sadmind
TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt";
flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16;
content:"|00 00 00 01|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align;
byte_jump:4,124,relative,align; byte_jump:4,20,relative,align;
byte_test:4,>,512,4,relative; content:"|00 00 00 00|"; depth:4; offset:8;
metadata:ruleset community; reference:bugtraq,0866;
reference:bugtraq,866; reference:cve,1999-0977; classtype:attempted-admin; sid:1912; rev:16;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC STATD
UDP stat mon_name format string exploit attempt"; flow:to_server;
content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 01|";
within:4; distance:4; byte_jump:4,4,relative,align;
byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00
00 00 00|"; depth:4; offset:4; metadata:ruleset community;
reference:bugtraq,1480; reference:cve,2000-0666; reference:nessus,10544;
classtype:attempted-admin; sid:1913; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC STATD
TCP stat mon_name format string exploit attempt";
flow:to_server,established; content:"|00 01 86 B8|"; depth:4; offset:16;
content:"|00 00 00 01|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align;
byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:8;
metadata:ruleset community; reference:bugtraq,1480; reference:cve,2000-0666; reference:nessus,10544; classtype:attempted-admin; sid:1914;
rev:18;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC STATD
UDP monitor mon_name format string exploit attempt"; flow:to_server;
content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 02|";
within:4; distance:4; byte_jump:4,4,relative,align;
byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00
00 00 00|"; depth:4; offset:4; metadata:ruleset community;
reference:bugtraq,1480; reference:cve,2000-0666; reference:nessus,10544;
classtype:attempted-admin; sid:1915; rev:18;)

# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC STATD


TCP monitor mon_name format string exploit attempt";
flow:to_server,established; content:"|00 01 86 B8|"; depth:4; offset:16;
content:"|00 00 00 02|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align;
byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:8;
metadata:ruleset community; reference:bugtraq,1480; reference:cve,2000-0666; reference:nessus,10544; classtype:attempted-admin; sid:1916;
rev:17;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"INDICATOR-SCAN UPnP
service discover attempt"; flow:to_server; content:"M-SEARCH "; depth:9;
content:"ssdp|3A|discover"; fast_pattern:only; metadata:ruleset
community; classtype:network-scan; sid:1917; rev:14;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP
SolarWinds IP scan attempt"; icode:0; itype:8; content:"SolarWinds.Net";
fast_pattern:only; metadata:ruleset community; classtype:network-scan;
sid:1918; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP CWD
overflow attempt"; flow:to_server,established; content:"CWD"; nocase;
isdataat:180,relative; pcre:"/^CWD(?!\n)\s[^\n]{180}/smi";
metadata:ruleset community, service ftp; reference:bugtraq,11069;
reference:bugtraq,1227; reference:bugtraq,1690; reference:bugtraq,6869;
reference:bugtraq,7251; reference:bugtraq,7950; reference:cve,1999-0219;
reference:cve,1999-1058; reference:cve,1999-1510; reference:cve,2000-1035; reference:cve,2000-1194; reference:cve,2001-0781;
reference:cve,2002-0126; reference:cve,2002-0405; classtype:attempted-admin; sid:1919; rev:31;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE
NEWER overflow attempt"; flow:to_server,established; content:"SITE";
nocase; content:"NEWER"; distance:0; nocase; isdataat:100,relative;
pcre:"/^SITE\s+NEWER\s[^\n]{100}/smi"; metadata:ruleset community,
service ftp; reference:bugtraq,229; reference:cve,1999-0800;
classtype:attempted-admin; sid:1920; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE
ZIPCHK overflow attempt"; flow:to_server,established; content:"SITE";
nocase; content:"ZIPCHK"; distance:1; nocase; isdataat:100,relative;
pcre:"/^SITE\s+ZIPCHK\s[^\n]{100}/smi"; metadata:ruleset community,
service ftp; reference:cve,2000-0040; classtype:attempted-admin;
sid:1921; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
proxy attempt TCP"; flow:to_server,established; content:"|00 01 86 A0|";
depth:4; offset:16; content:"|00 00 00 05|"; within:4; distance:4;
content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community,
service sunrpc; classtype:rpc-portmap-decode; sid:1922; rev:12;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
proxy attempt UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4;
offset:12; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00
00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc;
classtype:rpc-portmap-decode; sid:1923; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd
UDP export request"; flow:to_server; content:"|00 01 86 A5|"; depth:4;
offset:12; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00
00 00|"; depth:4; offset:4; metadata:ruleset community;
classtype:attempted-recon; sid:1924; rev:13;)

# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd


TCP exportall request"; flow:to_server,established; content:"|00 01 86
A5|"; depth:4; offset:16; content:"|00 00 00 06|"; within:4; distance:4;
content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community;
classtype:attempted-recon; sid:1925; rev:12;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd
UDP exportall request"; flow:to_server; content:"|00 01 86 A5|"; depth:4;
offset:12; content:"|00 00 00 06|"; within:4; distance:4; content:"|00 00
00 00|"; depth:4; offset:4; metadata:ruleset community;
classtype:attempted-recon; sid:1926; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP
authorized_keys"; flow:to_server,established; content:"authorized_keys";
fast_pattern:only; metadata:ruleset community, service ftp;
classtype:suspicious-filename-detect; sid:1927; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP shadow
retrieval attempt"; flow:to_server,established; content:"RETR"; nocase;
content:"shadow"; pcre:"/^RETR[^\n]*shadow$/smi"; metadata:ruleset
community, service ftp; classtype:suspicious-filename-detect; sid:1928;
rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP auth
literal overflow attempt"; flow:established,to_server; content:"AUTH";
fast_pattern:only; pcre:"/({(?=\d+}[^\n]*?\sAUTH)|AUTH\s[^\n]*?{(?
=\d+}))/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:ruleset
community, service imap; reference:bugtraq,21724; reference:cve,1999-0005; reference:cve,2006-6424; classtype:misc-attack; sid:1930; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rpc-nlog.pl access"; flow:to_server,established; content:"/rpc-nlog.pl"; fast_pattern:only; http_uri; metadata:ruleset community,
service http; reference:cve,1999-1278;
reference:url,marc.theaimsgroup.com/?l=bugtraq&m=91470326629357&w=2;
reference:url,marc.theaimsgroup.com/?l=bugtraq&m=91471400632145&w=2;
classtype:web-application-activity; sid:1931; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rpc-smb.pl access"; flow:to_server,established; content:"/rpc-smb.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service
http; reference:cve,1999-1278; classtype:web-application-activity;
sid:1932; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cart.cgi access"; flow:to_server,established; content:"/cart.cgi";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,1115; reference:cve,2000-0252; reference:nessus,10368;
classtype:web-application-activity; sid:1933; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP AUTH
overflow attempt"; flow:to_server,established; content:"AUTH"; nocase;
isdataat:50,relative; pcre:"/^AUTH\s[^\n]{50}/smi"; metadata:ruleset
community, service pop3; reference:bugtraq,830; reference:cve,1999-0822;
reference:nessus,10184; classtype:attempted-admin; sid:1936; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP LIST
overflow attempt"; flow:to_server,established; content:"LIST"; nocase;
isdataat:10,relative; pcre:"/^LIST\s[^\n]{10}/smi"; metadata:ruleset
community, service pop3; reference:bugtraq,948; reference:cve,2000-0096;
reference:nessus,10197; classtype:attempted-admin; sid:1937; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP XTND
overflow attempt"; flow:to_server,established; content:"XTND"; nocase;

isdataat:50,relative; pcre:"/^XTND\s[^\n]{50}/smi"; metadata:ruleset


community, service pop3; classtype:attempted-admin; sid:1938; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"SERVER-OTHER bootp
hardware address length overflow"; flow:to_server; content:"|01|";
depth:1; byte_test:1,>,6,2; metadata:ruleset community;
reference:cve,1999-0798; classtype:misc-activity; sid:1939; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"SERVER-OTHER bootp
invalid hardware type"; flow:to_server; content:"|01|"; depth:1;
byte_test:1,>,7,1; metadata:ruleset community; reference:cve,1999-0798;
classtype:misc-activity; sid:1940; rev:8;)
# alert udp any any -> any 69 (msg:"PROTOCOL-TFTP GET filename overflow
attempt"; flow:to_server; content:"|00 01|"; depth:2;
isdataat:100,relative; content:!"|00|"; within:100; metadata:ruleset
community, service tftp; reference:bugtraq,20131;
reference:bugtraq,22923; reference:bugtraq,36121; reference:bugtraq,5328;
reference:cve,2002-0813; reference:cve,2006-4948; reference:cve,2007-1435; reference:cve,2009-2957; reference:cve,2009-2958;
reference:nessus,18264; classtype:attempted-admin; sid:1941; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP RMDIR
overflow attempt"; flow:to_server,established; content:"RMDIR"; nocase;
isdataat:100,relative; pcre:"/^RMDIR(?!\n)\s[^\n]{100}/smi";
metadata:ruleset community, service ftp; reference:bugtraq,819;
classtype:attempted-admin; sid:1942; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /Carello/add.exe access"; flow:to_server,established;
content:"/Carello/add.exe"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,1245; reference:cve,2000-0396;
reference:nessus,11776; classtype:web-application-activity; sid:1943;
rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /ecscripts/ecware.exe access"; flow:to_server,established;
content:"/ecscripts/ecware.exe"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:bugtraq,6066;
classtype:web-application-activity; sid:1944; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"SERVER-WEBAPP
answerbook2 admin attempt"; flow:to_server,established; content:"/cgi-bin/admin/admin"; metadata:ruleset community; reference:bugtraq,5383;
reference:cve,2000-0696; classtype:web-application-activity; sid:1946;
rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"SERVER-WEBAPP
answerbook2 arbitrary command execution attempt";
flow:to_server,established; content:"/ab2/"; content:"|3B|"; distance:1;
metadata:ruleset community; reference:bugtraq,1556; reference:cve,2000-0697; classtype:web-application-attack; sid:1947; rev:14;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS dns zone
transfer via UDP detected"; flow:to_server; content:"|00 01 00 00 00 00
00|"; depth:8; offset:4; byte_test:1,!&,0xF8,2; content:"|00 00 FC 00
01|"; fast_pattern; isdataat:!1,relative; metadata:ruleset community,
service dns; reference:cve,1999-0532; reference:nessus,10595;
classtype:attempted-recon; sid:1948; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
SET attempt TCP 111"; flow:to_server,established; content:"|00 01 86
A0|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4;

content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community,


service sunrpc; classtype:rpc-portmap-decode; sid:1949; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
SET attempt UDP 111"; flow:to_server; content:"|00 01 86 A0|"; depth:4;
offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00
00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc;
classtype:rpc-portmap-decode; sid:1950; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd
TCP mount request"; flow:to_server,established; content:"|00 01 86 A5|";
depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4;
content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community;
reference:cve,1999-0210; classtype:attempted-recon; sid:1951; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd
UDP mount request"; flow:to_server; content:"|00 01 86 A5|"; depth:4;
offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00
00 00|"; depth:4; offset:4; metadata:ruleset community;
classtype:attempted-recon; sid:1952; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"PROTOCOL-RPC AMD
TCP pid request"; flow:to_server,established; content:"|00 04 93 F3|";
depth:4; offset:16; content:"|00 00 00 09|"; within:4; distance:4;
content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community;
classtype:rpc-portmap-decode; sid:1953; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"PROTOCOL-RPC AMD
UDP pid request"; flow:to_server; content:"|00 04 93 F3|"; depth:4;
offset:12; content:"|00 00 00 09|"; within:4; distance:4; content:"|00 00
00 00|"; depth:4; offset:4; metadata:ruleset community; classtype:rpc-portmap-decode; sid:1954; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"PROTOCOL-RPC AMD
TCP version request"; flow:to_server,established; content:"|00 04 93
F3|"; depth:4; offset:16; content:"|00 00 00 08|"; within:4; distance:4;
content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community;
classtype:rpc-portmap-decode; sid:1955; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"PROTOCOL-RPC AMD
UDP version request"; flow:to_server; content:"|00 04 93 F3|"; depth:4;
offset:12; content:"|00 00 00 08|"; within:4; distance:4; content:"|00 00
00 00|"; depth:4; offset:4; metadata:ruleset community;
reference:bugtraq,1554; reference:cve,2000-0696; classtype:rpc-portmap-decode; sid:1956; rev:14;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC sadmind
UDP PING"; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00
00 00|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4;
offset:4; metadata:ruleset community; reference:bugtraq,866;
reference:cve,1999-0977; reference:nessus,10229; classtype:protocol-command-decode; sid:1957; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC sadmind
TCP PING"; flow:to_server,established; content:"|00 01 87 88|"; depth:4;
offset:16; content:"|00 00 00 00|"; within:4; distance:4; content:"|00 00
00 00|"; depth:4; offset:8; metadata:ruleset community;
reference:bugtraq,866; reference:cve,1999-0977; reference:nessus,10229;
classtype:protocol-command-decode; sid:1958; rev:15;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
NFS request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|
00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align;
byte_jump:4,4,relative,align; content:"|00 01 86 A3|"; within:4;

content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community,


service sunrpc; classtype:rpc-portmap-decode; sid:1959; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
NFS request TCP"; flow:to_server,established; content:"|00 01 86 A0|";
depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
01 86 A3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8;
metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode;
sid:1960; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
RQUOTA request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12;
content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
01 86 AB|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4;
metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode;
sid:1961; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
RQUOTA request TCP"; flow:to_server,established; content:"|00 01 86 A0|";
depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
01 86 AB|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8;
metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode;
sid:1962; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC RQUOTA
getquota overflow attempt UDP"; content:"|00 01 86 AB|"; depth:4;
offset:12; content:"|00 00 00 01|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align;
byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:4;
metadata:ruleset community; reference:bugtraq,864; reference:cve,1999-0974; classtype:misc-attack; sid:1963; rev:14;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC
tooltalk UDP overflow attempt"; flow:to_server; content:"|00 01 86 F3|";
depth:4; offset:12; content:"|00 00 00 07|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align;
byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:4;
metadata:ruleset community; reference:bugtraq,122; reference:cve,1999-0003; classtype:attempted-admin; sid:1964; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC
tooltalk TCP overflow attempt"; flow:to_server,established; content:"|00
01 86 F3|"; depth:4; offset:16; content:"|00 00 00 07|"; within:4;
distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align;
byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:8;
metadata:ruleset community; reference:bugtraq,122; reference:cve,1999-0003; reference:cve,2001-0717; classtype:attempted-admin; sid:1965;
rev:17;)
# alert udp $EXTERNAL_NET any -> 255.255.255.255 27155 (msg:"SERVER-OTHER
GlobalSunTech Access Point Information Disclosure attempt";
flow:to_server; content:"gstsearch"; fast_pattern:only; metadata:ruleset
community; reference:bugtraq,6100; reference:cve,2002-2137;
classtype:misc-activity; sid:1966; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP phpbb quick-reply.php arbitrary command attempt";
flow:to_server,established; content:"/quick-reply.php"; http_uri;
content:"phpbb_root_path="; metadata:ruleset community, service http;

reference:bugtraq,6173; reference:cve,2002-2287; classtype:web-application-attack; sid:1967; rev:11;)


# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP phpbb quick-reply.php access"; flow:to_server,established;
content:"/quick-reply.php"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,6173; reference:cve,2002-2287;
classtype:web-application-activity; sid:1968; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ion-p access"; flow:to_server,established; content:"/ion-p";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,6091; reference:cve,2002-1559; reference:nessus,11729;
classtype:web-application-activity; sid:1969; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS MDAC Content-Type overflow attempt"; flow:to_server,established;
content:"/msadcs.dll"; nocase; http_uri; content:"Content-Type|3A|";
nocase; isdataat:50,relative; content:!"|0A|"; within:50;
pcre:"/^POST\s/smi"; metadata:ruleset community, service http;
reference:bugtraq,6214; reference:cve,2002-1142; reference:nessus,11161;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-065;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS98-004;
reference:url,www.foundstone.com/knowledge/randd-advisories-display.html?
id=337; classtype:web-application-attack; sid:1970; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE
EXEC format string attempt"; flow:to_server,established; content:"SITE";
nocase; content:"EXEC"; distance:0; nocase; pcre:"/^SITE\s+EXEC\s[^\n]*?%
[^\n]*?%/smi"; metadata:ruleset community, service ftp;
reference:bugtraq,1387; reference:bugtraq,1505; reference:cve,2000-0573;
classtype:bad-unknown; sid:1971; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP PASS
overflow attempt"; flow:to_server,established; content:"PASS"; nocase;
isdataat:100,relative; pcre:"/^PASS(?!\n)\s[^\n]{100}/smi";
metadata:ruleset community, service ftp; reference:bugtraq,10078;
reference:bugtraq,10720; reference:bugtraq,15457; reference:bugtraq,1690;
reference:bugtraq,22045; reference:bugtraq,3884; reference:bugtraq,45957;
reference:bugtraq,8601; reference:bugtraq,9285; reference:cve,1999-1519;
reference:cve,1999-1539; reference:cve,2000-1035; reference:cve,2002-0126; reference:cve,2002-0895; reference:cve,2005-3683;
reference:cve,2006-6576; classtype:attempted-admin; sid:1972; rev:31;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP MKD
overflow attempt"; flow:to_server,established; content:"MKD"; nocase;
isdataat:150,relative; pcre:"/^MKD(?!\n)\s[^\n]{150}/smi";
metadata:ruleset community, service ftp; reference:bugtraq,11772;
reference:bugtraq,15457; reference:bugtraq,39041; reference:bugtraq,612;
reference:bugtraq,7278; reference:bugtraq,9872; reference:cve,1999-0911;
reference:cve,2004-1135; reference:cve,2005-3683; reference:cve,2009-3023; reference:cve,2010-0625; reference:nessus,12108;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-053;
reference:url,www.kb.cert.org/vuls/id/276653; classtype:attempted-admin;
sid:1973; rev:30;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP REST
overflow attempt"; flow:to_server,established; content:"REST"; nocase;
isdataat:100,relative; pcre:"/^REST(?!\n)\s[^\n]{100}/smi";
metadata:ruleset community, service ftp; reference:bugtraq,2972;

reference:cve,2001-0826; reference:nessus,11755; classtype:attempted-admin; sid:1974; rev:15;)


# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP DELE
overflow attempt"; flow:to_server,established; content:"DELE"; nocase;
isdataat:100,relative; pcre:"/^DELE(?!\n)\s[^\n]{100}/mi";
metadata:policy security-ips drop, ruleset community, service ftp;
reference:bugtraq,15457; reference:bugtraq,2972; reference:bugtraq,46922;
reference:cve,2001-0826; reference:cve,2001-1021; reference:cve,2005-3683; reference:cve,2010-4228; reference:nessus,11755;
classtype:attempted-admin; sid:1975; rev:25;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP RMD
overflow attempt"; flow:to_server,established; content:"RMD"; nocase;
isdataat:100,relative; pcre:"/^RMD(?!\n)\s[^\n]{100}/smi";
metadata:ruleset community, service ftp; reference:bugtraq,15457;
reference:bugtraq,2972; reference:bugtraq,39041; reference:cve,2000-0133;
reference:cve,2001-0826; reference:cve,2001-1021; reference:cve,2005-3683; reference:cve,2010-0625; classtype:attempted-admin; sid:1976;
rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP xp_regwrite attempt"; flow:to_server,established;
content:"xp_regwrite"; fast_pattern:only; metadata:ruleset community,
service http; classtype:web-application-activity; sid:1977; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP xp_regdeletekey attempt"; flow:to_server,established;
content:"xp_regdeletekey"; fast_pattern:only; metadata:ruleset community,
service http; classtype:web-application-activity; sid:1978; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP perl post attempt"; flow:to_server,established; content:"POST";
depth:4; content:"/perl/"; http_uri; metadata:ruleset community, service
http; reference:bugtraq,5520; reference:cve,2002-1436;
reference:nessus,11158; classtype:web-application-attack; sid:1979;
rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 2140 (msg:"MALWARE-BACKDOOR
DeepThroat 3.1 Connection"; flow:to_server; content:"00"; depth:2;
metadata:ruleset community; reference:mcafee,98574;
reference:nessus,10053; classtype:trojan-activity; sid:1980; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 3150 (msg:"MALWARE-BACKDOOR
DeepThroat 3.1 Connection attempt on port 3150"; flow:to_server;
content:"00"; depth:2; metadata:ruleset community;
reference:mcafee,98574; reference:nessus,10053; classtype:trojan-activity; sid:1981; rev:11;)
# alert udp $HOME_NET 3150 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR
DeepThroat 3.1 Server Response on port 3150"; flow:to_client;
content:"Ahhhh My Mouth Is Open"; metadata:ruleset community;
reference:mcafee,98574; reference:nessus,10053; classtype:trojan-activity; sid:1982; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 4120 (msg:"MALWARE-BACKDOOR
DeepThroat 3.1 Connection attempt on port 4120"; flow:to_server;
content:"00"; depth:2; metadata:ruleset community;
reference:mcafee,98574; reference:nessus,10053; classtype:trojan-activity; sid:1983; rev:10;)
# alert udp $HOME_NET 4120 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR
DeepThroat 3.1 Server Response on port 4120"; flow:to_client;
content:"Ahhhh My Mouth Is Open"; metadata:ruleset community;

reference:mcafee,98574; reference:nessus,10053; classtype:trojan-activity; sid:1984; rev:11;)


# alert tcp $HOME_NET 1015 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR
Doly 1.5 server response"; flow:to_client,established;
content:"Connected."; metadata:ruleset community; classtype:trojan-activity; sid:1985; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"POLICY-SOCIAL
Microsoft MSN outbound file transfer request"; flow:established;
content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; nocase; content:"INVITE"; distance:0; nocase;
metadata:ruleset community; classtype:policy-violation; sid:1986;
rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7100 (msg:"SERVER-OTHER xfs
overflow attempt"; flow:to_server,established; isdataat:512; content:"B|
00 02|"; depth:3; metadata:ruleset community; reference:bugtraq,6241;
reference:cve,2002-1317; reference:nessus,11188; classtype:misc-activity;
sid:1987; rev:11;)
# alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"POLICY-SOCIAL
Microsoft MSN outbound file transfer accept"; flow:established;
content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; distance:0; nocase; content:"MSNSLP/1.0 200 OK"; distance:0;
nocase; metadata:ruleset community; classtype:policy-violation; sid:1988;
rev:11;)
# alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"POLICY-SOCIAL
Microsoft MSN outbound file transfer rejected"; flow:established;
content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; distance:0; nocase; content:"MSNSLP/1.0 603 Decline";
distance:0; nocase; metadata:ruleset community; classtype:policy-violation; sid:1989; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"POLICY-SOCIAL
Microsoft MSN user search"; flow:to_server,established; content:"CAL ";
depth:4; nocase; metadata:ruleset community; classtype:policy-violation;
sid:1990; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"POLICY-SOCIAL
Microsoft MSN login attempt"; flow:to_server,established; content:"USR ";
depth:4; nocase; content:" TWN "; distance:1; nocase; metadata:ruleset
community; classtype:policy-violation; sid:1991; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP LIST
directory traversal attempt"; flow:to_server,established; content:"LIST";
nocase; content:".."; distance:1; content:".."; distance:1;
metadata:ruleset community, service ftp; reference:bugtraq,2618;
reference:cve,2001-0680; reference:cve,2002-1054; reference:nessus,11112;
classtype:protocol-command-decode; sid:1992; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP login
literal buffer overflow attempt"; flow:established,to_server;
pcre:"/\sLOGIN\s[^\n]*?\{\s*(-|[3-9][0-9]{2}|2[6-9][0-9]|25[7-9]|[0-9]
{4})/smi"; content:"LOGIN"; fast_pattern:only; metadata:ruleset
community, service imap; reference:bugtraq,14718;
reference:bugtraq,21724; reference:bugtraq,23810; reference:bugtraq,6298;
reference:cve,2002-1580; reference:cve,2005-1758; reference:cve,2006-6424; reference:cve,2007-0221; reference:nessus,12532; classtype:misc-attack; sid:1993; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP vpasswd.cgi access"; flow:to_server,established;

content:"/vpasswd.cgi"; fast_pattern:only; http_uri; metadata:ruleset


community, service http; reference:bugtraq,6038; reference:nessus,11165;
classtype:web-application-activity; sid:1994; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP alya.cgi access"; flow:to_server,established; content:"/alya.cgi";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:nessus,11118; classtype:web-application-activity; sid:1995;
rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP viralator.cgi access"; flow:to_server,established;
content:"/viralator.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,3495; reference:cve,2001-0849;
reference:nessus,11107; classtype:web-application-activity; sid:1996;
rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP read_body.php access attempt"; flow:to_server,established;
content:"/read_body.php"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,6302; reference:cve,2002-1341;
reference:nessus,11415; classtype:web-application-activity; sid:1997;
rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP calendar.php access"; flow:to_server,established;
content:"/calendar.php"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,5820; reference:bugtraq,9353;
reference:cve,2002-1660; reference:cve,2004-1785; reference:nessus,11179;
classtype:web-application-activity; sid:1998; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP edit_image.php access"; flow:to_server,established;
content:"/edit_image.php"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,3288; reference:cve,2001-1020;
reference:nessus,11104; classtype:web-application-activity; sid:1999;
rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP readmsg.php access"; flow:to_server,established;
content:"/readmsg.php"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:cve,2001-1408; reference:nessus,11073;
classtype:web-application-activity; sid:2000; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP smartsearch.cgi access"; flow:to_server,established;
content:"/smartsearch.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,7133; classtype:web-application-activity; sid:2001; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP remote include path attempt"; flow:to_server,established;
content:".php"; nocase; http_uri; content:"path="; fast_pattern:only;
http_uri; pcre:"/path=(https?|ftps?|php)/Ui"; metadata:ruleset community,
service http;
reference:url,en.wikipedia.org/wiki/File_inclusion_vulnerability;
reference:url,php.net/manual/en/function.include.php; classtype:web-application-attack; sid:2002; rev:17;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"SQL Worm
propagation attempt"; flow:to_server; content:"|04|"; depth:1; content:"|
81 F1 03 01 04 9B 81 F1 01|"; fast_pattern:only; content:"sock";
content:"send"; metadata:ruleset community; reference:bugtraq,5310;

reference:bugtraq,5311; reference:cve,2002-0649; reference:nessus,11214;


reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack;
sid:2003; rev:15;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"SQL Worm
propagation attempt OUTBOUND"; flow:to_server; content:"|04|"; depth:1;
content:"|81 F1 03 01 04 9B 81 F1|"; fast_pattern:only; content:"sock";
content:"send"; metadata:ruleset community; reference:bugtraq,5310;
reference:bugtraq,5311; reference:cve,2002-0649; reference:nessus,11214;
reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack;
sid:2004; rev:14;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
kcms_server request UDP"; flow:to_server; content:"|00 01 86 A0|";
depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
01 87|}"; within:4; content:"|00 00 00 00|"; depth:4; offset:4;
metadata:ruleset community, service sunrpc; reference:bugtraq,6665;
reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785;
classtype:rpc-portmap-decode; sid:2005; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
kcms_server request TCP"; flow:to_server,established; content:"|00 01 86
A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
01 87|}"; within:4; content:"|00 00 00 00|"; depth:4; offset:8;
metadata:ruleset community, service sunrpc; reference:bugtraq,6665;
reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785;
classtype:rpc-portmap-decode; sid:2006; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"PROTOCOL-RPC
kcms_server directory traversal attempt"; flow:to_server,established;
content:"|00 01 87|}"; depth:4; offset:16; byte_jump:4,20,relative,align;
byte_jump:4,4,relative,align; content:"/../"; distance:0; content:"|00 00
00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc;
reference:bugtraq,6665; reference:cve,2003-0027;
reference:url,www.kb.cert.org/vuls/id/850785; classtype:misc-attack;
sid:2007; rev:16;)
# alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE CVS invalid user authentication response";
flow:to_client,established; content:"E Fatal error, aborting.";
fast_pattern:only; content:"|3A| no such user"; metadata:ruleset
community; classtype:misc-attack; sid:2008; rev:9;)
# alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE CVS invalid repository response"; flow:to_client,established;
content:"error "; content:"|3A| no such repository"; content:"I HATE
YOU"; fast_pattern:only; metadata:ruleset community; classtype:misc-attack; sid:2009; rev:7;)
# alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE CVS double free exploit attempt response";
flow:to_client,established; content:"free|28 29 3A| warning|3A| chunk is
already free"; fast_pattern:only; metadata:ruleset community;
reference:bugtraq,6650; reference:cve,2003-0015; reference:nessus,11385;
classtype:misc-attack; sid:2010; rev:12;)
# alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE CVS invalid directory response"; flow:to_client,established;
content:"E protocol error|3A| invalid directory syntax in";
fast_pattern:only; metadata:ruleset community; reference:bugtraq,6650;

reference:cve,2003-0015; reference:nessus,11385; classtype:misc-attack;


sid:2011; rev:12;)
# alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE CVS missing cvsroot response"; flow:to_client,established;
content:"E protocol error|3A| Root request missing"; fast_pattern:only;
metadata:ruleset community; classtype:misc-attack; sid:2012; rev:7;)
# alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE CVS invalid module response"; flow:to_client,established;
content:"cvs server|3A| cannot find module"; fast_pattern:only;
content:"error"; metadata:ruleset community; classtype:misc-attack;
sid:2013; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
UNSET attempt TCP 111"; flow:to_server,established; content:"|00 01 86
A0|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4;
content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community,
service sunrpc; reference:bugtraq,1892; classtype:rpc-portmap-decode;
sid:2014; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
UNSET attempt UDP 111"; flow:to_server; content:"|00 01 86 A0|"; depth:4;
offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00
00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc;
reference:bugtraq,1892; reference:cve,2011-0321; classtype:rpc-portmap-decode; sid:2015; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
status request TCP"; flow:to_server,established; content:"|00 01 86 A0|";
depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
01 86 B8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8;
metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode;
sid:2016; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
espd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4;
offset:12; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
05 F7|u"; within:4; content:"|00 00 00 00|"; depth:4; offset:4;
metadata:ruleset community, service sunrpc; reference:bugtraq,2714;
reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:2017; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd
TCP dump request"; flow:to_server,established; content:"|00 01 86 A5|";
depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4;
content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community;
classtype:attempted-recon; sid:2018; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd
UDP dump request"; flow:to_server; content:"|00 01 86 A5|"; depth:4;
offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00
00 00|"; depth:4; offset:4; metadata:ruleset community;
classtype:attempted-recon; sid:2019; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd
TCP unmount request"; flow:to_server,established; content:"|00 01 86
A5|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4;
content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community;
classtype:attempted-recon; sid:2020; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd
UDP unmount request"; flow:to_server; content:"|00 01 86 A5|"; depth:4;

offset:12; content:"|00 00 00 03|"; within:4; distance:4; content:"|00 00


00 00|"; depth:4; offset:4; metadata:ruleset community;
classtype:attempted-recon; sid:2021; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd
TCP unmountall request"; flow:to_server,established; content:"|00 01 86
A5|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4;
content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community;
classtype:attempted-recon; sid:2022; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd
UDP unmountall request"; flow:to_server; content:"|00 01 86 A5|";
depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4;
content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community;
classtype:attempted-recon; sid:2023; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC RQUOTA
getquota overflow attempt TCP"; flow:to_server,established; content:"|00
01 86 AB|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4;
distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align;
byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:8;
metadata:ruleset community; reference:bugtraq,864; reference:cve,1999-0974; classtype:misc-attack; sid:2024; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC
yppasswd username overflow attempt UDP"; flow:to_server; content:"|00 01
86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4;
distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align;
byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00
00 00 00|"; depth:4; offset:4; metadata:ruleset community;
reference:bugtraq,2763; reference:cve,2001-0779; reference:nessus,10684;
classtype:rpc-portmap-decode; sid:2025; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC
yppasswd username overflow attempt TCP"; flow:to_server,established;
content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|";
within:4; distance:4; byte_jump:4,4,relative,align;
byte_jump:4,4,relative,align; byte_jump:4,0,relative,align;
byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:8;
metadata:ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; reference:nessus,10684; classtype:rpc-portmap-decode; sid:2026;
rev:15;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC
yppasswd old password overflow attempt UDP"; flow:to_server; content:"|00
01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4;
distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align;
byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4;
metadata:ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2027; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC
yppasswd old password overflow attempt TCP"; flow:to_server,established;
content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|";
within:4; distance:4; byte_jump:4,4,relative,align;
byte_jump:4,4,relative,align; byte_test:4,>,64,0,relative; content:"|00
00 00 00|"; depth:4; offset:8; metadata:ruleset community;
reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2028; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC
yppasswd new password overflow attempt UDP"; flow:to_server; content:"|00

01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4;


distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align;
byte_jump:4,0,relative,align; byte_jump:4,0,relative,align;
byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4;
metadata:ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2029; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC
yppasswd new password overflow attempt TCP"; flow:to_server,established;
content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|";
within:4; distance:4; byte_jump:4,4,relative,align;
byte_jump:4,4,relative,align; byte_jump:4,0,relative,align;
byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00
00 00 00|"; depth:4; offset:8; metadata:ruleset community;
reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2030; rev:12;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC
yppasswd user update UDP"; flow:to_server; content:"|00 01 86 A9|";
depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4;
content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community;
reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2031; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC
yppasswd user update TCP"; flow:to_server,established; content:"|00 01 86
A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4;
content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community;
reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2032; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC ypserv
maplist request UDP"; flow:to_server; content:"|00 01 86 A4|"; depth:4;
offset:12; content:"|00 00 00 0B|"; within:4; distance:4; content:"|00 00
00 00|"; depth:4; offset:4; metadata:ruleset community;
reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2002-1232;
reference:nessus,13976; classtype:rpc-portmap-decode; sid:2033; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC ypserv
maplist request TCP"; flow:to_server,established; content:"|00 01 86
A4|"; depth:4; offset:16; content:"|00 00 00 0B|"; within:4; distance:4;
content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community;
reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2002-1232;
classtype:rpc-portmap-decode; sid:2034; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
network-status-monitor request UDP"; flow:to_server; content:"|00 01 86
A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00
03 0D|p"; within:4; content:"|00 00 00 00|"; depth:4; offset:4;
metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode;
sid:2035; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap
network-status-monitor request TCP"; flow:to_server,established;
content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|";
within:4; distance:4; byte_jump:4,4,relative,align;
byte_jump:4,4,relative,align; content:"|00 03 0D|p"; within:4; content:"|
00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service
sunrpc; classtype:rpc-portmap-decode; sid:2036; rev:12;)

# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC


network-status-monitor mon-callback request UDP"; flow:to_server;
content:"|00 03 0D|p"; depth:4; offset:12; content:"|00 00 00 01|";
within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4;
metadata:ruleset community; classtype:rpc-portmap-decode; sid:2037;
rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC
network-status-monitor mon-callback request TCP";
flow:to_server,established; content:"|00 03 0D|p"; depth:4; offset:16;
content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|";
depth:4; offset:8; metadata:ruleset community; classtype:rpc-portmap-decode; sid:2038; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"SERVER-OTHER bootp
hostname format string attempt"; flow:to_server; content:"|01|"; depth:1;
content:"|0C|"; distance:240; content:"%"; distance:0; content:"%";
within:8; distance:1; content:"%"; within:8; distance:1; metadata:ruleset
community; reference:bugtraq,4701; reference:cve,2002-0702;
reference:nessus,11312; classtype:misc-attack; sid:2039; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 49 (msg:"POLICY-OTHER xtacacs
login attempt"; flow:to_server; content:"|80 01|"; depth:2; content:"|
00|"; distance:4; metadata:ruleset community; classtype:misc-activity;
sid:2040; rev:7;)
# alert udp $HOME_NET 49 -> $EXTERNAL_NET any (msg:"INDICATOR-SCAN
xtacacs failed login response"; flow:to_client; content:"|80 02|";
depth:2; content:"|02|"; distance:4; metadata:ruleset community;
classtype:misc-activity; sid:2041; rev:7;)
# alert udp $HOME_NET 49 -> $EXTERNAL_NET any (msg:"POLICY-OTHER xtacacs
accepted login response"; flow:to_client; content:"|80 02|"; depth:2;
content:"|01|"; distance:4; metadata:ruleset community; classtype:misc-activity; sid:2042; rev:7;)
# alert udp $HOME_NET 500 -> $EXTERNAL_NET 500 (msg:"INDICATOR-SCAN
isakmp login failed"; content:"|10 05|"; depth:2; offset:17; content:"|00
00 00 01 01 00 00 18|"; within:8; distance:13; metadata:ruleset
community; classtype:misc-activity; sid:2043; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"POLICY-OTHER PPTP
Start Control Request attempt"; flow:to_server,established,no_stream;
content:"|00 01|"; depth:2; offset:2; content:"|00 01|"; depth:2;
offset:8; metadata:ruleset community; classtype:attempted-admin;
sid:2044; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC
snmpXdmi overflow attempt UDP"; flow:to_server; content:"|00 01 87 99|";
depth:4; offset:12; content:"|00 00 01 01|"; within:4; distance:4;
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align;
byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4;
offset:4; metadata:ruleset community; reference:bugtraq,2417;
reference:cve,2001-0236; reference:nessus,10659;
reference:url,www.cert.org/advisories/CA-2001-05.html;
classtype:attempted-admin; sid:2045; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP
partial body.peek buffer overflow attempt"; flow:to_server,established;
content:"PARTIAL"; nocase; content:"BODY.PEEK["; distance:0; nocase;
pcre:"/\sPARTIAL.*BODY\.PEEK\[[^\]]{1024}/smi"; metadata:ruleset
community, service imap; reference:bugtraq,4713; reference:cve,2002-0379;
reference:nessus,10966; classtype:misc-attack; sid:2046; rev:14;)

# alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"SERVER-OTHER rsyncd


module list access"; flow:to_server,established; content:"|23|list";
depth:5; metadata:ruleset community; classtype:misc-activity; sid:2047;
rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"SQL ping attempt";
flow:to_server; content:"|02|"; depth:1; metadata:ruleset community;
reference:nessus,10674; classtype:misc-activity; sid:2049; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"SERVER-MSSQL
version overflow attempt"; flow:to_server; dsize:>100; content:"|04|";
depth:1; metadata:ruleset community; reference:bugtraq,5310;
reference:cve,2002-0649; reference:nessus,10674;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-039;
classtype:attempted-admin; sid:2050; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cached_feed.cgi moreover shopping cart access";
flow:to_server,established; content:"/cached_feed.cgi";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,1762; reference:cve,2000-0906; classtype:web-application-activity; sid:2051; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP overflow.cgi access"; flow:to_server,established;
content:"/overflow.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,6326; reference:cve,2002-1361;
reference:nessus,11190; reference:url,www.cert.org/advisories/CA-2002-35.html; classtype:web-application-activity; sid:2052; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Bugtraq process_bug.cgi access"; flow:to_server,established;
content:"/process_bug.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,3272; reference:cve,2002-0008;
classtype:web-application-activity; sid:2053; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Bugtraq enter_bug.cgi arbitrary command attempt";
flow:to_server,established; content:"/enter_bug.cgi"; fast_pattern;
nocase; http_uri; content:"who="; content:"|3B|"; distance:0;
metadata:ruleset community, service http; reference:bugtraq,3272;
reference:cve,2002-0008; classtype:web-application-attack; sid:2054;
rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Bugtraq enter_bug.cgi access"; flow:to_server,established;
content:"/enter_bug.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,3272; reference:cve,2002-0008;
classtype:web-application-activity; sid:2055; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP TRACE attempt"; flow:to_server,established; content:"TRACE";
depth:5; metadata:policy security-ips drop, ruleset community, service
http; reference:bugtraq,9561; reference:cve,2003-1567;
reference:cve,2004-2320; reference:cve,2010-0360; reference:nessus,11213;
classtype:web-application-attack; sid:2056; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP helpout.exe access"; flow:to_server,established;
content:"/helpout.exe"; http_uri; metadata:ruleset community, service
http; reference:bugtraq,6002; reference:cve,2002-1169;
reference:nessus,11162; classtype:web-application-activity; sid:2057;
rev:12;)

# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP MsmMask.exe attempt"; flow:to_server,established;
content:"/MsmMask.exe"; http_uri; content:"mask="; metadata:ruleset
community, service http; reference:nessus,11163; classtype:web-application-attack; sid:2058; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP MsmMask.exe access"; flow:to_server,established;
content:"/MsmMask.exe"; http_uri; metadata:ruleset community, service
http; reference:nessus,11163; classtype:web-application-activity;
sid:2059; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DB4Web access"; flow:to_server,established; content:"/DB4Web/";
http_uri; metadata:ruleset community, service http;
reference:nessus,11180; classtype:web-application-activity; sid:2060;
rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat null byte directory listing attempt";
flow:to_server,established; content:"|00|.jsp"; http_uri;
metadata:ruleset community, service http; reference:bugtraq,2518;
reference:bugtraq,6721; reference:cve,2003-0042; reference:nessus,11438;
classtype:web-application-attack; sid:2061; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP iPlanet .perf access"; flow:to_server,established;
content:"/.perf"; http_uri; metadata:ruleset community, service http;
reference:nessus,11220; classtype:web-application-activity; sid:2062;
rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Demarc SQL injection attempt"; flow:to_server,established;
content:"/dm/demarc"; http_uri; content:"s_key="; content:"'";
distance:0; content:"'"; distance:1; content:"'"; distance:0;
metadata:ruleset community, service http; reference:bugtraq,4520;
reference:cve,2002-0539; classtype:web-application-activity; sid:2063;
rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Lotus Notes .csp script source download attempt";
flow:to_server,established; content:".csp."; http_uri; metadata:ruleset
community, service http; classtype:web-application-attack; sid:2065;
rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Lotus Notes .pl script source download attempt";
flow:to_server,established; content:".pl"; http_uri; content:".pl";
content:"."; within:1; metadata:ruleset community, service http;
reference:bugtraq,6841; reference:cve,2003-1408; classtype:web-application-attack; sid:2066; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Lotus Notes .exe script source download attempt";
flow:to_server,established; content:".exe"; http_uri; content:".exe";
content:"."; within:1; metadata:ruleset community, service http;
reference:bugtraq,6841; reference:cve,2003-1408; classtype:web-application-attack; sid:2067; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP BitKeeper arbitrary command attempt"; flow:to_server,established;
content:"/diffs/"; http_uri; content:"'"; content:"|3B|"; distance:0;
content:"'"; distance:1; metadata:ruleset community, service http;

reference:bugtraq,6588; classtype:web-application-attack; sid:2068;


rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP chip.ini access"; flow:to_server,established; content:"/chip.ini";
http_uri; metadata:ruleset community, service http;
reference:bugtraq,2755; reference:bugtraq,2775; reference:cve,2001-0749;
reference:cve,2001-0771; classtype:web-application-activity; sid:2069;
rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP post32.exe arbitrary command attempt"; flow:to_server,established;
content:"/post32.exe|7C|"; http_uri; metadata:ruleset community, service
http; reference:bugtraq,1485; classtype:web-application-attack; sid:2070;
rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP post32.exe access"; flow:to_server,established;
content:"/post32.exe"; http_uri; metadata:ruleset community, service
http; reference:bugtraq,1485; classtype:web-application-activity;
sid:2071; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP lyris.pl access"; flow:to_server,established; content:"/lyris.pl";
http_uri; metadata:ruleset community, service http;
reference:bugtraq,1584; reference:cve,2000-0758; classtype:web-application-activity; sid:2072; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP globals.pl access"; flow:to_server,established;
content:"/globals.pl"; http_uri; metadata:ruleset community, service
http; reference:bugtraq,2671; reference:cve,2001-0330; classtype:web-application-activity; sid:2073; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Mambo uploadimage.php upload php file attempt";
flow:to_server,established; content:"/uploadimage.php"; http_uri;
content:"userfile_name="; content:".php"; distance:1; metadata:ruleset
community, service http; reference:bugtraq,6572; reference:cve,2003-1204;
reference:nessus,16315; classtype:web-application-attack; sid:2074;
rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVERWEBAPP Mambo upload.php upload php file attempt";
flow:to_server,established; content:"/upload.php"; http_uri;
content:"userfile_name="; content:".php"; distance:1; metadata:ruleset
community, service http; reference:bugtraq,6572; reference:cve,2003-1204;
reference:nessus,16315; classtype:web-application-attack; sid:2075;
rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVERWEBAPP Mambo uploadimage.php access"; flow:to_server,established;
content:"/uploadimage.php"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,6572; reference:cve,2003-1204;
reference:nessus,16315; classtype:web-application-activity; sid:2076;
rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVERWEBAPP Mambo upload.php access"; flow:to_server,established;
content:"/upload.php"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,6572; reference:cve,2003-1204;
reference:nessus,16315; classtype:web-application-activity; sid:2077;
rev:11;)

# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVERWEBAPP phpBB privmsg.php access"; flow:to_server,established;
content:"/privmsg.php"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,6634; reference:cve,2003-1530;
classtype:web-application-activity; sid:2078; rev:11;)
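# sid 2079-2084: ONC RPC portmapper lookups for nlockmgr and SGI rpc.xfsmd, plus
# direct xfsmd xfs_export calls. Disabled as shipped; one line per rule (the
# rendered copy had split the hex content strings across lines and dropped the
# hyphen in rpc-portmap-decode).
#
# Layout: the UDP rules look for the program number at offset 12 and the RPC
# msg_type CALL (|00 00 00 00|) at offset 4; the TCP rules use 16 and 8 because
# TCP RPC carries a 4-byte record-marking header first. "within:4; distance:4"
# skips the version field and matches the procedure number. The two
# byte_jump:4,4,relative,align step over the variable-length credential and
# verifier structures. Program numbers: |00 01 86 A0| = 100000 (portmapper),
# |00 01 86 B5| = 100021 (nlockmgr), |00 05 F7|h = 0x0005F768 = 391016 (xfsmd).
# Procedure 3 on the portmapper is GETPORT; procedure |0D| (13) on xfsmd is the
# xfs_export call named in the msg.
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap nlockmgr request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,1372; reference:cve,2000-0508; reference:nessus,10220; classtype:rpc-portmap-decode; sid:2079; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap nlockmgr request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,1372; reference:cve,2000-0508; reference:nessus,10220; classtype:rpc-portmap-decode; sid:2080; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rpc.xfsmd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|h"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2081; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rpc.xfsmd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|h"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2082; rev:15;)
# sid 2083/2084 match on any destination port because xfsmd is dynamically
# registered; they alert on the xfs_export call itself, not on an exploit
# payload, so a legitimate export from an external host will also fire.
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC rpc.xfsmd xfs_export attempt UDP"; flow:to_server; content:"|00 05 F7|h"; depth:4; offset:12; content:"|00 00 00 0D|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2083; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC rpc.xfsmd xfs_export attempt TCP"; flow:to_server,established; content:"|00 05 F7|h"; depth:4; offset:16; content:"|00 00 00 0D|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2084; rev:13;)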
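# sid 2085-2087: QuickTime/Darwin Streaming Server parse_xml.cgi, and the
# Sendmail header-comment overflow (CVE-2002-1337 / VU#398025). Disabled as
# shipped; one line per rule (the rendered copy had wrapped the rules and lost
# hyphens in SERVER-WEBAPP, web-application-activity, attempted-admin and the
# CVE ids 2003-0052 / 2003-0053).
#
# sid 2085 and 2086 share the same pattern; 2085 is bound to the normalized
# URI while 2086 matches "/parse_xml.cgi" anywhere in the request, so 2086
# also fires on bodies/referers that merely mention the path. Keep one of the
# two enabled, not both.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP parse_xml.cgi access"; flow:to_server,established; content:"/parse_xml.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6954; reference:bugtraq,6955; reference:bugtraq,6956; reference:bugtraq,6958; reference:cve,2003-0050; reference:cve,2003-0051; reference:cve,2003-0052; reference:cve,2003-0053; reference:cve,2003-0423; classtype:web-application-activity; sid:2085; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP streaming server parse_xml.cgi access"; flow:to_server,established; content:"/parse_xml.cgi"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,6954; reference:bugtraq,6955; reference:bugtraq,6956; reference:bugtraq,6958; reference:cve,2003-0050; reference:cve,2003-0051; reference:cve,2003-0052; reference:cve,2003-0053; reference:cve,2003-0423; classtype:web-application-activity; sid:2086; rev:14;)
# sid 2087 keys on the "<><><>..." filler used by the published exploit for the
# Sendmail From: comment overflow; an attacker who changes the filler bytes is
# not detected by this rule -- it is an IOC for a known tool, not a generic
# overflow detector.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL From comment overflow attempt"; flow:to_server,established; content:"From|3A|"; nocase; content:"<><><><><><><><><><><><><><><><><><><><><><>"; distance:0; content:"|28|"; distance:1; content:"|29|"; distance:1; metadata:ruleset community, service smtp; reference:bugtraq,6991; reference:cve,2002-1337; reference:url,www.kb.cert.org/vuls/id/398025; classtype:attempted-admin; sid:2087; rev:14;)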
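# sid 2088/2089: rpc.ypupdated (program |00 01 86 BC| = 100028) command
# injection (CVE-1999-0208). Disabled as shipped; one line per rule (the
# rendered copy had split the hex content strings across lines).
#
# Both rules require a literal "|" (|7C|) exactly 4 bytes after the verifier,
# i.e. the pipe form used by the public exploit. Other shell metacharacters
# (";", backticks, "$(") in the map name are not matched. The UDP rule carries
# no flow: keyword, so it is evaluated on every UDP packet to any port that
# begins with the right program/procedure -- expect it to be cheap but also
# spoofable, since UDP RPC has no handshake.
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC ypupdated arbitrary command attempt UDP"; content:"|00 01 86 BC|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|7C|"; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:bugtraq,1749; reference:bugtraq,28383; reference:cve,1999-0208; classtype:misc-attack; sid:2088; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC ypupdated arbitrary command attempt TCP"; flow:to_server,established; content:"|00 01 86 BC|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|7C|"; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,1749; reference:cve,1999-0208; classtype:misc-attack; sid:2089; rev:14;)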
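# sid 2090/2091: IIS 5.0 WebDAV ntdll.dll overflow, MS03-007 (CVE-2003-0109).
# Disabled as shipped; one line per rule (the rendered copy had wrapped the
# rules and lost the hyphens in SERVER-IIS and the "en-us" bulletin URL).
#
# sid 2090 pins the exact header block of one public exploit: bare-LF line
# endings, "Translate: f" and "Content-length: 5276". Any other request size
# or CRLF line endings will not match, so treat this as a signature for that
# specific tool rather than for the vulnerability.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS WEBDAV exploit attempt"; flow:to_server,established; content:"HTTP/1.1|0A|Content-type|3A| text/xml|0A|HOST|3A|"; http_header; content:"Accept|3A| */*|0A|Translate|3A| f|0A|Content-length|3A|5276|0A 0A|"; http_header; metadata:ruleset community, service http; reference:bugtraq,7116; reference:bugtraq,7716; reference:cve,2003-0109; reference:nessus,11413; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-007; classtype:attempted-admin; sid:2090; rev:22;)
# sid 2091 matches the Nessus "safe check" probe: a SEARCH / request whose
# headers end within 255 bytes of the request line. This is a vulnerability
# scan, not an exploit; classtype attempted-admin is as shipped.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS WEBDAV nessus safe scan attempt"; flow:to_server,established; content:"SEARCH / HTTP/1.1|0D 0A|Host|3A|"; content:"|0D 0A 0D 0A|"; within:255; metadata:ruleset community, service http; reference:bugtraq,7116; reference:cve,2003-0109; reference:nessus,11412; reference:nessus,11413; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-007; classtype:attempted-admin; sid:2091; rev:16;)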
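# sid 2092-2095: portmapper CALLIT (proxy) integer overflow, CVE-2003-0028, and
# rpc.cmsd CMSD_CREATE overflow, CVE-2002-0391. Disabled as shipped; one line
# per rule (the rendered copy had split hex strings across lines and lost the
# hyphens in rpc-portmap-decode / attempted-admin).
#
# sid 2092/2093: procedure 5 on the portmapper (|00 01 86 A0|) is CALLIT; after
# the credential/verifier jumps, byte_test:4,>,2048,12,relative flags an
# argument length field above 2048. UDP offsets 12/4 vs TCP 16/8 account for
# the 4-byte TCP record marker.
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap proxy integer overflow attempt UDP"; flow:to_server; content:"|00 01 86 A0 00|"; depth:5; offset:12; content:"|00 00 00 05|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,36564; reference:bugtraq,7123; reference:cve,2003-0028; reference:nessus,11420; classtype:rpc-portmap-decode; sid:2092; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap proxy integer overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A0 00|"; depth:5; offset:16; content:"|00 00 00 05|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,7123; reference:cve,2003-0028; reference:nessus,11420; classtype:rpc-portmap-decode; sid:2093; rev:12;)
# sid 2094/2095: cmsd is program |00 01 86 E4| = 100068; procedure |15| (21) is
# CMSD_CREATE. The rules match on any destination port because cmsd is bound
# dynamically; a string/array length above 1024 (byte_test 20 bytes in) is the
# overflow indicator. Note 2094 also carries the 2009 re-discovery references
# (CVE-2009-3699) while the TCP twin does not.
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC CMSD UDP CMSD_CREATE array buffer overflow attempt"; flow:to_server; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,36615; reference:bugtraq,5356; reference:cve,2002-0391; reference:cve,2009-3699; reference:nessus,11418; classtype:attempted-admin; sid:2094; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC CMSD TCP CMSD_CREATE array buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,5356; reference:cve,2002-0391; reference:nessus,11418; classtype:attempted-admin; sid:2095; rev:14;)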
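# sid 2100-2104: SubSeven 2.1 Gold banner, two SMB Transaction header checks, and
# the rexec "username too long" response. Disabled as shipped; one line per
# rule (the rendered copy had wrapped the rules and lost the hyphens in
# INDICATOR-COMPROMISE, unsuccessful-user and the "en-us" bulletin URL).
#
# sid 2100 is a server->client banner leaving $HOME_NET: a hit means an internal
# host is already running the SubSeven server, so treat it as a confirmed
# compromise, not an attempt.
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR SubSeven 2.1 Gold server connection response"; flow:to_client,established; content:"connected. time/date|3A| "; depth:22; content:"version|3A| GOLD 2.1"; distance:1; metadata:ruleset community; reference:mcafee,10566; reference:nessus,10409; classtype:trojan-activity; sid:2100; rev:12;)
# sid 2101/2103 only watch port 139 (NetBIOS session); SMB over TCP/445 is not
# covered by these two rules. "|FF|SMB%" is command 0x25 (SMB_COM_TRANSACTION),
# "|FF|SMB2" is 0x32 (SMB_COM_TRANSACTION2); the byte_test on bit 0x80 of the
# byte 6 further in selects the non-Unicode (2101) or Unicode (2103) form.
# The duplicated "OS-WINDOWS" in the 2101 msg text is as shipped.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS SMB Trans Max Param/Count OS-WINDOWS attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00 00 00|"; within:4; distance:5; metadata:ruleset community; reference:bugtraq,5556; reference:cve,2002-0724; reference:nessus,11110; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-045; reference:url,www.corest.com/common/showdoc.php?idx=262; classtype:protocol-command-decode; sid:2101; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 OPEN2 unicode maximum param count overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00|"; within:2; distance:29; byte_test:2,>,1024,12,relative,little; metadata:ruleset community; reference:cve,2003-0201; classtype:protocol-command-decode; sid:2103; rev:16;)
# sid 2104 fires on the server's error string, i.e. after an over-long username
# was already delivered to rexecd; pair it with sid 2113 (request side) when
# triaging.
# alert tcp $HOME_NET 512 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE rexec username too long response"; flow:to_client,established; content:"username too long"; depth:17; metadata:ruleset community; reference:bugtraq,7459; reference:cve,2003-1097; classtype:unsuccessful-user; sid:2104; rev:10;)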
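# sid 2105-2114: IMAP/POP3 argument-length heuristics and rexec field-length
# heuristics. Disabled as shipped; one line per rule (the rendered copy had
# wrapped the rules and split "|00|" content strings across lines).
#
# Evasion note: the content: anchors in 2105, 2106 and 2107 ("AUTHENTICATE",
# "LSUB", "CREATE") have no nocase, so a lower-case command (IMAP commands are
# case-insensitive) never reaches the case-insensitive pcre. sid 2118 (LIST)
# later in this file does use nocase; consider adding it here if these are
# enabled. The literal-size rules (2105, 2119, 2120) read up to five decimal
# digits after "{" and alert when the announced literal exceeds 256 bytes.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP authenticate literal overflow attempt"; flow:established,to_server; content:"AUTHENTICATE"; fast_pattern:only; pcre:"/\sAUTHENTICATE\s[^\n]*?\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,21724; reference:cve,1999-0042; reference:cve,2006-6424; reference:nessus,10292; classtype:misc-attack; sid:2105; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP lsub overflow attempt"; flow:to_server,established; content:"LSUB"; isdataat:100,relative; pcre:"/\sLSUB\s[^\n]{100}/smi"; metadata:ruleset community, service imap; reference:bugtraq,1110; reference:bugtraq,15006; reference:cve,2000-0284; reference:cve,2005-3155; reference:nessus,10374; classtype:misc-attack; sid:2106; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP create buffer overflow attempt"; flow:to_server,established; content:"CREATE"; isdataat:1024,relative; pcre:"/\sCREATE\s[^\n]{1024}/smi"; metadata:ruleset community, service imap; reference:bugtraq,7446; reference:cve,2003-1470; classtype:misc-attack; sid:2107; rev:11;)
# POP3 rules 2108-2112 alert when a command that normally takes no argument (or
# a small numeric one) is followed by 10/50+ non-newline bytes; they carry no
# CVE reference and are generic overflow heuristics.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP CAPA overflow attempt"; flow:to_server,established; content:"CAPA"; nocase; isdataat:10,relative; pcre:"/^CAPA\s[^\n]{10}/smi"; metadata:ruleset community, service pop3; classtype:attempted-admin; sid:2108; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP TOP overflow attempt"; flow:to_server,established; content:"TOP"; nocase; isdataat:50,relative; pcre:"/^TOP\s[^\n]{50}/smi"; metadata:ruleset community, service pop3; classtype:attempted-admin; sid:2109; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; isdataat:10,relative; pcre:"/^STAT\s[^\n]{10}/smi"; metadata:ruleset community, service pop3; classtype:attempted-admin; sid:2110; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP DELE overflow attempt"; flow:to_server,established; content:"DELE"; nocase; isdataat:10,relative; pcre:"/^DELE\s[^\n]{10}/smi"; metadata:ruleset community, service pop3; classtype:attempted-admin; sid:2111; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP RSET overflow attempt"; flow:to_server,established; content:"RSET"; nocase; isdataat:10,relative; pcre:"/^RSET\s[^\n]{10}/smi"; metadata:ruleset community, service pop3; classtype:attempted-admin; sid:2112; rev:9;)
# sid 2113/2114: rexec requests are NUL-separated "port\0user\0pass\0cmd\0".
# offset:9 only moves the start of the search for the first NUL; it does not
# require the earlier fields to be long, so ordinary requests with a username
# of five or more characters can satisfy 2113. Expect false positives and
# confirm against the server-side sid 2104 response.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"PROTOCOL-SERVICES rexec username overflow attempt"; flow:to_server,established; content:"|00|"; offset:9; content:"|00|"; distance:0; content:"|00|"; distance:0; metadata:ruleset community; classtype:attempted-admin; sid:2113; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"PROTOCOL-SERVICES rexec password overflow attempt"; flow:to_server,established; content:"|00|"; content:"|00|"; distance:33; content:"|00|"; distance:0; metadata:ruleset community; classtype:attempted-admin; sid:2114; rev:6;)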
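# sid 2115-2117: album.pl, chipcfg.cgi and Battleaxe Forum login.asp access.
# Disabled as shipped; one line per rule (the rendered copy had wrapped the
# rules and lost the hyphens in SERVER-WEBAPP / SERVER-IIS).
#
# sid 2115 has no http_uri modifier (unlike 2116/2117), so "/album.pl" is
# searched across the whole request, including bodies and Referer headers.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP album.pl access"; flow:to_server,established; content:"/album.pl"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,7444; reference:cve,2003-1456; reference:nessus,11581; classtype:web-application-activity; sid:2115; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP chipcfg.cgi access"; flow:to_server,established; content:"/chipcfg.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2767; reference:cve,2001-1341; reference:url,archives.neohapsis.com/archives/bugtraq/2001-05/0233.html; classtype:web-application-activity; sid:2116; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Battleaxe Forum login.asp access"; flow:to_server,established; content:"myaccount/login.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,7416; reference:cve,2003-0215; reference:nessus,11548; classtype:web-application-activity; sid:2117; rev:18;)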
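# sid 2118-2124: more IMAP/POP3 argument checks, the cmd.exe banner indicator
# and the Remote PC Access backdoor handshake. Disabled as shipped; one line
# per rule (the rendered copy had wrapped the rules, split a content string
# across lines, and lost the hyphens in INDICATOR-COMPROMISE and
# successful-admin).
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP list overflow attempt"; flow:established,to_server; content:"LIST"; nocase; isdataat:100,relative; pcre:"/\sLIST\s[^\n]{100}/smi"; metadata:ruleset community, service imap; reference:bugtraq,1110; reference:bugtraq,15006; reference:cve,2000-0284; reference:cve,2005-3155; reference:nessus,10374; classtype:misc-attack; sid:2118; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP rename literal overflow attempt"; flow:established,to_server; content:"RENAME"; fast_pattern:only; pcre:"/\sRENAME\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2119; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP create literal buffer overflow attempt"; flow:to_server,established; content:"CREATE"; fast_pattern:only; pcre:"/\sCREATE\s*\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,7446; reference:cve,2003-1470; classtype:misc-attack; sid:2120; rev:12;)
# sid 2121/2122: a negative message index to DELE/UIDL (CVE-2002-1539) -- the
# pcre requires "-" followed by a digit right after the command.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP DELE negative argument attempt"; flow:to_server,established; content:"DELE"; fast_pattern:only; pcre:"/^DELE\s+-\d/smi"; metadata:ruleset community, service pop3; reference:bugtraq,6053; reference:bugtraq,7445; reference:cve,2002-1539; reference:nessus,11570; classtype:misc-attack; sid:2121; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP UIDL negative argument attempt"; flow:to_server,established; content:"UIDL"; fast_pattern:only; pcre:"/^UIDL\s+-\d/smi"; metadata:ruleset community, service pop3; reference:bugtraq,6053; reference:cve,2002-1539; reference:nessus,11570; classtype:misc-attack; sid:2122; rev:17;)
# sid 2123: the Windows cmd.exe startup banner leaving $HOME_NET on any source
# port except 21-23 (ftp/ssh/telnet are excluded to avoid legitimate shells).
# flow:established without a direction means it matches whichever side sends
# it, which is what catches both bind and reverse shells. High-value IR
# indicator; the excluded ports are the only tuning knob.
# alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE Microsoft cmd.exe banner"; flow:established; content:"Microsoft Windows"; depth:18; content:"|28|C|29| Copyright 1985-"; distance:0; content:"Microsoft Corp."; distance:0; metadata:ruleset community; reference:nessus,11633; classtype:successful-admin; sid:2123; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 34012 (msg:"MALWARE-BACKDOOR Remote PC Access connection"; flow:to_server,established; content:"|28 00 01 00 04 00 00 00 00 00 00 00|"; depth:12; metadata:ruleset community; reference:nessus,11673; classtype:trojan-activity; sid:2124; rev:8;)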

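# sid 2125-2134: FTP CWD drive-root escape, PPTP SCCRQ overflow (MS02-063), and
# a run of IIS/web-app "access" rules. Disabled as shipped; one line per rule
# (the rendered copy had wrapped the rules and lost the hyphens in SERVER-WEBAPP,
# SERVER-IIS, web-application-activity and the "en-us" bulletin URLs).
#
# sid 2125 looks for "C:\" at least one byte after CWD; other drive letters or
# a UNC path are not matched.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP CWD Root directory traversal attempt"; flow:to_server,established; content:"CWD"; nocase; content:"C|3A 5C|"; distance:1; metadata:ruleset community, service ftp; reference:bugtraq,7674; reference:cve,2003-0392; reference:nessus,11677; classtype:protocol-command-decode; sid:2125; rev:15;)
# sid 2126 uses no_stream, so it inspects individual packets: isdataat:156 needs
# at least 157 bytes in that packet, and a Start-Control-Connection-Request
# split across segments is not seen. Offsets 2 and 8 check the PPTP message
# type (1 = control) and control type (1 = SCCRQ).
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"OS-WINDOWS Microsoft Windows PPTP Start Control Request buffer overflow attempt"; flow:to_server,established,no_stream; isdataat:156; content:"|00 01|"; depth:2; offset:2; content:"|00 01|"; depth:2; offset:8; metadata:ruleset community; reference:bugtraq,5807; reference:cve,2002-1214; reference:nessus,11178; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-063; classtype:attempted-admin; sid:2126; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ikonboard.cgi access"; flow:to_server,established; content:"/ikonboard.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,7361; reference:nessus,11605; classtype:web-application-activity; sid:2127; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP swsrv.cgi access"; flow:to_server,established; content:"/swsrv.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,7510; reference:cve,2003-0217; reference:nessus,11608; classtype:web-application-activity; sid:2128; rev:18;)
# sid 2129 (Windows Media Services nsiislog.dll, MS03-018/-019) alerts on any
# access, not on the overflow itself; the ISAPI is legitimately used by WMS
# logging clients, so baseline before enabling.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS nsiislog.dll access"; flow:to_server,established; content:"/nsiislog.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8035; reference:cve,2003-0227; reference:cve,2003-0349; reference:nessus,11664; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-018; classtype:web-application-activity; sid:2129; rev:25;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS IISProtect siteadmin.asp access"; flow:to_server,established; content:"/iisprotect/admin/SiteAdmin.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,7675; reference:cve,2003-0377; reference:nessus,11662; classtype:web-application-activity; sid:2130; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS IISProtect access"; flow:to_server,established; content:"/iisprotect/admin/"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11661; classtype:web-application-activity; sid:2131; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Synchrologic Email Accelerator userid list access attempt"; flow:to_server,established; content:"/en/admin/aggregate.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11657; classtype:web-application-activity; sid:2132; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS MS BizTalk server access"; flow:to_server,established; content:"/biztalkhttpreceive.dll"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,7469; reference:bugtraq,7470; reference:cve,2003-0117; reference:cve,2003-0118; reference:nessus,11638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-016; classtype:web-application-activity; sid:2133; rev:19;)
# sid 2134: "/register.asp" is a generic filename; expect noise on unrelated sites.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS register.asp access"; flow:to_server,established; content:"/register.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11621; classtype:web-application-activity; sid:2134; rev:14;)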
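# sid 2135-2142: Philboard, logicworks.ini, /*.shtml, p-news.php and shoutbox.php.
# Disabled as shipped; one line per rule (the rendered copy had wrapped the
# rules and lost the hyphens in SERVER-WEBAPP / web-application-*; the 2140
# content is restored to "/p-news.php" to match its msg, the hyphen having been
# dropped at a line wrap).
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP philboard.mdb access"; flow:to_server,established; content:"/philboard.mdb"; http_uri; metadata:ruleset community, service http; reference:nessus,11682; classtype:web-application-activity; sid:2135; rev:8;)
# sid 2136: the forged cookie value "philboard_admin=True" is matched
# case-sensitively in the raw payload after the word "Cookie"; a different
# capitalisation of the value would not be matched.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP philboard_admin.asp authentication bypass attempt"; flow:to_server,established; content:"/philboard_admin.asp"; http_uri; content:"Cookie"; nocase; content:"philboard_admin=True"; distance:0; metadata:ruleset community, service http; reference:bugtraq,7739; reference:nessus,11675; classtype:web-application-attack; sid:2136; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP philboard_admin.asp access"; flow:to_server,established; content:"/philboard_admin.asp"; http_uri; metadata:ruleset community, service http; reference:bugtraq,7739; reference:nessus,11675; classtype:web-application-activity; sid:2137; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP logicworks.ini access"; flow:to_server,established; content:"/logicworks.ini"; http_uri; metadata:ruleset community, service http; reference:bugtraq,6996; reference:cve,2003-1383; reference:nessus,11639; classtype:web-application-activity; sid:2138; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP /*.shtml access"; flow:to_server,established; content:"/*.shtml"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1517; reference:cve,2000-0683; reference:nessus,11604; classtype:web-application-activity; sid:2139; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP p-news.php access"; flow:to_server,established; content:"/p-news.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,11669; classtype:web-application-activity; sid:2140; rev:9;)
# sid 2141: unlike the "/shoutbox.php" match, "conf=" and "../" are not bound
# to the normalized http_uri buffer, so a percent-encoded "..%2f" in the query
# string would likely not be matched. sid 2142 is the normalized-URI "access"
# companion and does catch the encoded form of the parameter name.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP shoutbox.php directory traversal attempt"; flow:to_server,established; content:"/shoutbox.php"; http_uri; content:"conf="; content:"../"; distance:0; metadata:ruleset community, service http; reference:nessus,11668; classtype:web-application-attack; sid:2141; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP shoutbox.php access"; flow:to_server,established; content:"/shoutbox.php"; fast_pattern; nocase; http_uri; content:"conf="; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11668; classtype:web-application-activity; sid:2142; rev:12;)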
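# sid 2143-2149: PHP remote-file-include (RFI) attempts, TextPortal default
# credentials, Turba status.php. Disabled as shipped; one line per rule (the
# rendered copy had wrapped the rules and lost the hyphens in SERVER-WEBAPP /
# web-application-*).
#
# RFI pcres here accept only http(s)://, ftp(s):// and php:// wrappers; other
# stream wrappers (data:, expect:, zip:) and protocol-relative "//host" are not
# covered. sid 2143's pcre is not bound to the URI (no U flag) and so also
# matches a POSTed "b2inc=" parameter.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP b2 cafelog gm-2-b2.php remote file include attempt"; flow:to_server,established; content:"/gm-2-b2.php"; fast_pattern; nocase; http_uri; content:"b2inc="; pcre:"/b2inc=(https?|ftps?|php)/i"; metadata:ruleset community, service http; reference:nessus,11667; classtype:web-application-attack; sid:2143; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP b2 cafelog gm-2-b2.php access"; flow:to_server,established; content:"/gm-2-b2.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,11667; classtype:web-application-activity; sid:2144; rev:13;)
# sid 2145/2146: "password=admin" / "password=12345" are substring matches in
# the raw payload, so "password=admin123" also fires. A hit means a default
# credential was *tried*; check the response for whether it succeeded.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP TextPortal admin.php default password admin attempt"; flow:to_server,established; content:"/admin.php"; http_uri; content:"op=admin_enter"; content:"password=admin"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,7673; reference:nessus,11660; classtype:web-application-activity; sid:2145; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP TextPortal admin.php default password 12345 attempt"; flow:to_server,established; content:"/admin.php"; http_uri; content:"op=admin_enter"; content:"password=12345"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,7673; reference:nessus,11660; classtype:web-application-activity; sid:2146; rev:11;)
# sid 2147: the literal "Server[path]=" is matched in the raw payload and the
# pcre has no /i flag; a client that percent-encodes the brackets
# ("Server%5Bpath%5D=") or lower-cases the name would not match.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP BLNews objects.inc.php4 remote file include attempt"; flow:to_server,established; content:"/objects.inc.php4"; http_uri; content:"Server[path]="; pcre:"/Server\x5bpath\x5d=(https?|ftps?|php)/"; metadata:ruleset community, service http; reference:bugtraq,7677; reference:cve,2003-0394; reference:nessus,11647; classtype:web-application-attack; sid:2147; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP BLNews objects.inc.php4 access"; flow:to_server,established; content:"/objects.inc.php4"; http_uri; metadata:ruleset community, service http; reference:bugtraq,7677; reference:cve,2003-0394; reference:nessus,11647; classtype:web-application-activity; sid:2148; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Turba status.php access"; flow:to_server,established; content:"/turba/status.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,11646; classtype:web-application-activity; sid:2149; rev:13;)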
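# sid 2150-2157: ttCMS / ttforum RFI, autohtml.php traversal, assorted access
# rules. Disabled as shipped; one line per rule (the rendered copy had wrapped
# the rules and lost the hyphens in SERVER-WEBAPP, SERVER-IIS and
# web-application-*).
#
# sid 2150 and 2155 bind their pcre to the normalized URI (/U), so they see
# decoded query strings but not parameters sent in a POST body.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ttCMS header.php remote file include attempt"; flow:to_server,established; content:"/admin/templates/header.php"; fast_pattern; nocase; http_uri; content:"admin_root="; nocase; http_uri; pcre:"/admin_root=(https?|ftps?|php)/Ui"; metadata:ruleset community, service http; reference:bugtraq,7542; reference:bugtraq,7543; reference:bugtraq,7625; reference:cve,2003-1458; reference:cve,2003-1459; reference:nessus,11636; classtype:web-application-attack; sid:2150; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ttCMS header.php access"; flow:to_server,established; content:"/admin/templates/header.php"; http_uri; metadata:ruleset community, service http; reference:bugtraq,7542; reference:bugtraq,7543; reference:bugtraq,7625; reference:cve,2003-1458; reference:cve,2003-1459; reference:nessus,11636; classtype:web-application-activity; sid:2151; rev:12;)
# sid 2152: "/test.php" is a very common leftover filename; high noise if enabled.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP test.php access"; flow:to_server,established; content:"/test.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,11617; classtype:web-application-activity; sid:2152; rev:13;)
# sid 2153: "name=" and "../../" are matched in the raw payload, not the
# normalized URI, so a percent-encoded traversal would likely slip past; it
# also requires two levels of "../", so a single "../" is not flagged.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP autohtml.php directory traversal attempt"; flow:to_server,established; content:"/autohtml.php"; fast_pattern; nocase; http_uri; content:"name="; content:"../../"; distance:0; metadata:ruleset community, service http; reference:nessus,11630; classtype:web-application-attack; sid:2153; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP autohtml.php access"; flow:to_server,established; content:"/autohtml.php"; http_uri; metadata:ruleset community, service http; reference:nessus,11630; classtype:web-application-activity; sid:2154; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ttforum remote file include attempt"; flow:to_server,established; content:"forum/index.php"; http_uri; content:"template="; http_uri; pcre:"/template=(https?|ftps?|php)/Ui"; metadata:ruleset community, service http; reference:bugtraq,7542; reference:bugtraq,7543; reference:cve,2003-1458; reference:cve,2003-1459; reference:nessus,11615; classtype:web-application-attack; sid:2155; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP mod_gzip_status access"; flow:to_server,established; content:"/mod_gzip_status"; http_uri; metadata:ruleset community, service http; reference:nessus,11685; classtype:web-application-activity; sid:2156; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS IISProtect globaladmin.asp access"; flow:to_server,established; content:"/iisprotect/admin/GlobalAdmin.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11661; classtype:web-application-activity; sid:2157; rev:14;)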
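# sid 2158/2159: malformed BGP headers (CVE-2002-1350, Zebra/Quagga DoS).
# Disabled as shipped; one line per rule (the rendered copy had split the
# 16-byte marker across lines, broken the sf.net URL, and lost the hyphens in
# bad-unknown and cve,2002-1350).
#
# The sixteen 0xFF bytes are the BGP message marker. sid 2158 then reads the
# 2-byte length field and alerts when it is below 19, the smallest legal
# message (16 marker + 2 length + 1 type). sid 2159 checks that the type byte
# after the length is 0, which no BGP message type uses. Both are stateless
# and 2158 is "any any <> any 179" with no depth, so the marker can match
# anywhere in any packet to/from port 179 -- it does not need an established
# session and does not respect $HOME_NET. That makes them useful against
# spoofed/unestablished attack packets but potentially noisy on transit links.
# alert tcp any any <> any 179 (msg:"SERVER-OTHER BGP invalid length"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; byte_test:2,<,19,0,relative; metadata:ruleset community; reference:bugtraq,6213; reference:cve,2002-1350; reference:nessus,14011; reference:nessus,15043; reference:url,sf.net/tracker/index.php?func=detail&aid=744523&group_id=53066&atid=469575; classtype:bad-unknown; sid:2158; rev:12;)
# alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"SERVER-OTHER BGP invalid type 0"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; depth:16; content:"|00|"; within:1; distance:2; metadata:ruleset community; reference:bugtraq,6213; reference:cve,2002-1350; reference:nessus,14011; reference:nessus,15043; classtype:bad-unknown; sid:2159; rev:15;)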
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS SMB
startup folder access"; flow:to_server,established; content:"|00|";
depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"Documents and
Settings|5C|All Users|5C|Start Menu|5C|Programs|5C|Startup|00|";

distance:0; nocase; metadata:ruleset community, service netbios-ssn;


classtype:attempted-recon; sid:2176; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS SMB startup folder unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|5C 00|S|00|t|00|a|00|r|00|t|00| |00|M|00|e|00|n|00|u|00 5C 00|P|00|r|00|o|00|g|00|r|00|a|00|m|00|s|00 5C 00|S|00|t|00|a|00|r|00|t|00|u|00|p"; distance:0; nocase; metadata:ruleset community; classtype:attempted-recon; sid:2177; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP USER format string attempt"; flow:to_server,established; content:"USER"; fast_pattern:only; pcre:"/^USER\s[^\n]*?%[^\n]*?%/smi"; metadata:ruleset community, service ftp; reference:bugtraq,7474; reference:bugtraq,7776; reference:bugtraq,9262; reference:bugtraq,9402; reference:bugtraq,9600; reference:bugtraq,9800; reference:cve,2004-0277; reference:nessus,10041; reference:nessus,11687; classtype:misc-attack; sid:2178; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP PASS format string attempt"; flow:to_server,established; content:"PASS"; fast_pattern:only; pcre:"/^PASS\s[^\n]*?%[^\n]*?%/smi"; metadata:ruleset community, service ftp; reference:bugtraq,7474; reference:bugtraq,9262; reference:bugtraq,9800; reference:cve,2000-0699; reference:cve,2007-1195; reference:nessus,10490; reference:url,osvdb.org/show/osvdb/33813; classtype:misc-attack; sid:2179; rev:15;)
# NOTE(review): none of the four content matches carries an http_uri or http_client_body modifier, so they are tested against the raw client payload rather than the normalized URI, and the rule watches every outbound port; the match is keyed on the tracker request tokens, not on a port.
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P BitTorrent announce request"; flow:to_server,established; content:"/announce"; content:"info_hash="; content:"peer_id="; content:"event="; metadata:ruleset community, service http; classtype:policy-violation; sid:2180; rev:10;)
# NOTE(review): depth:20 covers exactly the handshake prefix (the 0x13 pstrlen byte plus the 19-byte "BitTorrent protocol" string), so the match is pinned to the start of the peer-wire handshake.
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P BitTorrent transfer"; flow:to_server,established; content:"|13|BitTorrent protocol"; depth:20; metadata:ruleset community; classtype:policy-violation; sid:2181; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail Content-Transfer-Encoding overflow attempt"; flow:to_server,established; content:"Content-Transfer-Encoding"; nocase; content:"|3A|"; distance:0; isdataat:100,relative; content:!"|0A|"; within:100; pcre:"/^\s*Content-Transfer-Encoding\s*\x3A[^\n]{100}/mi"; metadata:ruleset community, service smtp; reference:cve,2003-0161; reference:url,www.cert.org/advisories/CA-2003-12.html; classtype:attempted-admin; sid:2183; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd TCP mount path overflow attempt"; flow:to_server,established; content:"|00 01 86 A5 00|"; depth:5; offset:16; content:"|00 00 00 01|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1023,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,8179; reference:cve,2003-0252; reference:nessus,11800; classtype:misc-attack; sid:2184; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC invalid bind attempt"; flow:to_server,established; content:"|05|"; depth:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00|"; within:1; distance:21; metadata:ruleset community; classtype:attempted-dos; sid:2190; rev:6;)

# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC invalid bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00|"; within:1; distance:21; metadata:ruleset community, service netbios-ssn; classtype:attempted-dos; sid:2191; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP CSMailto.cgi access"; flow:to_server,established; content:"/CSMailto.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4579; reference:bugtraq,6265; reference:cve,2002-0749; reference:nessus,11748; classtype:web-application-activity; sid:2194; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP alert.cgi access"; flow:to_server,established; content:"/alert.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4211; reference:bugtraq,4579; reference:cve,2002-0346; reference:nessus,11748; classtype:web-application-activity; sid:2195; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP catgy.cgi access"; flow:to_server,established; content:"/catgy.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3714; reference:bugtraq,4579; reference:cve,2001-1212; reference:nessus,11748; classtype:web-application-activity; sid:2196; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cvsview2.cgi access"; flow:to_server,established; content:"/cvsview2.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4579; reference:bugtraq,5517; reference:cve,2003-0153; reference:nessus,11748; classtype:web-application-activity; sid:2197; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cvslog.cgi access"; flow:to_server,established; content:"/cvslog.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4579; reference:bugtraq,5517; reference:cve,2003-0153; reference:nessus,11748; classtype:web-application-activity; sid:2198; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP multidiff.cgi access"; flow:to_server,established; content:"/multidiff.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4579; reference:bugtraq,5517; reference:cve,2003-0153; reference:nessus,11748; classtype:web-application-activity; sid:2199; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP dnewsweb.cgi access"; flow:to_server,established; content:"/dnewsweb.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1172; reference:bugtraq,4579; reference:cve,2000-0423; reference:nessus,11748; classtype:web-application-activity; sid:2200; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Matt Wright download.cgi access"; flow:to_server,established; content:"/download.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4579; reference:cve,1999-1377; reference:nessus,11748; classtype:web-application-activity; sid:2201; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Webmin Directory edit_action.cgi access"; flow:to_server,established; content:"/edit_action.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3698; reference:bugtraq,4579; reference:cve,2001-1196; reference:nessus,11748; classtype:web-application-activity; sid:2202; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Leif M. Wright everythingform.cgi access"; flow:to_server,established; content:"/everythingform.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2101; reference:bugtraq,4579; reference:cve,2001-0023; reference:nessus,11748; classtype:web-application-activity; sid:2203; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP EasyBoard 2000 ezadmin.cgi access"; flow:to_server,established; content:"/ezadmin.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4068; reference:bugtraq,4579; reference:cve,2002-0263; reference:nessus,11748; classtype:web-application-activity; sid:2204; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP EasyBoard 2000 ezboard.cgi access"; flow:to_server,established; content:"/ezboard.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4068; reference:bugtraq,4579; reference:cve,2002-0263; reference:nessus,11748; classtype:web-application-activity; sid:2205; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP EasyBoard 2000 ezman.cgi access"; flow:to_server,established; content:"/ezman.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4068; reference:bugtraq,4579; reference:cve,2002-0263; reference:nessus,11748; classtype:web-application-activity; sid:2206; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP FileSeek fileseek.cgi access"; flow:to_server,established; content:"/fileseek.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4579; reference:bugtraq,6784; reference:cve,2002-0611; reference:nessus,11748; classtype:web-application-activity; sid:2207; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Faq-O-Matic fom.cgi access"; flow:to_server,established; content:"/fom.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4579; reference:cve,2002-0230; reference:nessus,11748; classtype:web-application-activity; sid:2208; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Infonautics getdoc.cgi access"; flow:to_server,established; content:"/getdoc.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4579; reference:cve,2000-0288; reference:nessus,11748; classtype:web-application-activity; sid:2209; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Multiple Vendors global.cgi access"; flow:to_server,established; content:"/global.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4579; reference:cve,2000-0952; reference:nessus,11748; classtype:web-application-activity; sid:2210; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Lars Ellingsen guestserver.cgi access"; flow:to_server,established; content:"/guestserver.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4579; reference:cve,2001-0180; reference:nessus,11748; classtype:web-application-activity; sid:2211; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cgiCentral WebStore imageFolio.cgi access"; flow:to_server,established; content:"/imageFolio.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4579; reference:bugtraq,6265; reference:cve,2002-1334; reference:nessus,11748; classtype:web-application-activity; sid:2212; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oatmeal Studios Mail File mailfile.cgi access"; flow:to_server,established; content:"/mailfile.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1807; reference:bugtraq,4579; reference:cve,2000-0977; reference:nessus,11748; classtype:web-application-activity; sid:2213; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP 3R Soft MailStudio 2000 mailview.cgi access"; flow:to_server,established; content:"/mailview.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1335; reference:bugtraq,4579; reference:cve,2000-0526; reference:nessus,11748; classtype:web-application-activity; sid:2214; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Alabanza Control Panel nsManager.cgi access"; flow:to_server,established; content:"/nsManager.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1710; reference:bugtraq,4579; reference:cve,2000-1023; reference:nessus,11748; classtype:web-application-activity; sid:2215; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Ipswitch IMail readmail.cgi access"; flow:to_server,established; content:"/readmail.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3427; reference:bugtraq,4579; reference:cve,2001-1283; reference:nessus,11748; classtype:web-application-activity; sid:2216; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Ipswitch IMail printmail.cgi access"; flow:to_server,established; content:"/printmail.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3427; reference:bugtraq,4579; reference:cve,2001-1283; reference:nessus,11748; classtype:web-application-activity; sid:2217; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Cobalt RaQ service.cgi access"; flow:to_server,established; content:"/service.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4211; reference:bugtraq,4579; reference:cve,2002-0346; reference:nessus,11748; classtype:web-application-activity; sid:2218; rev:18;)


# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Interscan VirusWall setpasswd.cgi access"; flow:to_server,established; content:"/setpasswd.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2212; reference:bugtraq,4579; reference:cve,2001-0133; reference:nessus,11748; classtype:web-application-activity; sid:2219; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Leif M. Wright simplestmail.cgi access"; flow:to_server,established; content:"/simplestmail.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2106; reference:bugtraq,4579; reference:cve,2001-0022; reference:nessus,11748; classtype:web-application-activity; sid:2220; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cgiCentral WebStore ws_mail.cgi access"; flow:to_server,established; content:"/ws_mail.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2861; reference:bugtraq,4579; reference:cve,2001-1343; reference:nessus,11748; classtype:web-application-activity; sid:2221; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Infinity CGI exploit scanner nph-exploitscanget.cgi access"; flow:to_server,established; content:"/nph-exploitscanget.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,7910; reference:bugtraq,7911; reference:bugtraq,7913; reference:cve,2003-0434; reference:nessus,11740; classtype:web-application-activity; sid:2222; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP CGIScript.net csNews.cgi access"; flow:to_server,established; content:"/csNews.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4994; reference:cve,2002-0923; reference:nessus,11726; classtype:web-application-activity; sid:2223; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Psunami Bulletin Board psunami.cgi access"; flow:to_server,established; content:"/psunami.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6607; reference:nessus,11750; classtype:web-application-activity; sid:2224; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys BEFSR41 gozila.cgi access"; flow:to_server,established; content:"/gozila.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6086; reference:cve,2002-1236; reference:nessus,11773; classtype:web-application-activity; sid:2225; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP pmachine remote file include attempt"; flow:to_server,established; content:"lib.inc.php"; fast_pattern; nocase; http_uri; content:"pm_path="; http_uri; pcre:"/pm_path=(https?|ftps?|php)/Ui"; metadata:ruleset community, service http; reference:bugtraq,7919; reference:nessus,11739; classtype:web-application-attack; sid:2226; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP forum_details.php access"; flow:to_server,established; content:"forum_details.php"; http_uri; metadata:ruleset community, service http; reference:bugtraq,7933; reference:nessus,11760; classtype:web-application-attack; sid:2227; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP phpMyAdmin db_details_importdocsql.php access"; flow:to_server,established; content:"db_details_importdocsql.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,7962; reference:bugtraq,7965; reference:nessus,11761; classtype:web-application-attack; sid:2228; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP viewtopic.php access"; flow:to_server,established; content:"/viewtopic.php"; fast_pattern; nocase; http_uri; content:"days="; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,7979; reference:cve,2003-0486; reference:nessus,11767; classtype:web-application-attack; sid:2229; rev:15;)
# NOTE(review): "YWRtaW46cGFzc3dvcmQ" is the base64 prefix of "admin:password". Base64 is case-sensitive, but nocase on the content and the /i flag on the pcre make the match case-insensitive, so a case-variant token that decodes to something else will also fire. The destination is $HOME_NET $HTTP_PORTS rather than $HTTP_SERVERS, so any host answering on the HTTP ports is covered.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NetGear router default password login attempt admin/password"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"YWRtaW46cGFzc3dvcmQ"; nocase; http_header; pcre:"/^Authorization\x3a(\s*|\s*\r?\n\s+)Basic\s+YWRtaW46cGFzc3dvcmQ/smiH"; metadata:ruleset community, service http; reference:nessus,11737; classtype:default-login-attempt; sid:2230; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP register.dll access"; flow:to_server,established; content:"/register.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2231; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ContentFilter.dll access"; flow:to_server,established; content:"/ContentFilter.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2232; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SFNofitication.dll access"; flow:to_server,established; content:"/SFNofitication.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2233; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP TOP10.dll access"; flow:to_server,established; content:"/TOP10.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2234; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SpamExcp.dll access"; flow:to_server,established; content:"/SpamExcp.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2235; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP spamrule.dll access"; flow:to_server,established; content:"/spamrule.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2236; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cgiWebupdate.exe access"; flow:to_server,established; content:"/cgiWebupdate.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3216; reference:cve,2001-1150; reference:nessus,11722; classtype:web-application-activity; sid:2237; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP WebLogic ConsoleHelp view source attempt"; flow:to_server,established; content:"/ConsoleHelp/"; nocase; http_uri; content:".jsp"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1518; reference:cve,2000-0682; reference:nessus,11724; classtype:web-application-attack; sid:2238; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP redirect.exe access"; flow:to_server,established; content:"/redirect.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1256; reference:cve,2000-0401; reference:nessus,11723; classtype:web-application-activity; sid:2239; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP changepw.exe access"; flow:to_server,established; content:"/changepw.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1256; reference:cve,2000-0401; reference:nessus,11723; classtype:web-application-activity; sid:2240; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cwmail.exe access"; flow:to_server,established; content:"/cwmail.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4093; reference:cve,2002-0273; reference:nessus,11727; classtype:web-application-activity; sid:2241; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ddicgi.exe access"; flow:to_server,established; content:"/ddicgi.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1657; reference:cve,2000-0826; reference:nessus,11728; classtype:web-application-activity; sid:2242; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ndcgi.exe access"; flow:to_server,established; content:"/ndcgi.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3583; reference:cve,2001-0922; reference:nessus,11730; classtype:web-application-activity; sid:2243; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP VsSetCookie.exe access"; flow:to_server,established; content:"/VsSetCookie.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3784; reference:cve,2002-0236; reference:nessus,11731; classtype:web-application-activity; sid:2244; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Webnews.exe access"; flow:to_server,established; content:"/Webnews.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4124; reference:cve,2002-0290; reference:nessus,11732; classtype:web-application-activity; sid:2245; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webadmin.dll access"; flow:to_server,established; content:"/webadmin.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,7438; reference:bugtraq,7439; reference:bugtraq,8024; reference:cve,2003-0471; reference:nessus,11771; classtype:web-application-activity; sid:2246; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS UploadScript11.asp access"; flow:to_server,established; content:"/UploadScript11.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,3608; reference:cve,2001-0938; reference:nessus,11746; classtype:web-application-activity; sid:2247; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS DirectoryListing.asp access"; flow:to_server,established; content:"/DirectoryListing.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,2001-0938; classtype:web-application-activity; sid:2248; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS /pcadmin/login.asp access"; flow:to_server,established; content:"/pcadmin/login.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,8103; reference:nessus,11785; classtype:web-application-activity; sid:2249; rev:15;)
# NOTE(review): a single '%' anywhere in the USER argument is enough to fire here, a lower bar than the FTP USER/PASS rules (sid:2178/2179), whose pcre requires two '%' characters; tune or threshold this one if usernames containing '%' are legitimate in your environment.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP USER format string attempt"; flow:to_server,established; content:"USER"; fast_pattern:only; pcre:"/^USER\s+[^\n]*?%/smi"; metadata:ruleset community, service pop3; reference:bugtraq,10976; reference:bugtraq,7667; reference:cve,2003-0391; reference:nessus,11742; classtype:attempted-admin; sid:2250; rev:12;)
# NOTE(review): tag:session,5,packets logs the next 5 packets of the flagged session after the alert, which gives responders the bind/request context for MS03-039 triage. within:16 pins the final content to a 16-byte value; it looks like the Remote Activation interface UUID in on-the-wire byte order — confirm against a captured bind before relying on it for attribution.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS SMB-DS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; metadata:ruleset community, service netbios-ssn; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:2252; rev:21;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL XEXCH50 overflow attempt"; flow:to_server,established; content:"XEXCH50"; fast_pattern:only; pcre:"/^XEXCH50\s+-\d/smi"; metadata:ruleset community, service smtp; reference:bugtraq,8838; reference:cve,2003-0714; reference:nessus,11889; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-046; classtype:attempted-admin; sid:2253; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"PROTOCOL-RPC sadmind query with root credentials attempt TCP"; flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 01 00 00 00 01|"; within:8; distance:4; byte_jump:4,8,relative,align; content:"|00 00 00 00|"; within:4; metadata:ruleset community; classtype:misc-attack; sid:2255; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"PROTOCOL-RPC sadmind query with root credentials attempt UDP"; flow:to_server; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 01 00 00 00 01|"; within:8; distance:4; byte_jump:4,8,relative,align; content:"|00 00 00 00|"; within:4; metadata:ruleset community, service sunrpc; classtype:misc-attack; sid:2256; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"OS-WINDOWS DCERPC Messenger Service buffer overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; metadata:ruleset community; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-043; classtype:attempted-admin; sid:2257; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS SMB-DS DCERPC Messenger Service buffer overflow attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|04 00|"; within:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; metadata:ruleset community, service netbios-ssn; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-043; classtype:attempted-admin; sid:2258; rev:16;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL EXPN overflow attempt"; flow:to_server,established; content:"EXPN"; nocase; isdataat:255,relative; pcre:"/^EXPN[^\n]{255}/smi"; metadata:ruleset community, service smtp; reference:bugtraq,6991; reference:bugtraq,7230; reference:cve,2002-1337; reference:cve,2003-0161; classtype:attempted-admin; sid:2259; rev:17;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL VRFY overflow attempt"; flow:to_server,established; content:"VRFY"; nocase; isdataat:255,relative; pcre:"/^VRFY[^\n]{255}/smi"; metadata:ruleset community, service smtp; reference:bugtraq,6991; reference:bugtraq,7230; reference:cve,2002-1337; reference:cve,2003-0161; classtype:attempted-admin; sid:2260; rev:17;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail SEND FROM prescan too many addresses overflow"; flow:to_server,established; content:"SEND FROM|3A|"; fast_pattern:only; pcre:"/^SEND FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; metadata:ruleset community, service smtp; reference:bugtraq,6991; reference:cve,2002-1337; reference:nessus,11316; classtype:attempted-admin; sid:2261; rev:16;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail SEND FROM prescan too long addresses overflow"; flow:to_server,established; content:"SEND FROM|3A|"; fast_pattern:only; pcre:"/^SEND FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200}/smi"; metadata:ruleset community, service smtp; reference:bugtraq,7230; reference:cve,2003-0161; reference:nessus,11499; classtype:misc-attack; sid:2262; rev:16;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail SAML FROM prescan too many addresses overflow"; flow:to_server,established; content:"SAML FROM|3A|"; fast_pattern:only; pcre:"/^SAML FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; metadata:ruleset community, service smtp; reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2263; rev:16;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail SAML FROM prescan too long addresses overflow"; flow:to_server,established; content:"SAML FROM|3A|"; fast_pattern:only; pcre:"/^SAML FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200}/smi"; metadata:ruleset community, service smtp; reference:bugtraq,7230; reference:cve,2003-0161; reference:nessus,11499; classtype:misc-attack; sid:2264; rev:16;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail SOML FROM prescan too many addresses overflow"; flow:to_server,established; content:"SOML FROM|3A|"; fast_pattern:only; pcre:"/^SOML FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; metadata:ruleset community, service smtp; reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2265; rev:14;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL
Sendmail SOML FROM prescan too long addresses overflow";
flow:to_server,established; content:"SOML FROM|3A|"; fast_pattern:only;
pcre:"/^SOML FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]
{200}/smi"; metadata:ruleset community, service smtp;
reference:bugtraq,7230; reference:cve,2003-0161; reference:nessus,11499;
classtype:misc-attack; sid:2266; rev:16;)

# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL


Sendmail MAIL FROM prescan too many addresses overflow";
flow:to_server,established; content:"MAIL FROM|3A|"; fast_pattern:only;
pcre:"/^MAIL FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?
<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?
<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?
<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?
<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?
<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?
<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?
</smi"; metadata:ruleset community, service smtp; reference:bugtraq,6991;
reference:cve,2002-1337; classtype:attempted-admin; sid:2267; rev:15;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL
Sendmail MAIL FROM prescan too long addresses overflow";
flow:to_server,established; content:"MAIL FROM|3A|"; fast_pattern:only;
pcre:"/^MAIL FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]
{200}/smi"; metadata:ruleset community, service smtp;
reference:bugtraq,7230; reference:cve,2003-0161; reference:nessus,11499;
classtype:attempted-admin; sid:2268; rev:16;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL
Sendmail RCPT TO prescan too many addresses overflow";
flow:to_server,established; content:"RCPT TO|3A|"; fast_pattern:only;
pcre:"/^RCPT TO\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?
<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?
<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?
<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?
<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?
<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?
<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?
</smi"; metadata:ruleset community, service smtp; reference:bugtraq,6991;
reference:cve,2002-1337; classtype:attempted-admin; sid:2269; rev:15;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL
Sendmail RCPT TO prescan too long addresses overflow";
flow:to_server,established; content:"RCPT TO|3A|"; fast_pattern:only;
pcre:"/^RCPT TO\x3a\s*[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]
{200}/smi"; metadata:ruleset community, service smtp;
reference:bugtraq,7230; reference:cve,2003-0161; reference:cve,2003-0694;
reference:nessus,11499; classtype:attempted-admin; sid:2270; rev:18;)
#
# sid 2271: FsSniffer / RemoteNC backdoor.  Outbound (HOME -> EXTERNAL,
# to_server) on any port, matching the literal "RemoteNC Control Password:"
# string anywhere in the established stream.  A plain content match with no
# fast_pattern or offset constraint, so it also fires if the string appears
# in unrelated outbound data (e.g. someone mailing or pasting this rule).
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR
FsSniffer connection attempt"; flow:to_server,established;
content:"RemoteNC Control Password|3A|"; metadata:ruleset community;
reference:nessus,11854; classtype:trojan-activity; sid:2271; rev:7;)
#
# sid 2272: FTP LIST with a quoted "-W <digits>" argument (CVE-2003-0853 /
# CVE-2003-0854).  The pcre is anchored at a line start and requires a
# literal double quote before -W, so an unquoted "LIST -W 123" does not
# match.  Only port 21 is covered; FTP on non-standard ports needs the port
# list widened.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP LIST
integer overflow attempt"; flow:to_server,established; content:"LIST";
fast_pattern:only; pcre:"/^LIST\s+\x22-W\s+\d+/smi"; metadata:ruleset
community, service ftp; reference:bugtraq,8875; reference:cve,2003-0853;
reference:cve,2003-0854; reference:nessus,11912; classtype:misc-attack;
sid:2272; rev:13;)
#
# --- Login brute-force heuristics, sids 2273-2275 ---
# sid 2273 (IMAP) and 2274 (POP3) count client LOGIN / USER commands with
# detection_filter "track by_dst, count 30, seconds 30".  Two consequences
# of how they are written:
#   - nothing checks the server's reply, so 30 *successful* logins within
#     30 s to one busy server also fires; this is a volume signal, not a
#     failed-auth signal.
#   - by_dst aggregates every source against the server, so a distributed
#     attempt below 30/30 s per server is missed while a legitimately busy
#     server trips it.  Consider by_src if you want per-attacker tracking.
# Both contents are case-sensitive (no nocase) and the IMAP match is an
# unanchored substring, so any client line containing "LOGIN" counts.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP login
brute force attempt"; flow:to_server,established; content:"LOGIN";
fast_pattern:only; detection_filter:track by_dst, count 30, seconds 30;
metadata:ruleset community, service imap; classtype:suspicious-login;
sid:2273; rev:10;)

# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP login


brute force attempt"; flow:to_server,established; content:"USER";
fast_pattern:only; detection_filter:track by_dst, count 30, seconds 30;
metadata:ruleset community, service pop3; classtype:suspicious-login;
sid:2274; rev:9;)
# sid 2275 (SMTP AUTH) is the server->client direction: it matches the
# "Authentication unsuccessful" reply text (searched from byte 54 of the
# response onward, presumably to skip the status code/banner prefix --
# verify against your MTA's exact reply format) and, because the rule is
# to_client, "track by_dst" here means per external *client*: 5 failures
# in 60 s from the same client IP.  Encrypted (STARTTLS) sessions are not
# visible to it.
# alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SERVER-MAIL AUTH
LOGON brute force attempt"; flow:to_client,established;
content:"Authentication unsuccessful"; offset:54; nocase;
detection_filter:track by_dst, count 5, seconds 60; metadata:ruleset
community, service smtp; classtype:suspicious-login; sid:2275; rev:10;)
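#
# sids 2276-2277: URI "access" rules (classtype web-application-activity).
# They fire on any request whose normalized URI contains the path, exploit
# or not, so treat hits as reconnaissance indicators rather than attacks
# and scope $HTTP_SERVERS tightly to keep the noise down.  Both contents
# are case-sensitive (no nocase); a case-varied path reaches a
# case-insensitive backend without alerting.
# (Listing fix: the wrapped msg category is "SERVER-WEBAPP".)
# sid 2276: Oracle Portal demo pages under /pls/portal/PORTAL_DEMO
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP oracle portal demo access"; flow:to_server,established;
content:"/pls/portal/PORTAL_DEMO"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:nessus,11918;
classtype:web-application-activity; sid:2276; rev:9;)
# sid 2277: PeopleSoft PeopleBooks psdoccgi (bugtraq 9037/9038)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PeopleSoft PeopleBooks psdoccgi access";
flow:to_server,established; content:"/psdoccgi"; fast_pattern:only;
http_uri; metadata:ruleset community, service http;
reference:bugtraq,9037; reference:bugtraq,9038; reference:cve,2003-0626;
reference:cve,2003-0627; classtype:web-application-activity; sid:2277;
rev:12;)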
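#
# sid 2278: client sends a Content-Length that does not fit a signed 32-bit
# int.  byte_test reads up to 10 decimal digits starting one byte after the
# colon (skipping the usual single space) and fires when the value is
# > 0x7FFFFFFF, i.e. a 32-bit signed parser would see it as negative.
# Caveats visible in the rule:
#   - no http_header modifier: "Content-Length:" is searched in the whole
#     request payload, so a copy of the header inside a body (forwarded
#     message, multipart part) also reaches the byte_test.
#   - NOTE(review): a length written with an explicit "-" sign is not what
#     the ">" comparison detects; confirm byte_test's signed-string
#     handling before relying on this rule for literal negative values.
# (Listing fix: msg category is "SERVER-WEBAPP".)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP client negative Content-Length attempt";
flow:to_server,established; content:"Content-Length|3A|"; nocase;
byte_test:10,>,0x7FFFFFFF,1,relative,string,dec; metadata:ruleset
community, service http; reference:bugtraq,16354;
reference:bugtraq,17879; reference:bugtraq,9098; reference:bugtraq,9476;
reference:bugtraq,9576; reference:cve,2004-0095; reference:cve,2005-3653;
reference:cve,2006-2162; reference:cve,2006-3655; classtype:misc-attack;
sid:2278; rev:29;)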
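#
# sids 2279-2283: five URI "access" rules that share bugtraq 9057.  Each is
# a single case-sensitive http_uri content with no parameter check, so any
# request for the file name fires.  Setup.php and Title.php are generic
# enough that unrelated applications and scanners will hit them; expect
# noise and correlate before acting.
# (Listing fixes: msg category "SERVER-WEBAPP"; classtype of sid 2280 is
# "web-application-activity" -- the un-hyphenated form is not a valid Snort
# classtype and would fail rule parsing.)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP UpdateClasses.php access"; flow:to_server,established;
content:"/UpdateClasses.php"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:bugtraq,9057;
classtype:web-application-activity; sid:2279; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Title.php access"; flow:to_server,established;
content:"/Title.php"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,9057; classtype:web-application-activity; sid:2280; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Setup.php access"; flow:to_server,established;
content:"/Setup.php"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,9057; reference:cve,2009-1151;
classtype:web-application-activity; sid:2281; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP GlobalFunctions.php access"; flow:to_server,established;
content:"/GlobalFunctions.php"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:bugtraq,9057;
classtype:web-application-activity; sid:2282; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP DatabaseFunctions.php access"; flow:to_server,established;
content:"/DatabaseFunctions.php"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:bugtraq,9057;
classtype:web-application-activity; sid:2283; rev:14;)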
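#
# sid 2284: rolis guestbook remote file include.  The script path is
# matched in the normalized URI (nocase), but the second content "path="
# has no http_uri modifier, so it is searched in the raw request payload
# (query string or POST body alike) and is case-sensitive.  Nothing checks
# the value after "path=", so a local path triggers the rule exactly like a
# remote URL; it is an "include parameter present" detector, not a
# remote-scheme detector (compare sids 2306/2307 which check the scheme).
# sids 2285-2286: plain URI "access" rules, informational only.
# (Listing fixes: msg category "SERVER-WEBAPP"; classtype
# "web-application-activity".)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rolis guestbook remote file include attempt";
flow:to_server,established; content:"/insert.inc.php"; fast_pattern;
nocase; http_uri; content:"path="; metadata:ruleset community, service
http; reference:bugtraq,9057; classtype:web-application-attack; sid:2284;
rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rolis guestbook access"; flow:to_server,established;
content:"/insert.inc.php"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,9057; classtype:web-application-activity; sid:2285; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP friends.php access"; flow:to_server,established;
content:"/friends.php"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,9088; classtype:web-application-activity; sid:2286; rev:14;)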
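#
# --- Advanced Poll, sids 2287-2303 (bugtraq 8890, CVE-2003-1178..1181) ---
# Sixteen of these are pure URI "access" rules: one case-sensitive
# http_uri content per script, no parameter or method check, classtype
# web-application-activity.  Hits on the admin_*.php names are expected
# from legitimate administration as well as from scanners, so these are
# context for an investigation, not alerts to page on.  sid 2303
# (popup.php) additionally requires "include_path=" in the URI (nocase)
# but does not inspect the value, so a local include path fires it too.
# (Listing fixes: msg category "SERVER-WEBAPP"; the CVE references are
# 2003-1181, which the wrapped listing had fused to "20031181".)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_comment.php access";
flow:to_server,established; content:"/admin_comment.php";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179;
reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487;
classtype:web-application-activity; sid:2287; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_edit.php access"; flow:to_server,established;
content:"/admin_edit.php"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,8890; reference:cve,2003-1178;
reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity;
sid:2288; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_embed.php access"; flow:to_server,established;
content:"/admin_embed.php"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,8890; reference:cve,2003-1178;
reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity;
sid:2289; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_help.php access"; flow:to_server,established;
content:"/admin_help.php"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,8890; reference:cve,2003-1178;
reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity;
sid:2290; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_license.php access";
flow:to_server,established; content:"/admin_license.php";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179;
reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487;
classtype:web-application-activity; sid:2291; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_logout.php access";
flow:to_server,established; content:"/admin_logout.php";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179;
reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487;
classtype:web-application-activity; sid:2292; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_password.php access";
flow:to_server,established; content:"/admin_password.php";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179;
reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487;
classtype:web-application-activity; sid:2293; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_preview.php access";
flow:to_server,established; content:"/admin_preview.php";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179;
reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487;
classtype:web-application-activity; sid:2294; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_settings.php access";
flow:to_server,established; content:"/admin_settings.php";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179;
reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487;
classtype:web-application-activity; sid:2295; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_stats.php access"; flow:to_server,established;
content:"/admin_stats.php"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,8890; reference:cve,2003-1178;
reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity;
sid:2296; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_templates_misc.php access";
flow:to_server,established; content:"/admin_templates_misc.php";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179;
reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487;
classtype:web-application-activity; sid:2297; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_templates.php access";
flow:to_server,established; content:"/admin_templates.php";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179;
reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487;
classtype:web-application-activity; sid:2298; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_tpl_misc_new.php access";
flow:to_server,established; content:"/admin_tpl_misc_new.php";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179;
reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487;
classtype:web-application-activity; sid:2299; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_tpl_new.php access";
flow:to_server,established; content:"/admin_tpl_new.php";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179;
reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487;
classtype:web-application-activity; sid:2300; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll booth.php access"; flow:to_server,established;
content:"/booth.php"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,8890; reference:cve,2003-1178;
reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity;
sid:2301; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll poll_ssi.php access"; flow:to_server,established;
content:"/poll_ssi.php"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,8890; reference:cve,2003-1178;
reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity;
sid:2302; rev:17;)
# sid 2303: popup.php with an include_path= parameter in the URI; the
# parameter value itself is not checked.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll popup.php access"; flow:to_server,established;
content:"/popup.php"; fast_pattern; nocase; http_uri;
content:"include_path="; nocase; http_uri; metadata:ruleset community,
service http; reference:bugtraq,8890; reference:cve,2003-1178;
reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity;
sid:2303; rev:16;)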
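#
# sids 2304-2305: URI "access" rules for files.inc.php and chatbox.php,
# informational only (case-sensitive, no parameter check).
# sids 2306-2307: remote file include with a scheme check.  After the URI
# contents match, the pcre (U = evaluated against the normalized URI, so
# percent-encoded scheme letters are decoded first; i = case-insensitive)
# requires the parameter value to start with http, https, ftp, ftps or
# php.  Other PHP stream wrappers (data:, file:, expect:, phar:, ...) are
# not in the alternation and will not fire these rules; extend the group
# if your PHP build allows them in include paths.  Neither content in
# 2306/2307 carries fast_pattern, so the engine picks the fast pattern
# itself.
# (Listing fix: msg category "SERVER-WEBAPP".)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP files.inc.php access"; flow:to_server,established;
content:"/files.inc.php"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,8910; reference:cve,2003-1153;
classtype:web-application-activity; sid:2304; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP chatbox.php access"; flow:to_server,established;
content:"/chatbox.php"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,8930; reference:cve,2003-1191;
classtype:web-application-activity; sid:2305; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP gallery remote file include attempt"; flow:to_server,established;
content:"/setup/"; http_uri; content:"GALLERY_BASEDIR="; http_uri;
pcre:"/GALLERY_BASEDIR=(https?|ftps?|php)/Ui"; metadata:ruleset
community, service http; reference:bugtraq,8814; reference:cve,2003-1227;
reference:nessus,11876; classtype:web-application-attack; sid:2306;
rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PayPal Storefront remote file include attempt";
flow:to_server,established; content:"do=ext"; http_uri; content:"page=";
http_uri; pcre:"/page=(https?|ftps?|php)/Ui"; metadata:ruleset community,
service http; reference:bugtraq,8791; reference:nessus,11873;
classtype:web-application-attack; sid:2307; rev:15;)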

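#
# CVS pserver absolute-path handling (CVE-2003-0977), sids 2317-2318.
# sid 2317 watches the server->client direction for the literal error
# "E cvs server: warning: cannot make directory CVS in /": the server has
# already rejected a non-relative path, so this is an indicator that an
# attempt was made, not that it succeeded -- hence the INDICATOR-COMPROMISE
# category despite classtype misc-attack.
# sid 2318 watches the client side: an "Argument" line whose value starts
# with "/" followed (R = relative to the previous match) by a "Directory"
# line.  The first content has no fast_pattern modifier and is
# case-sensitive; the pcres are /i.
# (Listing fixes: msg category "INDICATOR-COMPROMISE"; CVE reference
# "2003-0977" in sid 2318.)
# alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE CVS non-relative path error response";
flow:to_client,established; content:"E cvs server|3A| warning|3A| cannot
make directory CVS in /"; fast_pattern:only; metadata:ruleset community;
reference:bugtraq,9178; reference:cve,2003-0977; reference:nessus,11947;
classtype:misc-attack; sid:2317; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"SERVER-OTHER CVS
non-relative path access attempt"; flow:to_server,established;
content:"Argument"; pcre:"/^Argument\s+\//smi"; pcre:"/^Directory/smiR";
metadata:ruleset community; reference:bugtraq,9178; reference:cve,2003-0977; reference:nessus,11947; classtype:misc-attack; sid:2318; rev:8;)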
#
# sids 2319-2320: ebola (port 1655) PASS / USER overflow (bugtraq 9156).
# Each fires when the command is followed by one whitespace byte and then
# 49 or more non-newline bytes on the same line; the pcre is anchored at a
# line start under /m, so the command may appear mid-stream.  No length
# pre-filter (isdataat) is used here, unlike the FTP overflow rules below,
# so the pcre runs on every payload that contains the 4-byte verb.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1655 (msg:"SERVER-OTHER ebola
PASS overflow attempt"; flow:to_server,established; content:"PASS";
fast_pattern:only; pcre:"/^PASS\s[^\n]{49}/smi"; metadata:ruleset
community; reference:bugtraq,9156; classtype:attempted-admin; sid:2319;
rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1655 (msg:"SERVER-OTHER ebola
USER overflow attempt"; flow:to_server,established; content:"USER";
fast_pattern:only; pcre:"/^USER\s[^\n]{49}/smi"; metadata:ruleset
community; reference:bugtraq,9156; classtype:attempted-admin; sid:2320;
rev:7;)
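#
# --- Assorted web "access" rules, sids 2321-2328 ---
# All are single http_uri content matches with no parameter check and
# classtype web-application-activity: they record that a known-sensitive
# path was requested, nothing more.  Note the two conventions in this
# group: the SERVER-IIS rules (2321, 2322, 2324-2326) use nocase, as
# Windows paths are case-insensitive, while the SERVER-WEBAPP rules
# (2323, 2327, 2328) are case-sensitive and use fast_pattern:only.
# (Listing fixes: msg categories "SERVER-IIS" / "SERVER-WEBAPP" and
# classtype "web-application-activity" were split by line wrapping.)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS foxweb.exe access"; flow:to_server,established;
content:"/foxweb.exe"; nocase; http_uri; metadata:ruleset community,
service http; reference:nessus,11939; classtype:web-application-activity;
sid:2321; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS foxweb.dll access"; flow:to_server,established;
content:"/foxweb.dll"; nocase; http_uri; metadata:ruleset community,
service http; reference:nessus,11939; classtype:web-application-activity;
sid:2322; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP iSoft-Solutions QuickStore shopping cart quickstore.cgi access";
flow:to_server,established; content:"/quickstore.cgi"; fast_pattern:only;
http_uri; metadata:ruleset community, service http;
reference:bugtraq,9282; reference:nessus,11975; classtype:web-application-activity; sid:2323; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS VP-ASP shopsearch.asp access"; flow:to_server,established;
content:"/shopsearch.asp"; nocase; http_uri; metadata:ruleset community,
service http; reference:bugtraq,9133; reference:bugtraq,9134;
reference:nessus,11942; classtype:web-application-activity; sid:2324;
rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS VP-ASP ShopDisplayProducts.asp access"; flow:to_server,established;
content:"/ShopDisplayProducts.asp"; nocase; http_uri; metadata:ruleset
community, service http; reference:bugtraq,9133; reference:bugtraq,9134;
reference:nessus,11942; classtype:web-application-activity; sid:2325;
rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS sgdynamo.exe access"; flow:to_server,established;
content:"/sgdynamo.exe"; nocase; http_uri; metadata:ruleset community,
service http; reference:bugtraq,4720; reference:cve,2002-0375;
reference:nessus,11955; classtype:web-application-activity; sid:2326;
rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bsml.pl access"; flow:to_server,established; content:"/bsml.pl";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,9311; reference:nessus,11973; classtype:web-application-activity; sid:2327; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP authentication_index.php access"; flow:to_server,established;
content:"/authentication_index.php"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:cve,2004-0032;
reference:nessus,11982; classtype:web-application-activity; sid:2328;
rev:15;)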
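#
# sid 2329: SQL Server resolution-service "probe response" overflow
# (CVE-2003-0903 / MS04-003).  The payload must start with 0x05, carry a
# 2-byte length at offset 1 greater than 512, contain a ";" and then at
# least 512 further bytes with no ";" -- i.e. an over-long field in the
# ;-delimited response format.
# NOTE(review): the msg names a *response*, yet the header is
# $EXTERNAL_NET -> $SQL_SERVERS with flow:to_server.  If the referenced
# bulletin's overflow is in the client that receives the response, this
# rule only catches a probe replayed at a server; confirm the direction
# fits your deployment before relying on it.
# (Listing fix: bulletin URL path is "en-us".)
# alert udp $EXTERNAL_NET any -> $SQL_SERVERS any (msg:"SERVER-MSSQL
probe response overflow attempt"; flow:to_server; content:"|05|";
depth:1; byte_test:2,>,512,1; content:"|3B|"; distance:0;
isdataat:512,relative; content:!"|3B|"; within:512; metadata:ruleset
community; reference:bugtraq,9407; reference:cve,2003-0903;
reference:nessus,11990; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-003; classtype:attempted-user; sid:2329;
rev:14;)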
#
# sid 2330: IMAP AUTH argument overflow (CVE-2003-1177).  After an
# unanchored, case-sensitive "AUTH" the rule requires at least 368 more
# bytes in the buffer with no newline among them -- a line of 368+ bytes
# following the keyword.  Because the content is unanchored, "AUTH" inside
# "AUTHENTICATE" (the RFC verb) qualifies as well, which is presumably the
# intent.  No fast_pattern modifier is given, so the 4-byte content is the
# engine's only pre-filter.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP auth
overflow attempt"; flow:to_server,established; content:"AUTH";
isdataat:368,relative; content:!"|0A|"; within:368; metadata:ruleset
community, service imap; reference:bugtraq,8861; reference:cve,2003-1177;
reference:nessus,11910; classtype:misc-attack; sid:2330; rev:11;)
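#
# sid 2331: MatrikzGB privilege escalation via a "new_rights=admin"
# parameter.  The content is restricted to the normalized URI, so the same
# parameter sent in a POST body is not seen; a second variant with
# http_client_body would be needed to cover that path.  The match is
# case-sensitive and the rule carries no script-name constraint, so any
# URI containing the string fires.
# (Listing fix: msg category "SERVER-WEBAPP".)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP MatrikzGB privilege escalation attempt";
flow:to_server,established; content:"new_rights=admin";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,8430; classtype:web-application-activity; sid:2331;
rev:17;)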
#
# sids 2332-2333: FTP MKD / RENAME format-string attempts (bugtraq 9262).
# The pcre requires at least two "%" characters in the argument on one
# line; a single "%" (e.g. a percent-encoded file name) does not match.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP MKD
format string attempt"; flow:to_server,established; content:"MKD";
fast_pattern:only; pcre:"/^MKD\s[^\n]*?%[^\n]*?%/smi"; metadata:ruleset
community, service ftp; reference:bugtraq,9262; classtype:misc-attack;
sid:2332; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP RENAME
format string attempt"; flow:to_server,established; content:"RENAME";
fast_pattern:only; pcre:"/^RENAME\s[^\n]*?%[^\n]*?%/smi";
metadata:ruleset community, service ftp; reference:bugtraq,9262;
classtype:misc-attack; sid:2333; rev:9;)
# sids 2334-2335: Yak! FTP server on port 3535.  2334 matches a USER login
# with the hard-coded default account name from bugtraq 9072; 2335 matches
# "RMD /" exactly (the "$" anchors the end of the line), classed as a DoS
# attempt.  Neither rule has a "service ftp" metadata tag, so on an
# AppID-aware sensor they rely purely on the port.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3535 (msg:"PROTOCOL-FTP Yak!
FTP server default account login attempt"; flow:to_server,established;
content:"USER"; nocase; content:"y049575046"; fast_pattern:only;
pcre:"/^USER\s+y049575046/smi"; metadata:ruleset community;
reference:bugtraq,9072; classtype:suspicious-login; sid:2334; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3535 (msg:"PROTOCOL-FTP RMD /
attempt"; flow:to_server,established; content:"RMD"; fast_pattern:only;
pcre:"/^RMD\s+\x2f$/smi"; metadata:ruleset community;
reference:bugtraq,9159; classtype:attempted-dos; sid:2335; rev:10;)
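#
# sid 2337: TFTP request with an over-long filename.  Logic, in order:
# first byte 0x00, second byte < 3 (so opcodes 1 = RRQ and 2 = WRQ both
# qualify -- the msg says PUT but a GET with a long name fires too), then
# at least 100 bytes after the 2-byte opcode with no NUL terminator among
# them, i.e. a filename of 100+ bytes.  The header is "any any -> any 69"
# with no $HOME_NET restriction, so it also fires on traffic leaving the
# monitored network; narrow the destination if that is unwanted.
# (Listing fix: the last CVE reference is "2009-2958".)
# alert udp any any -> any 69 (msg:"PROTOCOL-TFTP PUT filename overflow
attempt"; flow:to_server; content:"|00|"; depth:1;
byte_test:1,<,3,0,relative; isdataat:101,relative; content:!"|00|";
within:100; distance:2; metadata:ruleset community;
reference:bugtraq,20131; reference:bugtraq,22923; reference:bugtraq,7819;
reference:bugtraq,8505; reference:cve,2003-0380; reference:cve,2006-4948;
reference:cve,2008-1611; reference:cve,2009-2957; reference:cve,2009-2958; reference:nessus,18264; classtype:attempted-admin; sid:2337;
rev:20;)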
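#
# sid 2338: generic long-argument FTP LIST (many vendors; see references).
# isdataat:128,relative is a cheap pre-check that 128 bytes follow the
# verb before the pcre runs; the pcre then requires LIST, one whitespace
# byte that is not a newline ("(?!\n)\s"), and 128 non-newline bytes on
# the same line.  Because the content has nocase and no fast_pattern:only,
# it is a real (verified) match, not just a pre-filter.  Legitimate deep
# directory listings with long paths can exceed 128 bytes, so expect some
# benign hits.
# (Listing fix: CVE reference "2000-0129".)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP LIST
buffer overflow attempt"; flow:to_server,established; content:"LIST";
nocase; isdataat:128,relative; pcre:"/^LIST(?!\n)\s[^\n]{128}/smi";
metadata:ruleset community, service ftp; reference:bugtraq,10181;
reference:bugtraq,14339; reference:bugtraq,33454;
reference:bugtraq,58247; reference:bugtraq,6869; reference:bugtraq,7251;
reference:bugtraq,7861; reference:bugtraq,8486; reference:bugtraq,9675;
reference:cve,1999-0349; reference:cve,1999-1510; reference:cve,2000-0129; reference:cve,2004-1992; reference:cve,2005-2373;
reference:cve,2007-0019; reference:cve,2009-0351;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-003;
classtype:misc-attack; sid:2338; rev:34;)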
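#
# sid 2339: TFTP packet whose 2-byte opcode is 0x0000, which no TFTP
# operation uses (bugtraq 7575).  Unlike sid 2337 this one is scoped
# $EXTERNAL_NET -> $HOME_NET.
# (Listing fix: classtype is "bad-unknown"; the un-hyphenated form is not a
# valid Snort classtype.)
# alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP NULL
command attempt"; flow:to_server; content:"|00 00|"; depth:2;
metadata:ruleset community; reference:bugtraq,7575; classtype:bad-unknown; sid:2339; rev:8;)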
#
# sid 2340: FTP "SITE CHMOD" with a 200+ byte argument (CVE-1999-0838 and
# later re-discoveries).  Both contents are nocase and ordered
# (distance:0), isdataat pre-checks for 200 bytes after CHMOD, and the
# pcre confirms 200 non-newline bytes after one whitespace byte.  The
# pcre allows arbitrary whitespace between SITE and CHMOD ("\s+") while
# the contents only require order, so "SITE   chmod" still matches.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE
CHMOD overflow attempt"; flow:to_server,established; content:"SITE";
nocase; content:"CHMOD"; distance:0; nocase; isdataat:200,relative;
pcre:"/^SITE\s+CHMOD\s[^\n]{200}/smi"; metadata:ruleset community,
service ftp; reference:bugtraq,10181; reference:bugtraq,9483;
reference:bugtraq,9675; reference:cve,1999-0838; reference:nessus,12037;
classtype:attempted-admin; sid:2340; rev:15;)
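#
# sids 2341-2342: DCP-Portal remote file include via the "root" parameter
# (bugtraq 6525).  Each rule needs the script path (nocase, fast_pattern)
# and "root=" in the normalized URI.  The value after "root=" is not
# inspected, so a request that sets root to a local path fires as readily
# as one pointing at a remote host; only the URI is examined, so a
# POST-body "root=" is missed.
# (Listing fix: msg category "SERVER-WEBAPP".)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP DCP-Portal remote file include editor script attempt";
flow:to_server,established; content:"/library/editor/editor.php";
fast_pattern; nocase; http_uri; content:"root="; http_uri;
metadata:ruleset community, service http; reference:bugtraq,6525;
classtype:web-application-attack; sid:2341; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP DCP-Portal remote file include lib script attempt";
flow:to_server,established; content:"/library/lib.php"; fast_pattern;
nocase; http_uri; content:"root="; http_uri; metadata:ruleset community,
service http; reference:bugtraq,6525; classtype:web-application-attack;
sid:2342; rev:13;)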
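#
# sids 2343-2344: long-argument FTP STOR (200+ bytes) and XCWD (100+
# bytes).  Same shape as sid 2338: nocase content, isdataat pre-check,
# then a pcre requiring the verb, a non-newline whitespace byte and N
# non-newline bytes on the same line.  Uploads with long target paths can
# legitimately exceed 200 bytes, so tune per site.
# (Listing fix: classtype of sid 2344 is "attempted-admin"; the
# un-hyphenated form is not a valid Snort classtype.)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP STOR
overflow attempt"; flow:to_server,established; content:"STOR"; nocase;
isdataat:200,relative; pcre:"/^STOR(?!\n)\s[^\n]{200}/smi";
metadata:ruleset community, service ftp; reference:bugtraq,8668;
reference:cve,2000-0133; reference:url,osvdb.org/show/osvdb/94624;
classtype:attempted-admin; sid:2343; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP XCWD
overflow attempt"; flow:to_server,established; content:"XCWD"; nocase;
isdataat:100,relative; pcre:"/^XCWD(?!\n)\s[^\n]{100}/smi";
metadata:ruleset community, service ftp; reference:bugtraq,11542;
reference:bugtraq,8704; reference:cve,2004-2728; classtype:attempted-admin; sid:2344; rev:12;)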

# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVERWEBAPP PhpGedView search.php access"; flow:to_server,established;
content:"/search.php"; nocase; http_uri; content:"action=soundex";
fast_pattern; nocase; http_uri; content:"firstname="; nocase; http_uri;
metadata:ruleset community, service http; reference:bugtraq,9369;
reference:cve,2004-0032; classtype:web-application-activity; sid:2345;
rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVERWEBAPP myPHPNuke chatheader.php access"; flow:to_server,established;
content:"/chatheader.php"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,6544; classtype:webapplication-activity; sid:2346; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVERWEBAPP myPHPNuke partner.php access"; flow:to_server,established;
content:"/partner.php"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,6544; classtype:webapplication-activity; sid:2347; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVERWEBAPP IdeaBox cord.php file include"; flow:to_server,established;
content:"/index.php"; nocase; http_uri; content:"ideaDir=";
fast_pattern:only; content:"cord.php"; nocase; metadata:ruleset
community, service http; reference:bugtraq,7488; classtype:webapplication-activity; sid:2353; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVERWEBAPP IdeaBox notification.php file include";
flow:to_server,established; content:"/index.php"; nocase; http_uri;
content:"gorumDir="; fast_pattern:only; content:"notification.php";
nocase; metadata:ruleset community, service http; reference:bugtraq,7488;
classtype:web-application-activity; sid:2354; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVERWEBAPP Invision Board emailer.php file include";
flow:to_server,established; content:"/ad_member.php"; fast_pattern;
nocase; http_uri; content:"emailer.php"; nocase; http_uri;
metadata:ruleset community, service http; reference:bugtraq,7204;
classtype:web-application-activity; sid:2355; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVERWEBAPP WebChat db_mysql.php file include"; flow:to_server,established;
content:"/defines.php"; nocase; http_uri; content:"WEBCHATPATH="; nocase;
content:"db_mysql.php"; fast_pattern:only; metadata:ruleset community,
service http; reference:bugtraq,7000; reference:cve,2007-0485;
classtype:web-application-attack; sid:2356; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVERWEBAPP WebChat english.php file include"; flow:to_server,established;
content:"/defines.php"; nocase; http_uri; content:"WEBCHATPATH="; nocase;
content:"english.php"; fast_pattern:only; metadata:ruleset community,
service http; reference:bugtraq,7000; reference:cve,2007-0485;
classtype:web-application-attack; sid:2357; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVERWEBAPP Typo3 translations.php file include"; flow:to_server,established;
content:"/translations.php"; fast_pattern; nocase; http_uri;
content:"ONLY="; nocase; metadata:ruleset community, service http;
reference:bugtraq,6984; classtype:web-application-attack; sid:2358;
rev:13;)

# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVERWEBAPP Invision Board ipchat.php file include";
flow:to_server,established; content:"/ipchat.php"; nocase; http_uri;
content:"root_path="; content:"conf_global.php"; fast_pattern:only;
metadata:ruleset community, service http; reference:bugtraq,6976;
reference:cve,2003-1385; classtype:web-application-attack; sid:2359;
rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVERWEBAPP myphpPagetool pt_config.inc file include";
flow:to_server,established; content:"/doc/admin"; nocase; http_uri;
content:"ptinclude="; nocase; content:"pt_config.inc"; fast_pattern:only;
metadata:ruleset community, service http; reference:bugtraq,6744;
classtype:web-application-attack; sid:2360; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVERWEBAPP news.php file include"; flow:to_server,established;
content:"/news.php"; fast_pattern; nocase; http_uri; content:"template=";
nocase; metadata:ruleset community, service http; reference:bugtraq,6674;
classtype:web-application-attack; sid:2361; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP YaBB SE packages.php file include"; flow:to_server,established;
content:"/packages.php"; fast_pattern; nocase; http_uri;
content:"packer.php"; nocase; metadata:ruleset community, service http;
reference:bugtraq,6663; classtype:web-application-attack; sid:2362;
rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Cyboards default_header.php access"; flow:to_server,established;
content:"/default_header.php"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:bugtraq,6597;
classtype:web-application-activity; sid:2363; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Cyboards options_form.php access"; flow:to_server,established;
content:"/options_form.php"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:bugtraq,6597;
classtype:web-application-activity; sid:2364; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP newsPHP Language file include attempt";
flow:to_server,established; content:"/nphpd.php"; fast_pattern; nocase;
http_uri; content:"LangFile"; nocase; metadata:ruleset community, service
http; reference:bugtraq,8488; classtype:web-application-activity;
sid:2365; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PhpGedView PGV authentication_index.php base directory
manipulation attempt"; flow:to_server,established;
content:"/authentication_index.php"; nocase; http_uri;
content:"PGV_BASE_DIRECTORY"; fast_pattern:only; metadata:ruleset
community, service http; reference:bugtraq,9368; reference:cve,2004-0030;
classtype:web-application-attack; sid:2366; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PhpGedView PGV functions.php base directory manipulation attempt";
flow:to_server,established; content:"/functions.php"; nocase; http_uri;
content:"PGV_BASE_DIRECTORY"; fast_pattern:only; metadata:ruleset
community, service http; reference:bugtraq,9368; reference:cve,2004-0030;
classtype:web-application-attack; sid:2367; rev:12;)

# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PhpGedView PGV config_gedcom.php base directory manipulation
attempt"; flow:to_server,established; content:"/config_gedcom.php";
nocase; http_uri; content:"PGV_BASE_DIRECTORY"; fast_pattern:only;
metadata:ruleset community, service http; reference:bugtraq,9368;
reference:cve,2004-0030; classtype:web-application-attack; sid:2368;
rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ISAPISkeleton.dll access"; flow:to_server,established;
content:"/ISAPISkeleton.dll"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:bugtraq,9516;
reference:cve,2004-2128; classtype:web-application-activity; sid:2369;
rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP BugPort config.conf file access"; flow:to_server,established;
content:"/config.conf"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,9542; reference:cve,2004-2353;
classtype:attempted-recon; sid:2370; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Sample_showcode.html access"; flow:to_server,established;
content:"/Sample_showcode.html"; nocase; http_uri; content:"fname";
metadata:ruleset community, service http; reference:bugtraq,9555;
reference:cve,2004-2170; classtype:web-application-activity; sid:2371;
rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Photopost PHP Pro showphoto.php access";
flow:to_server,established; content:"/showphoto.php"; fast_pattern:only;
http_uri; metadata:ruleset community, service http;
reference:bugtraq,9557; reference:cve,2004-0239; reference:cve,2004-0250;
classtype:web-application-activity; sid:2372; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP XMKD
overflow attempt"; flow:to_server,established; content:"XMKD"; nocase;
isdataat:200,relative; pcre:"/^XMKD(?!\n)\s[^\n]{200}/smi";
metadata:ruleset community, service ftp; reference:bugtraq,7909;
reference:cve,2000-0133; reference:cve,2001-1021; classtype:attempted-admin; sid:2373; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP NLST
overflow attempt"; flow:to_server,established; content:"NLST"; nocase;
isdataat:200,relative; pcre:"/^NLST(?!\n)\s[^\n]{200}/smi";
metadata:ruleset community, service ftp; reference:bugtraq,7909;
reference:cve,1999-1544; reference:cve,2009-3023;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-053;
reference:url,www.kb.cert.org/vuls/id/276653; classtype:attempted-admin;
sid:2374; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3127:3199 (msg:"MALWARE-CNC
DoomJuice/mydoom.a backdoor upload/execute"; flow:to_server,established;
content:"|85 13|<|9E A2|"; depth:5; metadata:ruleset community;
reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.hllw.doomjuice.html; classtype:trojan-activity; sid:2375; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP
first payload certificate request length overflow attempt";
flow:to_server; byte_test:4,>,2043,24; content:"|07|"; depth:1;
offset:16; byte_test:2,>,2043,30; metadata:ruleset community;

reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2376; rev:8;)


# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP
second payload certificate request length overflow attempt";
flow:to_server; byte_test:4,>,2043,24; content:"|07|"; depth:1;
offset:28; byte_jump:2,30; byte_test:2,>,2043,-2,relative;
metadata:ruleset community; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2377; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP
third payload certificate request length overflow attempt";
flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; content:"|07|";
within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; metadata:ruleset community; reference:bugtraq,9582;
reference:cve,2004-0040; classtype:attempted-admin; sid:2378; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP
forth payload certificate request length overflow attempt";
flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; byte_jump:2,2,relative; content:"|07|"; within:1; distance:-4;
byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; metadata:ruleset
community; reference:bugtraq,9582; reference:cve,2004-0040;
classtype:attempted-admin; sid:2379; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP
fifth payload certificate request length overflow attempt";
flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; byte_jump:2,2,relative; byte_jump:2,-2,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative;
metadata:ruleset community; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2380; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Checkpoint Firewall-1 HTTP parsing format string vulnerability
attempt"; flow:to_server,established; content:"|3A|/"; offset:11;
http_uri; pcre:"/^[^\x3a\x3f]{11,}\x3a\x2f/Usmi"; metadata:ruleset
community, service http; reference:bugtraq,9581; reference:cve,2004-0039;
reference:nessus,12084; classtype:attempted-admin; sid:2381; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS SMB
Session Setup NTLMSSP asn1 overflow attempt"; flow:to_server,established;
content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3;
byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R";
byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP";
within:7; distance:27; asn1:double_overflow, bitstring_overflow,
relative_offset 27, oversize_length 2048; metadata:ruleset community;
reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818;
reference:nessus,12052; reference:nessus,12065;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007;
classtype:protocol-command-decode; sid:2382; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS SMB-DS
Session Setup NTLMSSP asn1 overflow attempt"; flow:to_server,established;
content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3;
byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R";
byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP";
within:7; distance:27; asn1:double_overflow, bitstring_overflow,
relative_offset 27, oversize_length 2048; metadata:ruleset community,
service netbios-ssn; reference:bugtraq,9633; reference:bugtraq,9635;
reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065;

reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007;
classtype:protocol-command-decode; sid:2383; rev:25;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS NTLM ASN1 vulnerability scan attempt"; flow:to_server,established;
content:"Authorization|3A|"; nocase; http_header; content:"Negotiate";
within:20; nocase; http_header;
content:"YIQAAABiBoMAAAYrBgEFBQKgggBTMIFQoA4wDAYKKwYBBAGCNwICCqM";
within:100; http_header; metadata:ruleset community, service http;
reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818;
reference:nessus,12052; reference:nessus,12055; reference:nessus,12065;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007;
classtype:attempted-dos; sid:2386; rev:23;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Apple QuickTime streaming server view_broadcast.cgi access";
flow:to_server,established; content:"/view_broadcast.cgi";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,8257; reference:cve,2003-0422; classtype:web-application-activity; sid:2388; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP RNTO
overflow attempt"; flow:to_server,established; content:"RNTO"; nocase;
isdataat:200,relative; pcre:"/^RNTO(?!\n)\s[^\n]{200}/smi";
metadata:ruleset community, service ftp; reference:bugtraq,15457;
reference:bugtraq,8315; reference:cve,2000-0133; reference:cve,2001-1021;
reference:cve,2003-0466; reference:cve,2005-3683; classtype:attempted-admin; sid:2389; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP STOU
overflow attempt"; flow:to_server,established; content:"STOU"; nocase;
isdataat:200,relative; pcre:"/^STOU\s[^\n]{200}/smi"; metadata:ruleset
community, service ftp; reference:bugtraq,8315; reference:cve,2003-0466;
classtype:attempted-admin; sid:2390; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP APPE
overflow attempt"; flow:to_server,established; content:"APPE"; nocase;
isdataat:200,relative; pcre:"/^APPE(?!\n)\s[^\n]{200}/smi";
metadata:ruleset community, service ftp; reference:bugtraq,8315;
reference:bugtraq,8542; reference:cve,2000-0133; reference:cve,2003-0466;
reference:cve,2003-0772; classtype:attempted-admin; sid:2391; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP RETR
overflow attempt"; flow:to_server,established; content:"RETR"; nocase;
isdataat:200,relative; pcre:"/^RETR(?!\n)\s[^\n]{200}/smi";
metadata:ruleset community, service ftp; reference:bugtraq,15457;
reference:bugtraq,23168; reference:bugtraq,8315; reference:cve,2003-0466;
reference:cve,2004-0287; reference:cve,2004-0298; reference:cve,2005-3683; classtype:attempted-admin; sid:2392; rev:21;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /_admin access"; flow:to_server,established; content:"/_admin/";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,9537; reference:cve,2007-1156; reference:nessus,12032;
classtype:web-application-activity; sid:2393; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2301 (msg:"SERVER-WEBAPP
Compaq web-based management agent denial of service attempt";
flow:to_server,established; content:"<!"; depth:75; content:">";
within:50; metadata:ruleset community; reference:bugtraq,8014;
classtype:web-application-attack; sid:2394; rev:8;)

# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP InteractiveQuery.jsp access"; flow:to_server,established;
content:"/InteractiveQuery.jsp"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:bugtraq,8938;
reference:cve,2003-0624; classtype:web-application-activity; sid:2395;
rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP CCBill whereami.cgi arbitrary command execution attempt";
flow:to_server,established; content:"/whereami.cgi?"; nocase; http_uri;
content:"g="; distance:0; nocase; http_uri; metadata:ruleset community,
service http; reference:bugtraq,8095;
reference:url,secunia.com/advisories/9191/; classtype:web-application-attack; sid:2396; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP CCBill whereami.cgi access"; flow:to_server,established;
content:"/whereami.cgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,8095;
reference:url,secunia.com/advisories/9191/; classtype:web-application-activity; sid:2397; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP WAnewsletter newsletter.php file include attempt";
flow:to_server,established; content:"newsletter.php"; nocase; http_uri;
content:"waroot"; fast_pattern:only; content:"start.php"; nocase;
metadata:ruleset community, service http; reference:bugtraq,6965;
classtype:web-application-attack; sid:2398; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP WAnewsletter db_type.php access"; flow:to_server,established;
content:"/sql/db_type.php"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,6964; classtype:web-application-activity; sid:2399; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP edittag.pl access"; flow:to_server,established;
content:"/edittag.pl"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,6675; reference:cve,2003-1351;
classtype:web-application-activity; sid:2400; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session
Setup andx username overflow attempt"; flow:stateless; content:"|00|";
depth:1; content:"|FF|SMB"; within:4; distance:3;
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39;
byte_jump:2,0,little,relative; byte_test:4,!&,2147483648,21,relative,little; content:!"|00|"; within:255;
distance:29; metadata:ruleset community; reference:bugtraq,9752;
reference:cve,2004-0193;
reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html;
classtype:protocol-command-decode; sid:2401; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS
Session Setup andx username overflow attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3;
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39;
byte_jump:2,0,little,relative; byte_test:4,!&,2147483648,21,relative,little; content:!"|00|"; within:255;
distance:29; metadata:ruleset community, service netbios-ssn;

reference:bugtraq,9752; reference:cve,2004-0193;
reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html;
classtype:protocol-command-decode; sid:2402; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session
Setup unicode username overflow attempt"; flow:stateless; content:"|00|";
depth:1; content:"|FF|SMBs"; within:5; distance:3;
byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,!&,2147483648,21,relative,little; content:!"|00 00|"; within:510;
distance:29; metadata:ruleset community; reference:bugtraq,9752;
reference:cve,2004-0193;
reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html;
classtype:protocol-command-decode; sid:2403; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS
Session Setup unicode andx username overflow attempt"; flow:stateless;
content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3;
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR";
byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39;
byte_jump:2,0,little,relative; byte_test:4,!&,2147483648,21,relative,little; content:!"|00 00|"; within:510;
distance:29; metadata:ruleset community, service netbios-ssn;
reference:bugtraq,9752; reference:cve,2004-0193;
reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html;
classtype:protocol-command-decode; sid:2404; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP phptest.php access"; flow:to_server,established;
content:"/phptest.php"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,9737; reference:cve,2004-2374;
classtype:web-application-activity; sid:2405; rev:14;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET
APC SmartSlot default admin account attempt"; flow:to_server,established;
content:"TENmanUFactOryPOWER"; fast_pattern:only; metadata:ruleset
community, service telnet; reference:bugtraq,9681; reference:cve,2004-0311; reference:nessus,12066; classtype:suspicious-login; sid:2406;
rev:13;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP util.pl access"; flow:to_server,established; content:"/util.pl";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,9748; reference:cve,2004-2379; classtype:web-application-activity; sid:2407; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Invision Power Board search.pl access";
flow:to_server,established; content:"/search.pl"; http_uri;
content:"st="; nocase; metadata:ruleset community, service http;
reference:bugtraq,9766; reference:cve,2004-0338; classtype:web-application-activity; sid:2408; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP APOP
USER overflow attempt"; flow:to_server,established; content:"APOP";
nocase; isdataat:256,relative; pcre:"/^APOP\s+USER\s[^\n]{256}/smi";
metadata:ruleset community, service pop3; reference:bugtraq,9794;
reference:cve,2004-2375; classtype:attempted-admin; sid:2409; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP IGeneric Free Shopping Cart page.php access";
flow:to_server,established; content:"/page.php"; fast_pattern:only;
http_uri; metadata:ruleset community, service http;

reference:bugtraq,9773; classtype:web-application-activity; sid:2410;


rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 554 (msg:"SERVER-WEBAPP
RealNetworks RealSystem Server DESCRIBE buffer overflow attempt";
flow:to_server,established; content:"DESCRIBE"; nocase; content:"../";
distance:1; pcre:"/^DESCRIBE\s[^\n]{300}/smi"; metadata:ruleset
community; reference:bugtraq,8476; reference:cve,2003-0725;
reference:nessus,11642;
reference:url,www.service.real.com/help/faq/security/rootexploit091103.html; classtype:web-application-attack; sid:2411; rev:16;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE
successful cross site scripting forced download attempt";
flow:to_server,established; content:"|0A|Referer|3A| res|3A|/C|3A|";
metadata:ruleset community; classtype:successful-user; sid:2412; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP
delete hash with empty hash attempt"; flow:to_server; content:"|08|";
depth:1; offset:16; content:"|0C|"; depth:1; offset:28; content:"|00 04|"; depth:2; offset:30; metadata:ruleset community;
reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164;
classtype:misc-attack; sid:2413; rev:15;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP
initial contact notification without SPI attempt"; flow:to_server;
content:"|0B|"; depth:1; offset:16; content:"|00 0C 00 00 00 01 01 00 06 02|"; depth:10; offset:30; metadata:ruleset community;
reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164;
classtype:misc-attack; sid:2414; rev:15;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP
second payload initial contact notification without SPI attempt";
flow:to_server; content:"|0B|"; depth:1; offset:28; byte_jump:2,30;
content:"|00 0C 00 00 00 01 01 00|`|02|"; within:10; distance:-2;
metadata:ruleset community; reference:bugtraq,9416;
reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack;
sid:2415; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP invalid
MDTM command attempt"; flow:to_server,established; content:"MDTM";
fast_pattern:only; pcre:"/^MDTM \d+[-+]\D/smi"; metadata:ruleset
community, service ftp; reference:bugtraq,9751; reference:cve,2001-1021;
reference:cve,2004-0330; classtype:attempted-admin; sid:2416; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP format
string attempt"; flow:to_server,established; content:"%";
fast_pattern:only; pcre:"/\s+.*?%.*?%/smi"; metadata:policy security-ips
drop, ruleset community, service ftp; reference:bugtraq,15352;
reference:bugtraq,30993; reference:bugtraq,9800; reference:cve,2002-2074;
reference:cve,2007-1195; reference:cve,2009-4769;
reference:url,osvdb.org/show/osvdb/33813; classtype:string-detect;
sid:2417; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"POLICY-OTHER
Microsoft Windows Terminal Server no encryption session initiation
attempt"; flow:to_server,established; content:"|03 00 01|"; depth:3;
content:"|00|"; depth:1; offset:288; metadata:ruleset community;
reference:cve,2001-0663; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-052; classtype:attempted-dos; sid:2418;
rev:10;)

# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY RealNetworks Realplayer .ram playlist file download request";
flow:to_server,established; content:".ra"; fast_pattern:only; http_uri;
pcre:"/\x2eram?([\?\x5c\x2f]|$)/smiU";
flowbits:set,file.realplayer.playlist; flowbits:noalert; metadata:ruleset
community, service http; reference:url,en.wikipedia.org/wiki/.ram;
classtype:misc-activity; sid:2419; rev:24;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY
RealNetworks Realplayer .rmp playlist file download request";
flow:to_server,established; content:".rmp"; fast_pattern:only; http_uri;
pcre:"/\x2ermp([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.rmp;
flowbits:set,file.realplayer.playlist; flowbits:noalert; metadata:ruleset
community, service http; reference:url,en.wikipedia.org/wiki/.ram;
classtype:misc-activity; sid:2420; rev:24;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY RealNetworks Realplayer .rt playlist file download request";
flow:to_server,established; content:".rt"; fast_pattern:only; http_uri;
pcre:"/\x2ert([\?\x5c\x2f]|$)/smiU";
flowbits:set,file.realplayer.playlist; flowbits:noalert; metadata:ruleset
community, service http; reference:url,en.wikipedia.org/wiki/.ram;
classtype:misc-activity; sid:2422; rev:25;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY RealNetworks Realplayer .rp playlist file download request";
flow:to_server,established; content:".rp"; fast_pattern:only; http_uri;
pcre:"/\x2erp([\?\x5c\x2f]|$)/smiU";
flowbits:set,file.realplayer.playlist; flowbits:noalert; metadata:ruleset
community, service http; reference:url,en.wikipedia.org/wiki/.ram;
classtype:misc-activity; sid:2423; rev:24;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP
sendsys overflow attempt"; flow:to_server,established; content:"sendsys";
fast_pattern:only; pcre:"/^sendsys\x3a[^\n]{21}/smi"; metadata:ruleset
community; reference:bugtraq,9382; reference:cve,2004-0045;
reference:nessus,11984; classtype:attempted-admin; sid:2424; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP
senduuname overflow attempt"; flow:to_server,established;
content:"senduuname"; fast_pattern:only; pcre:"/^senduuname\x3a[^\n]{21}/smi"; metadata:ruleset community; reference:bugtraq,9382;
reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2425; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP
version overflow attempt"; flow:to_server,established; content:"version";
fast_pattern:only; pcre:"/^version\x3a[^\n]{21}/smi"; metadata:ruleset
community; reference:bugtraq,9382; reference:cve,2004-0045;
reference:nessus,11984; classtype:attempted-admin; sid:2426; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP
checkgroups overflow attempt"; flow:to_server,established;
content:"checkgroups"; fast_pattern:only; pcre:"/^checkgroups\x3a[^\n]{21}/smi"; metadata:ruleset community; reference:bugtraq,9382;
reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2427; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP ihave
overflow attempt"; flow:to_server,established; content:"ihave";
fast_pattern:only; pcre:"/^ihave\x3a[^\n]{21}/smi"; metadata:ruleset

community; reference:bugtraq,9382; reference:cve,2004-0045;


reference:nessus,11984; classtype:attempted-admin; sid:2428; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP sendme
overflow attempt"; flow:to_server,established; content:"sendme";
fast_pattern:only; pcre:"/^sendme\x3a[^\n]{21}/smi"; metadata:ruleset
community; reference:bugtraq,9382; reference:cve,2004-0045;
reference:nessus,11984; classtype:attempted-admin; sid:2429; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP
newgroup overflow attempt"; flow:to_server,established;
content:"newgroup"; fast_pattern:only; pcre:"/^newgroup\x3a[^\n]
{32}/smi"; metadata:ruleset community, service nntp;
reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984;
classtype:attempted-admin; sid:2430; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP
rmgroup overflow attempt"; flow:to_server,established; content:"rmgroup";
fast_pattern:only; pcre:"/^rmgroup\x3a[^\n]{32}/smi"; metadata:ruleset
community, service nntp; reference:bugtraq,9382; reference:cve,2004-0045;
reference:nessus,11984; classtype:attempted-admin; sid:2431; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP
article post without path attempt"; flow:to_server,established;
content:"takethis"; fast_pattern:only; pcre:!"/^takethis.*?Path\x3a.*?[\r]{0,1}?\n[\r]{0,1}\n/si"; metadata:ruleset community;
classtype:attempted-admin; sid:2432; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3000 (msg:"SERVER-WEBAPP
MDaemon form2raw.cgi overflow attempt"; flow:to_server,established;
content:"/form2raw.cgi"; fast_pattern:only; pcre:"/\Wfrom=[^\x3b&\n]{100}/si"; metadata:ruleset community; reference:bugtraq,9317;
reference:cve,2003-1200; reference:url,secunia.com/advisories/10512/;
classtype:web-application-attack; sid:2433; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP MDaemon form2raw.cgi access"; flow:to_server,established;
content:"/form2raw.cgi"; fast_pattern:only; metadata:ruleset community,
service http; reference:bugtraq,9317; reference:cve,2003-1200;
reference:url,secunia.com/advisories/10512/; classtype:web-application-activity; sid:2434; rev:11;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY
Microsoft emf file download request"; flow:to_server,established;
content:".emf"; fast_pattern:only; http_uri; pcre:"/\x2eemf([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.emf; metadata:ruleset community, service
http; reference:bugtraq,10120; reference:bugtraq,28819;
reference:bugtraq,9707; reference:cve,2003-0906; reference:cve,2007-5746;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-032;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-053;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-001;
classtype:misc-activity; sid:2435; rev:30;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Windows Audio wmf file download request";
flow:to_server,established; content:".wmf"; fast_pattern:only; http_uri;
pcre:"/\x2ewmf([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.wmf;
flowbits:noalert; metadata:ruleset community, service http;
reference:url,en.wikipedia.org/wiki/.wmf; classtype:misc-activity;
sid:2436; rev:25;)

# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer arbitrary javascript command attempt";
flow:to_client,established; content:"application/smi"; fast_pattern;
nocase; http_header; file_data; content:"file|3A|javascript|3A|";
pcre:"/<area\s+href=[\x22\x27]file\x3ajavascript\x3a/smi";
metadata:ruleset community, service http; reference:bugtraq,8453;
reference:bugtraq,9378; reference:cve,2003-0726; classtype:attempted-user; sid:2437; rev:20;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer playlist file URL overflow attempt";
flow:to_client,established; flowbits:isset,file.realplayer.playlist;
file_data; content:"file|3A|//"; nocase; pcre:"/^file\x3a\x2f\x2f[^\n]{400}/smi"; metadata:ruleset community, service ftp-data, service http,
service imap, service pop3; reference:bugtraq,13264;
reference:bugtraq,9579; reference:cve,2004-0258; reference:cve,2005-0755;
classtype:attempted-user; sid:2438; rev:22;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer playlist http URL overflow attempt";
flow:to_client,established; flowbits:isset,file.realplayer.playlist;
file_data; content:"http|3A|//"; nocase; pcre:"/^http\x3a\x2f\x2f[^\n]{400}/smi"; metadata:ruleset community, service ftp-data, service http,
service imap, service pop3; reference:bugtraq,13264;
reference:bugtraq,9579; reference:cve,2004-0258; reference:cve,2005-0755;
classtype:attempted-user; sid:2439; rev:22;)
# NOTE(review): sid:2440 below anchors its content on "rtsp|3A|//" but its pcre still tests ^http\x3a\x2f\x2f (the pattern of sid:2439), so the rtsp URL overflow named in the msg is not what the rule actually matches; the pcre presumably should read /^rtsp\x3a\x2f\x2f[^\n]{400}/smi — confirm against the upstream rule before enabling.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer playlist rtsp URL overflow attempt";
flow:to_client,established; flowbits:isset,file.realplayer.playlist;
file_data; content:"rtsp|3A|//"; nocase; pcre:"/^http\x3a\x2f\x2f[^\n]{400}/smi"; metadata:ruleset community, service ftp-data, service http,
service imap, service pop3; reference:bugtraq,13264;
reference:bugtraq,9579; reference:cve,2004-0258; reference:cve,2005-0755;
classtype:attempted-user; sid:2440; rev:22;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP NetObserve authentication bypass attempt";
flow:to_server,established; content:"login=0"; nocase; content:"login=0";
nocase; http_cookie; metadata:ruleset community, service http;
reference:bugtraq,9319; classtype:web-application-attack; sid:2441;
rev:14;)
# alert udp any 4000 -> any any (msg:"SERVER-OTHER ICQ
SRV_MULTI/SRV_META_USER overflow attempt - ISS Witty Worm";
flow:to_server; content:"|05 00|"; depth:2; content:"|12 02|"; within:2;
distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|";
within:2; distance:5; byte_test:2,>,512,-11,relative,little;
metadata:ruleset community; reference:cve,2004-0362;
reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html;
classtype:misc-attack; sid:2446; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ServletManager access"; flow:to_server,established;
content:"/servlet/ServletManager"; fast_pattern:only; http_uri;
metadata:ruleset community, service http; reference:bugtraq,3697;
reference:cve,2001-1195; reference:nessus,12122; classtype:web-application-activity; sid:2447; rev:12;)

# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP setinfo.hts access"; flow:to_server,established;
content:"/setinfo.hts"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,9973; reference:cve,2004-1857;
reference:nessus,12120; classtype:web-application-activity; sid:2448;
rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP ALLO
overflow attempt"; flow:to_server,established; content:"ALLO"; nocase;
isdataat:200,relative; pcre:"/^ALLO(?!\n)\s[^\n]{200}/smi";
metadata:ruleset community, service ftp; reference:bugtraq,9953;
reference:cve,2004-1883; reference:nessus,14598; classtype:attempted-admin; sid:2449; rev:12;)
# alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"POLICY-SOCIAL Yahoo
IM successful logon"; flow:to_client,established; content:"YMSG";
depth:4; nocase; content:"|00 01|"; depth:2; offset:10; metadata:ruleset
community; classtype:policy-violation; sid:2450; rev:9;)
# alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"POLICY-SOCIAL Yahoo
IM voicechat"; flow:to_client,established; content:"YMSG"; depth:4;
nocase; content:"|00|J"; depth:2; offset:10; metadata:ruleset community;
classtype:policy-violation; sid:2451; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"POLICY-SOCIAL Yahoo
IM ping"; flow:to_server,established; content:"YMSG"; depth:4; nocase;
content:"|00 12|"; depth:2; offset:10; metadata:ruleset community;
classtype:policy-violation; sid:2452; rev:9;)
# alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"POLICY-SOCIAL Yahoo
IM conference invitation"; flow:to_client,established; content:"YMSG";
depth:4; nocase; content:"|00 18|"; depth:2; offset:10; metadata:ruleset
community; classtype:policy-violation; sid:2453; rev:9;)
# alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"POLICY-SOCIAL Yahoo
IM conference logon success"; flow:to_client,established; content:"YMSG";
depth:4; nocase; content:"|00 19|"; depth:2; offset:10; metadata:ruleset
community; classtype:policy-violation; sid:2454; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"POLICY-SOCIAL Yahoo
IM conference message"; flow:to_server,established; content:"YMSG";
depth:4; nocase; content:"|00 1D|"; depth:2; offset:10; metadata:ruleset
community; classtype:policy-violation; sid:2455; rev:8;)
# alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"POLICY-SOCIAL Yahoo
Messenger File Transfer Receive Request"; flow:established;
content:"YMSG"; depth:4; content:"|00|M"; depth:2; offset:10;
metadata:ruleset community; classtype:policy-violation; sid:2456; rev:9;)
# alert tcp any any <> any 5101 (msg:"POLICY-SOCIAL Yahoo IM message";
flow:established; content:"YMSG"; depth:4; nocase; metadata:ruleset
community; classtype:policy-violation; sid:2457; rev:7;)
# alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"POLICY-SOCIAL Yahoo
IM successful chat join"; flow:to_client,established; content:"YMSG";
depth:4; nocase; content:"|00 98|"; depth:2; offset:10; metadata:ruleset
community; classtype:policy-violation; sid:2458; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"POLICY-SOCIAL Yahoo
IM conference offer invitation"; flow:to_server,established;
content:"YMSG"; depth:4; nocase; content:"|00|P"; depth:2; offset:10;
metadata:ruleset community; classtype:policy-violation; sid:2459; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5100 (msg:"POLICY-SOCIAL Yahoo
IM conference request"; flow:to_server,established; content:"<R";
depth:2; pcre:"/^\x3c(REQIMG|RVWCFG)\x3e/ism"; metadata:ruleset
community; classtype:policy-violation; sid:2460; rev:9;)
# alert tcp $EXTERNAL_NET 5100 -> $HOME_NET any (msg:"POLICY-SOCIAL Yahoo
IM conference watch"; flow:to_client,established; content:"|0D 00 05
00|"; depth:4; metadata:ruleset community; classtype:policy-violation;
sid:2461; rev:10;)
# alert ip any any -> any any (msg:"SERVER-OTHER Ethereal IGMP IGAP
account overflow attempt"; ip_proto:2; byte_test:1,>,63,0;
byte_test:1,<,67,0; byte_test:1,>,16,12; metadata:ruleset community;
reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367;
classtype:attempted-admin; sid:2462; rev:10;)
# alert ip any any -> any any (msg:"SERVER-OTHER Ethereal IGMP IGAP
message overflow attempt"; ip_proto:2; byte_test:1,>,63,0;
byte_test:1,<,67,0; byte_test:1,>,64,13; metadata:ruleset community;
reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367;
classtype:attempted-admin; sid:2463; rev:10;)
# alert ip any any -> any any (msg:"SERVER-OTHER Ethereal EIGRP prefix
length overflow attempt"; ip_proto:88; byte_test:1,>,32,44;
metadata:ruleset community; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2464;
rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS
ADMIN$ share access"; flow:established,to_server; content:"|00|";
depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!
&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative;
content:"ADMIN|24 00|"; distance:2; nocase; metadata:ruleset community,
service netbios-ssn; classtype:protocol-command-decode; sid:2474;
rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP source.jsp access"; flow:to_server,established;
content:"/source.jsp"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:nessus,12119; classtype:web-application-activity; sid:2484; rev:9;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"BROWSER-PLUGINS Symantec Norton Internet Security 2004 ActiveX
clsid access"; flow:to_client,established; file_data; content:"0534CF6183C5-4765-B19B-45F7A4E135D0"; fast_pattern:only; metadata:ruleset
community, service ftp-data, service http, service imap, service pop3;
reference:bugtraq,9916; reference:cve,2004-0363;
reference:url,osvdb.org/show/osvdb/6249; classtype:attempted-user;
sid:2485; rev:17;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP
invalid identification payload attempt"; flow:to_server; content:"|05|";
depth:1; offset:16; byte_test:1,!&,1,19; byte_test:1,>,8,32;
byte_test:2,>,0,30; byte_test:2,<,10,30; byte_test:2,!=,8,30;
metadata:ruleset community; reference:bugtraq,10004; reference:cve,2004-0184; classtype:attempted-dos; sid:2486; rev:13;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL
WinZip MIME content-type buffer overflow"; flow:to_server,established;
content:"Content-Type|3A|"; fast_pattern:only; pcre:"/name=[^\r\n]*?\.
(mim|uue|uu|b64|bhx|hqx|xxe)/smi"; pcre:"/(name|id|number|total|
boundary)=\s*[^\r\n\x3b\s\x2c]{300}/smi"; metadata:ruleset community,
service smtp; reference:bugtraq,9758; reference:cve,2004-0333;
reference:nessus,12621; classtype:attempted-user; sid:2487; rev:17;)

# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL
WinZip MIME content-disposition buffer overflow";
flow:to_server,established; content:"Content-Type|3A|";
fast_pattern:only; pcre:"/name=[^\r\n]*?\.(mim|uue|uu|b64|bhx|hqx|
xxe)/smi"; content:"Content-Disposition|3A|"; nocase;
pcre:"/name=\s*[^\r\n\x3b\s\x2c]{300}/smi"; metadata:ruleset community,
service smtp; reference:bugtraq,9758; reference:cve,2004-0333;
reference:nessus,12621; classtype:attempted-user; sid:2488; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SERVER-OTHER esignal
STREAMQUOTE buffer overflow attempt"; flow:to_server,established;
content:"<STREAMQUOTE>"; nocase; isdataat:1040,relative;
content:!"</STREAMQUOTE>"; within:1040; nocase; metadata:ruleset
community; reference:bugtraq,9978; reference:cve,2004-1868;
classtype:attempted-admin; sid:2489; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SERVER-OTHER esignal
SNAPQUOTE buffer overflow attempt"; flow:to_server,established;
content:"<SNAPQUOTE>"; nocase; isdataat:1024,relative;
content:!"</SNAPQUOTE>"; within:1052; nocase; metadata:ruleset community;
reference:bugtraq,9978; reference:cve,2004-1868; classtype:attempted-admin; sid:2490; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:]
(msg:"OS-WINDOWS DCERPC NCACN-IP-TCP lsass DsRolerUpgradeDownlevelServer
overflow attempt"; flow:to_server,established; dce_iface:3919286a-b10c11d0-9ba8-00c04fd92ef5; dce_opnum:9; dce_stub_data;
byte_test:4,>,256,0,dce; metadata:ruleset community, service netbios-ssn;
reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011;
classtype:attempted-admin; sid:2508; rev:23;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [135,138,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP lsass DsRolerUpgradeDownlevelServer overflow
attempt"; dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; dce_opnum:9;
dce_stub_data; byte_test:4,>,256,0,dce; metadata:ruleset community,
service netbios-dgm; reference:bugtraq,10108; reference:cve,2003-0533;
reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:2511;
rev:21;)
# alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"SERVER-OTHER BGP
spoofed connection reset attempt"; flow:established; flags:RSF*;
detection_filter:track by_dst,count 10,seconds 10; metadata:ruleset
community; reference:bugtraq,10183; reference:cve,2004-0230;
reference:url,www.uniras.gov.uk/vuls/2004/236929/index.htm;
classtype:attempted-dos; sid:2523; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 548 (msg:"SERVER-OTHER AFP
FPLoginExt username buffer overflow attempt"; flow:to_server,established;
content:"|00 02|"; depth:2; content:"?"; within:1; distance:14;
content:"cleartxt passwrd"; nocase; byte_jump:2,1,relative;
byte_jump:2,1,relative; isdataat:2,relative; metadata:ruleset community;
reference:bugtraq,10271; reference:cve,2004-0430;
reference:url,www.atstake.com/research/advisories/2004/a050304-1.txt;
classtype:attempted-admin; sid:2545; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP MDTM
overflow attempt"; flow:to_server,established; content:"MDTM"; nocase;
isdataat:100,relative; pcre:"/^MDTM(?!\n)\s[^\n]{100}/smi";
metadata:ruleset community, service ftp; reference:bugtraq,9751;
reference:cve,2001-1021; reference:cve,2004-0330; reference:nessus,12080;
classtype:attempted-admin; sid:2546; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"SERVER-OTHER HP Web
JetAdmin remote file upload attempt"; flow:to_server,established;
content:"/plugins/hpjwja/script/devices_update_printer_fw_upload.hts";
fast_pattern:only; content:"Content-Type|3A|"; nocase; http_header;
content:"Multipart"; nocase; http_header; metadata:ruleset community,
service http; reference:bugtraq,9971; reference:cve,2004-1856;
classtype:web-application-activity; sid:2547; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"SERVER-OTHER HP Web
JetAdmin setinfo access"; flow:to_server,established;
content:"/plugins/hpjdwm/script/test/setinfo.hts"; fast_pattern:only;
metadata:ruleset community; reference:bugtraq,9972; reference:cve,2004-1857; reference:nessus,12120; classtype:web-application-activity;
sid:2548; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"SERVER-OTHER HP Web
JetAdmin file write attempt"; flow:to_server,established;
content:"/plugins/framework/script/tree.xms"; fast_pattern:only;
content:"WriteToFile"; nocase; metadata:ruleset community;
reference:bugtraq,9973; classtype:web-application-activity; sid:2549;
rev:5;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILEOTHER Nullsoft Winamp XM file buffer overflow attempt";
flow:to_client,established; flowbits:isset,file.xm; file_data;
content:"Extended Module|3A 20|"; nocase; byte_test:1,!=,26,20,relative;
metadata:ruleset community, service ftp-data, service http, service imap,
service pop3; reference:cve,2004-1896;
reference:url,www.securityfocus.com/bid/10045; classtype:attempted-user;
sid:2550; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER
Oracle Web Cache GET overflow attempt"; flow:to_server,established;
content:"GET"; pcre:"/^GET[^s]{432}/sm"; metadata:ruleset community;
reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126;
classtype:attempted-admin; sid:2551; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER
Oracle Web Cache HEAD overflow attempt"; flow:to_server,established;
content:"HEAD"; pcre:"/^HEAD[^s]{432}/sm"; metadata:ruleset community;
reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126;
classtype:attempted-admin; sid:2552; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER
Oracle Web Cache PUT overflow attempt"; flow:to_server,established;
content:"PUT"; pcre:"/^PUT[^s]{432}/sm"; metadata:ruleset community;
reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126;
classtype:attempted-admin; sid:2553; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER
Oracle Web Cache POST overflow attempt"; flow:to_server,established;
content:"POST"; pcre:"/^POST[^s]{432}/sm"; metadata:ruleset community;
reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126;
classtype:attempted-admin; sid:2554; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER
Oracle Web Cache TRACE overflow attempt"; flow:to_server,established;
content:"TRACE"; pcre:"/^TRACE[^s]{432}/sm"; metadata:ruleset community;
reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126;
classtype:attempted-admin; sid:2555; rev:7;)

# alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER
Oracle Web Cache DELETE overflow attempt"; flow:to_server,established;
content:"DELETE"; pcre:"/^DELETE[^s]{432}/sm"; metadata:ruleset
community; reference:bugtraq,9868; reference:cve,2004-0385;
reference:nessus,12126; classtype:attempted-admin; sid:2556; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER
Oracle Web Cache LOCK overflow attempt"; flow:to_server,established;
content:"LOCK"; pcre:"/^LOCK[^s]{432}/sm"; metadata:ruleset community;
reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126;
classtype:attempted-admin; sid:2557; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER
Oracle Web Cache MKCOL overflow attempt"; flow:to_server,established;
content:"MKCOL"; pcre:"/^MKCOL[^s]{432}/sm"; metadata:ruleset community;
reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126;
classtype:attempted-admin; sid:2558; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER
Oracle Web Cache COPY overflow attempt"; flow:to_server,established;
content:"COPY"; pcre:"/^COPY[^s]{432}/sm"; metadata:ruleset community;
reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126;
classtype:attempted-admin; sid:2559; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER
Oracle Web Cache MOVE overflow attempt"; flow:to_server,established;
content:"MOVE"; pcre:"/^MOVE[^s]{432}/sm"; metadata:ruleset community;
reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126;
classtype:attempted-admin; sid:2560; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"SERVER-OTHER rsync
backup-dir directory traversal attempt"; flow:to_server,established;
content:"--backup-dir"; fast_pattern:only; pcre:"/--backupdir\s+\x2e\x2e\x2f/"; metadata:ruleset community;
reference:bugtraq,10247; reference:cve,2004-0426; reference:nessus,12230;
classtype:string-detect; sid:2561; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 81 (msg:"SERVER-WEBAPP McAfee
ePO file upload attempt"; flow:to_server,established;
content:"/spipe/repl_file"; nocase; content:"Command=BEGIN"; nocase;
metadata:ruleset community; reference:bugtraq,10200; reference:cve,2004-0038; classtype:attempted-admin; sid:2562; rev:8;)
# alert udp $EXTERNAL_NET 137 -> $HOME_NET 137 (msg:"NETBIOS NS lookup
response name overflow attempt"; byte_test:1,&,0x80,2; content:"|00 01|";
depth:2; offset:6; byte_test:1,>,32,12; metadata:ruleset community,
service netbios-ns; reference:bugtraq,10333; reference:cve,2004-0444;
reference:url,www.eeye.com/html/Research/Advisories/AD20040512A.html;
classtype:attempted-admin; sid:2563; rev:7;)
# alert udp $EXTERNAL_NET 137 -> $HOME_NET 137 (msg:"NETBIOS NS lookup
short response attempt"; dsize:<56; byte_test:1,&,0x80,2; content:"|00
01|"; depth:2; offset:6; metadata:ruleset community, service netbios-ns;
reference:bugtraq,10335; reference:cve,2004-0444;
reference:url,www.eeye.com/html/Research/Advisories/AD20040512C.html;
classtype:attempted-admin; sid:2564; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP modules.php access"; flow:to_server,established;
content:"/modules.php"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,9879; reference:cve,2004-1817;
classtype:web-application-activity; sid:2565; rev:14;)

# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PHPBB viewforum.php access"; flow:to_server,established;
content:"/viewforum.php"; nocase; http_uri; content:"topic_id=";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,9865; reference:bugtraq,9866; reference:cve,2004-1809;
reference:nessus,12093; classtype:web-application-activity; sid:2566;
rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Emumail init.emu access"; flow:to_server,established;
content:"/init.emu"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,9861; reference:cve,2004-2334;
reference:cve,2004-2385; reference:nessus,12095; classtype:web-application-activity; sid:2567; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Emumail emumail.fcgi access"; flow:to_server,established;
content:"/emumail.fcgi"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,9861; reference:cve,2004-2334;
reference:cve,2004-2385; reference:nessus,12095; classtype:web-application-activity; sid:2568; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cPanel resetpass access"; flow:to_server,established;
content:"/resetpass"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,9848; reference:cve,2004-1769;
classtype:web-application-activity; sid:2569; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Invalid HTTP Version String"; flow:to_server,established;
content:"HTTP/"; depth:300; nocase; content:!"|0D 0A|"; within:2;
distance:3; content:!"1.0"; within:3; content:!"1.1"; within:3;
metadata:ruleset community, service http; reference:bugtraq,34240;
reference:bugtraq,9809; reference:cve,2009-0478; reference:nessus,11593;
classtype:non-standard-protocol; sid:2570; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS SmarterTools SmarterMail frmGetAttachment.aspx access";
flow:to_server,established; content:"/frmGetAttachment.aspx"; nocase;
http_uri; metadata:ruleset community, service http;
reference:bugtraq,9805; reference:cve,2004-2585; classtype:web-application-activity; sid:2571; rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS SmarterTools SmarterMail login.aspx buffer overflow attempt";
flow:to_server,established; content:"/login.aspx"; nocase; http_uri;
content:"txtusername="; isdataat:980,relative; content:!"|0A|";
within:980; nocase; metadata:ruleset community, service http;
reference:bugtraq,9805; reference:cve,2004-2585; classtype:web-application-attack; sid:2572; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS SmarterTools SmarterMail frmCompose.asp access";
flow:to_server,established; content:"/frmCompose.aspx"; nocase; http_uri;
metadata:ruleset community, service http; reference:bugtraq,9805;
reference:cve,2004-2585; classtype:web-application-activity; sid:2573;
rev:15;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP RETR
format string attempt"; flow:to_server,established; content:"RETR";
fast_pattern:only; pcre:"/^RETR\s[^\n]*?%[^\n]*?%/smi"; metadata:ruleset

community, service ftp; reference:bugtraq,9800; reference:cve,2004-1883;


classtype:attempted-admin; sid:2574; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Opt-X header.php remote file include attempt";
flow:to_server,established; content:"/header.php"; nocase; http_uri;
content:"systempath="; fast_pattern:only; pcre:"/systempath=(https?|
ftps?|php)/i"; metadata:ruleset community, service http;
reference:bugtraq,9732; reference:cve,2004-2368; classtype:web-application-attack; sid:2575; rev:11;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.generate_replication_support buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.generate_replication_support"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)
[\r\n\s]*\x3b.*package_prefix[\r\n\s]*=>[\r\n\s]*\2|
package_prefix\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)
[\r\n\s]*\x3b.*procedure_prefix[\r\n\s]*=>[\r\n\s]*\2|
procedure_prefix\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/Policy/PolicyCheck93.html;
classtype:attempted-user; sid:2576; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER
local resource redirection attempt"; flow:to_client,established;
content:"Location|3A|"; nocase; http_header;
pcre:"/^Location\x3a(\s*|\s*\r?\n\s+)*URL\s*\x3a/smiH"; metadata:ruleset
community, service http; reference:cve,2004-0549;
reference:url,www.kb.cert.org/vuls/id/713878; classtype:attempted-user;
sid:2577; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"SERVER-OTHER kerberos
principal name overflow UDP"; flow:to_server; content:"j"; depth:1;
content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1;
metadata:ruleset community, service kerberos; reference:cve,2003-0072;
reference:nessus,11512;
reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2578; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"SERVER-OTHER kerberos
principal name overflow TCP"; flow:to_server,established; content:"j";
depth:1; offset:4; content:"|01 A1|"; asn1:oversize_length
1024,relative_offset -1; metadata:ruleset community, service kerberos;
reference:cve,2003-0072; reference:nessus,11512;
reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2579; rev:7;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVERWEBAPP server negative Content-Length attempt";
flow:to_client,established; content:"Content-Length"; nocase;
pcre:"/^Content-Length\s*\x3a\s*-\d+/mi"; metadata:ruleset community,
service http; reference:bugtraq,10508; reference:cve,2004-0492;
reference:url,www.guninski.com/modproxy1.html; classtype:attempted-admin;
sid:2580; rev:11;)

# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SAP Crystal Reports crystalimagehandler.aspx access";
flow:to_server,established; content:"/crystalimagehandler.aspx";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:cve,2004-0204;
reference:url,www.microsoft.com/security/bulletins/200406_crystal.mspx;
classtype:web-application-activity; sid:2581; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"OSWINDOWS SAP Crystal Reports crystalImageHandler.asp directory traversal
attempt"; flow:to_server,established; content:"/crystalimagehandler";
fast_pattern:only; http_uri; content:"dynamicimage=../"; nocase;
http_uri; metadata:ruleset community, service http;
reference:bugtraq,10260; reference:cve,2004-0204; reference:nessus,12271;
reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-017;
classtype:web-application-attack; sid:2582; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"SERVER-OTHER CVS
Max-dotdot integer overflow attempt"; flow:to_server,established;
content:"Max-dotdot"; fast_pattern:only; pcre:"/^Maxdotdot[\s\r\n]*\d{3,}/msi"; metadata:ruleset community;
reference:bugtraq,10499; reference:cve,2004-0417; classtype:misc-attack;
sid:2583; rev:8;)
# alert tcp $EXTERNAL_NET 6666:6669 -> $HOME_NET any (msg:"SERVER-OTHER
eMule buffer overflow attempt"; flow:to_client,established;
content:"PRIVMSG"; fast_pattern:only; pcre:"/^PRIVMSG\s+[^\s]
+\s+\x3a\s*\x01SENDLINK\x7c[^\x7c]{69}/smi"; metadata:ruleset community;
reference:bugtraq,10039; reference:cve,2004-1892; reference:nessus,12233;
classtype:attempted-user; sid:2584; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP nessus 2.x 404 probe"; flow:to_server,established;
content:"/NessusTest"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:nessus,10386; classtype:attempted-recon; sid:2585; rev:9;)
# alert tcp $HOME_NET 4711 -> $EXTERNAL_NET any (msg:"PUA-P2P eDonkey
server response"; flow:established,to_client; content:"Server|3A| eMule";
fast_pattern:only; metadata:ruleset community; reference:url,www.emule-project.net; classtype:policy-violation; sid:2587; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP TUTOS path disclosure attempt"; flow:to_server,established;
content:"/note_overview.php"; http_uri; content:"id="; metadata:ruleset
community, service http; reference:bugtraq,10129;
reference:url,www.securiteam.com/unixfocus/5FP0J15CKE.html;
classtype:web-application-activity; sid:2588; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS
Microsoft Windows Content-Disposition CLSID command attempt";
flow:to_client,established; content:"Content-Disposition|3A|"; nocase;
http_header; pcre:"/^Content-Disposition\x3a(\s*|\s*\r?\n\s+)[^\r\n]*?\
{[\da-fA-F]{8}(-[\da-fA-F]{4}){3}-[\da-fA-F]{12}\}/smiH";
metadata:ruleset community, service http; reference:bugtraq,9510;
reference:cve,2004-0420; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-024; classtype:attempted-user; sid:2589;
rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVERWEBAPP Samba SWAT Authorization overflow attempt";
flow:to_server,established; content:"Authorization|3A|"; nocase;

http_header; content:"Basic"; within:50; nocase; http_header;


pcre:"/^Authorization\x3a(\s*|\s*\r?\n\s+)Basic\s+=/smiH";
metadata:ruleset community, service http; reference:bugtraq,10780;
reference:cve,2004-0600; classtype:web-application-attack; sid:2597;
rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVERWEBAPP Samba SWAT Authorization port 901 overflow attempt";
flow:to_server,established; content:"Authorization|3A| Basic"; nocase;
pcre:"/^Authorization\x3a(\s*|\s*\r?\n\s+)Basic\s+=/smi";
metadata:ruleset community, service http; reference:bugtraq,10780;
reference:cve,2004-0600; classtype:web-application-attack; sid:2598;
rev:13;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.add_grouped_column buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.add_grouped_column";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1024,}\x27|\x22[^\x22]{1024,}\x22)
[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1024,}\x27|\x22[^\x22]{1024,}\x22)
[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]
{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community;
classtype:attempted-user; sid:2599; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.drop_master_repgroup buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.drop_master_repgroup";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1024,}\x27|\x22[^\x22]{1024,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]
{1024,}))/si"; metadata:ruleset community; classtype:attempted-user;
sid:2601; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.create_mview_repgroup buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.create_mview_repgroup";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1024,}\x27|\x22[^\x22]{1024,}\x22)
[\r\n\s]*\x3b.*fname[\r\n\s]*=>[\r\n\s]*\2|fname\s*=>\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x2
2]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x2
7|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si";
metadata:ruleset community;
reference:url,www.appsecinc.com/Policy/PolicyCheck633.html;
classtype:attempted-user; sid:2603; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.compare_old_values buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.compare_old_values";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1024,}\x27|\x22[^\x22]{1024,}\x22)
[\r\n\s]*\x3b.*operation[\r\n\s]*=>[\r\n\s]*\2|
operation\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x2
2]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/Policy/PolicyCheck91.html;
classtype:attempted-user; sid:2605; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.comment_on_repobject buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.comment_on_repobject";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1024,}\x27|\x22[^\x22]{1024,}\x22)
[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x2
2]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si";
metadata:ruleset community;
reference:url,www.appsecinc.com/Policy/PolicyCheck634.html;
classtype:attempted-user; sid:2606; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sysdbms_repcat_rgt.check_ddl_text buffer overflow attempt";
flow:to_server,established; content:"sysdbms_repcat_rgt.check_ddl_text";
nocase; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si";
metadata:ruleset community;
reference:url,www.appsecinc.com/Policy/PolicyCheck97.html;
classtype:attempted-user; sid:2608; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.cancel_statistics buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.cancel_statistics";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1024,}\x27|\x22[^\x22]{1024,}\x22)
[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1024,}\x27|\x22[^\x22]{1024,}\x22)
[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]
{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community;
classtype:attempted-user; sid:2609; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE LINK metadata buffer overflow attempt";
flow:to_server,established; content:"CREATE"; nocase; content:"DATABASE";
nocase; content:"LINK"; nocase; pcre:"/USING\s*((\x27[^\x27]{1000})|
(\x22[^\x22]{1000}))/Rmsi"; metadata:ruleset community;
reference:bugtraq,12296; reference:bugtraq,7453; reference:cve,2003-0222;
reference:cve,2005-0297; reference:nessus,11563;
reference:url,archives.neohapsis.com/archives/bugtraq/2003-04/0360.html;
classtype:attempted-user; sid:2611; rev:11;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_auth.revoke_surrogate_repcat buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_auth.revoke_surrogate_repcat"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]
{1024,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|
userid\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community;

reference:url,www.appsecinc.com/Policy/PolicyCheck97.html;
classtype:attempted-user; sid:2612; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE time_zone buffer overflow attempt"; flow:to_server,established;
content:"TIME_ZONE"; nocase; pcre:"/TIME_ZONE\s*=\s*((\x27[^\x27]
{1000,})|(\x22[^\x22]{1000,}))/msi"; metadata:ruleset community;
reference:bugtraq,9587; reference:cve,2003-1208; reference:nessus,12047;
reference:url,www.nextgenss.com/advisories/ora_time_zone.txt;
classtype:attempted-user; sid:2614; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_auth.grant_surrogate_repcat buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_auth.grant_surrogate_repcat"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]
{1024,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|
userid\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/Policy/PolicyCheck97.html;
classtype:attempted-user; sid:2615; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat.alter_mview_propagation buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat.alter_mview_propagation"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]
{1024,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/Policy/PolicyCheck632.html;
classtype:attempted-user; sid:2617; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_master_repobject buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.alter_master_repobject";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1024,}\x27|\x22[^\x22]{1024,}\x22)
[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si";
metadata:ruleset community;
reference:url,www.appsecinc.com/Policy/PolicyCheck634.html;
classtype:attempted-user; sid:2619; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat_sna_utl.register_flavor_change buffer overflow
attempt"; flow:to_server,established;
content:"dbms_repcat_sna_utl.register_flavor_change"; nocase; pcre:"/\
(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; metadata:ruleset
community; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html;
classtype:attempted-user; sid:2621; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat_admin.unregister_user_repgroup buffer overflow
attempt"; flow:to_server,established;
content:"dbms_repcat_admin.unregister_user_repgroup"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]
{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|

privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/Policy/PolicyCheck94.html;
classtype:attempted-user; sid:2624; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.send_old_values buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.send_old_values";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1024,}\x27|\x22[^\x22]{1024,}\x22)
[\r\n\s]*\x3b.*operation[\r\n\s]*=>[\r\n\s]*\2|
operation\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/Policy/PolicyCheck91.html;
classtype:attempted-user; sid:2626; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.repcat_import_check buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.repcat_import_check";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1024,}\x27|\x22[^\x22]{1024,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1024,}\x27|\x22[^\x22]{1024,}\x22)
[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]
{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|
false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si";
metadata:ruleset community;
reference:url,www.appsecinc.com/Policy/PolicyCheck90.html;
classtype:attempted-user; sid:2627; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat_admin.register_user_repgroup buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat_admin.register_user_repgroup"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)
[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|
privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/Policy/PolicyCheck94.html;
classtype:attempted-user; sid:2629; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_rectifier_diff.rectify buffer overflow attempt";
flow:to_server,established; content:"sys.dbms_rectifier_diff.rectify";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1024,}\x27|\x22[^\x22]{1024,}\x22)
[\r\n\s]*\x3b.*sname1[\r\n\s]*=>[\r\n\s]*\2|sname1\s*=>\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]
{1024,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/Policy/PolicyCheck97.html;
classtype:attempted-user; sid:2633; rev:7;)

# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_master_repobject buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.drop_master_repobject";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1024,}\x27|\x22[^\x22]{1024,}\x22)
[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si";
metadata:ruleset community;
reference:url,www.appsecinc.com/Policy/PolicyCheck634.html;
classtype:attempted-user; sid:2637; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_mview_repgroup buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.drop_mview_repgroup";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1024,}\x27|\x22[^\x22]{1024,}\x22)
[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|
false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si";
metadata:ruleset community;
reference:url,www.appsecinc.com/Policy/PolicyCheck90.html;
classtype:attempted-user; sid:2639; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat_instantiate.drop_site_instantiation buffer overflow
attempt"; flow:to_server,established;
content:"dbms_repcat_instantiate.drop_site_instantiation"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]
{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|
refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\
(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset
community; classtype:attempted-user; sid:2641; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_fla.ensure_not_published buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_fla.ensure_not_published"; nocase; pcre:"/\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,})/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/Policy/PolicyCheck96.html;
classtype:attempted-user; sid:2643; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE from_tz buffer overflow attempt"; flow:to_server,established;
content:"FROM_TZ"; nocase; pcre:"/\
(\s*TIMESTAMP\s*(\s*(\x27[^\x27]+'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]
{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; metadata:ruleset community;
reference:url,www.nextgenss.com/advisories/ora_from_tz.txt;
classtype:attempted-user; sid:2644; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat_instantiate.instantiate_offline buffer overflow
attempt"; flow:to_server,established;
content:"dbms_repcat_instantiate.instantiate_offline"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]
{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|

refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\
(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset
community; classtype:attempted-user; sid:2645; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $ORACLE_PORTS (msg:"SERVER-ORACLE Oracle 9i TNS Listener SERVICE_NAME Remote Buffer Overflow
attempt"; flow:to_server,established; content:"connect_data"; nocase;
content:"|28|service_name="; nocase; isdataat:1000,relative; content:!"|
29|"; within:1000; metadata:ruleset community; reference:cve,2002-0965;
classtype:attempted-user; sid:2649; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE user name buffer overflow attempt"; flow:to_server,established;
content:"connect_data"; nocase; content:"|28|user="; nocase;
isdataat:1000,relative; content:!"|29|"; within:1000; metadata:ruleset
community; reference:bugtraq,6849; reference:cve,2003-0095;
reference:url,otn.oracle.com/deploy/security/pdf/2003alert51.pdf;
reference:url,www.appsecinc.com/Policy/PolicyCheck62.html;
classtype:attempted-user; sid:2650; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE NUMTODSINTERVAL/NUMTOYMINTERVAL buffer overflow attempt";
flow:to_server,established; content:"NUMTO"; nocase; content:"INTERVAL";
distance:2; nocase; pcre:"/NUMTO(DS|YM)INTERVAL\s*\
(\s*\d+\s*,\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/msi";
metadata:ruleset community; reference:bugtraq,9587; reference:cve,2003-1208; reference:url,www.nextgenss.com/advisories/ora_numtodsinterval.txt;
reference:url,www.nextgenss.com/advisories/ora_numtoyminterval.txt;
classtype:attempted-user; sid:2651; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_offline_og.begin_load buffer overflow attempt";
flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]
{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|
gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/Policy/PolicyCheck632.html;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2652; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHPNuke Forum viewtopic SQL insertion attempt";
flow:to_server,established; content:"/modules.php"; nocase; http_uri;
content:"name=Forums"; content:"file=viewtopic"; fast_pattern:only;
pcre:"/forum=.*'/"; metadata:ruleset community, service http;
reference:bugtraq,7193; classtype:web-application-attack; sid:2654;
rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"SERVER-OTHER HP Web
JetAdmin ExecuteFile admin access"; flow:to_server,established;
content:"/plugins/framework/script/content.hts"; fast_pattern:only;
content:"ExecuteFile"; nocase; metadata:ruleset community;
reference:bugtraq,10224; classtype:attempted-admin; sid:2655; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-WEBAPP SSLv2
Client_Hello Challenge Length overflow attempt";
flow:to_server,established; ssl_version:sslv2; ssl_state:client_hello;
content:"|01 00 02|"; depth:3; offset:2; byte_test:1,>,127,0;
byte_test:2,>,32,9; metadata:ruleset community, service ssl;

reference:bugtraq,11015; reference:cve,2004-0826; classtype:attempted-admin; sid:2656; rev:21;)


# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-WEBAPP SSLv2
Client_Hello with pad Challenge Length overflow attempt";
flow:to_server,established; ssl_version:sslv2; ssl_state:client_hello;
content:"|01 00 02|"; depth:3; offset:2; byte_test:2,>,32,9;
metadata:ruleset community, service ssl; classtype:attempted-admin;
sid:2657; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Ipswitch WhatsUpGold instancename overflow attempt";
flow:to_server,established; content:"/_maincfgret.cgi";
fast_pattern:only; http_uri; content:"instancename="; nocase; http_uri;
isdataat:513,relative; pcre:"/instancename=[^&\x3b\r\n]{513}/Usmi";
metadata:ruleset community, service http; reference:bugtraq,11043;
reference:cve,2004-0798; classtype:web-application-attack; sid:2663;
rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP login
format string attempt"; flow:established,to_server; content:"LOGIN";
fast_pattern:only; pcre:"/\sLOGIN\s[^\n]*?%/smi"; metadata:ruleset
community, service imap; reference:bugtraq,10976; reference:cve,2004-0777; classtype:attempted-admin; sid:2664; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP login
literal format string attempt"; flow:established,to_server;
content:"LOGIN"; fast_pattern:only; pcre:"/\sLOGIN\s\w+\s\{\d+\}
[\r]?\n[^\n]*?%/smi"; metadata:ruleset community, service imap;
reference:bugtraq,10976; reference:cve,2007-0221;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-026;
classtype:attempted-admin; sid:2665; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP PASS
format string attempt"; flow:to_server,established; content:"PASS";
fast_pattern:only; pcre:"/^PASS\s+[^\n]*?%/smi"; metadata:ruleset
community, service pop3; reference:bugtraq,10976; reference:cve,2004-0777; classtype:attempted-admin; sid:2666; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ping.asp access"; flow:to_server,established; content:"/ping.asp";
nocase; http_uri; metadata:ruleset community, service http;
reference:nessus,10968; classtype:web-application-activity; sid:2667;
rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP processit access"; flow:to_server,established;
content:"/processit.pl"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:nessus,10649; classtype:web-application-activity; sid:2668; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ibillpm.pl access"; flow:to_server,established;
content:"/ibillpm.pl"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,3476; reference:cve,2001-0839;
reference:nessus,11083; classtype:web-application-activity; sid:2669;
rev:15;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP pgpmail.pl access"; flow:to_server,established;
content:"/pgpmail.pl"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,3605; reference:cve,2001-0937;

reference:nessus,11070; classtype:web-application-activity; sid:2670;


rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"BROWSER-IE Microsoft Internet Explorer bitmap BitmapOffset integer
overflow attempt"; flow:to_client,established; flowbits:isset,file.bmp;
file_data; content:"BM"; byte_test:4,>,2147480000,8,relative,little;
metadata:ruleset community, service ftp-data, service http, service imap,
service pop3; reference:bugtraq,9663; reference:cve,2004-0566;
reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-025;
classtype:attempted-user; sid:2671; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sresult.exe access"; flow:to_server,established;
content:"/sresult.exe"; fast_pattern:only; http_uri; metadata:ruleset
community, service http; reference:bugtraq,10837; reference:cve,2004-2528; reference:nessus,14186; classtype:web-application-activity;
sid:2672; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE libpng tRNS overflow attempt"; flow:to_client,established;
flowbits:isset,file.png; file_data; content:"|89|PNG|0D 0A 1A 0A|";
content:"IHDR"; within:4; distance:4; content:"tRNS"; distance:0;
byte_test:4,>,256,-8,relative,big; pcre:"/IHDR(?!.*?PLTE).*?tRNS/s";
metadata:ruleset community, service ftp-data, service http, service imap,
service pop3; reference:bugtraq,10872; reference:cve,2004-0597;
classtype:attempted-user; sid:2673; rev:12;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_delete_resolution buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.add_delete_resolution";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1024,}\x27|\x22[^\x22]{1024,}\x22)
[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1024,}\x27|\x22[^\x22]{1024,}\x22)
[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]
{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community;
classtype:attempted-user; sid:2674; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat_rgt.instantiate_offline buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat_rgt.instantiate_offline"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)
[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|
privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\
(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset
community; classtype:attempted-user; sid:2675; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat_rgt.instantiate_online buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat_rgt.instantiate_online";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1024,}\x27|\x22[^\x22]{1024,}\x22)
[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|
refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]

{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community;


classtype:attempted-user; sid:2677; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE ctx_output.start_log buffer overflow attempt";
flow:to_server,established; content:"ctx_output.start_log"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]
{1024,}\x22)[\r\n\s]*\x3b.*logfile[\r\n\s]*=>[\r\n\s]*\2|
logfile\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community;
classtype:attempted-user; sid:2678; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_system.ksdwrt buffer overflow attempt";
flow:to_server,established; content:"sys.dbms_system.ksdwrt"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]
{1024,}\x22)[\r\n\s]*\x3b.*tst[\r\n\s]*=>[\r\n\s]*\2|
tst\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\
(\s*\d+\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si";
metadata:ruleset community; classtype:attempted-user; sid:2679; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE ctxsys.driddlr.subindexpopulate buffer overflow attempt";
flow:to_server,established; content:"ctxsys.driddlr.subindexpopulate";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1024,}\x27|\x22[^\x22]{1024,}\x22)
[\r\n\s]*\x3b.*logfile[\r\n\s]*=>[\r\n\s]*\2|logfile\s*=>\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,})|\(\s*(\d+\s*,\s*){3}(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community;
classtype:attempted-user; sid:2680; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE mdsys.sdo_admin.sdo_code_size buffer overflow attempt";
flow:to_server,established; content:"mdsys.sdo_admin.sdo_code_size";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1024,}\x27|\x22[^\x22]{1024,}\x22)
[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]
{1024,}))/si"; metadata:ruleset community; classtype:attempted-user;
sid:2681; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE mdsys.md2.validate_geom buffer overflow attempt";
flow:to_server,established; content:"mdsys.md2.validate_geom"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{128,}\x27|\x22[^\x22]
{128,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|
layer\s*=>\s*(\x27[^\x27]{128,}|\x22[^\x22]{128,})|\(\s*(\x27[^\x27]
{128,}|\x22[^\x22]{128,}))/si"; metadata:ruleset community;
classtype:attempted-user; sid:2682; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE mdsys.md2.sdo_code_size buffer overflow attempt";
flow:to_server,established; content:"mdsys.md2.sdo_code_size"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{512,}\x27|\x22[^\x22]
{512,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|
layer\s*=>\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,})|\(\s*(\x27[^\x27]
{512,}|\x22[^\x22]{512,}))/si"; metadata:ruleset community;
classtype:attempted-user; sid:2683; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.ltutil.pushdeferredtxns buffer overflow attempt";

flow:to_server,established; content:"sys.ltutil.pushdeferredtxns";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{512,}\x27|\x22[^\x22]{512,}\x22)
[\r\n\s]*\x3b.*repgrpname[\r\n\s]*=>[\r\n\s]*\2|
repgrpname\s*=>\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,})|\(\s*(\x27[^\x27]
{512,}|\x22[^\x22]{512,}))/si"; metadata:ruleset community;
classtype:attempted-user; sid:2684; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_rq.add_column buffer overflow attempt";
flow:to_server,established; content:"sys.dbms_repcat_rq.add_column";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1024,}\x27|\x22[^\x22]{1024,}\x22)
[\r\n\s]*\x3b.*SCHEMA_NAME[\r\n\s]*=>[\r\n\s]*\2|
SCHEMA_NAME\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\
(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset
community; classtype:attempted-user; sid:2685; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_rectifier_diff.differences buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_rectifier_diff.differences"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)
[\r\n\s]*\x3b.*sname1[\r\n\s]*=>[\r\n\s]*\2|sname1\s*=>\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]*\x22)\s*,\s*){9}(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community;
reference:bugtraq,10871; reference:cve,2004-1362; reference:cve,2004-1363; reference:cve,2004-1364; reference:cve,2004-1365;
reference:cve,2004-1366; reference:cve,2004-1368; reference:cve,2004-1369; reference:cve,2004-1370; reference:cve,2004-1371;
reference:url,www.appsecinc.com/Policy/PolicyCheck97.html;
classtype:attempted-user; sid:2686; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_internal_repcat.validate buffer overflow attempt";
flow:to_server,established; content:"sys.dbms_internal_repcat.validate";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1024,}\x27|\x22[^\x22]{1024,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]
{1024,}))/si"; metadata:ruleset community; classtype:attempted-user;
sid:2687; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_internal_repcat.enable_receiver_trace buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_internal_repcat.enable_receiver_trace"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]
{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|
gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community;
classtype:attempted-user; sid:2688; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_internal_repcat.disable_receiver_trace buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_internal_repcat.disable_receiver_trace"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]

{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|
gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community;
classtype:attempted-user; sid:2689; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_defer_repcat.enable_propagation_to_dblink buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_defer_repcat.enable_propagation_to_dblink"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]
{1024,}\x22)[\r\n\s]*\x3b.*dblink[\r\n\s]*=>[\r\n\s]*\2|
dblink\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community;
classtype:attempted-user; sid:2690; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_defer_internal_sys.parallel_push_recovery buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_defer_internal_sys.parallel_push_recovery"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]
{1024,}\x22)[\r\n\s]*\x3b.*destination[\r\n\s]*=>[\r\n\s]*\2|
destination\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\
(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset
community; classtype:attempted-user; sid:2691; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_aqadm_sys.verify_queue_types buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_aqadm_sys.verify_queue_types"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)
[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|
src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\
(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset
community; classtype:attempted-user; sid:2692; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_aqadm.verify_queue_types_no_queue buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_aqadm.verify_queue_types_no_queue"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]
{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|
src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\
(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset
community; classtype:attempted-user; sid:2693; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_aqadm.verify_queue_types_get_nrp buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_aqadm.verify_queue_types_get_nrp"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]
{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|
src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\
(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset
community; classtype:attempted-user; sid:2694; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_aq_import_internal.aq_table_defn_update buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_aq_import_internal.aq_table_defn_update"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]

{1024,}\x22)[\r\n\s]*\x3b.*qt_name[\r\n\s]*=>[\r\n\s]*\2|
qt_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community;
classtype:attempted-user; sid:2695; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_utl.is_master buffer overflow attempt";
flow:to_server,established; content:"sys.dbms_repcat_utl.is_master";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1024,}\x27|\x22[^\x22]{1024,}\x22)
[\r\n\s]*\x3b.*CANON_GNAME[\r\n\s]*=>[\r\n\s]*\2|
CANON_GNAME\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si";
metadata:ruleset community; classtype:attempted-user; sid:2696; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE alter file buffer overflow attempt"; flow:to_server,established;
content:"alter"; nocase; pcre:"/ALTER\s.*?FILE\s+((AS|MEMBER|TO)\s+)?
(\x27[^\x27]{512}|\x22[^\x22]{512})/smi"; metadata:ruleset community;
classtype:attempted-user; sid:2697; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE create file buffer overflow attempt"; flow:to_server,established;
content:"create"; nocase; pcre:"/CREATE\s.*?FILE\s+((AS|MEMBER|TO)\s+)?
(\x27[^\x27]{512}|\x22[^\x22]{512})/smi"; metadata:ruleset community;
classtype:attempted-user; sid:2698; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE TO_CHAR buffer overflow attempt"; flow:to_server,established;
content:"TO_CHAR"; nocase; pcre:"/TO_CHAR\s*\
(\s*SYSTIMESTAMP\s*,\s*(\x27[^\x27]{256}|\x22[^\x22]{256})/smi";
metadata:ruleset community; reference:bugtraq,10871; reference:cve,2004-1364; classtype:attempted-user; sid:2699; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle iSQLPlus sid overflow attempt"; flow:to_server,established;
content:"/isqlplus"; nocase; http_uri; pcre:"/sid=[^&\x3b\r\n]{255}/si";
metadata:ruleset community, service http; reference:bugtraq,10871;
reference:cve,2004-1362; reference:cve,2004-1363; reference:cve,2004-1364; reference:cve,2004-1365; reference:cve,2004-1366;
reference:cve,2004-1368; reference:cve,2004-1369; reference:cve,2004-1370; reference:cve,2004-1371;
reference:url,www.nextgenss.com/advisories/ora-isqlplus.txt;
classtype:web-application-attack; sid:2701; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle iSQLPlus username overflow attempt";
flow:to_server,established; content:"/isqlplus"; nocase; http_uri;
pcre:"/username=[^&\x3b\r\n]{255}/si"; metadata:ruleset community,
service http; reference:bugtraq,10871; reference:cve,2004-1362;
reference:cve,2004-1363; reference:cve,2004-1364; reference:cve,2004-1365; reference:cve,2004-1366; reference:cve,2004-1368;
reference:cve,2004-1369; reference:cve,2004-1370; reference:cve,2004-1371; reference:url,www.nextgenss.com/advisories/ora-isqlplus.txt;
classtype:web-application-attack; sid:2702; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle iSQLPlus login.uix username overflow attempt";
flow:to_server,established; content:"/login.uix"; nocase; http_uri;
pcre:"/username=[^&\x3b\r\n]{250}/smi"; metadata:ruleset community,
service http; reference:bugtraq,10871; reference:cve,2004-1362;
reference:cve,2004-1363; reference:cve,2004-1364; reference:cve,2004-1365; reference:cve,2004-1366; reference:cve,2004-1368;
reference:cve,2004-1369; reference:cve,2004-1370; reference:cve,2004-1371; reference:url,www.nextgenss.com/advisories/ora-isqlplus.txt;
classtype:web-application-attack; sid:2703; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle 10g iSQLPlus login.unix connectID overflow attempt";
flow:to_server,established; content:"/login.uix"; nocase; http_uri;
content:"connectID="; nocase; isdataat:255,relative;
pcre:"/connectID=[^&\x3b\r\n]{255}/smi"; metadata:ruleset community,
service http; reference:bugtraq,10871; reference:cve,2004-1362;
reference:cve,2004-1363; reference:cve,2004-1364; reference:cve,2004-1365; reference:cve,2004-1366; reference:cve,2004-1368;
reference:cve,2004-1369; reference:cve,2004-1370; reference:cve,2004-1371; reference:url,www.nextgenss.com/advisories/ora-isqlplus.txt;
classtype:web-application-attack; sid:2704; rev:12;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-IMAGE
Microsoft Multiple Products JPEG parser heap overflow attempt";
flow:to_client,established; content:"Content-Type"; nocase; http_header;
content:"image/"; nocase; http_header; pcre:"/^Content-Type\x3A\s*image\x2F/smiH"; file_data; content:"|FF D8|"; within:2;
fast_pattern; pcre:"/^.{0,100}\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/sR";
metadata:ruleset community, service http; reference:bugtraq,11173;
reference:cve,2004-0200;
reference:url,www.microsoft.com/security/bulletins/200409_jpeg.mspx;
classtype:attempted-user; sid:2705; rev:18;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE JPEG parser multipacket heap overflow attempt";
flow:to_client,established; flowbits:isset,file.jpeg; file_data;
content:"|00 48 00 00 FF|"; fast_pattern:only;
pcre:"/\x00\x48\x00\x00\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/";
metadata:ruleset community, service ftp-data, service http, service imap,
service pop3; reference:bugtraq,11173; reference:cve,2004-0200;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-028;
classtype:attempted-admin; sid:2707; rev:13;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_offline_og.begin_flavor_change buffer overflow attempt";
flow:to_server,established;
content:"dbms_offline_og.begin_flavor_change"; nocase; pcre:"/\
(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset
community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2708; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_offline_og.begin_instantiation buffer overflow attempt";
flow:to_server,established;
content:"dbms_offline_og.begin_instantiation"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2709; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_offline_og.end_flavor_change buffer overflow attempt";
flow:to_server,established; content:"dbms_offline_og.end_flavor_change";
nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si";
metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2711; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_offline_og.end_instantiation buffer overflow attempt";
flow:to_server,established; content:"dbms_offline_og.end_instantiation";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2712; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_offline_og.end_load buffer overflow attempt";
flow:to_server,established; content:"dbms_offline_og.end_load"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|
gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2713; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_offline_og.resume_subset_of_masters buffer overflow attempt";
flow:to_server,established;
content:"dbms_offline_og.resume_subset_of_masters"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2714; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_offline_snapshot.begin_load buffer overflow attempt";
flow:to_server,established; content:"dbms_offline_snapshot.begin_load";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2715; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_offline_snapshot.end_load buffer overflow attempt";
flow:to_server,established; content:"dbms_offline_snapshot.end_load";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/Policy/PolicyCheck632.html;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2716; rev:5;)


# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_rectifier_diff.differences buffer overflow attempt";
flow:to_server,established; content:"dbms_rectifier_diff.differences";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(missing_rows_oname1|
missing_rows_oname2)[\r\n\s]*=>[\r\n\s]*\2|(missing_rows_oname1|
missing_rows_oname2)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){10}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/Policy/PolicyCheck97.html;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2717; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_rectifier_diff.rectify buffer overflow attempt";
flow:to_server,established; content:"dbms_rectifier_diff.rectify";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(missing_rows_oname1|
missing_rows_oname2)[\r\n\s]*=>[\r\n\s]*\2|(missing_rows_oname1|
missing_rows_oname2)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){8}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2718; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.abort_flavor_definition buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.abort_flavor_definition"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2719; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_column_group_to_flavor buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.add_column_group_to_flavor"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2720; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_columns_to_flavor buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.add_columns_to_flavor";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2721; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_object_to_flavor buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.add_object_to_flavor";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2722; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_priority_char buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.add_priority_char";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2723; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_priority_date buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.add_priority_date";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2724; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_priority_nchar buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.add_priority_nchar";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2725; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_priority_number buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.add_priority_number";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2726; rev:4;)


# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_priority_nvarchar2 buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.add_priority_nvarchar2";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2727; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_priority_raw buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.add_priority_raw";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2728; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_priority_varchar2 buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.add_priority_varchar2";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2729; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_site_priority_site buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.add_site_priority_site";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2730; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_unique_resolution buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.add_unique_resolution";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)
[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2731; rev:4;)

# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_update_resolution buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.add_update_resolution";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)
[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2732; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_master_propagation buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.alter_master_propagation"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2733; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_mview_propagation buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.alter_mview_propagation"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|
gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2734; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_priority_char buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.alter_priority_char";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2735; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_priority_date buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.alter_priority_date";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2736; rev:4;)

# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_priority_nchar buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.alter_priority_nchar";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2737; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_priority_number buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.alter_priority_number";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2738; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_priority_nvarchar2 buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.alter_priority_nvarchar2"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2739; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_priority_raw buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.alter_priority_raw";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2740; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_priority buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.alter_priority"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|
gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2741; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_priority_varchar2 buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.alter_priority_varchar2"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2742; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_site_priority_site buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.alter_site_priority_site"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2743; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_site_priority buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.alter_site_priority";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2744; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_snapshot_propagation buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.alter_snapshot_propagation"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2745; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat_auth.revoke_surrogate_repcat"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2746; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.begin_flavor_definition buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.begin_flavor_definition"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2747; rev:6;)


# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.comment_on_column_group buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.comment_on_column_group"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|
oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2748; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.comment_on_delete_resolution buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.comment_on_delete_resolution"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|
oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2749; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.comment_on_mview_repsites buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.comment_on_mview_repsites"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*(gowner|gname)[\r\n\s]*=>[\r\n\s]*\2|(gowner|
gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2750; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.comment_on_priority_group buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.comment_on_priority_group"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2751; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.comment_on_repgroup buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.comment_on_repgroup";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2752; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.comment_on_repsites buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.comment_on_repsites";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2753; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.comment_on_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2754; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.comment_on_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2755; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.comment_on_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2756; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.create_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_master_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2757; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.create_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2758; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2759; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.define_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2760; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.define_priority_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_priority_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2761; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.define_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2762; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.do_deferred_repcat_admin buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.do_deferred_repcat_admin"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2763; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_column_group_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_column_group_from_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2764; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2765; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_columns_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_columns_from_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2766; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_delete_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2767; rev:4;)


# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_grouped_column buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_grouped_column"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2768; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_mview_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2769; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_object_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_object_from_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2770; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2771; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2772; rev:6;)


# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2773; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2774; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2775; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2776; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2777; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2778; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2779; rev:6;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2780; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2781; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_snapshot_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2782; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2783; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2784; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.execute_ddl buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.execute_ddl"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2785; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.generate_replication_package buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_package"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2786; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat_instantiate.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_online"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2787; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.make_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.make_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2788; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.obsolete_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.obsolete_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2789; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.publish_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.publish_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2790; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.purge_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2791; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.purge_master_log buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_master_log"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2792; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.purge_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2793; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.refresh_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2794; rev:5;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2795; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.register_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2796; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2797; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.register_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2798; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.relocate_masterdef buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.relocate_masterdef"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2799; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.rename_shadow_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.rename_shadow_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2800; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.resume_master_activity buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.resume_master_activity"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2801; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat_rgt.check_ddl_text buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.check_ddl_text"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(object_type|user_name)[\r\n\s]*=>[\r\n\s]*\2|(object_type|user_name)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2802; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.drop_site_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(refresh_template_name|user_name)[\r\n\s]*=>[\r\n\s]*\2|(refresh_template_name|user_name)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2803; rev:4;)
# sid:2804 / dbms_repcat.send_and_compare_old_values -- disabled by default (leading '#').
# Alerts when a 1075+ char quoted string is the first or second positional argument,
# is passed as sname => or oname =>, or was assigned (:=) to a PL/SQL variable
# earlier in the buffer that is then passed under one of those names (\2).
# The pcre has no R modifier, so it is not anchored to the content match.
# Rule text is hard-wrapped here; load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.send_and_compare_old_values buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.send_and_compare_old_values"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|
oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2804; rev:4;)
# sid:2805 / dbms_repcat.set_columns -- disabled by default (leading '#').
# Alerts when a 1075+ char quoted string is the first or second positional argument,
# is passed as sname => or oname =>, or was assigned (:=) to a PL/SQL variable
# earlier in the buffer that is then passed under one of those names (\2).
# The pcre has no R modifier, so it is not anchored to the content match.
# Rule text is hard-wrapped here; load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.set_columns buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.set_columns"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|
oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2805; rev:4;)
# sid:2806 / dbms_repcat.set_local_flavor -- disabled by default (leading '#').
# Alerts when a 1075+ char quoted string is the first, second or third positional
# argument, is passed as gname =>, fname => or gowner =>, or was assigned (:=) to a
# PL/SQL variable earlier in the buffer that is then passed under one of those names (\2).
# The pcre has no R modifier, so it is not anchored to the content match.
# Rule text is hard-wrapped here; load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.set_local_flavor buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.set_local_flavor";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)
[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2806; rev:4;)
# sid:2807 / dbms_repcat.specify_new_masters -- disabled by default (leading '#').
# Alerts when a 1075+ char quoted string is the first positional argument, is passed
# as gname =>, or was assigned (:=) to a PL/SQL variable earlier in the buffer that
# is then passed as gname => (\2).
# The pcre has no R modifier, so it is not anchored to the content match.
# Rule text is hard-wrapped here; load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.specify_new_masters buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.specify_new_masters";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2807; rev:4;)
# sid:2808 / dbms_repcat.suspend_master_activity -- disabled by default (leading '#').
# Alerts when a 1075+ char quoted string is the first positional argument, is passed
# as gname =>, or was assigned (:=) to a PL/SQL variable earlier in the buffer that
# is then passed as gname => (\2).
# The pcre has no R modifier, so it is not anchored to the content match.
# Rule text is hard-wrapped here (with a stray blank line after the msg); load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.suspend_master_activity buffer overflow attempt";

flow:to_server,established;
content:"dbms_repcat.suspend_master_activity"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2808; rev:4;)
# sid:2809 / dbms_repcat.unregister_mview_repgroup -- disabled by default (leading '#').
# Alerts when a 1075+ char quoted string is the first or third positional argument,
# is passed as gname => or gowner =>, or was assigned (:=) to a PL/SQL variable
# earlier in the buffer that is then passed under one of those names (\2).
# The pcre has no R modifier, so it is not anchored to the content match.
# Rule text is hard-wrapped here; load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.unregister_mview_repgroup buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.unregister_mview_repgroup"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|
gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2809; rev:4;)
# sid:2810 / dbms_repcat.unregister_snapshot_repgroup -- disabled by default (leading '#').
# Alerts when a 1075+ char quoted string is the first positional argument, is passed
# as gname =>, or was assigned (:=) to a PL/SQL variable earlier in the buffer that
# is then passed as gname => (\2).
# The pcre has no R modifier, so it is not anchored to the content match.
# Rule text is hard-wrapped here; load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.unregister_snapshot_repgroup buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.unregister_snapshot_repgroup"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2810; rev:4;)
# sid:2811 / dbms_repcat.validate_flavor_definition -- disabled by default (leading '#').
# Alerts when a 1075+ char quoted string is the first positional argument, is passed
# as gname =>, or was assigned (:=) to a PL/SQL variable earlier in the buffer that
# is then passed as gname => (\2).
# The pcre has no R modifier, so it is not anchored to the content match.
# Rule text is hard-wrapped here; load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.validate_flavor_definition buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.validate_flavor_definition"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2811; rev:4;)
# sid:2812 / dbms_repcat.validate_for_local_flavor -- disabled by default (leading '#').
# Alerts when a 1075+ char quoted string is the first or third positional argument,
# is passed as gname => or gowner =>, or was assigned (:=) to a PL/SQL variable
# earlier in the buffer that is then passed under one of those names (\2).
# The pcre has no R modifier, so it is not anchored to the content match.
# Rule text is hard-wrapped here; load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.validate_for_local_flavor buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.validate_for_local_flavor"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|
gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2812; rev:4;)
# sid:2813 / sys.dbms_repcat_fla.abort_flavor_definition -- disabled by default (leading '#').
# Alerts only when the first positional argument is a 1075+ char quoted string;
# named-parameter and variable-indirection forms are not checked. The pcre has no
# R modifier, so the '(' it matches need not belong to this call.
# Rule text is hard-wrapped here (with a stray blank line inside the msg); load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_fla.abort_flavor_definition buffer overflow

attempt"; flow:to_server,established;
content:"sys.dbms_repcat_fla.abort_flavor_definition"; nocase; pcre:"/\
(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset
community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2813; rev:4;)
# sid:2814 / sys.dbms_repcat_fla.add_object_to_flavor -- disabled by default (leading '#').
# Alerts only when the first positional argument is a 1075+ char quoted string;
# named-parameter and variable-indirection forms are not checked. The pcre has no
# R modifier, so the '(' it matches need not belong to this call.
# Rule text is hard-wrapped here; load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_fla.add_object_to_flavor buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_fla.add_object_to_flavor"; nocase; pcre:"/\
(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset
community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2814; rev:4;)
# sid:2815 / sys.dbms_repcat_fla.begin_flavor_definition -- disabled by default (leading '#').
# Alerts only when the first positional argument is a 1075+ char quoted string;
# named-parameter and variable-indirection forms are not checked. The pcre has no
# R modifier, so the '(' it matches need not belong to this call.
# Rule text is hard-wrapped here; load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_fla.begin_flavor_definition buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_fla.begin_flavor_definition"; nocase; pcre:"/\
(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset
community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2815; rev:4;)
# sid:2816 / sys.dbms_repcat_fla.drop_object_from_flavor -- disabled by default (leading '#').
# Alerts only when the first positional argument is a 1075+ char quoted string;
# named-parameter and variable-indirection forms are not checked. The pcre has no
# R modifier, so the '(' it matches need not belong to this call.
# Rule text is hard-wrapped here; load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_fla.drop_object_from_flavor buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_fla.drop_object_from_flavor"; nocase; pcre:"/\
(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset
community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2816; rev:4;)
# sid:2817 / sys.dbms_repcat_fla_mas.add_column_group_to_flavor -- disabled by default (leading '#').
# Alerts only when the first positional argument is a 1075+ char quoted string;
# named-parameter and variable-indirection forms are not checked. The pcre has no
# R modifier, so the '(' it matches need not belong to this call.
# Rule text is hard-wrapped here; load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_fla_mas.add_column_group_to_flavor buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_fla_mas.add_column_group_to_flavor"; nocase;
pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset
community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2817; rev:4;)
# sid:2818 / sys.dbms_repcat_fla_mas.add_columns_to_flavor -- disabled by default (leading '#').
# Alerts only when the first positional argument is a 1075+ char quoted string;
# named-parameter and variable-indirection forms are not checked. The pcre has no
# R modifier, so the '(' it matches need not belong to this call.
# Rule text is hard-wrapped here; load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_fla_mas.add_columns_to_flavor buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_fla_mas.add_columns_to_flavor"; nocase; pcre:"/\
(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset
community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2818; rev:4;)
# sid:2819 / sys.dbms_repcat_fla_mas.drop_column_group_from_flavor -- disabled by default (leading '#').
# Alerts only when the first positional argument is a 1075+ char quoted string;
# named-parameter and variable-indirection forms are not checked. The pcre has no
# R modifier, so the '(' it matches need not belong to this call.
# Rule text is hard-wrapped here; load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_fla_mas.drop_column_group_from_flavor buffer
overflow attempt"; flow:to_server,established;
content:"sys.dbms_repcat_fla_mas.drop_column_group_from_flavor"; nocase;
pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset
community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2819; rev:4;)
# sid:2820 / sys.dbms_repcat_fla_mas.drop_columns_from_flavor -- disabled by default (leading '#').
# Alerts only when the first positional argument is a 1075+ char quoted string;
# named-parameter and variable-indirection forms are not checked. The pcre has no
# R modifier, so the '(' it matches need not belong to this call.
# Rule text is hard-wrapped here; load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_fla_mas.drop_columns_from_flavor buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_fla_mas.drop_columns_from_flavor"; nocase;
pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset
community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2820; rev:4;)

# sid:2821 / sys.dbms_repcat_fla_mas.obsolete_flavor_definition -- disabled by default (leading '#').
# Alerts only when the first positional argument is a 1075+ char quoted string;
# named-parameter and variable-indirection forms are not checked. The pcre has no
# R modifier, so the '(' it matches need not belong to this call.
# Rule text is hard-wrapped here; load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_fla_mas.obsolete_flavor_definition buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_fla_mas.obsolete_flavor_definition"; nocase;
pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset
community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2821; rev:4;)
# sid:2822 / sys.dbms_repcat_fla_mas.publish_flavor_definition -- disabled by default (leading '#').
# Alerts only when the first positional argument is a 1075+ char quoted string;
# named-parameter and variable-indirection forms are not checked. The pcre has no
# R modifier, so the '(' it matches need not belong to this call.
# Rule text is hard-wrapped here; load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_fla_mas.publish_flavor_definition buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_fla_mas.publish_flavor_definition"; nocase;
pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset
community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2822; rev:4;)
# sid:2823 / sys.dbms_repcat_fla_mas.purge_flavor_definition -- disabled by default (leading '#').
# Alerts only when the first positional argument is a 1075+ char quoted string;
# named-parameter and variable-indirection forms are not checked. The pcre has no
# R modifier, so the '(' it matches need not belong to this call.
# Rule text is hard-wrapped here; load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_fla_mas.purge_flavor_definition buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_fla_mas.purge_flavor_definition"; nocase;
pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset
community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2823; rev:4;)
# sid:2824 / sys.dbms_repcat_fla.set_local_flavor -- disabled by default (leading '#').
# Alerts when the first, second or third positional argument is a 1075+ char quoted
# string; named-parameter and variable-indirection forms are not checked (unlike
# the dbms_repcat.set_local_flavor rule). The pcre has no R modifier, so it is not
# anchored to the content match. Rule text is hard-wrapped here; load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_fla.set_local_flavor buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_fla.set_local_flavor"; nocase; pcre:"/(\
(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2824; rev:4;)
# sid:2825 / sys.dbms_repcat_fla.validate_flavor_definition -- disabled by default (leading '#').
# Alerts only when the first positional argument is a 1075+ char quoted string;
# named-parameter and variable-indirection forms are not checked. The pcre has no
# R modifier, so the '(' it matches need not belong to this call.
# Rule text is hard-wrapped here; load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_fla.validate_flavor_definition buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_fla.validate_flavor_definition"; nocase;
pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset
community; reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2825; rev:4;)
# sid:2826 / sys.dbms_repcat_fla.validate_for_local_flavor -- disabled by default (leading '#').
# Alerts when the first, second or third positional argument is a 1075+ char quoted
# string; named-parameter and variable-indirection forms are not checked.
# The pcre has no R modifier, so it is not anchored to the content match.
# Rule text is hard-wrapped here; load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_fla.validate_for_local_flavor buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_fla.validate_for_local_flavor"; nocase; pcre:"/
(\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2826; rev:4;)
# sid:2827 / sys.dbms_repcat_mas.alter_master_repobject -- disabled by default (leading '#').
# Alerts when a 1075+ char quoted string is the third positional argument, is passed
# as type =>, or was assigned (:=) to a PL/SQL variable earlier in the buffer that is
# then passed as type => (\2). A long first or second positional argument is NOT
# covered by this rule. The pcre has no R modifier, so it is not anchored to the
# content match. Rule text is hard-wrapped here (with a stray blank line inside the
# pcre); load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_mas.alter_master_repobject buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_mas.alter_master_repobject"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]

{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|
type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2827; rev:4;)
# sid:2828 / sys.dbms_repcat_mas.comment_on_repgroup -- disabled by default (leading '#').
# Alerts when a 1075+ char quoted string is the first positional argument, is passed
# as gname =>, or was assigned (:=) to a PL/SQL variable earlier in the buffer that
# is then passed as gname => (\2).
# The pcre has no R modifier, so it is not anchored to the content match.
# Rule text is hard-wrapped here; load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_mas.comment_on_repgroup buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_mas.comment_on_repgroup"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2828; rev:4;)
# sid:2829 / sys.dbms_repcat_mas.comment_on_repobject -- disabled by default (leading '#').
# Alerts when a 1075+ char quoted string is the third positional argument, is passed
# as type =>, or was assigned (:=) to a PL/SQL variable earlier in the buffer that is
# then passed as type => (\2). A long first or second positional argument is NOT
# covered. The pcre has no R modifier, so it is not anchored to the content match.
# Rule text is hard-wrapped here; load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_mas.comment_on_repobject buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_mas.comment_on_repobject"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2829; rev:4;)
# sid:2830 / sys.dbms_repcat_mas.create_master_repgroup -- disabled by default (leading '#').
# Alerts when a 1075+ char quoted string is the first positional argument, is passed
# as gname =>, or was assigned (:=) to a PL/SQL variable earlier in the buffer that
# is then passed as gname => (\2).
# The pcre has no R modifier, so it is not anchored to the content match.
# Rule text is hard-wrapped here; load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_mas.create_master_repgroup buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_mas.create_master_repgroup"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|
gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2830; rev:4;)
# sid:2831 / sys.dbms_repcat_mas.create_master_repobject -- disabled by default (leading '#').
# Alerts when a 1075+ char quoted string is the sixth positional argument (five
# quoted arguments precede it), is passed as gname =>, or was assigned (:=) to a
# PL/SQL variable earlier in the buffer that is then passed as gname => (\2).
# Long strings in positions 1-5 are NOT covered. The pcre has no R modifier, so it
# is not anchored to the content match. Rule text is hard-wrapped here; load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_mas.create_master_repobject buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_mas.create_master_repobject"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|
gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2831; rev:4;)
# sid:2832 / sys.dbms_repcat_mas.do_deferred_repcat_admin -- disabled by default (leading '#').
# Alerts when a 1075+ char quoted string is the first positional argument, is passed
# as gname =>, or was assigned (:=) to a PL/SQL variable earlier in the buffer that
# is then passed as gname => (\2).
# The pcre has no R modifier, so it is not anchored to the content match.
# Rule text is hard-wrapped here (with a stray blank line inside the pcre); load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_mas.do_deferred_repcat_admin buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_mas.do_deferred_repcat_admin"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|

gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2832; rev:4;)
# sid:2833 / sys.dbms_repcat_mas.drop_master_repgroup -- disabled by default (leading '#').
# Alerts when a 1075+ char quoted string is the first positional argument, is passed
# as gname =>, or was assigned (:=) to a PL/SQL variable earlier in the buffer that
# is then passed as gname => (\2).
# The pcre has no R modifier, so it is not anchored to the content match.
# Rule text is hard-wrapped here; load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_mas.drop_master_repgroup buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_mas.drop_master_repgroup"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2833; rev:4;)
# sid:2834 / sys.dbms_repcat_mas.generate_replication_package -- disabled by default (leading '#').
# Alerts when a 1075+ char quoted string is the first or second positional argument,
# is passed as sname => or oname =>, or was assigned (:=) to a PL/SQL variable
# earlier in the buffer that is then passed under one of those names (\2).
# The pcre has no R modifier, so it is not anchored to the content match.
# Rule text is hard-wrapped here; load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_mas.generate_replication_package buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_mas.generate_replication_package"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|
oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2834; rev:4;)
# sid:2835 / sys.dbms_repcat_mas.purge_master_log -- disabled by default (leading '#').
# Alerts when a 1075+ char quoted string is the second positional argument (one
# quoted argument precedes it), is passed as gname =>, or was assigned (:=) to a
# PL/SQL variable earlier in the buffer that is then passed as gname => (\2).
# A long first positional argument is NOT covered. The pcre has no R modifier, so it
# is not anchored to the content match. Rule text is hard-wrapped here; load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_mas.purge_master_log buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_mas.purge_master_log"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2835; rev:4;)
# sid:2836 / sys.dbms_repcat_mas.relocate_masterdef -- disabled by default (leading '#').
# Alerts when a 1075+ char quoted string is the first positional argument, is passed
# as gname =>, or was assigned (:=) to a PL/SQL variable earlier in the buffer that
# is then passed as gname => (\2).
# The pcre has no R modifier, so it is not anchored to the content match.
# Rule text is hard-wrapped here; load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_mas.relocate_masterdef buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_mas.relocate_masterdef"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2836; rev:4;)
# sid:2837 / sys.dbms_repcat_mas.rename_shadow_column_group -- disabled by default (leading '#').
# Alerts when a 1075+ char quoted string is the first or second positional argument,
# is passed as sname => or oname =>, or was assigned (:=) to a PL/SQL variable
# earlier in the buffer that is then passed under one of those names (\2).
# The pcre has no R modifier, so it is not anchored to the content match.
# Rule text is hard-wrapped here (with a stray blank line inside the pcre); load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_mas.rename_shadow_column_group buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_mas.rename_shadow_column_group"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|
oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]

{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2837; rev:4;)
# sid:2838 / sys.dbms_repcat_mas.resume_master_activity -- disabled by default (leading '#').
# Alerts when a 1075+ char quoted string is the first positional argument, is passed
# as gname =>, or was assigned (:=) to a PL/SQL variable earlier in the buffer that
# is then passed as gname => (\2).
# The pcre has no R modifier, so it is not anchored to the content match.
# Rule text is hard-wrapped here; load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_mas.resume_master_activity buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_mas.resume_master_activity"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|
gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2838; rev:4;)
# sid:2839 / sys.dbms_repcat_mas.suspend_master_activity -- disabled by default (leading '#').
# Alerts when a 1075+ char quoted string is the first positional argument, is passed
# as gname =>, or was assigned (:=) to a PL/SQL variable earlier in the buffer that
# is then passed as gname => (\2).
# The pcre has no R modifier, so it is not anchored to the content match.
# Rule text is hard-wrapped here; load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_mas.suspend_master_activity buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_mas.suspend_master_activity"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|
gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2839; rev:4;)
# sid:2840 / sys.dbms_repcat_sna_utl.alter_snapshot_propagation -- disabled by default (leading '#').
# Alerts when a 1075+ char quoted string is the first or fourth positional argument
# (three quoted arguments precede the latter), is passed as gname => or gowner =>,
# or was assigned (:=) to a PL/SQL variable earlier in the buffer that is then passed
# under one of those names (\2). Positions 2 and 3 are NOT covered.
# The pcre has no R modifier, so it is not anchored to the content match.
# Rule text is hard-wrapped here; load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_sna_utl.alter_snapshot_propagation buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_sna_utl.alter_snapshot_propagation"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|
gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2840; rev:4;)
# sid:2841 / sys.dbms_repcat_sna_utl.create_snapshot_repgroup -- disabled by default (leading '#').
# Alerts when a 1075+ char quoted string is the first, fifth or sixth positional
# argument, is passed as gname =>, fname => or gowner =>, or was assigned (:=) to a
# PL/SQL variable earlier in the buffer that is then passed under one of those names (\2).
# Positions 2-4 are NOT covered. The pcre has no R modifier, so it is not anchored to
# the content match. rev:5 carries a second (PolicyCheck97) reference.
# Rule text is hard-wrapped here; load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_sna_utl.create_snapshot_repgroup"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|
(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/Policy/PolicyCheck97.html;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2841; rev:5;)
# sid:2842 / sys.dbms_repcat_sna_utl.drop_snapshot_repgroup -- disabled by default (leading '#').
# Alerts when a 1075+ char quoted string is the first or second positional argument,
# is passed as gname => or gowner =>, or was assigned (:=) to a PL/SQL variable
# earlier in the buffer that is then passed under one of those names (\2).
# The pcre has no R modifier, so it is not anchored to the content match.
# Rule text is hard-wrapped here with several stray blank lines between the content
# and pcre options; load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_sna_utl.drop_snapshot_repgroup buffer overflow
attempt"; flow:to_server,established;

content:"sys.dbms_repcat_sna_utl.drop_snapshot_repgroup"; nocase; pcre:"/


((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|
gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2842; rev:4;)
# sid:2843 / sys.dbms_repcat_sna_utl.drop_snapshot_repobject -- disabled by default (leading '#').
# Alerts when a 1075+ char quoted string is the first, second or third positional
# argument, is passed as sname =>, oname => or type =>, or was assigned (:=) to a
# PL/SQL variable earlier in the buffer that is then passed under one of those names (\2).
# The pcre has no R modifier, so it is not anchored to the content match.
# Rule text is hard-wrapped here; load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_sna_utl.drop_snapshot_repobject buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_sna_utl.drop_snapshot_repobject"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|
(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2843; rev:4;)
# sid:2844 / sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup -- disabled by default (leading '#').
# Alerts when a 1075+ char quoted string is the first or second positional argument,
# is passed as gname => or gowner =>, or was assigned (:=) to a PL/SQL variable
# earlier in the buffer that is then passed under one of those names (\2).
# The pcre has no R modifier, so it is not anchored to the content match.
# Rule text is hard-wrapped here; load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|
gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2844; rev:4;)
# sid:2845 / sys.dbms_repcat_sna_utl.register_snapshot_repgroup -- disabled by default (leading '#').
# Alerts when a 1075+ char quoted string is the first or fifth positional argument
# (four quoted arguments precede the latter), is passed as gname => or gowner =>,
# or was assigned (:=) to a PL/SQL variable earlier in the buffer that is then passed
# under one of those names (\2). Positions 2-4 are NOT covered.
# The pcre has no R modifier, so it is not anchored to the content match.
# Rule text is hard-wrapped here; load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_sna_utl.register_snapshot_repgroup buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_sna_utl.register_snapshot_repgroup"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|
gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2845; rev:4;)
# sid:2846 / sys.dbms_repcat_sna_utl.repcat_import_check -- disabled by default (leading '#').
# Alerts when a 1075+ char quoted string is the first or second positional argument,
# is passed as gname => or gowner =>, or was assigned (:=) to a PL/SQL variable
# earlier in the buffer that is then passed under one of those names (\2).
# The pcre has no R modifier, so it is not anchored to the content match.
# Rule text is hard-wrapped here (with a stray blank line inside the pcre); load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_sna_utl.repcat_import_check buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_sna_utl.repcat_import_check"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|
gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\

(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2846; rev:4;)
# sid:2847 / sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup -- disabled by default (leading '#').
# Alerts when a 1075+ char quoted string is the first or third positional argument,
# is passed as gname => or gowner =>, or was assigned (:=) to a PL/SQL variable
# earlier in the buffer that is then passed under one of those names (\2).
# The pcre has no R modifier, so it is not anchored to the content match.
# Rule text is hard-wrapped here; load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup buffer
overflow attempt"; flow:to_server,established;
content:"sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|
gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2847; rev:4;)
# sid:2848 / sys.dbms_repcat_utl4.drop_master_repobject -- disabled by default (leading '#').
# Alerts when a 1075+ char quoted string is the third positional argument, is passed
# as type =>, or was assigned (:=) to a PL/SQL variable earlier in the buffer that is
# then passed as type => (\2). A long first or second positional argument is NOT
# covered. The pcre has no R modifier, so it is not anchored to the content match.
# Rule text is hard-wrapped here; load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_utl4.drop_master_repobject buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_utl4.drop_master_repobject"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|
type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2848; rev:4;)
# sid:2849 / sys.dbms_repcat_utl.drop_an_object -- disabled by default (leading '#').
# Alerts when the first, second or third positional argument is a 1075+ char quoted
# string; named-parameter and variable-indirection forms are not checked.
# The pcre has no R modifier, so it is not anchored to the content match.
# rev:5 carries a second (PolicyCheck97) reference. Rule text is hard-wrapped here;
# load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE sys.dbms_repcat_utl.drop_an_object buffer overflow attempt";
flow:to_server,established; content:"sys.dbms_repcat_utl.drop_an_object";
nocase; pcre:"/(\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/Policy/PolicyCheck97.html;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2849; rev:5;)
# sid:2850 / dbms_repcat.create_mview_repobject -- disabled by default (leading '#').
# Alerts when a 1075+ char quoted string is the first, second, third, sixth or eighth
# positional argument, is passed as sname =>, oname =>, type =>, gname => or
# gowner =>, or was assigned (:=) to a PL/SQL variable earlier in the buffer that is
# then passed under one of those names (\2). Positions 4, 5 and 7 are NOT covered.
# The pcre has no R modifier, so it is not anchored to the content match.
# Rule text is hard-wrapped here (with a stray blank line before the reference);
# load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.create_mview_repobject buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.create_mview_repobject";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|
gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname|
gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){7}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;

reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2850; rev:4;)


# sid:2851 / dbms_repcat.create_snapshot_repobject -- disabled by default (leading '#').
# Alerts when a 1075+ char quoted string is the first, second, third or sixth
# positional argument, is passed as sname =>, oname =>, type => or gname =>, or was
# assigned (:=) to a PL/SQL variable earlier in the buffer that is then passed under
# one of those names (\2). Positions 4 and 5 are NOT covered.
# The pcre has no R modifier, so it is not anchored to the content match.
# Rule text is hard-wrapped here; load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.create_snapshot_repobject buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.create_snapshot_repobject"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*(sname|oname|type|gname)[\r\n\s]*=>[\r\n\s]*\2|(sname|
oname|type|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2851; rev:4;)
# sid:2852 / dbms_repcat.generate_mview_support -- disabled by default (leading '#').
# Alerts when a 1075+ char quoted string is the first, second or third positional
# argument, is passed as sname =>, oname => or type =>, or was assigned (:=) to a
# PL/SQL variable earlier in the buffer that is then passed under one of those names (\2).
# The pcre has no R modifier, so it is not anchored to the content match.
# Rule text is hard-wrapped here; load it as one line.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.generate_mview_support buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.generate_mview_support";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)
[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2852; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.generate_replication_trigger buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.generate_replication_trigger"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*(sname|oname|gname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|
gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2853; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.generate_snapshot_support buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.generate_snapshot_support"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|
type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2854; rev:4;)


# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.remove_master_databases buffer overflow attempt";
flow:to_server,established;
content:"dbms_repcat.remove_master_databases"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2855; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.switch_mview_master buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.switch_mview_master";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)
[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2856; rev:4;)
# NOTE(review): sid 2857 requires a quoted argument of at least 1073 bytes, while the
# neighbouring dbms_repcat rules (sid 2856 just above and sid 2858 just below) use 1075;
# confirm the lower threshold is intentional rather than a transcription slip. Like its
# siblings the rule is shipped disabled (leading "#"), pairs a literal content match on the
# procedure name with the pcre, and classifies a hit as attempted-user.
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVERORACLE dbms_repcat.switch_snapshot_master buffer overflow attempt";
flow:to_server,established; content:"dbms_repcat.switch_snapshot_master";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1073,}\x27|\x22[^\x22]{1073,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1073,}|\x22[^\x22]{1073,})|\(\s*(\x27[^\x27]{1073,}|\x22[^\x22]
{1073,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2857; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.add_delete_resolution buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_conf.add_delete_resolution"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|
oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2858; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.add_priority_char buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_conf.add_priority_char"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2859; rev:4;)


# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.add_priority_date buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_conf.add_priority_date"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2860; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.add_priority_nchar buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_conf.add_priority_nchar"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2861; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.add_priority_number buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_conf.add_priority_number"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2862; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.add_priority_nvarchar2 buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_conf.add_priority_nvarchar2"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|
gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2863; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.add_priority_raw buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_conf.add_priority_raw"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2864; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.add_priority_varchar2 buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_conf.add_priority_varchar2"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|
gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2865; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.add_site_priority_site buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_conf.add_site_priority_site"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|
gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2866; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.add_unique_resolution buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_conf.add_unique_resolution"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|
oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2867; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.add_update_resolution buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_conf.add_update_resolution"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|
oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2868; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.alter_priority_char buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_conf.alter_priority_char"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2869; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.alter_priority_date buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_conf.alter_priority_date"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2870; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.alter_priority_nchar buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_conf.alter_priority_nchar"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|
gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2871; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.alter_priority_number buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_conf.alter_priority_number"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|
gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2872; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.alter_priority_nvarchar2 buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_conf.alter_priority_nvarchar2"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|
gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2873; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.alter_priority_raw buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_conf.alter_priority_raw"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2874; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.alter_priority buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_conf.alter_priority"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2875; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.alter_priority_varchar2 buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_conf.alter_priority_varchar2"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|
gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2876; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.alter_site_priority_site buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_conf.alter_site_priority_site"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|
gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2877; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.alter_site_priority buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_conf.alter_site_priority"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2878; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.cancel_statistics buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_conf.cancel_statistics"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|
oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2879; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.comment_on_delete_resolution buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_conf.comment_on_delete_resolution"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|
oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2880; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.comment_on_priority_group buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_conf.comment_on_priority_group"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|
gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2881; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.comment_on_site_priority buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_conf.comment_on_site_priority"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|
gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2882; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.comment_on_unique_resolution buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_conf.comment_on_unique_resolution"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|
oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2883; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.comment_on_update_resolution buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_conf.comment_on_update_resolution"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|
oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2884; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.define_priority_group buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_conf.define_priority_group"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|
gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2885; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.define_site_priority buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_conf.define_site_priority"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|
gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2886; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_delete_resolution buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_conf.drop_delete_resolution"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|
oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2887; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_priority_char buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_conf.drop_priority_char"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2888; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_priority_date buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_conf.drop_priority_date"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2889; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_priority_nchar buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_conf.drop_priority_nchar"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2890; rev:4;)


# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_priority_number buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_conf.drop_priority_number"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|
gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2891; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_priority_nvarchar2 buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_conf.drop_priority_nvarchar2"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|
gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2892; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_priority_raw buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_conf.drop_priority_raw"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2893; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_priority buffer overflow attempt";
flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority";
nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]
{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2894; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_priority_varchar2 buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_conf.drop_priority_varchar2"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|
gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2895; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_site_priority_site buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_conf.drop_site_priority_site"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|
gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2896; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_site_priority buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_conf.drop_site_priority"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2897; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_unique_resolution buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_conf.drop_unique_resolution"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|
oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2898; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_update_resolution buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_conf.drop_update_resolution"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|
oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2899; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.purge_statistics buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_conf.purge_statistics"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|
oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2900; rev:4;)

# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.register_statistics buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_conf.register_statistics"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|
oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2901; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.alter_snapshot_propagation buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_sna.alter_snapshot_propagation"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|
gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2902; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.create_snapshot_repgroup buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_sna.create_snapshot_repgroup"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|
(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2903; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.create_snapshot_repobject buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_sna.create_snapshot_repobject"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname|gowner)
[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname|
gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){7}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2904; rev:4;)


# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.create_snapshot_repschema buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_sna.create_snapshot_repschema"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|
sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2905; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.drop_snapshot_repgroup buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_sna.drop_snapshot_repgroup"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|
gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2906; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.drop_snapshot_repobject buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_sna.drop_snapshot_repobject"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|
(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2907; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.drop_snapshot_repschema buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_sna.drop_snapshot_repschema"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|
sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2908; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.generate_snapshot_support buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_sna.generate_snapshot_support"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|
(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2909; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.refresh_snapshot_repgroup buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_sna.refresh_snapshot_repgroup"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|
gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2910; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.refresh_snapshot_repschema buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_sna.refresh_snapshot_repschema"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|
sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2911; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.register_snapshot_repgroup buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_sna.register_snapshot_repgroup"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|
gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2912; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.repcat_import_check buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_sna.repcat_import_check"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|
gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2913; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.set_local_flavor buffer overflow attempt";
flow:to_server,established;
content:"sys.dbms_repcat_sna.set_local_flavor"; nocase; pcre:"/((\w+)
[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)
[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|
gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]
{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2914; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.switch_snapshot_master buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_sna.switch_snapshot_master"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|
gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2915; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.unregister_snapshot_repgroup buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_sna.unregister_snapshot_repgroup"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|
gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2916; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna_utl.switch_snapshot_master buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_sna_utl.switch_snapshot_master"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|
gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2917; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.validate_for_local_flavor buffer overflow
attempt"; flow:to_server,established;
content:"sys.dbms_repcat_sna.validate_for_local_flavor"; nocase; pcre:"/
((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|
gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,})|\
(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2918; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_untrusted.register_snapshot_repgroup buffer
overflow attempt"; flow:to_server,established;
content:"sys.dbms_repcat_untrusted.register_snapshot_repgroup"; nocase;
pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]
{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|
gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]
{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community;
reference:url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html; classtype:attempted-user; sid:2919; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS UDP
inverse query"; flow:to_server; byte_test:1,<,16,2; byte_test:1,&,8,2;
metadata:ruleset community, service dns; reference:bugtraq,2302;
reference:cve,2001-0010; reference:nessus,10605; classtype:attempted-recon; sid:2921; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS TCP
inverse query"; flow:to_server,established; byte_test:1,<,16,4;
byte_test:1,&,8,4; metadata:ruleset community, service dns;
reference:bugtraq,2302; reference:cve,2001-0010; reference:nessus,10605;
classtype:attempted-recon; sid:2922; rev:10;)
# alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"NETBIOS SMB repeated
logon failure"; flow:to_client,established; content:"|FF|SMBs"; depth:5;
offset:4; content:"m|00 00 C0|"; within:4; detection_filter:track
by_dst,count 10,seconds 60; metadata:ruleset community;
classtype:unsuccessful-user; sid:2923; rev:13;)
# alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"NETBIOS SMB-DS
repeated logon failure"; flow:to_client,established; content:"|FF|SMBs";
depth:5; offset:4; content:"m|00 00 C0|"; within:4;
detection_filter:track by_dst,count 10,seconds 60; metadata:ruleset
community, service netbios-ssn; classtype:unsuccessful-user; sid:2924;
rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PhpGedView PGV base directory manipulation";
flow:to_server,established; content:"_conf.php"; nocase; http_uri;
content:"PGV_BASE_DIRECTORY"; fast_pattern:only; metadata:ruleset
community, service http; reference:bugtraq,9368; reference:cve,2004-0030;
classtype:web-application-attack; sid:2926; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"OS-WINDOWS Microsoft
Windows XPAT pattern overflow attempt"; flow:to_server,established;
content:"PAT|20|"; depth:5; nocase; isdataat:160,relative; pcre:"/^X?
PAT\s+[^\n]{160}/i"; metadata:ruleset community; reference:cve,2004-0574;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-036;
classtype:attempted-admin; sid:2927; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS
DCERPC NCACN-IP-TCP nddeapi NDdeSetTrustedShareW overflow attempt";
flow:to_server,established; dce_iface:2f5f3220-c126-1076-b549-074d078619da; dce_opnum:12; dce_stub_data; isdataat:256; content:!"|00|";
depth:256; offset:12; metadata:ruleset community, service netbios-ssn;
reference:bugtraq,11372; reference:cve,2004-0206;
reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031;
classtype:attempted-admin; sid:2936; rev:18;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS DCERPC
NCACN-IP-TCP winreg InitiateSystemShutdown attempt";
flow:established,to_server; dce_iface:338cd001-2244-31f1-aaaa-900038001003; dce_opnum:24; metadata:ruleset community, service netbios-ssn; reference:url,msdn.microsoft.com/library/default.asp?
url=/library/en-us/shutdown/base/initiatesystemshutdown.asp;
classtype:protocol-command-decode; sid:2942; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS SMB
Session Setup NTLMSSP unicode asn1 overflow attempt";
flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBs";
within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R";
byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP";
within:7; distance:27; asn1:double_overflow, bitstring_overflow,
relative_offset 27, oversize_length 2048; metadata:ruleset community;
reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818;
reference:nessus,12052; reference:nessus,12065;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007;
classtype:protocol-command-decode; sid:3000; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS SMB
Session Setup NTLMSSP andx asn1 overflow attempt";
flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB";
within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR";
byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39;
byte_jump:2,0,little,relative;
byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP";
within:7; distance:27; asn1:double_overflow, bitstring_overflow,
relative_offset 27, oversize_length 2048; metadata:ruleset community;
reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818;
reference:nessus,12052; reference:nessus,12065;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007;
classtype:protocol-command-decode; sid:3001; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS SMB
Session Setup NTLMSSP unicode andx asn1 overflow attempt";
flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB";
within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR";
byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39;
byte_jump:2,0,little,relative;
byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP";
within:7; distance:27; asn1:double_overflow, bitstring_overflow,
relative_offset 27, oversize_length 2048; metadata:ruleset community;
reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818;
reference:nessus,12052; reference:nessus,12065;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007;
classtype:protocol-command-decode; sid:3002; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS SMB-DS
Session Setup NTLMSSP unicode asn1 overflow attempt";
flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBs";
within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R";
byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP";
within:7; distance:27; asn1:double_overflow, bitstring_overflow,
relative_offset 27, oversize_length 2048; metadata:ruleset community,
service netbios-ssn; reference:bugtraq,9633; reference:bugtraq,9635;
reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007;
classtype:protocol-command-decode; sid:3003; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS SMB-DS
Session Setup NTLMSSP andx asn1 overflow attempt";
flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB";
within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR";
byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39;
byte_jump:2,0,little,relative;
byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP";
within:7; distance:27; asn1:double_overflow, bitstring_overflow,
relative_offset 27, oversize_length 2048; metadata:ruleset community,
service netbios-ssn; reference:bugtraq,9633; reference:bugtraq,9635;
reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007;
classtype:protocol-command-decode; sid:3004; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS SMB-DS
Session Setup NTLMSSP unicode andx asn1 overflow attempt";
flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB";
within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR";
byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39;
byte_jump:2,0,little,relative;
byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP";
within:7; distance:27; asn1:double_overflow, bitstring_overflow,
relative_offset 27, oversize_length 2048; metadata:ruleset community,
service netbios-ssn; reference:bugtraq,9633; reference:bugtraq,9635;
reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007;
classtype:protocol-command-decode; sid:3005; rev:11;)
# alert udp $EXTERNAL_NET 7808 -> $HOME_NET any (msg:"SERVER-OTHER
Volition Freespace 2 buffer overflow attempt"; flow:to_client; content:"|
00 E1|..|B4 00 00 00|"; depth:8; isdataat:160,relative; metadata:ruleset
community; reference:bugtraq,9785; classtype:misc-attack; sid:3006;
rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP
command overflow attempt"; flow:established,to_server; content:"LOGIN";
isdataat:100,relative; pcre:"/\s(APPEND|CHECK|CLOSE|CREATE|DELETE|
EXAMINE|EXPUNGE|FETCH|LIST|RENAME|SEARCH|SELECT|STATUS|SUBSCRIBE|
UNSUBSCRIBE)\s[^\n]{100}/smi"; metadata:ruleset community, service imap;
reference:bugtraq,11675; reference:bugtraq,11775;
reference:bugtraq,15006; reference:bugtraq,15753; reference:cve,2004-1211; reference:cve,2005-0707; reference:cve,2005-1520;
reference:cve,2005-2923; reference:cve,2005-3155; reference:nessus,15771;
classtype:misc-attack; sid:3007; rev:20;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP delete
literal overflow attempt"; flow:established,to_server; content:"DELETE";
fast_pattern:only; pcre:"/\sDELETE\s[^\n]*?\{/smi";
byte_test:5,>,100,0,string,dec,relative; metadata:ruleset community,
service imap; reference:bugtraq,11675; reference:cve,2005-1520;
reference:nessus,15771; classtype:misc-attack; sid:3008; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20034 (msg:"MALWARE-BACKDOOR
NetBus Pro 2.0 connection request"; flow:to_server,established;
content:"BN |00 02 00|"; depth:6; content:"|05 00|"; depth:2; offset:8;
flowbits:set,backdoor.netbus_2.connect; flowbits:noalert;
metadata:ruleset community; classtype:misc-activity; sid:3009; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22222 (msg:"MALWARE-CNC RUX
the Tick get windows directory"; flow:to_server,established;
content:"WINDIR"; depth:6; metadata:policy security-ips drop, ruleset
community; classtype:misc-activity; sid:3010; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22222 (msg:"MALWARE-CNC RUX
the Tick get system directory"; flow:to_server,established;
content:"SYSDIR"; depth:6; metadata:policy security-ips drop, ruleset
community; classtype:misc-activity; sid:3011; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22222 (msg:"MALWARE-CNC RUX
the Tick upload/execute arbitrary file"; flow:to_server,established;
content:"ABCJZDATEIV"; depth:11; metadata:policy security-ips drop,
ruleset community; classtype:misc-activity; sid:3012; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23432 (msg:"MALWARE-CNC Asylum
0.1 connection request"; flow:to_server,established; content:"RQS";
depth:3; flowbits:set,backdoor.asylum.connect; flowbits:noalert;
metadata:ruleset community; classtype:misc-activity; sid:3013; rev:8;)
# alert tcp $HOME_NET 23432 -> $EXTERNAL_NET any (msg:"MALWARE-CNC Asylum
0.1 connection"; flow:to_client,established;
flowbits:isset,backdoor.asylum.connect; content:"GNT"; depth:3;
metadata:policy security-ips drop, ruleset community; classtype:misc-activity; sid:3014; rev:9;)
# alert tcp $HOME_NET 2000 -> $EXTERNAL_NET any (msg:"MALWARE-CNC Insane
Network 4.0 connection"; flow:to_client,established; content:"Insane
Network vs 4.0 by Suid Flow|0A 0D|www.blackcode.com|0A 0D|[r00t]|23|";
depth:62; metadata:policy security-ips drop, ruleset community;
classtype:misc-activity; sid:3015; rev:9;)
# alert tcp $HOME_NET 63536 -> $EXTERNAL_NET any (msg:"MALWARE-CNC Insane
Network 4.0 connection port 63536"; flow:to_client,established;
content:"Insane Network vs 4.0 by Suid Flow|0A 0D|www.blackcode.com|0A
0D|[r00t]|23|"; depth:62; metadata:policy security-ips drop, ruleset
community; classtype:misc-activity; sid:3016; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"OS-WINDOWS Microsoft
Windows WINS overflow attempt"; flow:to_server,established;
byte_test:1,&,64,6; byte_test:1,&,32,6; byte_test:1,&,16,6;
byte_test:1,&,8,6; pcre:!"/^.{8}(\x05\x37(\x1E[\x90-\xFF]|
[\x1F-\x2F].|\x30[\x00-\x70])|\x00\x00\x00[\x00-\x65]|\x02\x68\x05\xC0)/s
"; metadata:ruleset community, service wins; reference:bugtraq,11763;
reference:cve,2004-0567; reference:cve,2004-1080;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-045;
reference:url,www.immunitysec.com/downloads/instantanea.pdf;
classtype:misc-attack; sid:3017; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans
NT CREATE oversized Security Descriptor attempt";
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|
A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.
{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R";
byte_test:4,>,1024,36,relative,little; metadata:ruleset community;
reference:cve,2004-1154; classtype:protocol-command-decode; sid:3018;
rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans
NT CREATE andx oversized Security Descriptor attempt";
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB";
within:4; distance:3;
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!
&,128,6,relative; content:"|A0|"; depth:1; offset:39;
byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37;
byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R";
byte_test:4,>,1024,36,relative,little; metadata:ruleset community;
reference:cve,2004-1154; classtype:protocol-command-decode; sid:3019;
rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans
NT CREATE unicode oversized Security Descriptor attempt";
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|
A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.
{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R";
byte_test:4,>,1024,36,relative,little; metadata:ruleset community;
reference:cve,2004-1154; classtype:protocol-command-decode; sid:3020;
rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans
NT CREATE unicode andx oversized Security Descriptor attempt";
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB";
within:4; distance:3;
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR";
byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39;
byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37;
byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R";
byte_test:4,>,1024,36,relative,little; metadata:ruleset community;
reference:cve,2004-1154; classtype:protocol-command-decode; sid:3021;
rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT
Trans NT CREATE oversized Security Descriptor attempt";
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|
A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.
{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R";
byte_test:4,>,1024,36,relative,little; metadata:ruleset community,
service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3022; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT
Trans NT CREATE andx oversized Security Descriptor attempt";
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB";
within:4; distance:3;
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!
&,128,6,relative; content:"|A0|"; depth:1; offset:39;
byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37;
byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R";
byte_test:4,>,1024,36,relative,little; metadata:ruleset community,
service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3023; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT
Trans NT CREATE unicode oversized Security Descriptor attempt";
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|
A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.
{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R";
byte_test:4,>,1024,36,relative,little; metadata:ruleset community,
service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3024; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT
Trans NT CREATE unicode andx oversized Security Descriptor attempt";
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB";
within:4; distance:3;
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR";
byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39;
byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37;
byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R";
byte_test:4,>,1024,36,relative,little; metadata:ruleset community,
service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3025; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans
NT CREATE SACL overflow attempt"; flow:established,to_server; content:"|
00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!
&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2;
distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.
{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12;
byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little;
metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3026; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans
NT CREATE andx SACL overflow attempt"; flow:established,to_server;
content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3;
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!
&,128,6,relative; content:"|A0|"; depth:1; offset:39;
byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37;
byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R";
content:!"|00 00 00 00|"; within:4; distance:12;
byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little;
metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3027; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans
NT CREATE unicode SACL overflow attempt"; flow:established,to_server;
content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3;
byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|";
within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning;
pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12;
byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little;
metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3028; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans
NT CREATE unicode andx SACL overflow attempt";
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB";
within:4; distance:3;
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR";
byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39;
byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37;
byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R";
content:!"|00 00 00 00|"; within:4; distance:12;
byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little;
metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3029; rev:8;)


# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT
Trans NT CREATE SACL overflow attempt"; flow:established,to_server;
content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3;
byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|";
within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning;
pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12;
byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little;
metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154;
classtype:protocol-command-decode; sid:3030; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT
Trans NT CREATE andx SACL overflow attempt"; flow:established,to_server;
content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3;
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!
&,128,6,relative; content:"|A0|"; depth:1; offset:39;
byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37;
byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R";
content:!"|00 00 00 00|"; within:4; distance:12;
byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little;
metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154;
classtype:protocol-command-decode; sid:3031; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT
Trans NT CREATE unicode SACL overflow attempt";
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|
A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.
{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00
00|"; within:4; distance:12; byte_jump:4,12,relative,little;
byte_test:4,>,32,-16,relative,little; metadata:ruleset community, service
netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode;
sid:3032; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT
Trans NT CREATE unicode andx SACL overflow attempt";
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB";
within:4; distance:3;
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR";
byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39;
byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37;
byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R";
content:!"|00 00 00 00|"; within:4; distance:12;
byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little;
metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154;
classtype:protocol-command-decode; sid:3033; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans
NT CREATE DACL overflow attempt"; flow:established,to_server; content:"|
00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!
&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2;
distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.
{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16;
byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little;
metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3034; rev:6;)

# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans
NT CREATE andx DACL overflow attempt"; flow:established,to_server;
content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3;
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!
&,128,6,relative; content:"|A0|"; depth:1; offset:39;
byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37;
byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R";
content:!"|00 00 00 00|"; within:4; distance:16;
byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little;
metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3035; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans
NT CREATE unicode DACL overflow attempt"; flow:established,to_server;
content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3;
byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|";
within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning;
pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16;
byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little;
metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3036; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans
NT CREATE unicode andx DACL overflow attempt";
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB";
within:4; distance:3;
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR";
byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39;
byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37;
byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R";
content:!"|00 00 00 00|"; within:4; distance:16;
byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little;
metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3037; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT
Trans NT CREATE DACL overflow attempt"; flow:established,to_server;
content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3;
byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|";
within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning;
pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16;
byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little;
metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154;
classtype:protocol-command-decode; sid:3038; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT
Trans NT CREATE andx DACL overflow attempt"; flow:established,to_server;
content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3;
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!
&,128,6,relative; content:"|A0|"; depth:1; offset:39;
byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37;
byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R";
content:!"|00 00 00 00|"; within:4; distance:16;
byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little;
metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154;
classtype:protocol-command-decode; sid:3039; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT
Trans NT CREATE unicode DACL overflow attempt";
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|
A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.
{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00
00|"; within:4; distance:16; byte_jump:4,16,relative,little;
byte_test:4,>,32,-16,relative,little; metadata:ruleset community, service
netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode;
sid:3040; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT
Trans NT CREATE unicode andx DACL overflow attempt";
flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB";
within:4; distance:3;
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR";
byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39;
byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37;
byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R";
content:!"|00 00 00 00|"; within:4; distance:16;
byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little;
metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154;
classtype:protocol-command-decode; sid:3041; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans
NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|
00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!
&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2;
distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.
{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12;
byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community; classtype:protocol-command-decode;
sid:3042; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans
NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless;
content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3;
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!
&,128,6,relative; content:"|A0|"; depth:1; offset:39;
byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37;
byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R";
content:!"|00 00 00 00|"; within:4; distance:12;
byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community; classtype:protocol-command-decode;
sid:3043; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans
NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless;
content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3;
byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|";
within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning;
pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12;
byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community; classtype:protocol-command-decode;
sid:3044; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans
NT CREATE unicode andx invalid SACL ace size dos attempt";
flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4;
distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR";
byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39;

byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37;
byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R";
content:!"|00 00 00 00|"; within:4; distance:12;
byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community; classtype:protocol-command-decode;
sid:3045; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT
Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless;
content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3;
byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|";
within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning;
pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12;
byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3046; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT
Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless;
content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3;
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!
&,128,6,relative; content:"|A0|"; depth:1; offset:39;
byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37;
byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R";
content:!"|00 00 00 00|"; within:4; distance:12;
byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3047; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT
Trans NT CREATE unicode invalid SACL ace size dos attempt";
flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5;
distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01
00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00
00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00
00|"; within:2; distance:-10; metadata:ruleset community, service
netbios-ssn; classtype:protocol-command-decode; sid:3048; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT
Trans NT CREATE unicode andx invalid SACL ace size dos attempt";
flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4;
distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR";
byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39;
byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37;
byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R";
content:!"|00 00 00 00|"; within:4; distance:12;
byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3049; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans
NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|
00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!
&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2;
distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.
{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16;
byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community; classtype:protocol-command-decode;
sid:3050; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans
NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless;
content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3;
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!
&,128,6,relative; content:"|A0|"; depth:1; offset:39;
byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37;
byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R";
content:!"|00 00 00 00|"; within:4; distance:16;
byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community; classtype:protocol-command-decode;
sid:3051; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans
NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless;
content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3;
byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|";
within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning;
pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16;
byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community; classtype:protocol-command-decode;
sid:3052; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans
NT CREATE unicode andx invalid SACL ace size dos attempt";
flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4;
distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR";
byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39;
byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37;
byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R";
content:!"|00 00 00 00|"; within:4; distance:16;
byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community; classtype:protocol-command-decode;
sid:3053; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT
Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless;
content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3;
byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|";
within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning;
pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16;
byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3054; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT
Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless;
content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3;
pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!
&,128,6,relative; content:"|A0|"; depth:1; offset:39;
byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37;
byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R";
content:!"|00 00 00 00|"; within:4; distance:16;
byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3055; rev:5;)

# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT
Trans NT CREATE unicode invalid SACL ace size dos attempt";
flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5;
distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01
00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00
00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00
00|"; within:2; distance:-10; metadata:ruleset community, service
netbios-ssn; classtype:protocol-command-decode; sid:3056; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT
Trans NT CREATE unicode andx invalid SACL ace size dos attempt";
flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4;
distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR";
byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39;
byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37;
byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R";
content:!"|00 00 00 00|"; within:4; distance:16;
byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3057; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP copy
literal overflow attempt"; flow:established,to_server; content:"COPY";
fast_pattern:only; pcre:"/\sCOPY\s[^\n]*?\{/smi";
byte_test:5,>,1024,0,string,dec,relative; metadata:ruleset community,
service imap; reference:bugtraq,1110; reference:cve,2000-0284;
reference:nessus,10374; classtype:misc-attack; sid:3058; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3632 (msg:"APP-DETECT distccd
remote command execution attempt"; flow:to_server,established;
content:"DIST00000001"; depth:12; nocase; metadata:ruleset community;
reference:url,distcc.samba.org/security.html; classtype:policy-violation;
sid:3061; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP NetScreen SA 5000 delhomepage.cgi access";
flow:to_server,established; content:"/delhomepage.cgi";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,9791; reference:cve,2004-0347; classtype:web-application-activity; sid:3062; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1020 (msg:"MALWARE-BACKDOOR
Vampire 1.2 connection request"; flow:to_server,established;
content:"Hello..."; depth:8; flowbits:set,backdoor.vampire_12.connect;
flowbits:noalert; metadata:ruleset community; classtype:misc-activity;
sid:3063; rev:6;)
# alert tcp $HOME_NET 1020 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR
Vampire 1.2 connection confirmation"; flow:to_client,established;
flowbits:isset,backdoor.vampire_12.connect; content:"Vampire v1.2 Server
On-Line....."; depth:32; metadata:policy security-ips drop, ruleset
community; classtype:misc-activity; sid:3064; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP append
literal overflow attempt"; flow:established,to_server; content:"APPEND";
fast_pattern:only; pcre:"/\sAPPEND\s[^\n]*?\s\{/smi";
byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community,
service imap; reference:bugtraq,11775; reference:cve,2004-1211;
reference:nessus,15867; classtype:misc-attack; sid:3065; rev:11;)

# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP append
overflow attempt"; flow:established,to_server; content:"APPEND"; nocase;
isdataat:256,relative; pcre:"/\sAPPEND\s[^\n]{256}/smi"; metadata:ruleset
community, service imap; reference:bugtraq,11775;
reference:bugtraq,21729; reference:cve,2004-1211; reference:cve,2006-6425; reference:nessus,15867; classtype:misc-attack; sid:3066; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP
examine literal overflow attempt"; flow:established,to_server;
content:"EXAMINE"; fast_pattern:only; pcre:"/\sEXAMINE\s[^\n]*?\s\{/smi";
byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community,
service imap; reference:bugtraq,11775; reference:cve,2004-1211;
reference:nessus,15867; classtype:misc-attack; sid:3067; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP fetch
literal overflow attempt"; flow:established,to_server; content:"FETCH";
fast_pattern:only; pcre:"/\sFETCH\s[^\n]*?\s\{/smi";
byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community,
service imap; reference:bugtraq,11775; reference:cve,2004-1211;
reference:nessus,15867; classtype:misc-attack; sid:3069; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP fetch
overflow attempt"; flow:established,to_server; content:"FETCH"; nocase;
isdataat:256,relative; pcre:"/\sFETCH\s[^\n]{256}/smi"; metadata:ruleset
community, service imap; reference:bugtraq,11775; reference:cve,2004-1211; reference:nessus,15867; classtype:misc-attack; sid:3070; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP status
literal overflow attempt"; flow:established,to_server; content:"STATUS";
fast_pattern:only; pcre:"/\sSTATUS[^\n]*?\{/smi";
byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community,
service imap; reference:bugtraq,11775; reference:bugtraq,15491;
reference:cve,2004-1211; reference:nessus,15867; classtype:misc-attack;
sid:3071; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP status
overflow attempt"; flow:established,to_server; content:"STATUS"; nocase;
isdataat:100,relative; pcre:"/\sSTATUS[^\n]{100}/smi"; metadata:ruleset
community, service imap; reference:bugtraq,11775;
reference:bugtraq,13727; reference:bugtraq,14243;
reference:bugtraq,15491; reference:cve,2004-1211; reference:cve,2005-1256; reference:cve,2005-2278; reference:cve,2005-3314;
reference:nessus,15867; classtype:misc-attack; sid:3072; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP
SUBSCRIBE literal overflow attempt"; flow:established,to_server;
content:"SUBSCRIBE"; fast_pattern:only; pcre:"/^\w+\s+SUBSCRIBE\s[^\n]*?\
{/smi"; byte_test:5,>,256,0,relative,string; metadata:ruleset community,
service imap; reference:bugtraq,11775; reference:bugtraq,15488;
reference:bugtraq,23050; reference:bugtraq,26219; reference:cve,2004-1211; reference:cve,2005-3189; reference:cve,2007-3510;
reference:nessus,15867; classtype:attempted-admin; sid:3073; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP
SUBSCRIBE overflow attempt"; flow:established,to_server;
content:"SUBSCRIBE"; nocase; isdataat:100; pcre:"/^\w+\s+SUBSCRIBE\s[^\n]
{100}/smi"; metadata:ruleset community, service imap;
reference:bugtraq,11775; reference:bugtraq,15488;
reference:bugtraq,23050; reference:bugtraq,26219; reference:cve,2004-1211; reference:cve,2005-3189; reference:cve,2007-1579;
reference:cve,2007-3510; reference:nessus,15867; classtype:attempted-admin; sid:3074; rev:18;)


# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP
unsubscribe literal overflow attempt"; flow:established,to_server;
content:"UNSUBSCRIBE"; fast_pattern:only;
pcre:"/\sUNSUBSCRIBE\s[^\n]*?\s\{/smi";
byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community,
service imap; reference:bugtraq,11775; reference:cve,2004-1211;
reference:nessus,15867; classtype:misc-attack; sid:3075; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP
UNSUBSCRIBE overflow attempt"; flow:established,to_server;
content:"UNSUBSCRIBE"; nocase; isdataat:100;
pcre:"/^\w+\s+UNSUBSCRIBE\s[^\n]{100}/smi"; metadata:ruleset community,
service imap; reference:bugtraq,11775; reference:bugtraq,15488;
reference:cve,2004-1211; reference:cve,2005-3189; reference:nessus,15867;
classtype:attempted-admin; sid:3076; rev:13;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP RNFR
overflow attempt"; flow:to_server,established; content:"RNFR"; nocase;
isdataat:200,relative; pcre:"/^RNFR\s[^\n]{200}/smi"; metadata:ruleset
community, service ftp; reference:bugtraq,14339; classtype:attempted-admin; sid:3077; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP
Microsoft Windows SEARCH pattern overflow attempt";
flow:to_server,established; content:"SEARCH|20|"; depth:7; nocase;
isdataat:160,relative; pcre:"/^SEARCH\s+[^\n]{160}/i"; metadata:ruleset
community; reference:cve,2004-0574;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-036;
classtype:attempted-admin; sid:3078; rev:11;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"BROWSER-IE Microsoft Internet Explorer ANI file parsing buffer
overflow attempt"; flow:to_client,established; flowbits:isset,file.ani;
file_data; content:"RIFF"; depth:4; content:"ACON"; within:4; distance:4;
content:"anih"; distance:0; nocase; byte_test:4,>,36,0,relative,little;
metadata:ruleset community, service ftp-data, service http, service imap,
service pop3; reference:cve,2004-1049; reference:cve,2007-0038;
reference:cve,2007-1765; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-017; classtype:attempted-user; sid:3079;
rev:24;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 7787 (msg:"SERVER-OTHER Unreal
Tournament secure overflow attempt"; flow:to_server; content:"|5C|secure|
5C|"; fast_pattern:only; pcre:"/\x5csecure\x5c[^\x00]{50}/smi";
metadata:ruleset community; reference:bugtraq,10570; reference:cve,2004-0608; classtype:misc-attack; sid:3080; rev:8;)
alert tcp $HOME_NET 5880 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR
Y3KRAT 1.5 Connect"; flow:to_client,established; content:"connected";
depth:9; flowbits:set,backdoor.y3krat_15.connect; flowbits:noalert;
metadata:ruleset community; classtype:misc-activity; sid:3081; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5880 (msg:"MALWARE-BACKDOOR
Y3KRAT 1.5 Connect Client Response"; flow:to_server,established;
flowbits:isset,backdoor.y3krat_15.connect; content:"getclient"; depth:9;
flowbits:set,backdoor.y3krat_15.client.response; flowbits:noalert;
metadata:ruleset community; classtype:misc-activity; sid:3082; rev:9;)

alert tcp $HOME_NET 5880 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR
Y3KRAT 1.5 Connection confirmation"; flow:to_client,established;
flowbits:isset,backdoor.y3krat_15.client.response; content:"client";
depth:7; metadata:policy balanced-ips drop, policy connectivity-ips drop,
policy security-ips drop, ruleset community; classtype:misc-activity;
sid:3083; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6101 (msg:"SERVER-OTHER
Veritas backup overflow attempt"; flow:to_server,established; content:"|
02 00|"; depth:2; content:"|00|"; within:1; distance:1; isdataat:72;
content:!"|00|"; depth:66; offset:6; metadata:ruleset community;
reference:bugtraq,11974; reference:cve,2004-1172; classtype:attempted-admin; sid:3084; rev:14;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-OTHER
AOL Instant Messenger goaway message buffer overflow attempt";
flow:to_client,established; file_data; content:"aim|3A|goaway?message=";
nocase; isdataat:500,relative;
pcre:"/\x22aim\x3Agoaway\x3Fmessage\x3D[^\x22]
{500}|\x27aim\x3Agoaway\x3Fmessage\x3D[^\x27]{500}|
aim\x3Agoaway\x3Fmessage\x3D[^\s]{500}/i"; metadata:ruleset community,
service http; reference:bugtraq,10889; reference:cve,2004-0636;
reference:url,osvdb.org/show/osvdb/8398; classtype:misc-attack; sid:3085;
rev:11;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP 3Com 3CRADSL72 ADSL 11g Wireless Router app_sta.stm access
attempt"; flow:to_server,established; content:"/app_sta.stm";
fast_pattern:only; http_uri; metadata:ruleset community, service http;
reference:bugtraq,11408; reference:cve,2004-1596; classtype:web-application-activity; sid:3086; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-IIS
w3who.dll buffer overflow attempt"; flow:to_server,established;
content:"/w3who.dll?"; nocase; http_uri; pcre:"/w3who\.dll\x3F[^\r\n]
{519}/i"; metadata:ruleset community, service http;
reference:bugtraq,11820; reference:cve,2004-1134; classtype:attempted-admin; sid:3087; rev:18;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Nullsoft Winamp cda file name overflow attempt";
flow:to_client,established; file_data; content:".cda"; nocase; pcre:"/
(\x5c[^\x5c]{16,}|\x2f[^\x2f]{16,})\.cda$/smi"; metadata:ruleset
community, service http; reference:bugtraq,11730; reference:cve,2004-1119; reference:nessus,15817; classtype:attempted-user; sid:3088;
rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 2048 (msg:"SERVER-OTHER squid
WCCP I_SEE_YOU message overflow attempt"; flow:to_server; content:"|00 00
00 08|"; depth:4; byte_test:4,>,32,16; metadata:ruleset community;
reference:bugtraq,12275; reference:cve,2005-0095; classtype:attempted-user; sid:3089; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS
DCERPC NCACN-IP-TCP llsrpc LlsrConnect overflow attempt";
flow:to_server,established; dce_iface:342cfd40-3c6c-11ce-a893-08002b2e9c6d; dce_opnum:0; dce_stub_data; byte_test:4,>,52,0,dce;
metadata:ruleset community, service netbios-ssn; reference:bugtraq,12481;
reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:3114;
rev:18;)

# alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"PUA-OTHER Microsoft
MSN Messenger png overflow"; flow:to_client,established;
content:"application/x-msnmsgrp2p"; nocase; content:"|89|PNG|0D 0A 1A
0A|"; distance:0; content:"IHDR"; within:4; distance:4; content:"|03|";
within:1; distance:9; content:"tRNS"; distance:0; byte_test:4,>,256,-8,relative,big; metadata:ruleset community; reference:bugtraq,10872;
reference:cve,2004-0957; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-009; classtype:attempted-user; sid:3130;
rev:8;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mailman directory traversal attempt"; flow:to_server,established;
content:"/mailman/"; http_uri; content:".../"; http_raw_uri;
metadata:ruleset community, service http; reference:cve,2005-0202;
classtype:web-application-attack; sid:3131; rev:10;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft and libpng multiple products PNG large image width
overflow attempt"; flow:to_client,established; flowbits:isset,file.png;
file_data; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8;
byte_test:4,>,32767,0,relative; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,11523;
reference:cve,2004-0990; reference:cve,2004-1244; reference:cve,2007-5503; reference:url,sourceforge.net/p/png-mng/mailman/message/33173462/;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-009;
classtype:attempted-user; sid:3132; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILEIMAGE Microsoft Multiple Products PNG large image height download
attempt"; flow:to_client,established; flowbits:isset,file.png; file_data;
content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8;
byte_test:4,>,32767,4,relative; metadata:ruleset community, service ftpdata, service http, service imap, service pop3; reference:bugtraq,11481;
reference:bugtraq,11523; reference:cve,2004-0599; reference:cve,20040990; reference:cve,2004-1244; reference:cve,2007-5503;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-009;
classtype:attempted-user; sid:3133; rev:15;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILEIMAGE Microsoft PNG large colour depth download attempt";
flow:to_client,established; flowbits:isset,file.png; file_data;
content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8;
byte_test:1,>,16,8,relative; metadata:ruleset community, service ftpdata, service http, service imap, service pop3; reference:bugtraq,11523;
reference:cve,2004-0990; reference:cve,2004-1244;
reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-009;
classtype:attempted-user; sid:3134; rev:14;)
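# SMB Trans2 request trackers (sids 3135-3142). Each one matches an SMB Trans2 request
# (|FF|SMB followed by '2'), either directly or behind an AndX chain, with the subcommand
# word the msg names (|07 00| QUERY_FILE_INFO, |01 00| FIND_FIRST2), then sets the
# smb.trans2 flowbit and suppresses its own alert (flowbits:noalert). They exist only to
# arm the response-side rules 3143-3146 below: disabling these silently disables those.
# All disabled by default.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 QUERY_FILE_INFO attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3135; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 QUERY_FILE_INFO andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3136; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2 QUERY_FILE_INFO attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3137; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2 QUERY_FILE_INFO andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3138; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 FIND_FIRST2 attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3139; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 FIND_FIRST2 andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3140; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2 FIND_FIRST2 attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3141; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2 FIND_FIRST2 andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3142; rev:8;)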
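# Trans2 FIND_FIRST2 response overflow (MS05-011, CVE-2005-0045). Server -> client only, and
# only when smb.trans2 was armed by sids 3135-3142; the bit is cleared on the first response
# seen, so each request is checked once. The little-endian 2-byte value at offset 7 is
# tested against 15. Note 3143/3144 carry no "service netbios-ssn" tag while 3145/3146 do;
# presumably an oversight, but harmless for port-based matching. All disabled by default.
# alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"OS-WINDOWS SMB Trans2 FIND_FIRST2 command response overflow attempt"; flow:to_client,established; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; metadata:ruleset community; reference:bugtraq,12484; reference:cve,2005-0045; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-011; classtype:protocol-command-decode; sid:3143; rev:15;)
# alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"OS-WINDOWS SMB Trans2 FIND_FIRST2 response andx overflow attempt"; flow:to_client,established; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; metadata:ruleset community; reference:bugtraq,12484; reference:cve,2005-0045; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-011; classtype:protocol-command-decode; sid:3144; rev:15;)
# alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"OS-WINDOWS SMB-DS Trans2 FIND_FIRST2 response overflow attempt"; flow:to_client,established; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; metadata:ruleset community, service netbios-ssn; reference:bugtraq,12484; reference:cve,2005-0045; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-011; classtype:protocol-command-decode; sid:3145; rev:14;)
# alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"OS-WINDOWS SMB-DS Trans2 FIND_FIRST2 response andx overflow attempt"; flow:to_client,established; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; metadata:ruleset community, service netbios-ssn; reference:bugtraq,12484; reference:cve,2005-0045; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-011; classtype:protocol-command-decode; sid:3146; rev:16;)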
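# Telnet TTYPROMPT overflow (CVE-2001-0797): exact environment-option suboption, matched on
# raw bytes so telnet normalization cannot strip it. Sets the ttyprompt flowbit and only
# fires once per flow (isnotset); sid 3274 below covers the spaced/split variant. Disabled by default.
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET login buffer overflow attempt"; flow:to_server,established; flowbits:isnotset,ttyprompt; content:"|FF FA|'|00 00|TTYPROMPT|01|"; fast_pattern:only; rawbytes; flowbits:set,ttyprompt; metadata:ruleset community, service telnet; reference:bugtraq,3681; reference:cve,2001-0797; reference:nessus,10827; classtype:attempted-admin; sid:3147; rev:13;)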
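# Client-side IE/HTML Help rules on the HTTP response body (file_data):
#  - 3148: any reference to the hhctrl.ocx CLSID; expect benign hits on legacy help pages,
#    which is one reason it ships disabled.
#  - 3149: <OBJECT ... type="////...> with 32 slashes (MS03-020).
# Both disabled by default.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows HTML Help hhctrl.ocx clsid access attempt"; flow:to_client,established; file_data; content:"clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,11467; reference:bugtraq,4857; reference:bugtraq,5874; reference:cve,2002-0693; reference:cve,2002-0823; reference:cve,2004-1043; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-055; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-001; reference:url,www.ngssoftware.com/advisories/ms-winhlp.txt; classtype:attempted-user; sid:3148; rev:20;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer 5/6 object type overflow attempt"; flow:to_client,established; file_data; content:"<OBJECT"; nocase; pcre:"/<OBJECT\s+[^>]*type\s*=[\x22\x27]\x2f{32}/smi"; metadata:ruleset community, service http; reference:cve,2003-0344; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-020; classtype:attempted-user; sid:3149; rev:12;)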
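# IIS SQLXML contenttype overflow (MS02-030): .xml/.xsl URI with a contenttype= value of at
# least 100 characters. NOTE(review): the excluded set [^\r\n\x3b\x38] ends in \x38, the
# digit '8'; presumably \x26 ('&', the query-string separator) was intended, so a value
# spanning several parameters is currently counted as one. Verify before tightening. Disabled by default.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-IIS SQLXML content type overflow"; flow:to_server,established; pcre:"/\.x[sm]l/Ui"; content:"contenttype="; http_uri; pcre:"/contenttype=[^\r\n\x3b\x38]{100}/smiU"; metadata:ruleset community, service http; reference:bugtraq,5004; reference:cve,2002-0186; reference:nessus,11304; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-030; reference:url,www.westpoint.ltd.uk/advisories/wp-02-0007.txt; classtype:attempted-admin; sid:3150; rev:14;)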
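# finger request whose first byte is "/" (CVE-1999-0612 / CVE-2000-0915). Disabled by default.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER / execution attempt"; flow:to_server,established; content:"/"; pcre:"/^\x2f/smi"; metadata:ruleset community; reference:cve,1999-0612; reference:cve,2000-0915; classtype:attempted-recon; sid:3151; rev:8;)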
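# MSSQL "sa" brute force: watches the server's failure banner and alerts once a single
# source accumulates 5 failures in 2 seconds (detection_filter). The UTF-16 variant is
# sid 3273 further down. Disabled by default.
# alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa brute force failed login attempt"; flow:to_client,established; content:"Login failed for user 'sa'"; fast_pattern:only; detection_filter:track by_src, count 5, seconds 2; metadata:ruleset community; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:3152; rev:9;)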
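# DNS inverse-query overflow (CVE-1999-0009): opcode byte with the IQUERY bit (0x08) set and
# at least 400 bytes of payload. The TCP form reads the flags at offset 4 (after the 2-byte
# length prefix), the UDP form at offset 2. Both disabled by default.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS TCP inverse query overflow"; flow:to_server,established; byte_test:1,<,16,4; byte_test:1,&,8,4; isdataat:400; metadata:ruleset community, service dns; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:3153; rev:9;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS UDP inverse query overflow"; flow:to_server; isdataat:400; byte_test:1,<,16,2; byte_test:1,&,8,2; metadata:ruleset community, service dns; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:3154; rev:11;)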
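# Back Orifice 2000 inbound on its default port 31337; a 4-byte content match with no
# offset constraint, so keep the port restriction. Disabled by default.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"MALWARE-BACKDOOR BackOrifice 2000 Inbound Traffic"; flow:to_server,established; content:"1j|D0 D9|"; metadata:policy security-ips drop, ruleset community; classtype:trojan-activity; sid:3155; rev:6;)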
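# DCOM/DCE-RPC over TCP and UDP:
#  - 3158/3159: ISystemActivator opnum 1 (CoGetInstanceFromFile, MS03-039) - a UNC path
#    (|5C 00 5C 00|) whose preceding 4-byte length is > 256.
#  - 3171: msqueue opnum 4, 4-byte stub field at offset 8 > 128 (MS05-017).
# All disabled by default; the "-8,relative" offset reads the length field before the "\\".
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP ISystemActivator CoGetInstanceFromFile attempt"; flow:to_server,established; dce_iface:000001a0-0000-0000-c000-000000000046; dce_opnum:1; dce_stub_data; content:"|01 10 08 00 CC CC CC CC|"; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,dce; metadata:ruleset community, service netbios-ssn; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:3158; rev:17;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP ISystemActivator CoGetInstanceFromFile attempt"; dce_iface:000001a0-0000-0000-c000-000000000046; dce_opnum:1; dce_stub_data; content:"|01 10 08 00 CC CC CC CC|"; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,dce; metadata:ruleset community, service dcerpc; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:3159; rev:16;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP msqueue function 4 overflow attempt"; dce_iface:975201B0-59CA-11D0-A8D5-00A0C90D8051; dce_opnum:4; dce_stub_data; byte_test:4,>,128,8,dce; metadata:ruleset community, service dcerpc; reference:cve,2005-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:attempted-admin; sid:3171; rev:14;)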
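# 3192: Content-Disposition filename containing "..\" (raw or URL-encoded) ending in .wmz,
#       matched on the HTTP response headers (MS03-017).
# 3193/3194: IIS .cmd"/.bat" URI followed by "&" (CVE-2000-0886), normalized URI.
# All disabled by default.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Media Player directory traversal via Content-Disposition attempt"; flow:to_client,established; content:".wmz"; fast_pattern; nocase; http_header; content:"Content-Disposition|3A|"; nocase; http_header; content:"filename="; nocase; http_header; pcre:"/filename=[^\x3b\x3a\r\n]*(\x25\x2e\x25\x2e\x25\x5c|\x25\x32\x65\x25\x35\x63|\x2e\x2e\x5c)[^\x3b\x3a\r\n]*\x2ewmz/smiH"; metadata:ruleset community, service http; reference:bugtraq,7517; reference:cve,2003-0228; reference:nessus,11595; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-017; classtype:attempted-user; sid:3192; rev:19;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS .cmd executable file parsing attack"; flow:to_server,established; content:".cmd|22|"; nocase; http_uri; pcre:"/\x2ecmd\x22.*?\x26/smUi"; metadata:ruleset community, service http; reference:bugtraq,1912; reference:cve,2000-0886; classtype:web-application-attack; sid:3193; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS .bat executable file parsing attack"; flow:to_server,established; content:".bat|22|"; nocase; http_uri; pcre:"/\x2ebat\x22.*?\x26/Usmi"; metadata:ruleset community, service http; reference:bugtraq,1912; reference:cve,2000-0886; classtype:web-application-attack; sid:3194; rev:16;)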
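# NetBIOS/WINS name query overflow (MS04-006, CVE-2003-0825): query flag bit 0x40 set at
# offset 2, a space at offset 12 (first byte of the encoded name) and at least 56 more bytes
# after it. Four copies: NetBIOS-NS 137 and WINS 42, each TCP and UDP. NOTE(review): 3199 uses
# flow:established with no direction, unlike its siblings; presumably an oversight. All disabled by default.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"OS-WINDOWS name query overflow attempt TCP"; flow:to_server,established; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; metadata:ruleset community, service netbios-ns; reference:bugtraq,9624; reference:cve,2003-0825; reference:nessus,15912; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-006; classtype:attempted-admin; sid:3195; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"OS-WINDOWS name query overflow attempt UDP"; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; metadata:ruleset community, service netbios-ns; reference:bugtraq,9624; reference:cve,2003-0825; reference:nessus,15912; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-006; classtype:attempted-admin; sid:3196; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"OS-WINDOWS Microsoft Windows WINS name query overflow attempt TCP"; flow:established; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; metadata:ruleset community; reference:bugtraq,9624; reference:cve,2003-0825; reference:nessus,15912; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-006; classtype:attempted-admin; sid:3199; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"OS-WINDOWS Microsoft Windows WINS name query overflow attempt UDP"; flow:to_server; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; metadata:ruleset community; reference:bugtraq,9624; reference:cve,2003-0825; reference:nessus,15912; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-006; classtype:attempted-admin; sid:3200; rev:12;)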
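# Nimda-era probe for /httpodbc.dll (CVE-2001-0333); activity-class, so it is a sighting,
# not an exploit indicator. Disabled by default.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-IIS httpodbc.dll access - nimda"; flow:to_server,established; content:"/httpodbc.dll"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2708; reference:cve,2001-0333; classtype:web-application-activity; sid:3201; rev:14;)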
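# winreg OpenKey (opnum 15) with a 2-byte stub length at offset 20 > 1024 (MS00-040).
# Disabled by default; needs DCE/RPC decoding on 139/445.
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP winreg OpenKey overflow attempt"; flow:to_server,established; dce_iface:338cd001-2244-31f1-aaaa-900038001003; dce_opnum:15; dce_stub_data; byte_test:2,>,1024,20,dce; metadata:ruleset community, service netbios-ssn; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:3218; rev:23;)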
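# Messenger service overflow (MS03-043, CVE-2003-0717) over raw DCE/RPC UDP: the two rules
# differ only in the byte-order flag tested at offset 2 (0x10 set = little endian, 3234;
# clear = big endian, 3235) and the matching endianness of the byte_jump/byte_test chain,
# which walks two length-prefixed fields to the message body and tests its length > 1024.
# Both disabled by default.
# alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"OS-WINDOWS Messenger message little endian overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,&,16,2,relative; content:"|F8 91|{Z|00 FF D0 11 A9 B2 00 C0|O|B6 E6 FC|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; byte_jump:4,18,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,8,little,relative; metadata:ruleset community; reference:bugtraq,8826; reference:cve,2003-0717; classtype:attempted-admin; sid:3234; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"OS-WINDOWS Messenger message overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,!&,16,2,relative; content:"|F8 91|{Z|00 FF D0 11 A9 B2 00 C0|O|B6 E6 FC|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; byte_jump:4,18,align,relative; byte_jump:4,8,align,relative; byte_test:4,>,1024,8,relative; metadata:ruleset community; reference:bugtraq,8826; reference:cve,2003-0717; classtype:attempted-admin; sid:3235; rev:5;)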
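# irot IrotIsRunning/IrotRevoke (opnums 1,2; MS03-010): skips a null/12-byte header, jumps
# back 4 bytes to the length field and tests it > 1024. TCP (3238) and UDP (3239) forms use
# the same byte_jump:4,-4 offset. Both disabled by default.
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP irot IrotIsRunning/Revoke overflow attempt"; flow:to_server,established; dce_iface:b9e79e60-3d52-11ce-aaa1-00006901293f; dce_opnum:1,2; dce_stub_data; pcre:"/^(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,relative,align,dce; byte_test:4,>,1024,0,relative,dce; metadata:ruleset community; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-010; classtype:attempted-admin; sid:3238; rev:15;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP irot IrotIsRunning/Revoke overflow attempt"; dce_iface:b9e79e60-3d52-11ce-aaa1-00006901293f; dce_opnum:1,2; dce_stub_data; pcre:"/^(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,relative,align,dce; byte_test:4,>,1024,0,relative,dce; metadata:ruleset community; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-010; classtype:attempted-admin; sid:3239; rev:14;)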
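# UTF-16LE twin of sid 3152: "Login failed for user 'sa'" as wide characters, same
# 5-in-2-seconds per-source threshold. Disabled by default.
# alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa brute force failed login unicode attempt"; flow:to_client,established; content:"L|00|o|00|g|00|i|00|n|00| |00|f|00|a|00|i|00|l|00|e|00|d|00| |00|f|00|o|00|r|00| |00|u|00|s|00|e|00|r|00| |00|'|00|s|00|a|00|'|00|"; detection_filter:track by_src, count 5, seconds 2; metadata:ruleset community; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:3273; rev:8;)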
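# Companion to sid 3147: same telnet suboption prefix, but the TTYPROMPT letters may be
# separated by arbitrary bytes (lazy .*? between each), so it also catches padded forms.
# Shares the ttyprompt flowbit, so only one of 3147/3274 fires per flow. Disabled by default.
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET login buffer non-evasive overflow attempt"; flow:to_server,established; flowbits:isnotset,ttyprompt; content:"|FF FA|'|00 00|"; rawbytes; pcre:"/T.*?T.*?Y.*?P.*?R.*?O.*?M.*?P.*?T/RBi"; flowbits:set,ttyprompt; metadata:ruleset community, service telnet; reference:bugtraq,3681; reference:cve,2001-0797; reference:nessus,10827; classtype:attempted-admin; sid:3274; rev:12;)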
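# RPC DCOM (MS03-026 / MS03-039):
#  - 3397/3398: ISystemActivator opnum 4 (RemoteCreateInstance), UNC path length > 256,
#    same stub walk as sids 3158/3159.
#  - 3409: IActivation opnum 0, 4-byte field at stub offset 52 > 256.
# All disabled by default.
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP ISystemActivator RemoteCreateInstance attempt"; flow:to_server,established; dce_iface:000001a0-0000-0000-c000-000000000046; dce_opnum:4; dce_stub_data; content:"|01 10 08 00 CC CC CC CC|"; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,dce; metadata:ruleset community, service netbios-ssn; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:3397; rev:17;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP ISystemActivator RemoteCreateInstance attempt"; dce_iface:000001a0-0000-0000-c000-000000000046; dce_opnum:4; dce_stub_data; content:"|01 10 08 00 CC CC CC CC|"; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,dce; metadata:ruleset community, service dcerpc; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:3398; rev:16;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP IActivation remoteactivation overflow attempt"; flow:to_server,established; dce_iface:4d9f4ab8-7d1c-11cf-861e-0020af6e7c57; dce_opnum:0; dce_stub_data; byte_test:4,>,256,52,dce; metadata:ruleset community, service dcerpc, service netbios-ssn; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0528; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:3409; rev:17;)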
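# FTP PORT command whose address does not match the client (ftpbounce keyword does the
# comparison, CVE-1999-0017). Disabled by default.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP PORT bounce attempt"; flow:to_server,established; content:"PORT"; nocase; ftpbounce; pcre:"/^PORT/smi"; metadata:ruleset community, service ftp; reference:bugtraq,126; reference:cve,1999-0017; reference:nessus,10081; classtype:misc-attack; sid:3441; rev:12;)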
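# LPD (515) control/data command (0x03-0x05) with no NUL and no newline within the first
# 497 bytes, i.e. an over-long name field (MS00-021). Disabled by default.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"OS-WINDOWS Microsoft Windows TCP print service overflow attempt"; flow:to_server,established; pcre:"/^(\x03|\x04|\x05)/s"; content:"|00|"; within:497; content:"|0A|"; within:497; metadata:ruleset community; reference:bugtraq,1082; reference:cve,2000-0232; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-021; classtype:attempted-dos; sid:3442; rev:11;)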
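# Arkeia backup agent (617/tcp, CVE-2005-0491): two recon probes (3453 ARKADMIN_GET_*_INFO,
# 3454 ARKFS root/root), and two length checks on message types 'M' (77) and 'T' (84),
# where the 2-byte length at offset 6 exceeds 23 / 255. 3458 additionally requires 263+
# bytes with no NUL in the 255 bytes after offset 8.
# Also here: Bontago nickname overflow (512+ bytes after the fixed header) and a MySQL 4.0
# "root" login attempt - the latter is decode-class and will fire on legitimate root logins.
# All disabled by default.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"SERVER-OTHER Arkeia client backup system info probe"; flow:to_server,established; content:"ARKADMIN_GET_"; pcre:"/^(CLIENT|MACHINE)_INFO/Ri"; metadata:ruleset community; reference:bugtraq,12594; reference:cve,2005-0491; classtype:attempted-recon; sid:3453; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"SERVER-OTHER Arkeia client backup generic info probe"; flow:to_server,established; content:"ARKFS|00|root|00|root"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,12594; reference:cve,2005-0491; classtype:attempted-recon; sid:3454; rev:7;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5001 (msg:"SERVER-OTHER Bontago Game Server Nickname buffer overflow"; flow:to_server,established; content:"|FF 01 00 00 00 00 01|"; isdataat:512,relative; metadata:ruleset community; reference:bugtraq,12603; reference:cve,2005-0501; reference:url,aluigi.altervista.org/adv/bontagobof-adv.txt; classtype:attempted-user; sid:3455; rev:7;)
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL 4.0 root login attempt"; flow:to_server,established; content:"|01|"; depth:1; offset:3; content:"root|00|"; within:5; distance:5; nocase; metadata:ruleset community, service mysql; classtype:protocol-command-decode; sid:3456; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"SERVER-OTHER Arkeia backup client type 77 overflow attempt"; flow:to_server,established; content:"|00|M"; depth:2; byte_test:2,>,23,6; metadata:ruleset community; reference:bugtraq,12594; reference:cve,2005-0491; reference:nessus,17158; classtype:attempted-user; sid:3457; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"SERVER-OTHER Arkeia backup client type 84 overflow attempt"; flow:to_server,established; content:"|00|T"; depth:2; byte_test:2,>,255,6; isdataat:263; content:!"|00|"; depth:255; offset:8; metadata:ruleset community; reference:bugtraq,12594; reference:cve,2005-0491; classtype:attempted-user; sid:3458; rev:7;)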
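# Manolito/Blubster P2P search (outbound UDP 41170), policy class. Disabled by default.
# alert udp $HOME_NET any -> $EXTERNAL_NET 41170 (msg:"PUA-P2P Manolito Search Query"; flow:to_server; content:"|01 02 00 14|"; depth:4; offset:16; metadata:ruleset community; reference:url,openlito.sourceforge.net; reference:url,www.blubster.com; classtype:policy-violation; sid:3459; rev:9;)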
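# FTP REST with a numeric offset: the regex is unanchored and accepts a bare "\n" terminator.
# REST is also normal resume behaviour, hence recon class and disabled by default.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP REST with numeric argument"; flow:to_server,established; content:"REST"; fast_pattern:only; pcre:"/REST\s+[0-9]+\n/i"; metadata:ruleset community, service ftp; reference:bugtraq,7825; classtype:attempted-recon; sid:3460; rev:9;)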
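# MS03-015 header overflows carried over SMTP: a Content-Type / Content-Encoding header
# line with 300 or more non-CRLF characters after the colon. Both disabled by default.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Content-Type overflow attempt"; flow:to_server,established; content:"Content-Type"; nocase; content:"|3A|"; distance:0; pcre:"/^\s*Content-Type\s*\x3A\s*[^\r\n]{300}/mi"; metadata:ruleset community, service smtp; reference:bugtraq,44732; reference:bugtraq,7419; reference:cve,2003-0113; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-015; classtype:attempted-admin; sid:3461; rev:17;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer Content-Encoding overflow attempt"; flow:to_server,established; content:"Content-Encoding"; nocase; content:"|3A|"; distance:0; pcre:"/^\s*Content-Encoding\s*\x3A\s*[^\r\n]{300}/mi"; metadata:ruleset community, service smtp; reference:bugtraq,7419; reference:cve,2003-0113; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-015; classtype:attempted-admin; sid:3462; rev:14;)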
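# awstats: 3463 is a plain access sighting; 3464 requires update= plus a logfile= value
# starting with "|" (pipe to a command). In 3464's second pcre "awstats.pl?" is not escaped,
# so "." matches any byte and "?" makes the "l" optional - harmless here because the earlier
# literal content match already requires "/awstats.pl?". Both disabled by default.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP awstats access"; flow:to_server,established; content:"/awstats.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,12572; reference:nessus,16456; classtype:web-application-activity; sid:3463; rev:14;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP awstats.pl command execution attempt"; flow:to_server,established; content:"/awstats.pl?"; fast_pattern; nocase; http_uri; content:"update="; http_uri; pcre:"/update=[^\r\n\x26]+/Ui"; content:"logfile="; nocase; http_uri; pcre:"/awstats.pl?[^\r\n]*logfile=\x7C/Ui"; metadata:ruleset community, service http; reference:bugtraq,12572; reference:nessus,16456; classtype:web-application-attack; sid:3464; rev:12;)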
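# Outbound C2 beacons. The first four are ENABLED and set to drop under both balanced and
# security IPS policies, so a false positive blocks traffic: 16368 is a fixed 20-byte
# preamble on 443 (not TLS-aware), 19964 a .gif?<hex>=<digits> URI with a User-Agent but no
# Referer/Accept, 20080 a fixed binary header on 12080, 20221 an "Opera\9.64" UA plus the
# bb.php?v= parameter set. 21230 (Betad) is disabled by default. VirusTotal references are
# <sha256>-<unix time> ids.
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Hydraq variant outbound connection"; flow:to_server,established; content:"|FF FF FF FF FF FF 00 00 FE FF FF FF FF FF FF FF FF FF 88 FF|"; depth:20; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:url,www.virustotal.com/analisis/9051f618a5a8253a003167e65ce1311fa91a8b70d438a384be48b02e73ba855c-1263878624; classtype:trojan-activity; sid:16368; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sality variant outbound connection"; flow:to_server,established; urilen:15<>30,norm; content:".gif?"; fast_pattern:only; http_uri; content:"User-Agent"; http_header; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/\.gif\x3f[a-f0-9]{4,7}\x3d\d{6,8}$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file-scan/report.html?id=982e0324c905311b88d59547f55c1dbba9b0568333827a699bb2f32adc669100-1250921064; classtype:trojan-activity; sid:19964; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 12080 (msg:"MALWARE-CNC Win.Trojan.Derusbi.A variant outbound connection"; flow:to_server,established; content:"|00 00 00 01 00 00 00|"; depth:7; offset:1; content:"|01 00 00 00 68 01 00 00|"; within:8; distance:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/file-scan/report.html?id=6fecd042c3c0b54e7354cd8dfb1975c626acd8df55f88c4149462e15e77918b0-1314630371; reference:url,www.virustotal.com/file-scan/report.html?id=705404d6bbf6dae254e2d3bc44eca239976be7f0dc4d49fe93b0fb1d1c2704fe-1314630371; classtype:trojan-activity; sid:20080; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound connection"; flow:to_server,established; content:"User-Agent|3A| Opera|5C|9.64|0A|"; fast_pattern:only; http_header; content:"bb.php?v="; http_uri; content:"id="; distance:0; http_uri; content:"b="; distance:0; http_uri; content:"tm="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file-scan/report.html?id=2afb098dfea7d2acd73da520fe26d09acee1449c79d2c8753f3008a2a8f648b2-1303397086; classtype:trojan-activity; sid:20221; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Betad variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/login.php"; nocase; http_uri; content:"|C9 97 A2 F3 7E 37 CB 7E 27|"; fast_pattern:only; http_client_body; metadata:ruleset community, service http; reference:url,www.virustotal.com/file-scan/report.html?id=46a87d0818ffd828df5c8fca63b1628f068e50cf3d20ec0e4e009e1dd547b9e9-1324042194; classtype:trojan-activity; sid:21230; rev:7;)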
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLACKLIST
User-Agent known malicious user-agent string DataCha0s"; flow:to_server,
established; content:"User-Agent|3A 20|DataCha0s"; fast_pattern:only;
http_header; metadata:ruleset community, service http;
reference:url,www.internetofficer.com/web-robot/datacha0s/;
classtype:network-scan; sid:21246; rev:5;)
alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"BLACKLIST known
malicious FTP login banner - 0wns j0"; flow:established,to_client;
content:"220|20|"; depth:4; content:"0wns j0"; distance:0; nocase;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service ftp;
reference:url,seclists.org/fulldisclosure/2004/Sep/895;
reference:url,www.cyber-ta.org/releases/malwareanalysis/public/SOURCES/CLUSTERS-NEW/behavior-summary.html;
classtype:trojan-activity; sid:21255; rev:4;)
alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"BLACKLIST known
malicious FTP quit banner - Goodbye happy r00ting";
flow:established,to_client; content:"221 Goodbye happy r00ting";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service ftp;
reference:url,taosecurity.blogspot.com/2006/01/nepenthes-discoveriesearlier-today-i.html; classtype:trojan-activity; sid:21256; rev:5;)
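# Scanner / policy indicators. All three are disabled by default (leading "# ").
# sid 21257 - URI that ends in /muieblackcat; the pcre anchors the path end, case-insensitive.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLACKLIST URI - known scanner tool muieblackcat"; flow:to_server, established; content:"/muieblackcat"; nocase; http_uri; pcre:"/\/muieblackcat$/Ui"; metadata:policy security-ips drop, ruleset community, service http; reference:url,serverfault.com/questions/309309/what-is-muieblackcat; classtype:network-scan; sid:21257; rev:3;)
# sid 21266 - literal Morfeus scanner User-Agent in the normalized header buffer; a User-Agent
# match only, so any operator that changes the UA string evades it.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user-agent string Morfeus Scanner"; flow:to_server, established; content:"User|2D|Agent|3A 20|Morfeus|20|Fucking|20|Scanner"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:network-scan; sid:21266; rev:4;)
# sid 21267 - TRENDnet camera unauthenticated /anony/ stream paths. classtype is
# policy-violation: it flags access to the exposed endpoint, it is not an exploit signature.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER TRENDnet IP Camera anonymous access attempt"; flow:to_server,established; content:"/anony/"; fast_pattern:only; http_uri; pcre:"/\/anony\/(jpgview\.htm|mjpeg\.cgi|view2\.cgi|mjpg\.cgi)/Ui"; metadata:ruleset community, service http; reference:url,consolecowboys.blogspot.com/2012/01/trendnet-cameras-i-always-feel-like.html; reference:url,www.trendnet.com/press/view.asp?id=1958; reference:url,www.wired.com/threatlevel/2012/02/home-cameras-exposed/; classtype:policy-violation; sid:21267; rev:4;)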
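# sid 21327 - ASafaWeb (online ASP.NET configuration scanner, see reference) identified by its
# User-Agent. Enabled: alert only in balanced-ips, drop in security-ips. The scan is usually
# requested by a site owner against their own host, so review before dropping in production.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent ASafaWeb Scan"; flow:to_server,established; content:"User-Agent|3A| asafaweb.com"; fast_pattern:only; http_header; metadata:policy balanced-ips alert, policy security-ips drop, ruleset community, service http; reference:url,asafaweb.com; classtype:network-scan; sid:21327; rev:6;)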
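# sid 21375 - Horde backdoor trigger (CVE-2012-0209). Requires all three buffers to agree:
# URI /services/javascript.php, a cookie containing "href=" and a body containing
# "file=open_calendar.js". Disabled by default.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Remote Execution Backdoor Attempt Against Horde"; flow:to_server,established; content:"/services/javascript.php"; fast_pattern:only; http_uri; content:"href="; http_cookie; content:"file=open_calendar.js"; http_client_body; metadata:ruleset community, service http; reference:cve,2012-0209; reference:url,dev.horde.org/h/jonah/stories/view.php?channel_id=1&id=155; reference:url,eromang.zataz.com/2012/02/15/cve-2012-0209-horde-backdoor-analysis/; reference:url,pastebin.com/U3ADiWrP; classtype:web-application-attack; sid:21375; rev:7;)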
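# sid 21417 - Laik exploit-kit PDF keyed on a single fixed /CreationDate value. Depends on the
# file.pdf flowbit being set by a file-type rule elsewhere in the ruleset. Disabled by default;
# any re-timestamped sample will not match.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF hostile PDF associated with Laik exploit kit"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1."; content:") /CreationDate (D:20110405234628)>>"; fast_pattern:only; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:21417; rev:9;)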
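# sid 21438 - Blackhole landing page: applet tag with code=/archive= and display:none, plus
# ten caret-separated tokens (\x5e is "^") drawn from [@-a-z0-9]. Disabled by default.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit JavaScript carat string splitting with hostile applet"; flow:to_client,established; content:"<html><body><applet|20|code="; nocase; content:"|20|archive="; distance:0; nocase; content:"display|3A|none|3B|"; distance:0; nocase; pcre:"/([@\x2da-z0-9]+?\x5e){10}/smi"; metadata:impact_flag red, ruleset community, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:21438; rev:6;)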
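# sid 21442 - TDL4 base64 URI. Only proxy-style absolute-URI requests qualify ("GET http://"
# in the first 11 bytes); the base64 that follows is decoded and searched for the ordered
# clk=/&bid=/&aid=/&sid=/&rd=/&x86= parameter chain. Disabled by default.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - base64 encoded"; flow:to_server,established; content:"GET http|3A 2F 2F|"; depth:11; base64_decode:relative; base64_data; content:"clk="; content:"&bid="; distance:0; content:"&aid="; within:5; distance:40; content:"&sid="; distance:0; content:"&rd="; distance:0; content:"&x86="; distance:0; metadata:impact_flag red, ruleset community, service http; reference:url,www.damballa.com/tdl4/; classtype:trojan-activity; sid:21442; rev:5;)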
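# sid 21444 - TDSS beacon profile: bare "Mozilla/4.0 (compatible; )" UA, an upper-case
# "HOST:" header name (no nocase, so the casing is part of the fingerprint) and no
# X-BlueCoat-Via header (negated content excludes traffic relayed through such a proxy).
# Disabled by default.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.TDSS variant outbound connection"; flow:to_server,established; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B 20|)"; fast_pattern:only; http_header; content:"HOST|3A|"; http_header; content:!"X-BlueCoat-Via"; nocase; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,about-threats.trendmicro.com/Malware.aspx?language=apac&name=TDSS; reference:url,www.virustotal.com/file/75e8b49e1d316f28363cccb697cfd2ebca3122dba3dba321dba6391b49fc757e/analysis/; classtype:trojan-activity; sid:21444; rev:12;)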
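# sid 21475 - "core-project" User-Agent. Enabled and set to drop in both policies, yet
# classtype is misc-activity and there is no reference; verify the priority matches the
# intended response before relying on it for blocking.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user-agent string core-project"; flow:to_server, established; content:"User-Agent|3A 20|core-project"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:misc-activity; sid:21475; rev:3;)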
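# sid 21492 - Blackhole "prototype ... }catch(" structure. No file_data, so the raw stream is
# searched; sid 21646 is the same idea restricted to file_data with a tighter pcre. Disabled.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - prototype catch"; flow:to_client,established; content:"prototype"; content:"}catch("; distance:0; pcre:"/prototype([^\x7d]{1,3})?\x7dcatch\x28/smi"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:21492; rev:20;)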
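# sid 21562 - Bredolab check-in: POST with the exact header "User-Agent: Mozilla/4.0\r\n"
# (no suffix) and a body that begins with "smk=" (depth:4). Enabled; drop in both policies.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bredolab variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; http_header; content:"smk="; depth:4; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/9384733182a6cbe5236b9b253d1f070570b7f6b6ff31aa86be253421f4c5c645/analysis/; classtype:trojan-activity; sid:21562; rev:5;)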
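# sid 21646 - Blackhole "prototype ... }catch(xxx)" in file_data; the pcre requires exactly
# three word characters inside catch(). Tighter successor of sid 21492. Disabled by default.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - prototype catch"; flow:to_client,established; file_data; content:"prototype"; content:"}catch("; distance:0; pcre:"/prototype([^\x7d]{1,3})?\x7dcatch\(\w{3}\)/smi"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:21646; rev:15;)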
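# sids 21818-21844 - Windows environment-variable placeholders in the normalized URI.
# Each rule is a bare substring match (fast_pattern:only + http_uri) with no path-separator
# or traversal context, so they are indicator-grade: any URL carrying an unresolved %VAR%
# template token will hit. No nocase is set, so lower-case forms such as %windir% are not
# matched. All disabled by default; classtype attempted-recon.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %ALLUSERSPROFILE%"; flow:to_server,established; content:"%ALLUSERSPROFILE%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21818; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %PROGRAMDATA%"; flow:to_server,established; content:"%PROGRAMDATA%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21819; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %APPDATA%"; flow:to_server,established; content:"%APPDATA%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21820; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %COMMONPROGRAMFILES%"; flow:to_server,established; content:"%COMMONPROGRAMFILES%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21821; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %COMMONPROGRAMFILES - x86%"; flow:to_server,established; content:"%COMMONPROGRAMFILES|40|x86|41|%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21822; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %COMSPEC%"; flow:to_server,established; content:"%COMSPEC%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21823; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %HOMEDRIVE%"; flow:to_server,established; content:"%HOMEDRIVE%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21824; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %HOMEPATH%"; flow:to_server,established; content:"%HOMEPATH%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21825; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %LOCALAPPDATA%"; flow:to_server,established; content:"%LOCALAPPDATA%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21826; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %PROGRAMFILES%"; flow:to_server,established; content:"%PROGRAMFILES%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21827; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %PROGRAMFILES X86%"; flow:to_server,established; content:"%PROGRAMFILES|40|X86|41|%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21828; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %SystemDrive%"; flow:to_server,established; content:"%SystemDrive%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21829; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %SystemRoot%"; flow:to_server,established; content:"%SystemRoot%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21830; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %TEMP%"; flow:to_server,established; content:"%TEMP%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21831; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %TMP%"; flow:to_server,established; content:"%TMP%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21832; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %USERDATA%"; flow:to_server,established; content:"%USERDATA%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21833; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %USERNAME%"; flow:to_server,established; content:"%USERNAME%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21834; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %USERPROFILE%"; flow:to_server,established; content:"%USERPROFILE%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21835; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %WINDIR%"; flow:to_server,established; content:"%WINDIR%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21836; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %PUBLIC%"; flow:to_server,established; content:"%PUBLIC%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21837; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %PSModulePath%"; flow:to_server,established; content:"%PSModulePath%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21838; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable in URI attempt - %COMPUTERNAME%"; flow:to_server,established; content:"%COMPUTERNAME%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21839; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable in URI attempt - %LOGONSERVER%"; flow:to_server,established; content:"%LOGONSERVER%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21840; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable in URI attempt - %PATH%"; flow:to_server,established; content:"%PATH%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21841; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable in URI attempt - %PATHEXT%"; flow:to_server,established; content:"%PATHEXT%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21842; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable in URI attempt - %PROMPT%"; flow:to_server,established; content:"%PROMPT%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21843; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable in URI attempt - %USERDOMAIN%"; flow:to_server,established; content:"%USERDOMAIN%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:21844; rev:4;)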
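# sid 21845 - Sutra TDS response cookie. The first "_0000=" is an unbuffered raw match used
# only as the fast pattern; the real test is a cookie containing "SL_" followed within 8
# bytes by "_0000=". Enabled; drop in security-ips. Shares its msg text with sid 21851 -
# distinguish by sid when triaging.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER TDS Sutra - redirect received"; flow:to_client,established; content:"_0000="; fast_pattern; content:"SL_"; http_cookie; content:"_0000="; within:8; http_cookie; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21845; rev:8;)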
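# Sutra TDS in.cgi family, all disabled by default.
# sid 21846 - outbound request whose URI ends in /in.cgi?<1-2 digits> or /in.cgi?default.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC TDS Sutra - request in.cgi"; flow:to_server,established; content:"/in.cgi?"; http_uri; pcre:"/\x2Fin\.cgi\?(\d{1,2}|default)$/Ui"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21846; rev:8;)
# sid 21848 - page body referencing /in.cgi?<1-6 word chars>; the negated contents reject
# ordinary query strings (id=, &, =) so only the short bare-token form survives.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER TDS Sutra - page redirecting to a SutraTDS"; flow:to_client,established; file_data; content:"/in.cgi?"; isdataat:15,relative; content:!"id="; within:3; nocase; content:!"&"; within:6; content:!"="; within:6; pcre:"/\x2Fin\.cgi\?(\w{1,6}|default)\b/smi"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21848; rev:13;)
# sid 21849 - same in.cgi pattern carried in a response header (pcre /H), e.g. a Location redirect.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER TDS Sutra - HTTP header redirecting to a SutraTDS"; flow:to_client,established; content:"/in.cgi"; http_header; pcre:"/\x2Fin\.cgi\?(\d{1,2}|default)$/Hsmi"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21849; rev:8;)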
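# sid 21850 - Sutra TDS hi.cgi request. A single unanchored URI substring with no pcre
# narrowing (unlike the sibling in.cgi rules), enabled and set to drop in security-ips:
# any outbound request whose normalized URI contains "/hi.cgi" is affected.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER TDS Sutra - request hi.cgi"; flow:to_server,established; content:"/hi.cgi"; http_uri; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21850; rev:6;)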
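# sid 21851 - Sutra TDS 302 redirect whose cookie (pcre /C) starts with five letters, a
# digit, "=_", a digit and "_". Enabled; drop in security-ips. Same msg as sid 21845.
# NOTE(review): "|5C 3B|" is the byte pair backslash + semicolon, so a literal "\" must
# precede the ";" before " domain=" - confirm that is intended and not a mis-escaped ";".
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER TDS Sutra - redirect received"; flow:to_client,established; content:"302"; http_stat_code; content:"=_"; content:"_|5C 3B| domain="; within:11; distance:1; pcre:"/^[a-z]{5}\d=_\d_/C"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21851; rev:6;)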
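# sid 22061 - Alureon injected iframe. Every quote in the content is |5C 22| (backslash +
# double quote), so this matches the iframe attributes as they appear escaped inside a
# JavaScript string literal (e.g. a document.write argument), not as plain HTML markup; the
# unescaped HTML form of the same iframe is not covered. Enabled; alert in balanced-ips.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Alureon - Malicious IFRAME load attempt"; flow:to_client,established; file_data; content:"name=|5C 22|Twitter|5C 22| scrolling=|5C 22|auto|5C 22| frameborder=|5C 22|no|5C 22| align=|5C 22|center|5C 22| height = |5C 22|1px|5C 22| width = |5C 22|1px|5C 22|>"; fast_pattern:only; metadata:policy balanced-ips alert, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:22061; rev:6;)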
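# sid 22063 - PHP-CGI argument injection (CVE-2012-1823 family). Case-sensitive substring
# "auto_prepend_file" in the normalized URI, with no check for the "-d" argument context:
# it fires on any URI that carries the directive name, and other php.ini directives abused
# through the same bug are not covered by this sid. Enabled; drop in both policies.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP-CGI remote file include attempt"; flow:to_server,established; content:"auto_prepend_file"; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2012-1823; reference:cve,2012-2311; reference:cve,2012-2335; reference:cve,2012-2336; classtype:attempted-admin; sid:22063; rev:9;)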
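# DNS blacklist rules (disabled by default). byte_test:1,!&,0xF8,2 requires the top five
# bits of header byte 2 (QR and Opcode) to be clear, i.e. a standard query; the content is
# the wire-format name with length-prefixed labels and a terminating |00|. The |11| (17)
# length byte confirms the hyphenated label "portal-protection".
# alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain murik.portal-protection.net.ru - Mal/Rimecud-R"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|murik|11|portal-protection|03|net|02|ru|00|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service dns; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~Rimecud-R/detailed-analysis.aspx; classtype:trojan-activity; sid:22957; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain slade.safehousenumber.com - Mal/Rimecud-R"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|slade|0F|safehousenumber|03|com|00|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service dns; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~Rimecud-R/detailed-analysis.aspx; classtype:trojan-activity; sid:22958; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain world.rickstudio.ru - Mal/Rimecud-R"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|world|0A|rickstudio|02|ru|00|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service dns; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~Rimecud-R/detailed-analysis.aspx; classtype:trojan-activity; sid:22959; rev:3;)
# alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain portal.roomshowerbord.com - Mal/EncPk-ADU"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|portal|0E|roomshowerbord|03|com|00|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service dns; reference:url,www.threatexpert.com/report.aspx?md5=d3d6f87d8f8e3dd5c2793d5a1d3ca7ca; classtype:trojan-activity; sid:22960; rev:3;)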
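# Generic web-content indicators, all disabled by default.
# sid 23179 - a </script> immediately followed by <!DOCTYPE in file_data (script injected
# ahead of the document prologue). Case-sensitive.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE script before DOCTYPE possible malicious redirect attempt"; flow:to_client,established; file_data; content:"</script><!DOCTYPE"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-attack; sid:23179; rev:4;)
# sid 23481 / 23482 - a quoted first argument to setTimeout( / addEventListener( that holds
# at least two \xHH escapes before the first comma (the contents pre-filter, the pcre decides).
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION hex escaped characters in setTimeout call"; flow:established,to_client; file_data; content:"setTimeout|28|"; nocase; content:"|5C|x"; within:10; nocase; content:"|5C|x"; within:10; nocase; pcre:"/setTimeout\x28[\x22\x27][^\x2C]*?\x5cx[\da-f]{2}[^\x2C]*?[\da-f]{2,}\x5cx[\da-f]{2}/smi"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:bad-unknown; sid:23481; rev:4;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION hex escaped characters in addEventListener call"; flow:established,to_client; file_data; content:"addEventListener|28|"; nocase; content:"|5C|x"; within:10; nocase; content:"|5C|x"; within:10; nocase; pcre:"/addEventListener\x28[\x22\x27][^\x2C]*?\x5cx[\da-f]{2}[^\x2C]*?[\da-f]{2,}\x5cx[\da-f]{2}/smi"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:bad-unknown; sid:23482; rev:4;)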
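# sid 23492 - ZeroAccess UDP beacon: exactly 20-byte payload to port 53 with bytes 0x9E 0x98
# at offset 6. No service metadata, so this is a plain port-53 match rather than a DNS-aware
# one, and it drops in both policies. NOTE(review): in a genuine DNS header bytes 6-7 are
# ANCOUNT, which is 0 in normal queries, so collision with real DNS should be rare - but any
# 20-byte UDP/53 datagram with that value is dropped regardless of protocol.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.ZeroAccess outbound communication"; flow:to_server; dsize:20; content:"|9E 98|"; depth:2; offset:6; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/file/50cdd9f6c5629630c8d8a3a4fe7d929d3c6463b2f9407d9a90703047e7db7ff9/analysis/; classtype:trojan-activity; sid:23492; rev:4;)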
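# JavaScript packer indicators, disabled by default.
# sid 23621 - Dean Edwards packer header "eval(function(p,a,c,k,e,r)" whose keyword table
# also contains |fromCharCode|, |charCodeAt| and |eval| in order. The packer itself is
# widely used by legitimate sites (classtype misc-activity).
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION known packer routine with secondary obfuscation"; flow:to_client,established; file_data; content:"eval(function(p,a,c,k,e,r)"; fast_pattern:only; content:"|7C|fromCharCode|7C|"; nocase; content:"|7C|charCodeAt|7C|"; distance:0; nocase; content:"|7C|eval|7C|"; distance:0; nocase; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,dean.edwards.name/packer/; classtype:misc-activity; sid:23621; rev:6;)
# sid 23636 - the literal token ['parse'+'Int']( (|5B 27| ... |27 5D 28| decoded), i.e. a
# split built-in name used to dodge simple string matching.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION JavaScript built-in function parseInt appears obfuscated - likely packer or encoder"; flow:to_client,established; file_data; content:"|5B 27|parse|27 2B 27|Int|27 5D 28|"; fast_pattern:only; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,labs.snort.org/docs/23636.txt; classtype:trojan-activity; sid:23636; rev:8;)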
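# sid 24015 - Magania/PinkStats beacon: header "User-Agent: Google page\r\n" and a URI where
# "mac=" immediately follows ".asp?" (within:4 leaves no slack) and "&ver=" appears later.
# Enabled; drop in both policies.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Magania variant outbound connection"; flow:to_server,established; content:"User-Agent: Google page|0D 0A|"; fast_pattern:only; http_header; content:".asp?"; http_uri; content:"mac="; within:4; http_uri; content:"&ver="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.seculert.com/blog/2013/06/adversary-arsenal-exposed-part-i-pinkstats.html; reference:url,www.virustotal.com/file/6a813f96bb65367a8b5c5ba2937c773785a0a0299032a6c77b9b0862be8bdb71/analysis/; classtype:trojan-activity; sid:24015; rev:6;)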
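# sid 24017 - outbound request for a URI containing "/rebots.php" (Sucuri-documented
# injected-JavaScript include). Unanchored substring, enabled, drop in both policies - a
# legitimate site that happens to host a file of that name is blocked too.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Possible malicious redirect - rebots.php"; flow:to_server,established; content:"/rebots.php"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.sucuri.net/2012/08/rebots-php-javascript-malware-being-actively-injected.html; reference:url,labs.sucuri.net/db/malware/mwjs-include-rebots; classtype:misc-activity; sid:24017; rev:4;)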
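# Dorkbot DNS blacklist rules, disabled by default (standard-query check via byte_test as in
# the other DNS rules). sid 24031 has no terminating |00| after "com", unlike its siblings,
# so it also matches longer names that merely begin with api.wipmania.com.
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request for known malware domain api.wipmania.com - Troj.Dorkbot-AO"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|api|08|wipmania|03|com"; fast_pattern:only; metadata:impact_flag red, ruleset community, service dns; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Dorkbot-AO/detailed-analysis.aspx; classtype:trojan-activity; sid:24031; rev:2;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request for known malware domain lolcantpwnme.net - W32.DorkBot-S"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|lolcantpwnme|03|net|00|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service dns; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~DorkBot-S/detailed-analysis.aspx; classtype:trojan-activity; sid:24032; rev:2;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request for known malware domain rewt.ru - W32.DorkBot-S"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|rewt|02|ru|00|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service dns; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~DorkBot-S/detailed-analysis.aspx; classtype:trojan-activity; sid:24033; rev:2;)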
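# sid 24034 - Palevo DNS lookup for jebena.ananikolic.su (wire-format name, standard query
# only). Enabled; drop in both policies, so the lookup itself is blocked, not just logged.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request for known malware domain jebena.ananikolic.su - Malware.HPsus/Palevo-B"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|jebena|0A|ananikolic|02|su|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/suspicious-behavior-and-files/HPsus~Palevo-B/detailed-analysis.aspx; classtype:trojan-activity; sid:24034; rev:3;)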


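# sid 24225 - redirect to the Java-exploit campaign documented by Sucuri. The URI token
# "YWZmaWQ9MDUyODg" base64-decodes to "affid=05288", i.e. one specific affiliate id; other
# affiliate ids from the same kit will not match. Enabled; drop in both policies.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER malicious redirection attempt"; flow:to_server,established; content:"a=YWZmaWQ9MDUyODg"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.sucuri.net/2012/09/compromised-websites-hosting-calls-to-java-exploit.html; classtype:bad-unknown; sid:24225; rev:2;)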
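# sid 24251 - Android Fakelash C2: /data.php?action= followed in order by &m=, &p= and &n=
# (all nocase). Generic parameter names; disabled by default.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android/Fakelash.A!tr.spy trojan command and control channel traffic"; flow:to_server,established; content:"/data.php?action="; nocase; http_uri; content:"&m="; distance:0; nocase; http_uri; content:"&p="; distance:0; nocase; http_uri; content:"&n="; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:url,blog.fortiguard.com/android-malware-distributed-by-malicious-sms-in-france/; classtype:trojan-activity; sid:24251; rev:4;)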
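# sids 24253 / 24254 - redirects to a bare IPv4 address. The pcre is relative (R) to the
# content and requires "//" followed by a dotted quad before the next ">", so hostname
# redirects are ignored. Both contents are case-sensitive. Disabled by default.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE IP only webpage redirect attempt"; flow:to_client,established; file_data; content:"<html><head><meta http-equiv=|22|refresh"; pcre:"/^[^>]*\x2f\x2f\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\x2e\d{1,3}/sR"; metadata:ruleset community, service http; classtype:bad-unknown; sid:24253; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE IP only webpage redirect attempt"; flow:to_client,established; file_data; content:"document.location="; pcre:"/^[^>]*\x2f\x2f\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\x2e\d{1,3}/sR"; metadata:ruleset community, service http; classtype:bad-unknown; sid:24254; rev:6;)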
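# sid 24265 - fake browser UA ("Windows NT 9.0" is not a real platform token) sent to TCP/84.
# Raw content with no http_header and no service metadata, so it works without HTTP
# inspection on that port; it only covers port 84. Enabled; drop in both policies.
# NOTE(review): detection_filter with count 1 lets the first match through, so it adds no
# rate gating here - confirm whether a higher count was intended.
alert tcp $HOME_NET any -> $EXTERNAL_NET 84 (msg:"MALWARE-OTHER Malicious UA detected on non-standard port"; flow:to_server,established; content:"User-Agent|3A| Mozilla/5.0 |28|Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US|29|"; detection_filter:track by_src, count 1, seconds 120; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,anubis.iseclab.org/?action=result&task_id=1691c3b8835221fa4692960681f39c736&format=html; classtype:trojan-activity; sid:24265; rev:4;)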
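# sid 24598 - inbound mail (file_data on SMTP) containing a 1.usa.gov short link with a 6-8
# hex-character path, the pattern abused for spam redirects. Policy class, disabled by default.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM 1.usa.gov URL in email, possible spam redirect"; flow:to_server, established; file_data; content:"http|3A 2F 2F|1.usa.gov"; pcre:"/http\x3A\x2f\x2f1\.usa\.gov\x2f[a-f0-9]{6,8}/smi"; metadata:ruleset community, service smtp; reference:url,www.symantec.com/connect/blogs/spam-gov-urls; classtype:bad-unknown; sid:24598; rev:3;)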
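# sid 24885 - banking-trojan config fetch: URI exactly "/Config.txt" (urilen:11 equals the
# 11-byte content) with UA "Mozilla/3.0 (compatible; Indy Library)". Enabled; drop in both
# policies. NOTE(review): that UA is the stock default of the Indy (Delphi) HTTP client, so
# legitimate Delphi software fetching a /Config.txt would also be dropped.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Potential Banking Trojan Config File Download"; flow:to_server,established; urilen:11; content:"|2F|Config|2E|txt"; fast_pattern:only; http_uri; content:"Mozilla|2F|3|2E|0|20 28|compatible|3B 20|Indy|20|Library|29 0D 0A|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/2418469245edf860633f791b972e1a8a11e5744c6deb0cc1a55531cba3d0bd7f/analysis/; classtype:trojan-activity; sid:24885; rev:2;)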

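# sid 24886 - Dorkbot check-in: a .php URI with query parameters ip, os, name and id in that
# order. The names are generic, so unrelated applications using the same ordered parameters
# will hit; enabled and dropped in both policies.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dorkbot variant outbound connection"; flow:to_server,established; content:".php?ip="; http_uri; content:"&os="; distance:0; http_uri; content:"&name="; distance:0; http_uri; content:"&id="; distance:0; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/c425af6875dff2c0627421086f66b7e058f51d22939478529702d193837c6cfe/analysis/; classtype:trojan-activity; sid:24886; rev:3;)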
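# sid 25050 - Zeus behavioural profile: MSIE-tagged POST to a .php with no Accept-Language,
# Referer or Cookie header, a Content-Length below 369 (byte_test reads up to 8 ASCII digits
# after the header) and four consecutive non-printable bytes in the body (pcre /P).
# Deliberately broad; disabled by default.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"|3B 20|MSIE|20|"; http_header; content:!"|0D 0A|Accept|2D|Language|3A|"; http_header; content:!"|0D 0A|Referer|3A|"; http_header; content:!"|0D 0A|Cookie|3A|"; http_header; content:"Content-Length: "; nocase; byte_test:8,<,369,0,string,relative; pcre:"/[^\x20-\x7e\x0d\x0a]{4}/P"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:25050; rev:6;)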
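# sid 25054 - ZeroAccess click-server callback: HTTP/1.0 request with Host: as the first
# header (raw content) and a 95-byte URI of the form /<83 alnum>=<10 alnum>
# (urilen:95 = 1 + 83 + 1 + 10). Enabled; drop in both policies.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC ZeroAccess Clickserver callback"; flow:to_server,established; urilen:95; content:" HTTP/1.0|0D 0A|Host:"; fast_pattern:only; pcre:"/^\x2f[A-Z\d]{83}\x3d[A-Z\d]{10}$/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:25054; rev:3;)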
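# sid 25119 - exact header "User-Agent: NewBrandTest\r\n" (the trailing CRLF excludes any
# longer UA that merely starts with the token). Enabled; drop in both policies.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user agent - NewBrandTest"; flow:to_server,established; content:"User-Agent|3A 20|NewBrandTest|0D 0A|"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/02b18d0aa415e299515891b56424751e846ca917d3bb55b82f07cfb97f62c4e1/analysis/; classtype:trojan-activity; sid:25119; rev:2;)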
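# sid 25224 - ZeroAccess: 52-byte URI of "/" plus 51 lower-alphanumerics (urilen:52), with a
# Referer of http://<host>/s/?k=. The Referer host class is [a-z0-9.-]; the "/s/?k=" content
# is searched in the header buffer, not the URI. Enabled; drop in both policies.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ZeroAccess URI and Referer"; flow:to_server,established; urilen:52; content:"/s/?k="; fast_pattern:only; http_header; pcre:"/^\x2f[a-z0-9]{51}$/Ui"; pcre:"/Referer\x3a\s*?http\x3a\x2f{2}[a-z0-9\x2e\x2d]+\x2fs\x2f\x3fk\x3d/Hi"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:25224; rev:2;)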
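# sid 25256 - Gamarue/Andromeda check-in: POST to exactly "/a/image.php" (urilen:12) with the
# bare header "User-Agent: Mozilla/4.0\r\n". Enabled; drop in both policies.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.Gamarue variant outbound connection"; flow:to_server,established; content:"POST"; http_method; urilen:12; content:"/a/image.php"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:25256; rev:3;)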
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Skintrim variant outbound connection";
flow:to_server,established; content:"POST"; http_method;
content:"/bin/check.php?cv="; http_uri; content:"ThIs_Is_tHe_bouNdaRY_$";
fast_pattern; http_header; metadata:policy balanced-ips drop, policy
security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/file/80e67695fa394f56fd6ddae74b72e9050f6

51244aad52ad48ebe6304edff95e2/analysis/1357239259/; classtype:trojan-activity; sid:25257; rev:4;)


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Rombrast variant outbound connection";
flow:to_server,established; content:"/file.aspx?file=";
fast_pattern:only; http_uri; content:"ksp/WS"; http_header;
metadata:policy balanced-ips drop, policy security-ips drop, ruleset
community, service http;
reference:url,www.virustotal.com/file/af1ffe831112cbb34866fe1a65ed1861357
8039b002ca221757b791a5006894d/analysis/; classtype:trojan-activity;
sid:25258; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.BancosBanload variant outbound connection";
flow:to_server,established; content:".gif"; http_uri; content:"|0D 0A|
Accept|2D|Encoding|3A 20|gzip|2C|deflateidentity|0D 0A|";
fast_pattern:only; http_header; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http;
reference:url,www.virustotal.com/file/098fa9dbc519669a50fc6f3cdc8d9e4b05a
6f0c32d154f515e403b54d72efff6/analysis/1357138873/; classtype:trojan-activity; sid:25259; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Buterat variant outbound connection";
flow:to_server,established; content:"From|3A|"; http_header;
content:"Via|3A|"; http_header; urilen:13;
pcre:"/^\x2f\d{3}\x2f\d{3}\x2ehtml$/U"; metadata:policy balanced-ips
drop, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/file/90fb793d1fd7245b841ca4b195e3944a991
d97d854090729062d700fe74553e5/analysis/; classtype:trojan-activity;
sid:25269; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Buzus variant outbound connection";
flow:to_server,established; content:"/default.aspx?ver="; http_uri;
content:"&uid="; distance:0; http_uri; content:"|3B 20|MRA|20|5.10|20|";
http_header; pcre:"/\x26uid\x3d[a-f0-9]{16}($|\x26)/U"; metadata:policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http; classtype:trojan-activity; sid:25271; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER
Request for a non-legit postal receipt"; flow:to_server,established;
content:".php?php=receipt"; fast_pattern:only; http_uri; pcre:"/\x2f[a-z0-9]+\.php\?php\x3dreceipt$/Ui"; metadata:policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,urlquery.net/search.php?q=.php%3Fphp%3Dreceipt&type=string;
classtype:misc-activity; sid:25277; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Pushdo Spiral Traffic"; flow:to_server,established; content:"POST";
http_method; urilen:39; content:"/?ptrxcz_"; fast_pattern:only; http_uri;
pcre:"/^\x2f\x3fptrxcz\x5f[a-zA-Z0-9]{30}$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http;
reference:url,updates.atomicorp.com/channels/rules/delayed/modsec/10_asl_
antimalware.conf; classtype:trojan-activity; sid:25471; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Necurs Rootkit sba.cgi"; flow:to_server,established; content:"POST";
http_method; urilen:16; content:"/cgi-bin/sba.cgi"; fast_pattern:only;

http_uri; pcre:"/[^\x20-\x7e\x0d\x0a]{4}/P"; metadata:policy balanced-ips


drop, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/file/b1e6f0cad0ae5c60e9e4fa18fd3b4a045d6
db172c10a1c8e054e22d1aff4c673/analysis/; classtype:trojan-activity;
sid:25503; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Necurs Rootkit op.cgi"; flow:to_server,established; content:"POST";
http_method; urilen:15; content:"/cgi-bin/op.cgi"; fast_pattern:only;
http_uri; pcre:"/[^\x20-\x7e\x0d\x0a]{4}/P"; metadata:policy balanced-ips
drop, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/file/b1e6f0cad0ae5c60e9e4fa18fd3b4a045d6
db172c10a1c8e054e22d1aff4c673/analysis/; classtype:trojan-activity;
sid:25504; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC
Win.Trojan.Symmi variant outbound connection";
flow:to_server,established; content:"lfstream|26|"; depth:9; offset:8;
pcre:"/^POST\x20\x2fg[ao]lfstream\x26/"; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http;
reference:url,www.virustotal.com/file/f4c44b5331c30b62beacae5d343d5915847
15c2d9d6d65848216b61efd916ec1/analysis/; classtype:trojan-activity;
sid:25511; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE
Apple iPod User-Agent detected"; flow:established,to_server;
content:"User-Agent|3A|"; http_header; content:"iPod"; distance:0;
fast_pattern; http_header; pcre:"/^User-Agent\x3a[^\r\n]*iPod/H";
metadata:ruleset community, service http; classtype:policy-violation;
sid:25518; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE
Apple iPad User-Agent detected"; flow:established,to_server;
content:"User-Agent|3A|"; http_header; content:"iPad"; distance:0;
fast_pattern; http_header; pcre:"/^User-Agent\x3a[^\r\n]*iPad/H";
metadata:ruleset community, service http; classtype:policy-violation;
sid:25519; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE
Apple iPhone User-Agent detected"; flow:established,to_server;
content:"User-Agent|3A|"; http_header; content:"iPhone"; distance:0;
fast_pattern; http_header; pcre:"/^User-Agent\x3a[^\r\n]*iPhone/H";
metadata:ruleset community, service http; classtype:policy-violation;
sid:25520; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE
Android User-Agent detected"; flow:established,to_server; content:"User-Agent|3A|"; http_header; content:"android"; distance:0; fast_pattern;
nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*android/iH";
metadata:ruleset community, service http; classtype:policy-violation;
sid:25521; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE
Nokia User-Agent detected"; flow:established,to_server; content:"User-Agent|3A|"; http_header; content:"nokia"; distance:0; fast_pattern;
nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*nokia/iH";
metadata:ruleset community, service http; classtype:policy-violation;
sid:25522; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE
Samsung User-Agent detected"; flow:established,to_server; content:"User-

Agent|3A|"; http_header; content:"Samsung"; distance:0; fast_pattern;


nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*samsung/iH";
metadata:ruleset community, service http; classtype:policy-violation;
sid:25523; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE
Kindle User-Agent detected"; flow:established,to_server; content:"User-Agent|3A|"; http_header; content:"kindle"; distance:0; fast_pattern;
nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*kindle/iH";
metadata:ruleset community, service http; classtype:policy-violation;
sid:25524; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-OTHER
Nintendo User-Agent detected"; flow:established,to_server; content:"User-Agent|3A|"; http_header; content:"nintendo"; distance:0; fast_pattern;
nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*nintendo/iH";
metadata:ruleset community, service http; classtype:policy-violation;
sid:25525; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Rootkit.Necurs possible URI with encrypted POST";
flow:to_server,established; content:"POST"; http_method; urilen:15;
content:"/admin/host.php"; fast_pattern:only; http_uri; pcre:"/
[^\x0d\x0a\x09\x20-\x7e]{4}/P"; metadata:policy balanced-ips drop, policy
security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/file/98fb9778208cb74c11a71afd065ae64e562
ded1ae477ad42e392fe3711170319/analysis/; classtype:trojan-activity;
sid:25577; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER
Fake postal receipt HTTP Response phishing attack";
flow:to_client,established; content:"|3B 20|filename=PostalReceipt.zip|0D
0A|"; fast_pattern:only; http_header; file_data;
content:"PostalReceipt.exe"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http;
reference:url,www.urlquery.net/search.php?
q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50;
classtype:trojan-activity; sid:25578; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER
Fake bookinginfo HTTP Response phishing attack";
flow:to_client,established; content:"|3B 20|filename=BookingInfo.zip|0D
0A|"; fast_pattern:only; http_header; file_data;
content:"BookingInfo.exe"; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service http;
reference:url,www.urlquery.net/search.php?
q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50;
classtype:trojan-activity; sid:25579; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER
Fake bookingdetails HTTP Response phishing attack";
flow:to_client,established; content:"|3B 20|filename=BookingDetails.zip|
0D 0A|"; fast_pattern:only; http_header; file_data;
content:"BookingDetails.exe"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http;
reference:url,www.urlquery.net/search.php?
q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50;
classtype:trojan-activity; sid:25580; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,443] (msg:"MALWARE-CNC Win.Trojan.Reventon variant outbound communication";

flow:to_server,established; dsize:4; content:"|9A 02 00 00|";


fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/file/25c690dac0d17f9ba304e5e68c1da238168
5b1aa0aa3cd503589bbc59daf81eb/analysis/; classtype:trojan-activity;
sid:25627; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Kryptic variant outbound connection";
flow:to_server,established; content:"Accept-Language: en-us|3B 0D 0A|";
http_header; content:"wok5VLG.6"; fast_pattern:only; http_client_body;
metadata:policy balanced-ips drop, policy security-ips drop, ruleset
community, service http;
reference:url,www.virustotal.com/file/3ff78086c2e0fb839beeea7e4a209850c00
f338005872e845155341cc30a5db5/analysis/; classtype:trojan-activity;
sid:25652; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Medfos variant outbound connection";
flow:to_server,established; content:"/js/disable.js?type=";
fast_pattern:only; http_uri; content:"Accept|3A 20|
application/javascript|2C 20 2A 2F 2A 3B|q=0.8"; http_header;
metadata:policy balanced-ips drop, policy security-ips drop, ruleset
community, service http;
reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry
.aspx?Name=Trojan:JS/Medfos.B; classtype:trojan-activity; sid:25660;
rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC
Win.Trojan.Fakeavlock variant outbound connection";
flow:to_server,established; dsize:267<>276; content:"User-Agent|3A|
Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D
0A|"; fast_pattern:only; http_header; urilen:159; pcre:"/\x2f[A-F0-9]
{158}/U"; metadata:impact_flag red, policy balanced-ips drop, policy
security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fb
d651d82f6c9c5a98170644374f64f/analysis/; classtype:trojan-activity;
sid:25675; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Trojan Agent YEH variant outbound connection";
flow:to_server,established; content:"|29 3B 28|b|3A|3790|3B|c|3A|INT|2D|
6760|3B|l|3A|09|29 0D 0A|"; fast_pattern:only; http_header; pcre:"/\x2f\?
ts\x3d[a-f0-9]{40}\x26/Ui"; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service http;
reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-YEH/detailed-analysis.aspx; classtype:trojan-activity; sid:25765; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Bancos variant outbound connection";
flow:to_server,established; content:"/cmd.php?cmd="; http_uri;
content:"arq="; distance:0; http_uri; content:"cmd2="; distance:0;
http_uri; metadata:impact_flag red, policy balanced-ips drop, policy
security-ips drop, ruleset community, service http;
reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry
.aspx?Name=Win32%2fBancos; classtype:trojan-activity; sid:25766; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Urausy Botnet variant outbound communication";

flow:to_server,established; urilen:95<>102; content:"|29 20|Chrome|2F|";


http_header; content:!"|0A|Accept-Encoding|3A 20|"; http_header;
pcre:"/^\x2f[a-z\x2d\x5f]{90,97}\.php$/U"; metadata:impact_flag red,
policy balanced-ips drop, policy security-ips drop, ruleset community,
service http; reference:url,www.botnets.fr/index.php/Urausy;
classtype:trojan-activity; sid:25807; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Trojan Banker FTC variant outbound connection";
flow:to_server,established; urilen:18; content:"/listas/out/si.php";
fast_pattern:only; http_uri; content:"HTTP/1.0|0D 0A|"; depth:10;
offset:24; metadata:policy balanced-ips drop, policy security-ips drop,
ruleset community, service http; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Banker-FTC/detailed-analysis.aspx; classtype:trojan-activity; sid:25829; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Zeus variant outbound connection - MSIE7 No Referer No
Cookie"; flow:to_server,established; urilen:1; content:"|2F|"; http_uri;
pcre:"/\r\nHost\x3A\s+[^\r\n]*?[bcdfghjklmnpqrstvwxyz]{5,}
[^\r\n]*?\x2Einfo\r\n/Hi"; content:!"|0A|Referer|3A|"; http_header;
content:!"|0A|Cookie|3A|"; http_header; content:"|3B 20|MSIE|20|7.0|3B
20|"; http_header; content:"|2E|info|0D 0A|"; fast_pattern; nocase;
http_header; metadata:impact_flag red, policy security-ips drop, ruleset
community, service http;
reference:url,en.wikipedia.org/wiki/Zeus_(Trojan_horse);
classtype:trojan-activity; sid:25854; rev:5;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain 24131192124.com - Win.Trojan.Chebri.C "; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|0B|24131192124|03|com|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry
.aspx?Name=Trojan%3AWin32%2FChebri.C; classtype:trojan-activity;
sid:25946; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"APP-DETECT Ammyy
remote access tool"; flow:to_server,established; content:"POST";
http_method; content:"|0A|Host|3A 20|rl.ammyy.com|0D 0A|";
fast_pattern:only; http_header; metadata:ruleset community, service http;
reference:url,www.ammyy.com; classtype:policy-violation; sid:25947;
rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT
redirection to driveby download"; flow:to_client,established; file_data;
content:"/Home/index.php|22| width=1 height=1 scrolling=no></iframe>";
fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips
drop, ruleset community, service http; classtype:trojan-activity;
sid:25948; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
GzWaaa outbound data connection"; flow:to_server,established;
content:"POST"; http_method; content:".php"; http_uri; content:"User|2D|
Agent|3A 20|Mozilla|2F|3.0|20 28|compatible|3B 20|Indy Library|29 0D
0A|"; http_header; content:"form-data|3B| name=|22|userfile|22 3B|
filename="; fast_pattern:only; http_client_body; metadata:impact_flag
red, policy balanced-ips drop, policy security-ips drop, ruleset
community, service http;
reference:url,www.virustotal.com/en/file/04edf40eaf652dfab4e8dc2ca21fbf2e

99d361746995767071789cc3fa24d2cc/analysis/1361822708/; classtype:trojan-activity; sid:25949; rev:2;)


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT
Sibhost exploit kit"; flow:to_server,established;
content:"yoO4TAbn2tpl5DltCfASJIZ2spEJPLSn"; fast_pattern:only; http_uri;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.malwaresigs.com/2013/02/26/sport-cd-am-sibhost;
classtype:trojan-activity; sid:26020; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Zbot variant in.php outbound connection";
flow:to_server,established; urilen:7; content:"/in.php"; http_uri;
content:".ru|0D 0A|User-Agent|3A 20|Mozilla/4.0|0D 0A|";
fast_pattern:only; http_header; content:"|0A|Content-Length|3A 20|";
http_header; metadata:policy balanced-ips drop, policy security-ips drop,
ruleset community, service http;
reference:url,zeustracker.abuse.ch/monitor.php?ipaddress=195.22.26.231;
classtype:trojan-activity; sid:26023; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Wecod variant outbound connection";
flow:to_server,established; urilen:20; content:"/b/n/winrar/tudo.rar";
fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy
security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/22e0300501e6bbb7f46c2fb5aed12e4c
0d23385cc6319d430cd4faed5241f362/analysis/; classtype:trojan-activity;
sid:26024; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Bancos variant outbound connection SQL query POST data";
flow:to_server,established; content:"a=select CAMPO from PAGINA where
CODIGO = "; fast_pattern:only; http_client_body; metadata:policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http;
reference:url,www.virustotal.com/en/file/88efcb549a52e3fb6359a3888e72726a
ac00c730edcd5280e0248d11306a645d/analysis/; classtype:trojan-activity;
sid:26075; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Zeus variant outbound connection"; flow:to_server,established;
content:".php"; http_uri; content:"|3B 20|MSIE|20|"; http_header;
content:"|0D 0A|Accept|2D|Encoding|3A 20|identity|0D 0A|"; distance:0;
http_header; pcre:"/\x0d\x0aContent\x2dLength\x3a\x20(124|
132)\x0d\x0a/H"; pcre:"/\x3d?\x3d\r\n$/P"; metadata:policy security-ips
drop, ruleset community, service http; classtype:trojan-activity;
sid:26106; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Gupd variant outbound connection"; flow:to_server,established;
content:"cstype="; depth:7; http_client_body; content:"&authname=";
within:48; distance:1; http_client_body; content:"&authpass="; within:48;
distance:1; http_client_body; content:"&hostname="; within:48;
distance:1; http_client_body; content:"&ostype="; within:256; distance:1;
http_client_body; content:"&macaddr="; within:64; distance:16;
http_client_body; content:"&owner="; within:48; distance:17;
http_client_body; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/0DD9018A9AF609382FABDA8E4EC86033

DA83E42FEC25499C329DBDCBB00F2AF0/analysis/; classtype:trojan-activity;
sid:26203; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Eldorado variant outbound connection";
flow:to_server,established; urilen:12; content:"/pid/pid.txt";
fast_pattern:only; http_uri; content:"(compatible|3B 20|Indy Library)|0D
0A 0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/46b01e093493ff14a4f1a43905d4943f
5559fb518c04edde46084d9672d0f20f/analysis/1363359002/; classtype:trojan-activity; sid:26211; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Proxyier variant outbound connection";
flow:to_server,established; content:"GET /?"; depth:6; content:"HTTP/1.1|
0D 0A|Host|3A 20|update|2E|"; distance:0; content:"0b8pre|0D 0A|";
fast_pattern:only; http_header; content:!"|0A|Referer"; http_header;
metadata:ruleset community, service http; classtype:trojan-activity;
sid:26212; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER
Fake postal receipt HTTP Response phishing attack";
flow:to_client,established; content:"|3B 20|filename=Postal-Receipt.zip|
0D 0A|"; fast_pattern:only; http_header; file_data; content:"PostalReceipt.exe"; metadata:impact_flag red, policy balanced-ips drop, policy
security-ips drop, ruleset community, service http;
reference:url,www.urlquery.net/search.php?
q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50;
classtype:trojan-activity; sid:26261; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Dapato banking Trojan variant outbound connection";
flow:to_server,established; urilen:21; content:"/pics/_vti_cnf/00.inf";
fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/ebcff32473d032041bd69e9599fbff4a
d295128003f76d1f452ba7cb6e2d20d4/analysis/1364314446/; classtype:trojan-activity; sid:26264; rev:5;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain mercury.yori.pl - Kazy Trojan"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|07|mercury|04|yori|02|pl|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/3b10dea660714efe9d89b8473196be64
445741a2b9d36f9ddf5e45e744a9e320/analysis/; classtype:trojan-activity;
sid:26265; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT
Absolute Software Computrace outbound connection - search.dnssearch.org";
flow:to_server,established; content:"Host|3A| search.dnssearch.org|0D
0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header;
metadata:policy security-ips drop, ruleset community, service http;
reference:url,absolute.com/support/consumer/technology_computrace;
reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:26286;
rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT
Absolute Software Computrace outbound connection - search.namequery.com";

flow:to_server,established; content:"Host|3A| search.namequery.com|0D


0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header;
metadata:policy security-ips drop, ruleset community, service http;
reference:url,absolute.com/support/consumer/technology_computrace;
reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:26287;
rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Brontok Worm variant outbound connection"; flow:to_server,established;
content:"User-Agent|3A| Brontok.A8 Browser|0D 0A|"; fast_pattern:only;
http_header; metadata:impact_flag red, policy balanced-ips drop, policy
security-ips drop, ruleset community, service http;
reference:url,www.securelist.com/en/descriptions/10286064/Email-Worm.Win32.Brontok.rf?print_mode=1; classtype:trojan-activity; sid:26288;
rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Daws
Trojan Outbound Plaintext over SSL Port"; flow:to_server,established;
content:"POST"; depth:4; pcre:"/^POST\x20\x2f[a-z]+\.[a-z]
{3}\x20HTTP\x2f1\.1\r\n/"; content:"|0D 0A|Content|2D|Disposition|3A 20|
form|2D|data|3B 20|name|3D 22|"; pcre:"/[^\x0d\x0a\x09\x20-\x7e]{4}/R";
pcre:"/\d+\x2d{2}\r\n$/R"; metadata:impact_flag red, policy security-ips
drop, ruleset community, service ssl;
reference:url,www.virustotal.com/file/f810c56734a686fdf46eb3ff895db6f3dd0
cebb45c1e74bcc1c43f8050242d53/analysis/1359999907/; classtype:trojan-activity; sid:26289; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
file path used as User-Agent - potential Trojan";
flow:to_server,established; content:"User-Agent|3A 20|C:|5C|";
fast_pattern:only; http_header; pcre:"/\.exe$/iU";
pcre:"/^User\x2dAgent\x3a\x20c\x3a\x5c[^\r\n]*?\.exe\r\n/Him";
metadata:impact_flag red, policy security-ips drop, ruleset community,
service http;
reference:url,www.virustotal.com/en/file/5dd932e083cf9d910bc43bb998983f5e
c35691c1b84708a355f7c46b358fa375/analysis/; classtype:trojan-activity;
sid:26319; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Scar variant outbound connection"; flow:to_server,established;
content:".php?mac="; fast_pattern:only; http_uri; content:"|0D 0A|Accept-Language|3A 20|ko|0D 0A|"; http_header; pcre:"/\.php\?mac\x3d([a-f0-9]
{2}\x3a){5}[a-f0-9]{2}$/U"; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/171a0b12197c1b1b525e2db1a62adb6f
6c3f42ccb5704c8174944ee8b901abec/analysis/; classtype:trojan-activity;
sid:26325; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
OSX.Trojan.Flashfake variant outbound connection";
flow:to_server,established; content:"|3B 20|sv|3A|"; http_header;
content:"|3B 20|id|3A|"; within:5; distance:1; http_header;
pcre:"/^User\x2dAgent\x3a\s[^\r\n]*?\x3b\x20id\x3a[A-F0-9]{8}\x2d([A-F0-9]{4}\x2d){3}[A-F0-9]{12}\)[^\r\n]*?\r\n/Hm"; metadata:policy security-ips drop, ruleset community, service http;
reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_D
OCUMENTATION/23000%2FPD23747/en_US/Threat_Advisory_OSX_Flashfake.pdf;
classtype:trojan-activity; sid:26327; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC


FBI Ransom Trojan variant outbound connection";
flow:to_server,established; content:"/nosignal.jpg?"; fast_pattern:only;
http_uri; pcre:"/^\x2fnosignal\.jpg\?\d\.\d+$/U"; metadata:impact_flag
red, policy balanced-ips drop, policy security-ips drop, ruleset
community, service http; classtype:trojan-activity; sid:26335; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Bancos variant outbound connection - ksa.txt";
flow:to_server,established; urilen:8; content:"/ksa.txt";
fast_pattern:only; http_uri; content:"User-Agent|3A 20|Mozilla/3.0
(compatible|3B| Indy Library)"; http_header; metadata:impact_flag red,
policy balanced-ips drop, policy security-ips drop, ruleset community,
service http;
reference:url,www.virustotal.com/en/file/d8870137f7f761055a2ac83b03eb3f8f
e26015fa0ba99f41551ca59374c6a3ec/analysis/1365436849/; classtype:trojan-activity; sid:26370; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Bancos variant outbound connection - op POST";
flow:to_server,established; content:"op="; depth:3; http_client_body;
content:"&nmpc="; fast_pattern:only; http_client_body;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/d8870137f7f761055a2ac83b03eb3f8f
e26015fa0ba99f41551ca59374c6a3ec/analysis/1365436849/; classtype:trojan-activity; sid:26371; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER
UTF-8 BOM in zip file attachment detected"; flow:to_server,established;
file_data; content:"|EF BB BF 50 4B 03 04|"; depth:7; metadata:policy
security-ips drop, ruleset community, service smtp;
reference:url,blogs.mcafee.com/mcafee-labs/phishing-threat-uses-utf-8-bom-in-zip-signature-to-evade-detection; classtype:trojan-activity;
sid:26380; rev:2;)
# alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"MALWARE-OTHER
UTF-8 BOM in zip file attachment detected"; flow:to_client,established;
file_data; content:"|EF BB BF 50 4B 03 04|"; depth:7; metadata:policy
security-ips drop, ruleset community, service ftp-data, service imap,
service pop3; reference:url,blogs.mcafee.com/mcafee-labs/phishing-threat-uses-utf-8-bom-in-zip-signature-to-evade-detection; classtype:trojan-activity; sid:26381; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER UTF-8 BOM in zip file attachment detected";
flow:to_client,established; file_data; content:"|EF BB BF 50 4B 03 04|";
depth:7; metadata:policy security-ips drop, ruleset community, service
http; reference:url,blogs.mcafee.com/mcafee-labs/phishing-threat-uses-utf-8-bom-in-zip-signature-to-evade-detection; classtype:trojan-activity;
sid:26382; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT
Ufasoft bitcoin miner possible data upload"; flow:to_server,established;
content:"User-Agent|3A| Ufasoft"; fast_pattern:only; http_header;
metadata:ruleset community, service http;
reference:url,ufasoft.com/open/bitcoin/; classtype:policy-violation;
sid:26395; rev:4;)
# alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain suppp.cantvenlinea.biz - Bitcoin Miner upload";

flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|suppp|0C|


cantvenlinea|03|biz|00|"; fast_pattern:only; metadata:impact_flag red,
policy balanced-ips alert, policy security-ips drop, ruleset community,
service dns; classtype:trojan-activity; sid:26396; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Gamarue variant outbound connection";
flow:to_server,established; content:"POST"; http_method;
content:"panel1/gate.php"; content:" HTTP/1.1|0D 0A|Cache-Control: no-cache|0D 0A|Connection|3A|"; fast_pattern:only; content:"+"; depth:15;
http_client_body; metadata:impact_flag red, policy security-ips drop,
ruleset community, service http;
reference:url,www.virustotal.com/en/file/b34f23afc2f6ca093b2923f0aa12d942
a5960cf48475272df5b60edf556e4299/analysis/; classtype:trojan-activity;
sid:26398; rev:2;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain f.eastmoon.pl - Win.Trojan.Dorkbot";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|f|08|eastmoon|02|pl|
00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips
alert, policy security-ips drop, ruleset community, service dns;
classtype:trojan-activity; sid:26399; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain s.richlab.pl - Win.Trojan.Dorkbot";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|s|07|richlab|02|pl|
00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips
alert, policy security-ips drop, ruleset community, service dns;
classtype:trojan-activity; sid:26400; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain gigasbh.org - Win.Trojan.Dorkbot";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|gigasbh.org|03|org";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips alert,
policy security-ips drop, ruleset community, service dns;
classtype:trojan-activity; sid:26401; rev:2;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain xixbh.com - Win.Trojan.Dorkbot"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|05|xixbh|03|com"; fast_pattern:only;
metadata:impact_flag red, policy balanced-ips alert, policy security-ips
drop, ruleset community, service dns; classtype:trojan-activity;
sid:26402; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain h.opennews.su - Win.Trojan.Dorkbot";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|h|08|opennews|02|su|
00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips
alert, policy security-ips drop, ruleset community, service dns;
classtype:trojan-activity; sid:26403; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain o.dailyradio.su - Win.Trojan.Dorkbot";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|o|0A|dailyradio|02|
su|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips
alert, policy security-ips drop, ruleset community, service dns;
classtype:trojan-activity; sid:26404; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain xixbh.net - Win.Trojan.Dorkbot"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|05|xixbh|03|net"; fast_pattern:only;
metadata:impact_flag red, policy balanced-ips alert, policy security-ips
drop, ruleset community, service dns; classtype:trojan-activity;
sid:26405; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain photobeat.su - Win.Trojan.Dorkbot";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|photobeat|02|su|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips alert,
policy security-ips drop, ruleset community, service dns;
classtype:trojan-activity; sid:26406; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain uranus.kei.su - Win.Trojan.Dorkbot";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|uranus|03|kei|02|su|
00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips
alert, policy security-ips drop, ruleset community, service dns;
classtype:trojan-activity; sid:26407; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain gigasphere.su - Win.Trojan.Dorkbot";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|gigashpere|02|su";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips alert,
policy security-ips drop, ruleset community, service dns;
classtype:trojan-activity; sid:26408; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain ext.myshopers.com - Win.Trojan.Dorkbot";
flow:to_server; byte_test:1,!&,0xF8,2; content:"ext|08|myshopers|03|com";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips alert,
policy security-ips drop, ruleset community, service dns;
classtype:trojan-activity; sid:26409; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE IP address check to j.maxmind.com detected";
flow:to_server,established; content:"/app/geoip.js"; http_uri;
content:"Host|3A 20|j.maxmind.com"; fast_pattern:only; http_header;
metadata:ruleset community, service http; classtype:misc-activity;
sid:26410; rev:4;)
# alert tcp any any -> $HOME_NET 445 (msg:"MALWARE-OTHER Win.Worm.Dorkbot
folder snkb0ptz creation attempt SMB"; flow:to_server,established;
content:"|73 00 6E 00 6B 00 62 00 30 00 70 00 74 00 7A 00|";
fast_pattern:only; metadata:ruleset community, service netbios-ssn;
classtype:trojan-activity; sid:26411; rev:2;)
# alert tcp any any -> $HOME_NET 445 (msg:"MALWARE-OTHER Win.Worm.Dorkbot
executable snkb0ptz.exe creation attempt SMB";
flow:to_server,established; content:"|73 00 6E 00 6B 00 62 00 30 00 70 00
74 00 7A 00|"; fast_pattern:only; content:".exe"; metadata:ruleset
community, service netbios-ssn; classtype:trojan-activity; sid:26412;
rev:2;)
# alert tcp any any -> $HOME_NET 445 (msg:"MALWARE-OTHER Win.Worm.Dorkbot
Desktop.ini snkb0ptz.exe creation attempt SMB";
flow:to_server,established; content:"|73 00 6E 00 6B 00 62 00 30 00 70 00
74 00 7A 00|"; content:"|5C|"; within:1; content:"|00 44 00 65 00 73 00
6B 00 74 00 6F 00 70 00 2E 00 69 00 6E 00 69 00|"; distance:0;
metadata:ruleset community, service netbios-ssn; classtype:trojan-activity; sid:26413; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.Magic variant inbound connection"; flow:to_client,established;
file_data; content:"some_magic_code1"; depth:36; metadata:policy
security-ips drop, ruleset community, service http;
reference:url,www.seculert.com/blog/2013/04/magic-persistent-threat.html;
classtype:trojan-activity; sid:26467; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-ORACLE Oracle WebCenter FatWire Satellite Server header injection on
blobheadername2 attempt"; flow:to_server,established;
content:"blobheadername2=Location"; fast_pattern:only; http_uri;
content:"blobheadervalue2="; nocase; http_uri; metadata:ruleset
community, service http; reference:cve,2013-1509;
reference:url,www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html; classtype:web-application-attack; sid:26468; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-ORACLE Oracle WebCenter FatWire Satellite Server header injection on
blobheadername2 attempt"; flow:to_server,established;
content:"blobheadername2=Refresh"; fast_pattern:only; http_uri;
content:"blobheadervalue2="; nocase; http_uri; metadata:ruleset
community, service http; reference:cve,2013-1509;
reference:url,www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html; classtype:web-application-attack; sid:26469; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER
Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware
download"; flow:to_client,established; content:"-2013.zip|0D 0A|";
fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-";
within:1; distance:-14; http_header; file_data; content:"-2013.exe";
content:"-"; within:1; distance:-14; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http;
reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d07
08cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity;
sid:26470; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Zbot fake PNG config file download without User-Agent";
flow:to_server,established; content:"Accept:
application/xml,application/xhtml+xml,text/html|3B|q=0.9,text/plain|3B|
q=0.8,image/png,*/*|3B|q=0.5|0D 0A|"; fast_pattern:only; http_header;
pcre:"/\.png$/Ui"; content:!"User-Agent:"; nocase; http_header;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http; classtype:trojan-activity;
sid:26480; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Unknown Thinner Encrypted POST botnet C&C"; flow:to_server,established;
content:"/thinner/thumb?img="; fast_pattern:only; http_uri; pcre:"/
[^\x20-\x7e\x0d\x0a]{4}/P"; metadata:impact_flag red, policy security-ips
drop, ruleset community, service http; reference:url,support.clean-mx.de/clean-mx/viruses.php?sort=firstseen%20desc&review=95.57.120.111;
classtype:trojan-activity; sid:26482; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP JavaScript tag in User-Agent field possible XSS attempt";
flow:to_server,established; content:"User-Agent|3A| <SCRIPT>";
fast_pattern:only; http_header; metadata:ruleset community, service http;
reference:url,blog.spiderlabs.com/2012/11/honeypot-alert-referer-field-xss-attacks.html; classtype:web-application-attack; sid:26483; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"BLACKLIST User-Agent
known malicious user agent NOKIAN95/WEB"; flow:to_server,established;
content:"User-Agent|3A| NOKIAN95|2F|WEB"; fast_pattern:only;
metadata:policy balanced-ips drop, policy security-ips drop, ruleset
community, service http; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication/; classtype:trojan-activity; sid:26522; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Portable Executable downloaded with bad DOS stub";
flow:to_client,established; file_data; content:"MZ"; depth:2; content:"|
2F 2A 14 20|"; distance:0; metadata:policy balanced-ips drop, policy
security-ips drop, ruleset community, service ftp-data, service http,
service imap, service pop3; reference:cve,2013-2423;
reference:url,www.invincea.com/2013/04/k-i-a-java-cve-2013-2423-via-new-and-improved-cool-ek/; classtype:trojan-activity; sid:26526; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Unix.Backdoor.Cdorked redirect attempt";
flow:to_client,established; content:"0aW1lP"; fast_pattern; http_header;
content:"/index.php?"; distance:-50; http_header; base64_decode:bytes
150, offset 10, relative; base64_data; content:"time="; content:"&src=";
distance:0; content:"&surl="; distance:0; metadata:impact_flag red,
ruleset community, service http;
reference:url,blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html;
reference:url,virustotal.com/en/file/7b3cd8c1bd0249df458084f28d91648ad14e
1baf455fdd53b174481d540070c6/analysis/; classtype:trojan-activity;
sid:26528; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Unknown malware - Incorrect headers - Referer HTTP/1.0";
flow:to_server,established; content:"Referer: HTTP/1.0|0D 0A|";
fast_pattern:only; http_header; metadata:policy security-ips drop,
ruleset community, service http; classtype:trojan-activity; sid:26533;
rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-ADWARE
Win.Adware.BProtector browser hijacker dll list download attempt";
flow:to_server,established; content:"GET"; http_method;
content:"/builds/"; nocase; http_uri; content:"fflists.txt"; nocase;
http_uri; metadata:ruleset community, service http; classtype:misc-activity; sid:26553; rev:3;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain d1js21szq85hyn.cloudfront.net - Win.Adware.BProtector"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|
0E|d1js21szq85hyn|0A|cloudfront|03|net"; fast_pattern:only;
metadata:impact_flag red, policy balanced-ips alert, policy security-ips
drop, ruleset community, service dns; classtype:trojan-activity;
sid:26554; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain xxxxxxxxxxxxxxx.kei.su - Win.Trojan.Dorkbot";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|xxxxxxxxxxxxxxx|03|
kei|02|su"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips alert, policy security-ips drop, ruleset community, service dns;
classtype:trojan-activity; sid:26555; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain f.dailyradio.su - Win.Trojan.Dorkbot";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|01|f|0A|dailyradio|02|
su|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips
alert, policy security-ips drop, ruleset community, service dns;
classtype:trojan-activity; sid:26556; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLACKLIST
User-Agent known Malicious user agent Brutus AET";
flow:to_server,established; content:"Mozilla|2F|3.0 |28|Compatible|29 3B|
Brutus|2F|AET"; fast_pattern:only; http_header; metadata:impact_flag red,
policy balanced-ips drop, policy security-ips drop, ruleset community,
service http; reference:url,sectools.org/tool/brutus; classtype:misc-activity; sid:26558; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Bancos variant outbound connection - getcomando POST data";
flow:to_server,established; content:"tipo=getcomando&";
fast_pattern:only; http_client_body; metadata:impact_flag red, policy
security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/a8f162a9c7347e485db374664227884b
16112e2983923d0888c8b80661f25e44/analysis/1367267173/; classtype:trojan-activity; sid:26560; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Zeus variant outbound connection"; flow:to_server,established;
content:"&sk1="; fast_pattern:only; http_client_body; content:"bn1=";
depth:4; http_client_body; metadata:impact_flag red, policy security-ips
drop, ruleset community, service http; classtype:trojan-activity;
sid:26561; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT
Nuclear exploit kit Spoofed Host Header .com- requests";
flow:to_server,established; content:".com-"; http_header;
pcre:"/\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\x2d[a-z0-9\x2d\x2e]+
(\x3a\d{1,5})?\r\n/Hi"; content:"|0D 0A|Accept|3A 20|text/html,
image/gif, image/jpeg, *|3B| q=.2, */*|3B| q=.2|0D 0A|";
fast_pattern:only; http_header; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http; classtype:trojan-activity; sid:26562; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Harakit botnet traffic"; flow:to_server,established; urilen:10;
content:"sousi.extasix.com|0D 0A|"; fast_pattern:only; http_header;
content:"/genst.htm"; http_uri; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http;
reference:url,www.symantec.com/security_response/attacksignatures/detail.
jsp?asid=23239;
reference:url,www.virustotal.com/en/file/3df72fe102fddc74de2da518ea16948b
d2c8c0e910c28c4358367e10723ba21f/analysis/; classtype:trojan-activity;
sid:26563; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Potential hostile executable served from compromised or malicious
WordPress site"; flow:to_server,established; content:"/wp-content/";
http_uri; content:".exe|20|HTTP/1."; fast_pattern:only;
pcre:"/\/\d+\.exe$/U"; metadata:policy security-ips drop, ruleset
community, service http; reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-sirefef-malware; classtype:trojan-activity;
sid:26576; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST
User-Agent known malicious user agent Opera 10";
flow:to_server,established; content:"Opera/10|20|"; fast_pattern:only;
http_header; metadata:impact_flag red, policy balanced-ips drop, policy
security-ips drop, ruleset community, service http;
reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-sirefef-malware;
reference:url,dev.opera.com/articles/view/opera-ua-string-changes; classtype:trojan-activity; sid:26577; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Kazy/FakeAV Checkin with IE6 User-Agent";
flow:to_server,established; content:"/images/m.php?id=";
fast_pattern:only; http_uri; content:"|3B 20|MSIE 6.0|3B 20|";
http_header; content:!"Referer|3A 20|"; http_header; metadata:impact_flag
red, policy balanced-ips drop, policy security-ips drop, ruleset
community, service http;
reference:url,www.virustotal.com/en/file/b288d6eadc9d4bca710f73e850a0901c
f5fe62c775350c9a30ebaf9a05097a0f/analysis/1367713929/; classtype:trojan-activity; sid:26578; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Kazy/FakeAV Checkin with IE6 User-Agent";
flow:to_server,established; content:"/ccbill/m.php?id=";
fast_pattern:only; http_uri; content:"|3B 20|MSIE 6.0|3B 20|";
http_header; content:!"Referer|3A 20|"; http_header; metadata:impact_flag
red, policy balanced-ips drop, policy security-ips drop, ruleset
community, service http;
reference:url,www.virustotal.com/en/file/b288d6eadc9d4bca710f73e850a0901c
f5fe62c775350c9a30ebaf9a05097a0f/analysis/1367713929/; classtype:trojan-activity; sid:26579; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain www.elitemarketingworld.net - Cosmu Trojan";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|13|
elitemarketingworld|03|net|00|"; fast_pattern:only; metadata:impact_flag
red, policy balanced-ips drop, policy security-ips drop, ruleset
community, service dns; reference:url,camas.comodo.com/cgi-bin/submit?
file=19e389aa2bce187e2fcd1aaa8b0f617cee2907b27b45dd0d5090d50d308a91bc;
classtype:trojan-activity; sid:26580; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain www.rsakillerforever.name - Cosmu Trojan"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|03|www|10|rsakillerforever|04|name|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,camas.comodo.com/cgi-bin/submit?
file=19e389aa2bce187e2fcd1aaa8b0f617cee2907b27b45dd0d5090d50d308a91bc;
classtype:trojan-activity; sid:26581; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain www.allamericanservices.name - Cosmu Trojan";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|13|
allamericanservices|04|name|00|"; fast_pattern:only; metadata:impact_flag
red, policy balanced-ips drop, policy security-ips drop, ruleset
community, service dns; reference:url,camas.comodo.com/cgi-bin/submit?
file=19e389aa2bce187e2fcd1aaa8b0f617cee2907b27b45dd0d5090d50d308a91bc;
classtype:trojan-activity; sid:26582; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain msnsolution.nicaze.net - Genome Trojan"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|0B|msnsolution|06|nicaze|03|net|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,camas.comodo.com/cgi-bin/submit?
file=f48652bff483682938b8c281d32f8f3df424018270900956d30658e1dcec4b44;
reference:url,www.virustotal.com/en/file/f48652bff483682938b8c281d32f8f3d
f424018270900956d30658e1dcec4b44/analysis/1367863560/; classtype:trojan-activity; sid:26583; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE config.inc.php in iframe"; flow:to_client,established;
file_data; content:"<iframe"; content:"config.inc.php"; within:100;
content:"</iframe>"; distance:0; metadata:ruleset community, service
http; reference:url,blog.sucuri.net/2013/05/auto-generated-iframes-to-blackhole-exploit-kit-following-the-cookie-trail.html; classtype:trojan-activity; sid:26585; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain theimageparlour.net - Vobfus worm"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|0F|theimageparlour|03|net|00|";
fast_pattern:only; content:"|03|ns"; content:"|0F|"; within:2;
content:"theimageparlour|03|net|00|"; within:20; metadata:impact_flag
red, policy balanced-ips drop, policy security-ips drop, ruleset
community, service dns;
reference:url,www.virustotal.com/en/file/cbee43ecc75d6f29061416add74a78ce
5e36c67b85e186d66338399305e594d4/analysis/; classtype:trojan-activity;
sid:26589; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain ppcfeedadvertising.com"; flow:to_server; byte_test:1,!
&,0xF8,2; content:"|12|ppcfeedadvertising|03|com|00|"; fast_pattern:only;
metadata:impact_flag red, ruleset community, service dns;
classtype:trojan-activity; sid:26612; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Medfos Trojan variant outbound connection"; flow:to_server,established;
content:"/feed?req=http"; fast_pattern:only; http_uri; content:"|3B| MSIE
"; http_header; content:!"|0D 0A|Accept-Language:"; http_header;
content:!"|0D 0A|Referer:"; http_header;
pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r?\n/Hsmi";
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/5bad5a2e4497f866291813aed264b5dc
3c9fad4e56796306842c7b50b553ae11/analysis/; classtype:trojan-activity;
sid:26613; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain ppcfeedclick.com"; flow:to_server; byte_test:1,!&,0xF8,2;
content:"|0C|ppcfeedclick|03|com|00|"; fast_pattern:only;
metadata:impact_flag red, ruleset community, service dns;
classtype:trojan-activity; sid:26614; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain www2.x3x4.su - backdoor trojan"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|04|www2|04|x3x4|02|su|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/a6cad9e09f5049f432491037946acf33
76d3d957b97f49ecb22f86531fb0b7de/analysis/; classtype:trojan-activity;
sid:26654; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR
Win.Backdoor.PCRat data upload"; flow:to_server,established;
content:"PCRatd"; depth:6; metadata:policy balanced-ips drop, policy
security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/669DF9DED24D56997D7B1EA6249BB704
226DADA09230DC285AE66CA0C9B7247B/analysis/; classtype:misc-activity;
sid:26655; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Travnet Botnet data upload"; flow:to_server,established;
content:"hostid="; http_uri; content:"|26|hostname="; http_uri;
content:"|26|hostip="; http_uri; metadata:policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/F7E9A1A4FC4766ABD799B517AD70CD5F
A234C8ACC10D96CA51ECF9CF227B94E8/analysis/; classtype:trojan-activity;
sid:26656; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Shiz variant outbound connection"; flow:to_server,established;
content:"GET"; http_method; content:"/login.php"; depth:10; http_uri;
content:"Referer|3A| http://www.google.com"; http_header; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 2.0|3B|";
fast_pattern:only; http_header; pkt_data; content:"HTTP/1.0|0D 0A|";
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,camas.comodo.com/cgi-bin/submit?
file=58963fd6a567513990ec6be52dc036bc5b728bb6528fca61227b22681ac838e6;
reference:url,www.virustotal.com/en/file/58963fd6a567513990ec6be52dc036bc
5b728bb6528fca61227b22681ac838e6/analysis/1368563326/; classtype:trojan-activity; sid:26657; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BROWSER-WEBKIT Possible Google Chrome Plugin install from non-trusted source";
flow:to_server,established; content:!"googleusercontent"; http_header;
content:!"google.com"; http_header; content:"|2F|crx|2F|blobs"; http_uri;
metadata:ruleset community, service http;
reference:url,blogs.technet.com/b/mmpc/archive/2013/05/10/browser-extension-hijacks-facebook-profiles.aspx; classtype:bad-unknown;
sid:26658; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BROWSER-FIREFOX Possible Mozilla Firefox Plugin install from non-Mozilla source";
flow:to_server,established; content:!"mozilla"; http_header;
content:".xpi"; nocase; http_uri; pcre:"/\.xpi$/Ui"; metadata:ruleset
community, service http; reference:url,research.zscaler.com/2012/09/how-to-install-silently-malicious.html; classtype:bad-unknown; sid:26659;
rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER
Fake delivery information phishing attack"; flow:to_client,established;
content:"|3B| filename="; http_header;
content:"Delivery_Information_ID-"; fast_pattern:only; http_header;
file_data; content:"Delivery_Information_ID-"; content:".exe"; within:50;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http; classtype:trojan-activity;
sid:26660; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Namihno variant outbound request"; flow:to_server,established;
content:"/windows/update/search?hl="; http_uri; content:"&q=";
distance:0; http_uri; content:"&meta="; distance:0; http_uri;
content:"&id="; distance:0; http_uri; metadata:policy balanced-ips alert,
policy security-ips drop, ruleset community, service http;
classtype:trojan-activity; sid:26695; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Cbeplay Ransomware variant outbound connection - Abnormal HTTP Headers";
flow:to_server,established; content:"POST /index.php HTTP/1.1|0D 0A|
Content-Type: multipart/form-data|3B| boundary="; depth:70; content:"|0D
0A|Connection: close|0D 0A|Cache-Control: no-cache|0D 0A|Content-Length:
"; http_header; content:"|3B| name=|22|data|22 3B| filename=|22|";
fast_pattern:only; http_client_body; metadata:impact_flag red, policy
balanced-ips alert, policy security-ips drop, ruleset community, service
http; reference:url,malware.dontneedcoffee.com/2013/02/cbeplayp-now-target-australia-and-moved.html; classtype:trojan-activity; sid:26696;
rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Cbeplay Ransomware variant outbound connection - POST Body";
flow:to_server,established; content:"index.php"; http_uri; content:"|3B|
name=|22|data|22 3B| filename=|22|"; fast_pattern:only; http_client_body;
content:"--"; depth:2; http_client_body;
pcre:"/filename=\x22\d+\x22\r\n/P"; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http; reference:url,malware.dontneedcoffee.com/2013/02/cbeplayp-now-target-australia-and-moved.html; classtype:trojan-activity; sid:26697;
rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER
Compromised Website response - leads to Exploit Kit";
flow:to_client,established; file_data; content:"<!--ded509-->";
content:"<!--/ded509-->"; distance:0; metadata:policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,www.jsunpack.jeek.org/?
report=c94ca7cda909cf93ae95db22a27bb5d711c2ae8f; classtype:trojan-activity; sid:26698; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Kazy Trojan check-in"; flow:to_server,established; content:"User-Agent:
Opera/11 |28|Windows NT 5.1|3B 20 3B| x86|29|"; fast_pattern:only;
http_header; content:"/count.php?page="; depth:16; http_uri;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,camas.comodo.com/cgi-bin/submit?
file=6d823488b26533f5151c3bab93c2a8ba832c9320e612d58d1134740abe3ca157;
classtype:trojan-activity; sid:26712; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.BlackRev rev 1 outbound traffic"; flow:to_server,established;
content:"gate.php|3F|reg="; http_uri; content:"User-Agent|3A| Mozilla/4.0
(compatible|3B| Synapse)|0D 0A|"; fast_pattern:only; http_header;
pcre:"/gate\x2ephp\x3freg=[a-z]{10}/U"; metadata:policy balanced-ips
drop, policy security-ips drop, ruleset community, service http;
reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26713; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.BlackRev rev 2 outbound traffic"; flow:to_server,established;
content:"gate.php|3F|reg="; http_uri; pcre:"/gate\x2ephp\x3freg=[a-zA-Z]
{15}/U"; content:"User-Agent|3A| Mozilla/4.0 (SEObot)|0D 0A|";
fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy
security-ips drop, ruleset community, service http;
reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26714; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.BlackRev rev 3 outbound traffic"; flow:to_server,established;
content:"gate.php|3F|id="; http_uri; content:"User-Agent|3A| Mozilla/4.0
(compatible|3B| SEObot)|0D 0A|"; fast_pattern:only; http_header;
pcre:"/gate\x2ephp\x3fid=[a-z]{15}/U"; metadata:policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26715; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain - Backdoor Rbot"; flow:to_server; byte_test:1,!&,0xF8,2;
content:"|03|07o|05|no-ip|04|info|00|"; fast_pattern:only;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/bee6e4bb1aba3934388948b48c59068f
ac3bf467ea9bde8d043ee6481a4d8431/analysis/1369236935/; classtype:trojan-activity; sid:26718; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Kbot variant outbound connection"; flow:to_server,established;
content:"s_alive.php?id="; fast_pattern:only; http_uri; metadata:policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http; reference:url,blog.avast.com/2013/05/22/grum-lives/;
classtype:trojan-activity; sid:26719; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Kbot variant outbound connection"; flow:to_server,established;
content:"s_task.php?id="; fast_pattern:only; http_uri; metadata:policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http; reference:url,blog.avast.com/2013/05/22/grum-lives/;
classtype:trojan-activity; sid:26720; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Bancos fake JPG encrypted config file download";
flow:to_server,established; content:".com.br|0D 0A 0D 0A|";
fast_pattern:only; content:"/imagens/"; depth:9; http_uri;
content:".jpg"; distance:0; http_uri; pcre:"/\.jpg\x20HTTP\/1\.
[01]\r\nUser\x2dAgent\x3a\x20[a-z]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]
+\.com\.br\r\n\r\n$/"; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service http;
classtype:trojan-activity; sid:26722; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Trojan Downloader7"; flow:to_server,established;
content:".lavaibrasilok.com|0D 0A 0D 0A|"; fast_pattern:only; content:"|
3B| MSIE "; http_header; content:!"Accept-Language:"; http_header;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.drwebhk.com/en/virus_techinfo/Trojan.DownLoader7.25647.
html; classtype:trojan-activity; sid:26723; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc http command"; flow:to_client,established;
file_data; content:"http|7C|"; depth:5; pcre:"/^http\x7c\d+\x7c\d/";
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26725; rev:3;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc stop command"; flow:to_client,established;
file_data; content:"stop|7C|"; depth:5; pcre:"/^stop\x7c\d+\x7c\d/";
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-bewritten-in-delphi; classtype:trojan-activity; sid:26726; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc die command"; flow:to_client,established;
file_data; content:"die|7C|"; depth:4; pcre:"/^die\x7c\d+\x7c\d/";
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-bewritten-in-delphi; classtype:trojan-activity; sid:26727; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc sleep command"; flow:to_client,established;
file_data; content:"sleep|7C|"; depth:6; pcre:"/^sleep\x7c\d+\x7c\d/";
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-bewritten-in-delphi; classtype:trojan-activity; sid:26728; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc simple command"; flow:to_client,established;
file_data; content:"simple|7C|"; depth:7; pcre:"/^simple\x7c\d+\x7c\d/";
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-bewritten-in-delphi; classtype:trojan-activity; sid:26729; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc loginpost command"; flow:to_client,established;
file_data; content:"loginpost|7C|"; depth:10;
pcre:"/^loginpost\x7c\d+\x7c\d/"; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-willbe-written-in-delphi; classtype:trojan-activity; sid:26730; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc datapost command"; flow:to_client,established;
file_data; content:"datapost|7C|"; depth:9;
pcre:"/^datapost\x7c\d+\x7c\d/"; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-willbe-written-in-delphi; classtype:trojan-activity; sid:26731; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc syn command"; flow:to_client,established;
file_data; content:"syn|7C|"; depth:4; pcre:"/^syn\x7c\d+\x7c\d/";
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-bewritten-in-delphi; classtype:trojan-activity; sid:26732; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc udp command"; flow:to_client,established;
file_data; content:"udp|7C|"; depth:4; pcre:"/^udp\x7c\d+\x7c\d/";
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;

reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-bewritten-in-delphi; classtype:trojan-activity; sid:26733; rev:3;)


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc udpdata command"; flow:to_client,established;
file_data; content:"udpdata|7C|"; depth:8;
pcre:"/^udpdata\x7c\d+\x7c\d/"; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-willbe-written-in-delphi; classtype:trojan-activity; sid:26734; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc data command"; flow:to_client,established;
file_data; content:"data|7C|"; depth:5; pcre:"/^data\x7c\d+\x7c\d/";
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-bewritten-in-delphi; classtype:trojan-activity; sid:26735; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc icmp command"; flow:to_client,established;
file_data; content:"icmp|7C|"; depth:5; pcre:"/^icmp\x7c\d+\x7c\d/";
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-bewritten-in-delphi; classtype:trojan-activity; sid:26736; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc tcpdata command"; flow:to_client,established;
file_data; content:"tcpdata|7C|"; depth:8;
pcre:"/^tcpdata\x7c\d+\x7c\d/"; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-willbe-written-in-delphi; classtype:trojan-activity; sid:26737; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc dataget command"; flow:to_client,established;
file_data; content:"dataget|7C|"; depth:8;
pcre:"/^dataget\x7c\d+\x7c\d/"; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-willbe-written-in-delphi; classtype:trojan-activity; sid:26738; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc connect command"; flow:to_client,established;
file_data; content:"connect|7C|"; depth:8;
pcre:"/^connect\x7c\d+\x7c\d/"; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-willbe-written-in-delphi; classtype:trojan-activity; sid:26739; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc dns command"; flow:to_client,established;
file_data; content:"dns|7C|"; depth:4; pcre:"/^dns\x7c\d+\x7c\d/";
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-bewritten-in-delphi; classtype:trojan-activity; sid:26740; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc exec command"; flow:to_client,established;
file_data; content:"exec|7C|"; depth:5; isdataat:!200;

pcre:"/^exec\x7c\d+\x7c\d/"; metadata:impact_flag red, policy balancedips drop, policy security-ips drop, ruleset community, service http;
reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-bewritten-in-delphi; classtype:trojan-activity; sid:26741; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc resolve command"; flow:to_client,established;
file_data; content:"resolve|7C|"; depth:8;
pcre:"/^resolve\x7c\d+\x7c\d/"; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-willbe-written-in-delphi; classtype:trojan-activity; sid:26742; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc antiddos command"; flow:to_client,established;
file_data; content:"antiddos|7C|"; depth:9;
pcre:"/^antiddos\x7c\d+\x7c\d/"; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-willbe-written-in-delphi; classtype:trojan-activity; sid:26743; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc range command"; flow:to_client,established;
file_data; content:"range|7C|"; depth:6; pcre:"/^range\x7c\d+\x7c\d/";
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-bewritten-in-delphi; classtype:trojan-activity; sid:26744; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc ftp command"; flow:to_client,established;
file_data; content:"ftp|7C|"; depth:4; pcre:"/^ftp\x7c\d+\x7c\d/";
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-bewritten-in-delphi; classtype:trojan-activity; sid:26745; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc download command"; flow:to_client,established;
file_data; content:"download|7C|"; depth:9;
pcre:"/^download\x7c\d+\x7c\d/"; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-willbe-written-in-delphi; classtype:trojan-activity; sid:26746; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc fastddos command"; flow:to_client,established;
file_data; content:"fastddos|7C|"; depth:9;
pcre:"/^fastddos\x7c\d+\x7c\d/"; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-willbe-written-in-delphi; classtype:trojan-activity; sid:26747; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc slowhttp command"; flow:to_client,established;
file_data; content:"slowhttp|7C|"; depth:9;
pcre:"/^slowhttp\x7c\d+\x7c\d/"; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-willbe-written-in-delphi; classtype:trojan-activity; sid:26748; rev:3;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC


Win.Trojan.BlackRev cnc allhttp command"; flow:to_client,established;
file_data; content:"allhttp|7C|"; depth:8;
pcre:"/^allhttp\x7c\d+\x7c\d/"; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-willbe-written-in-delphi; classtype:trojan-activity; sid:26749; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.BlackRev cnc full command"; flow:to_client,established;
file_data; content:"full|7C|"; depth:5; pcre:"/^full\x7c\d+\x7c\d/";
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-bewritten-in-delphi; classtype:trojan-activity; sid:26750; rev:3;)
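# Win.Worm.Luder: GET for a URI ending in "/loader.cpl" from an MSIE-style User-Agent that omits
# Accept-Language. The trailing-anchor pcre (/U) stops the rule firing on longer paths that merely contain
# the string.
# NOTE(review): rule re-joined onto one line; the VirusTotal SHA-256 was split across two lines by the wrap.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.Luder variant outbound connection"; flow:to_server,established; content:"/loader.cpl"; fast_pattern:only; http_uri; pcre:"/\/loader\.cpl$/U"; content:"|3B 20|MSIE|20|"; http_header; content:!"|0D 0A|Accept-Language:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/6077fd6cbb44c78a16d66fedb10492c7776127dc76ee071b051970971212bae8/analysis/; classtype:trojan-activity; sid:26774; rev:2;)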
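# Win.Trojan.Blocker. 26775 keys on an exact header layout: 11-byte URI "/index.html", Host under .info,
# and a literal "Cache-Control: no-cache" immediately before the end of headers (the raw-buffer content
# is the fast pattern). 26776 keys on the POST body prefix "cmd=gravar&dados=".
# NOTE(review): rules re-joined onto single lines; the header value had lost its hyphen ("nocache") at a
# line wrap and is restored to the standard "no-cache" token the rule is matching.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Blocker variant outbound connection HTTP Header Structure"; flow:to_server,established; urilen:11; content:"GET"; http_method; content:"/index.html"; http_uri; content:".info|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; pcre:"/HTTP\/1.[01]\r\nUser\x2dAgent\x3a\x20[ -~]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.info\r\n/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/c157a06965bf9edc101350c6122d108ccb1d99600cbb6967ef41dfed255f2009/analysis/; classtype:trojan-activity; sid:26775; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Blocker variant outbound connection POST"; flow:to_server,established; content:"POST"; http_method; content:"cmd=gravar&dados="; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/c157a06965bf9edc101350c6122d108ccb1d99600cbb6967ef41dfed255f2009/analysis/; classtype:trojan-activity; sid:26776; rev:2;)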
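# Cridex. 26779: POST to a "/cos3q/in" URI whose body carries "_<24 word chars>.exe". 26780: server
# response body that is exactly a NUL-delimited <script src="/scripts/default0.js"> tag. 26781/26782:
# DNS queries for the two C2 domains, encoded as DNS labels (length-prefixed, NUL-terminated); the
# byte_test on offset 2 with mask 0xF8 requires QR=0 and opcode 0, i.e. a standard query, not a reply.
# The DNS rules use destination "any 53", so they also see lookups sent to an internal resolver.
# NOTE(review): rules re-joined onto single lines; "classtype:trojan-activity" and the SHA-256 in the
# references had been split/de-hyphenated at line wraps.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Cridex encrypted POST check-in"; flow:to_server,established; content:"/cos3q/in"; fast_pattern:only; http_uri; content:".exe"; nocase; http_client_body; pcre:"/\x5f\w{24}\.exe/Pi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/843ffd922b9bd902d736ddb664b578cde6e3033fa5a14b862b09045c36aa7524/analysis/1369942427/; classtype:trojan-activity; sid:26779; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC cridex HTTP Response - default0.js"; flow:to_client,established; file_data; content:"|00|<script type=|22|text/javascript|22| src=|22|/scripts/default0.js|22|></script>|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/843ffd922b9bd902d736ddb664b578cde6e3033fa5a14b862b09045c36aa7524/analysis/1369942427/; classtype:trojan-activity; sid:26780; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain vseforyou.ru - Cridex Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|vseforyou|02|ru|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/843ffd922b9bd902d736ddb664b578cde6e3033fa5a14b862b09045c36aa7524/analysis/1369942427/; classtype:trojan-activity; sid:26781; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain commorgan.ru - Cridex Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|commorgan|02|ru|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/843ffd922b9bd902d736ddb664b578cde6e3033fa5a14b862b09045c36aa7524/analysis/1369942427/; classtype:trojan-activity; sid:26782; rev:1;)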
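# XP fake-antivirus (rogue AV) traffic. 26811: 23-byte URI "/content/img/awards.jpg" with a Referer of the
# form "http://<host>/?do=payment&ver=N&sid=N&sn=N" (header-buffer pcre). 26812: 11-byte URI that is a
# slash plus exactly ten digits, sent with a fixed MSIE 6.0 / Windows NT 5.1 User-Agent tail and "Accept: */*".
# NOTE(review): rules re-joined onto single lines (the comodo.com reference URL was split at its "?").
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC XP Fake Antivirus Payment Page Request"; flow:to_server,established; urilen:23; content:"/content/img/awards.jpg"; fast_pattern:only; http_uri; pcre:"/\r\nReferer\x3A\x20http\x3A\x2F\x2f[a-z0-9\x2d\x2e]+\x2F\x3Fdo\x3Dpayment\x26ver\x3D\d+\x26sid\x3D\d+\x26sn\x3D\d+\r\n/H"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,camas.comodo.com/cgi-bin/submit?file=cf3eff5320b0c8d41490e412e89b97559bf34fcde8f9934e5fb7c76467a679d8; classtype:trojan-activity; sid:26811; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC XP Fake Antivirus Check-in"; flow:to_server,established; urilen:11; content:"|3B| MSIE 6.0|3B| Windows NT 5.1)|0D 0A|Accept: */*|0D 0A|"; fast_pattern:only; http_header; pcre:"/^\x2F\d{10}$/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,camas.comodo.com/cgi-bin/submit?file=cf3eff5320b0c8d41490e412e89b97559bf34fcde8f9934e5fb7c76467a679d8; classtype:trojan-activity; sid:26812; rev:1;)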
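# Blackhole v2 gate used by a LinkedIn-themed mail campaign: 17-byte normalized URI "/linkendorse.html".
# Disabled upstream (leading "#"); campaign-specific URIs age out quickly, so leave it off unless the
# campaign is current in your environment.
# NOTE(review): rule re-joined onto one line.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2 exploit kit Initial Gate from Linked-In Mailing Campaign"; flow:to_server,established; urilen:17,norm; content:"/linkendorse.html"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:26814; rev:2;)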
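# Sweet Orange landing page: URI shorter than 75 bytes containing "/in.php", then "&q=", then "==" (the
# base64 padding of the q parameter). No fast_pattern:only here, so all three contents are ordered
# relative matches. The CVE list is the set of exploits the kit delivered at the time.
# NOTE(review): rule re-joined onto one line; "reference:cve,2012-0607" had been split across a page
# break and "classtype:trojan-activity" de-hyphenated.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page in.php base64 uri"; flow:to_server,established; urilen:<75; content:"/in.php"; http_uri; content:"&q="; distance:0; http_uri; content:"=="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2010-0188; reference:cve,2012-0422; reference:cve,2012-0431; reference:cve,2012-0607; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-2423; classtype:trojan-activity; sid:26834; rev:4;)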
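# RDN Banker (both disabled upstream). 26835: POST body containing "op=IncluirAvisos&" with "HostBD=" at
# body offset 17. 26836: 30-byte URI to Host www.google.com from the WinHttp.WinHttpRequest.5 User-Agent —
# the bot's connectivity probe; this is the noisier of the two, since that UA is also used by legitimate
# WinHTTP scripts.
# NOTE(review): rules re-joined onto single lines; "security-ips" and "classtype:trojan-activity" had been
# de-hyphenated at line wraps.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC RDN Banker POST variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"op=IncluirAvisos&"; fast_pattern:only; http_client_body; content:"HostBD="; depth:7; offset:17; http_client_body; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/1a23f27b046af92b7dd2c4a8f8349c9fd9582ad91b5a61556470c58b15af3b26/analysis/1369251144/; classtype:trojan-activity; sid:26835; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC RDN Banker Strange Google Traffic"; flow:to_server,established; urilen:30; content:"User-Agent: Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest.5)"; fast_pattern:only; http_header; content:"Host: www.google.com"; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/1a23f27b046af92b7dd2c4a8f8349c9fd9582ad91b5a61556470c58b15af3b26/analysis/1369251144/; classtype:trojan-activity; sid:26836; rev:1;)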
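# BitBot (bitcoin-mining botnet) idle reply: response body beginning with the literal "<\\\>IDLE<\\\>"
# (14 bytes, checked within the first 18 bytes of file_data).
# NOTE(review): rule re-joined onto one line; the reference URL had lost a hyphen ("...-a-bitcoin-botnet").
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC BitBot Idle C2 response"; flow:to_client,established; file_data; content:"<|5C||5C||5C|>IDLE<|5C||5C||5C|>"; depth:18; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blogs.mcafee.com/mcafee-labs/delving-deeply-into-a-bitcoin-botnet; classtype:trojan-activity; sid:26837; rev:1;)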
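# Blackhole v2 gate used by a NatPay-themed mail campaign: URI containing "/natpay.html?". Disabled
# upstream (leading "#") like the LinkedIn gate rule above.
# NOTE(review): rule re-joined onto one line; "classtype:trojan-activity" had been de-hyphenated.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2 exploit kit Initial Gate from NatPay Mailing Campaign"; flow:to_server,established; content:"/natpay.html?"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:26838; rev:2;)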
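# Zeus P2P proxy "write" command: raw payload starting with "POST /write HTTP/1.1" on the 10000–30000
# port range the P2P layer uses. This is a raw content match (no http_* modifier) because those ports are
# not in $HTTP_PORTS and may not be decoded by the HTTP inspector.
# NOTE(review): rule re-joined onto one line; "balanced-ips" and "classtype:trojan-activity" restored.
alert tcp $HOME_NET any -> $EXTERNAL_NET 10000:30000 (msg:"MALWARE-CNC Win.Trojan.Zeus P2P-proxy C2 Write command"; flow:to_server,established; content:"POST |2F|write HTTP|2F|1.1"; depth:25; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.cert.pl/PDF/2013-06-p2p-rap_en.pdf; classtype:trojan-activity; sid:26839; rev:1;)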
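# Win.Backdoor.Boda check-in: POST body with "macName=" in the first 60 bytes followed (within 100 and
# 200 bytes respectively) by "&macOS=" and "&macMac=". The three ordered body matches are the whole
# signature; there is no URI or header constraint and no reference.
# NOTE(review): rule re-joined onto one line; the message class "MALWARE-BACKDOOR" had lost its hyphen.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Win.Backdoor.Boda Malware Checkin"; flow:to_server,established; content:"macName="; depth:60; http_client_body; content:"&macOS="; within:100; http_client_body; content:"&macMac="; within:200; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26842; rev:1;)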
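# ZeroAccess: POST with "Content-Length: 128", a User-Agent header right after the request line, no Accept*
# header, and at least four consecutive non-printable bytes in the body (the encrypted payload). Disabled
# upstream (leading "#"); it carries no policy, so it is alert-only if re-enabled.
# NOTE(review): rule re-joined onto one line.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC ZeroAccess Encrypted 128-byte POST No Accept Headers"; flow:to_server,established; content:"POST"; http_method; content:"Content-Length: 128|0D 0A|"; fast_pattern:only; http_header; content:" HTTP/1."; content:"|0D 0A|User-Agent: "; within:14; distance:1; content:!"|0D 0A|Accept"; http_header; pcre:"/[^ -~\x0d\x0a]{4}/P"; metadata:ruleset community, service http; classtype:trojan-activity; sid:26910; rev:3;)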

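# Win.Trojan.Rombrast. 26911: POST to "/info.php?act=list" or "?act=online". 26912: POST body of the form
# "data=" + 31 bytes + "<|>" ... "<|>" (pipe-delimited fields; the first delimiter must sit exactly 31
# bytes after "data="). 26913: standard DNS query (QR=0, opcode 0 via the byte_test) for www.silobiancer.com,
# destination "any 53" so internal-resolver lookups are covered.
# NOTE(review): rules re-joined onto single lines; the "<|7C|>" content and the DNS label string had been
# split inside their hex escapes.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rombrast Trojan outbound communication"; flow:to_server,established; content:"POST"; http_method; content:"/info.php?act="; fast_pattern:only; http_uri; pcre:"/^\/info\.php\?act\x3d(list|online)/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/deac0b06fb36e38520b002489dae6fff3d346e72d331c3889e9d2764fe2bcf14/analysis/; classtype:trojan-activity; sid:26911; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rombrast Trojan outbound communication"; flow:to_server,established; content:"POST"; http_method; content:"<|7C|>"; fast_pattern:only; http_client_body; content:"data="; depth:5; http_client_body; content:"<|7C|>"; within:3; distance:31; http_client_body; content:"<|7C|>"; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/deac0b06fb36e38520b002489dae6fff3d346e72d331c3889e9d2764fe2bcf14/analysis/; classtype:trojan-activity; sid:26912; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain www.silobiancer.com - Win.Trojan.Rombrast Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|0B|silobiancer|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/deac0b06fb36e38520b002489dae6fff3d346e72d331c3889e9d2764fe2bcf14/analysis/; classtype:trojan-activity; sid:26913; rev:1;)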
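# DNS blacklist rules: each matches a standard query (byte_test on the flags byte at offset 2, mask 0xF8
# clear => QR=0, opcode 0) for one domain written as length-prefixed DNS labels ending in |00|.
# Deployment caveat: 26914/26915 use destination "any 53" and will see queries sent to an internal
# resolver; 26916–26920 use "$EXTERNAL_NET 53" and will only match when the client (or the resolver,
# if it is inside $HOME_NET and forwards) talks directly to an external server. If your sensors sit
# between clients and an internal resolver, 26916–26920 will never fire as written.
# The mwanalysis.org references embed a report password in the URL; it is part of the upstream
# reference string, not a credential used by the rule.
# NOTE(review): rules re-joined onto single lines; "balanced-ips" and the krebsonsecurity URL
# ("chronopays-scareware-diaries") had been de-hyphenated, and several label strings split mid-escape.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain goliyonzo.pw - BackDoor Comet"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|goliyonzo|02|pw|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,mwanalysis.org/?page=report&analysisid=2156196&password=gtrcgbtwhh; reference:url,www.virustotal.com/en/file/b2e7148311c223519042ba38e1ef8a48061645d5bdcadf9763386ad92fcc2654/analysis/; classtype:trojan-activity; sid:26914; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain zalil.ru - Kazy Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|zalil|02|ru|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,mwanalysis.org/?page=report&analysisid=2156195&password=ykndnbluja; reference:url,www.virustotal.com/en/file/22ecaeec7bf54ac3bb8deecd092447c8d62e8e4a928dcaada0348b08db2d1f94/analysis/; classtype:trojan-activity; sid:26915; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request for known malware domain soywey.sin-ip.es - Palevo Botnet"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|soywey|06|sin-ip|02|es|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/218bf5badb5658d06b14d376c92834622b6a171dde9fa8dded755d9fd54c4dae/analysis/; classtype:trojan-activity; sid:26916; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request for known malware domain bigmack.opendns.be - Palevo Botnet"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|bigmack|07|opendns|02|be|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.mywot.com/en/scorecard/bigmack.opendns.be?page=3; classtype:trojan-activity; sid:26917; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request for known malware domain trafficconverter.biz - ChronoPay"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|trafficconverter|03|biz|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,krebsonsecurity.com/2011/03/chronopays-scareware-diaries/#more-8331; classtype:trojan-activity; sid:26918; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request for known malware domain kjwre9fqwieluoi.info - W32.Sality"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|kjwre9fqwieluoi|04|info|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.threatexpert.com/report.aspx?md5=7abf56a5fbced892d2bdbe1fcbff233a; classtype:trojan-activity; sid:26919; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request for known malware domain kukutrustnet777.info - W32.Sality"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|kukutrustnet777|04|info|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.threatexpert.com/report.aspx?md5=7abf56a5fbced892d2bdbe1fcbff233a; classtype:trojan-activity; sid:26920; rev:1;)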
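# Zeus variant: URI of the exact form "/images/<one letter>.php?id=<2-3 digits>[.<digit>]" (anchored,
# case-insensitive pcre on the normalized URI). The single-letter script name is the distinguishing feature.
# NOTE(review): rule re-joined onto one line.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; content:"/images/"; http_uri; content:".php?id="; distance:1; http_uri; pcre:"/\/images\/[a-zA-Z]\.php\?id\=[0-9]{2,3}(\.\d)?$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26923; rev:2;)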
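# Gozi header structure: 255–260 byte URI "/<2-20 letters>.php?<2-10 letters>=<base64>=" with no Accept
# header at all. The raw-URI pcre (/I) is what makes this specific; the "= HTTP/1." fast pattern alone is
# extremely common.
# NOTE(review): rule re-joined onto one line. The parameter-name class had been garbled to "[az]{2,10}"
# at a line wrap, which would only match runs of the letters a and z; restored to "[a-z]{2,10}" to agree
# with the "[a-z]{2,20}" script-name class in the same expression.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Potential Gozi Trojan HTTP Header Structure"; flow:to_server,established; urilen:255<>260; content:"= HTTP/1."; fast_pattern:only; content:".php?"; http_uri; content:!"Accept"; http_header; pcre:"/^\/[a-z]{2,20}\.php\?[a-z]{2,10}\x3d[a-zA-Z0-9\x2f\x2b]+\x3d$/I"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26924; rev:2;)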
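# Generic SQL injection probe: inbound request whose URI contains "convert(". Disabled upstream (leading
# "#") — a single function-name token in a GET parameter is a high-false-positive match on any site that
# legitimately passes SQL-like text; enable only behind a web-application-attack triage process.
# NOTE(review): rule re-joined onto one line.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL generic convert injection attempt - GET parameter"; flow:to_server,established; content:"convert|28|"; fast_pattern:only; http_uri; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html; classtype:web-application-attack; sid:26925; rev:1;)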
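# DotkaChef / Rmayana / DotCache exploit kit. 26947/26948: inbound responses whose headers carry the
# payload filenames atom.jar (CVE-2013-2423) and site.jar (CVE-2013-1493). 26949: landing page
# <applet width="0" height="0" code="site.avi" archive=...> built from ordered relative matches.
# 26950: outbound "/?f=s&k=<digits>" payload request; sets the file.exploit_kit.jar flowbit for
# downstream rules. 26951: malvertising URI "/.cache/?f=...jar&<x>=<16 hex>&<y>=<16 hex>".
# NOTE(review): rules re-joined onto single lines. Two CVE references had lost their hyphen at a line
# wrap ("20132423", "20131493") and are restored; in 26951 the first hex class had been garbled to
# "[af0-9]{16}" (which excludes b–e) and is restored to "[a-f0-9]{16}" to match the second class.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit inbound java exploit download"; flow:to_client,established; content:"filename=atom.jar"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2013-2423; reference:url,www.basemont.com/new_exploit_kit_june_2013; classtype:trojan-activity; sid:26947; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit inbound java exploit download"; flow:to_client,established; content:"filename=site.jar"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2013-1493; reference:url,www.basemont.com/new_exploit_kit_june_2013; classtype:trojan-activity; sid:26948; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit landing page"; flow:to_client,established; file_data; content:"<applet width="; content:"0"; within:1; distance:1; content:" height="; within:8; distance:1; content:"0"; within:1; distance:1; content:" code="; within:6; distance:1; content:"site.avi"; within:8; distance:1; nocase; content:" archive="; within:9; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.basemont.com/new_exploit_kit_june_2013; classtype:trojan-activity; sid:26949; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit Zeroaccess download attempt"; flow:to_server,established; content:"/?f=s"; http_uri; content:"&k="; distance:0; http_uri; pcre:"/\&k=\d+($|\&h=)/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,www.basemont.com/new_exploit_kit_june_2013; reference:url,www.malwaresigs.com/2013/06/14/dotcachef/; classtype:trojan-activity; sid:26950; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit Malvertising Campaign URI request"; flow:to_server,established; content:"/.cache/?f="; fast_pattern; http_uri; content:".jar"; http_uri; pcre:"/[^&]+&[a-z]=[a-f0-9]{16}&[a-z]=[a-f0-9]{16}$/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,research.zscaler.com/2013/06/openxadvertisingcom-mass-malvertising.html; classtype:trojan-activity; sid:26951; rev:4;)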
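# "Facebook Secure Cryptor" C2: URI "/forum/search.php?email=...&method=..." sent with no Referer and no
# Accept-* headers. The two negated header matches are what separate this from a real forum search.
# NOTE(review): rule re-joined onto one line; the reference URL had lost a hyphen ("...-is-now-secured").
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Win32 Facebook Secure Cryptor C2"; flow:to_server,established; content:"/forum/search.php?email="; http_uri; content:"&method="; distance:0; http_uri; content:!"Referer"; http_header; content:!"Accept-"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.avast.com/2013/06/18/your-facebook-connection-is-now-secured; classtype:trojan-activity; sid:26965; rev:2;)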
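# Worm:Win32/Autorun.JN: a 142-byte request whose raw URI is "//u5.htm" (double slash, 8 bytes; the
# normalized URI is "/u5.htm"). dsize:142 pins the exact request size, so any change in the bot's headers
# (or a different Host length) will evade this rule — expect it to be brittle.
# NOTE(review): rule re-joined onto one line (the Microsoft and VirusTotal reference URLs were split).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Autorun.JN variant outbound connection"; flow:to_server,established; dsize:142; urilen:8; content:"/u5.htm"; fast_pattern:only; http_uri; content:"//u5.htm"; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN; reference:url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/; classtype:trojan-activity; sid:26966; rev:3;)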
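# Win.Trojan.Gozi form-grabber exfiltration (both disabled upstream). 26968: POST to a "data.php" URI
# whose multipart body contains a "URL: " line and a "Content-Disposition: form-data; name=" part.
# 26969: POST URI carrying version=, user=, server= and name= parameters in that order.
# NOTE(review): rules re-joined onto single lines; the "Content-Disposition" header name in 26968 had
# lost its hyphen at a line wrap and is restored — as written ("ContentDisposition") the content could
# never match a real multipart part header.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gozi Data Theft POST Data"; flow:to_server,established; content:"POST"; http_method; content:"data.php"; http_uri; content:"|0D 0A|URL: "; fast_pattern:only; http_client_body; content:"Content-Disposition: form-data|3B| name="; http_client_body; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b78c5c53d3b54acbca2b344a779528f0408258b6ac12899c860d99bf563e883a/analysis/; classtype:trojan-activity; sid:26968; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gozi Trojan Data Theft POST URL"; flow:to_server,established; content:"POST"; http_method; content:".php?version="; http_uri; content:"&user="; distance:0; http_uri; content:"&server="; distance:0; http_uri; content:"&name="; distance:0; http_uri; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b78c5c53d3b54acbca2b344a779528f0408258b6ac12899c860d99bf563e883a/analysis/; classtype:trojan-activity; sid:26969; rev:1;)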
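# Win.Trojan.Pirminay (both disabled upstream). 26970: request with a "Cookie: cache=cc2=" header to a
# Host given as a bare dotted-quad IP. 26971: standard DNS query for fasternation.net.
# NOTE(review): rules re-joined onto single lines. 26971 is a udp/53 DNS rule but carried
# "service http" in its metadata; every other DNS blacklist rule in this file uses "service dns", and
# with "service http" the rule would be bound to HTTP-identified flows and never evaluate DNS traffic
# in a service-aware deployment, so it is set to "service dns" here.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Pirminay variant outbound connection"; flow:to_server,established; content:"Cookie: cache=cc2="; fast_pattern:only; content:"cache=cc2="; http_cookie; pcre:"/Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r\n/H"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/97f97c2126ed6ffc447a5f8c72d504679129a38f8a62e4678321f9a8057c3307/analysis/; classtype:trojan-activity; sid:26970; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain fasternation.net - Win.Trojan.Pirminay"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|fasternation|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/97f97c2126ed6ffc447a5f8c72d504679129a38f8a62e4678321f9a8057c3307/analysis/; classtype:trojan-activity; sid:26971; rev:1;)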
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Injector Info Stealer Trojan variant outbound connection";
flow:to_server,established; content:"/xgi-bin/"; depth:9; http_uri;
content:".php?"; within:5; distance:1; http_uri; content:"|3B| MSIE ";
http_header; content:!"Accept-Language:"; http_header;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/4BAF26D033E17F0171AB27291649EEAE
19EE33BD0246F17BC921E3ADB7F36F42/analysis/; classtype:trojan-activity;
sid:26984; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT
Rawin exploit kit outbound java retrieval"; flow:to_server,established;
content:"rawin.php?b="; http_uri; content:"&v=1."; distance:0; http_uri;

pcre:"/\.php\?b=[A-F0-9]+&v=1\./U"; metadata:policy balanced-ips drop,


policy security-ips drop, ruleset community, service http;
classtype:trojan-activity; sid:26985; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.Dapato variant inbound response connection";
flow:to_client,established; content:"Content-Length: 150|0D 0A|";
fast_pattern:only; http_header; file_data; content:"|0D 0A|"; depth:2;
offset:4; content:"|0D 0A|"; within:2; distance:4; content:"|0D 0A|";
within:2; distance:4; pcre:"/^([A-F0-9]{4})\r\n\1\r\n\1\r\n([A-F0-9]
{26})\r\n[A-F0-9]{48}\r\n\2\r\n\2$/"; metadata:impact_flag red, policy
security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/111ffe389dc8fa802b8aff3b4e02a2f5
9d1b6492763f9dc5a20a84f4da46932a/analysis/; classtype:trojan-activity;
sid:27017; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.OnlineGameHack variant outbound connection";
flow:to_server,established; content:"/get.asp?mac="; http_uri;
content:"&os="; within:36; http_uri; metadata:policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,image.ahnlab.com/global/upload/download/asecreport/ASEC_Rep
ort_Vol.39_Eng.pdf; classtype:trojan-activity; sid:27039; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT
Styx exploit kit plugin detection connection jorg";
flow:to_server,established; content:"/jorg.html"; fast_pattern:only;
http_uri; pcre:"/\/jorg\.html$/U"; metadata:policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723;
reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27040;
rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT
Styx exploit kit plugin detection connection jlnp";
flow:to_server,established; content:"/jlnp.html"; fast_pattern:only;
http_uri; pcre:"/\/jlnp\.html$/U"; metadata:policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723;
reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27041;
rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT
Styx exploit kit plugin detection connection jovf";
flow:to_server,established; content:"/jovf.html"; fast_pattern:only;
http_uri; pcre:"/\/jovf\.html$/U"; metadata:policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723;
reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27042;
rev:4;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain memo-stat.com - Htbot"; flow:to_server; content:"|09|memo-stat|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy

balanced-ips drop, policy security-ips drop, ruleset community, service


dns;
reference:url,malwr.com/analysis/MTNlMDg4ZTQwZjU2NDUxM2EwZDNlYzllNjZkMjRk
NDI/;
reference:url,www.virustotal.com/en/file/36802c72d1d5addc87d16688dcb37b68
0fd48f832fa7b93c15cf4f426aa3f0a7/analysis/; classtype:trojan-activity;
sid:27043; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST
User-Agent known malicious user-agent string pb - Htbot";
flow:to_server,established; content:"User-Agent: pb|0D 0A|";
fast_pattern:only; http_header; metadata:impact_flag red, policy
security-ips drop, ruleset community, service http;
reference:url,malwr.com/analysis/MTNlMDg4ZTQwZjU2NDUxM2EwZDNlYzllNjZkMjRk
NDI/;
reference:url,www.virustotal.com/en/file/36802c72d1d5addc87d16688dcb37b68
0fd48f832fa7b93c15cf4f426aa3f0a7/analysis/; classtype:trojan-activity;
sid:27044; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.Blocker Download"; flow:to_client,established;
flowbits:isset,file.exe; content:"filename="; http_header;
content:"security_cleaner.exe"; fast_pattern:only; http_header;
metadata:impact_flag red, policy security-ips drop, ruleset community,
service http;
reference:url,www.virustotal.com/en/file/6d4d93f68aaf783a2526d920fa3c070d
061fd56853669a72a10b2c2232008582/analysis/1372086855/; classtype:trojan-activity; sid:27045; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Unknown ?1 redirect"; flow:to_server,established; content:"GET
/?1 HTTP/1.1"; fast_pattern:only; metadata:ruleset community, service
http; classtype:bad-unknown; sid:27047; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT
Unknown Malvertising exploit kit Hostile Jar pipe.class";
flow:to_client,established; flowbits:isset,file.jar; file_data;
content:"PK"; content:"|00|pipe.class"; distance:0; content:"|00|
inc.class"; distance:0; content:"|00|fdp.class"; distance:0;
fast_pattern; metadata:policy balanced-ips drop, policy security-ips
drop, ruleset community, service http; classtype:trojan-activity;
sid:27085; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT
Unknown Malvertising exploit kit stage-1 redirect";
flow:to_client,established; content:"<html><body><script>|0A|var ";
fast_pattern; content:"document.createElement("; within:80;
content:".setAttribute(|22|archive|22|, "; within:65;
content:".setAttribute(|22|codebase|22|, "; within:65;
content:".setAttribute(|22|id|22|, "; within:65; content:".setAttribute(|
22|code|22|, "; within:65; content:"|22|)|3B 0A|
document.body.appendChild("; within:65; content:"</script>|0A|</body>|0A|
</html>|0A 0A|"; metadata:policy balanced-ips drop, policy security-ips
drop, ruleset community, service http; classtype:trojan-activity;
sid:27086; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT
DotkaChef/Rmayana/DotCache exploit kit Zeroaccess download attempt";
flow:to_server,established; content:"/?f=a"; http_uri; content:"&k=";
distance:0; http_uri; pcre:"/\&k=\d+($|\&h=)/U";

flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop,


policy security-ips drop, ruleset community, service http;
reference:cve,2013-1493; reference:cve,2013-2423;
reference:url,www.basemont.com/new_exploit_kit_june_2013;
reference:url,www.malwaresigs.com/2013/06/14/dotcachef/;
classtype:trojan-activity; sid:27113; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT
Private exploit kit outbound traffic"; flow:to_server,established;
content:".php?"; http_uri; content:"content-type: application/";
http_header; content:" Java/1"; http_header; pcre:"/\x2ephp\x3f[a-z]+=[a-fA-Z0-9]+&[a-z]+=[0-9]+$/iU"; metadata:policy balanced-ips alert, policy
security-ips drop, ruleset community, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544;
reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html;
reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html;
reference:url,www.malwaresigs.com/2013/07/03/another-unknown-ek;
classtype:trojan-activity; sid:27144; rev:2;)
# alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain scari-elegante.ro - Yakes Trojan"; flow:to_server;
content:"|0E|scari-elegante|02|ro|00|"; fast_pattern:only;
metadata:impact_flag red, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/980c4ed3dd130c9313a35434e0b102a6
b8b038c98735814834334ccc03e4da3c/analysis/; classtype:trojan-activity;
sid:27146; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain myharlemshake.info - MSIL Trojan"; flow:to_server;
content:"|0D|myharlemshake|04|info|00|"; fast_pattern:only;
metadata:impact_flag red, ruleset community, service dns;
reference:url,mwanalysis.org/?
page=report&analysisid=2178740&password=nxbjmzykzt;
reference:url,www.virustotal.com/en/file/16534fea6ec534249b0a14a497f82f5c
7b4b8f2b005e965c24816365ce062318/analysis/; classtype:trojan-activity;
sid:27155; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain twinkcam.net - W32/Kryptik"; flow:to_server; byte_test:1,!
&,0xF8,2; content:"|08|twinkcam|03|net|00|"; fast_pattern:only;
metadata:policy balanced-ips drop, policy security-ips drop, ruleset
community, service dns; reference:url,threatpost.com/nsa-whistleblower-article-redirects-to-malware;
reference:url,www.virustotal.com/en/file/5d7b09613c03cb3b54b9ab7a886558bb
a38861a899638f4318c09eaa56401821/analysis/1373466967/; classtype:trojan-activity; sid:27180; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain cinnamyn.com - W32/Kryptik"; flow:to_server; byte_test:1,!
&,0xF8,2; content:"|08|cinnamyn|03|com|00|"; fast_pattern:only;
metadata:policy balanced-ips drop, policy security-ips drop, ruleset
community, service dns; reference:url,threatpost.com/nsa-whistleblower-article-redirects-to-malware;
reference:url,www.virustotal.com/en/file/5d7b09613c03cb3b54b9ab7a886558bb
a38861a899638f4318c09eaa56401821/analysis/1373466967/; classtype:trojan-activity; sid:27181; rev:1;)

# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC


Win.Trojan.Meredrop variant outbound connection GET Request";
flow:to_server,established; content:"/?"; depth:2; http_uri;
content:"h=NT"; fast_pattern:only; http_uri; pcre:"/\.[A-Z\d]{8}\x2d[A-Z\d]{6}\x2d[A-Z\d]{6}\x2d[A-Z\d]{8}/U"; metadata:impact_flag red, policy
security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/dfb0050cb7fd6c879027cbecda703613
b8d9fb2b2a5682478dbcd0518172302c/analysis/1373576492/; classtype:trojan-activity; sid:27199; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Meredrop variant outbound connection POST Request";
flow:to_server,established; content:"POST"; content:"|3B 20|MSIE 28|3B
20|"; fast_pattern:only; http_header; content:"User-Agent"; http_header;
pcre:"/User\x2dAgent\x3a\x20[ -~]*?\.[A-Z\d]{8}\x2d[A-Z\d]{6}\x2d[A-Z\d]
{6}\x2d[A-Z\d]{8}\x3b[ -~]*?\r\n/H"; metadata:impact_flag red, policy
security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/dfb0050cb7fd6c879027cbecda703613
b8d9fb2b2a5682478dbcd0518172302c/analysis/1373576492/; classtype:trojan-activity; sid:27200; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Neurevt variant outbound communication";
flow:to_server,established; content:"ps0="; depth:4; http_client_body;
content:"ps1="; distance:0; http_client_body; content:"cs1="; distance:0;
http_client_body; content:"cs2="; distance:0; http_client_body;
content:"cs3="; distance:0; http_client_body; pcre:"/ps0=[A-F0-9]*&ps1=[A-F0-9]*&cs1=[A-F0-9]*&cs2=[A-F0-9]*&cs3=[A-F0-9]*/P";
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http; classtype:trojan-activity;
sid:27201; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Apache auto_prepend_file a.control.bin C2 traffic";
flow:to_server,established; content:"User-Agent|3A| SEX|2F|1";
fast_pattern:only; http_header; metadata:ruleset community, service http;
reference:url,blog.sucuri.net/2013/06/apache-php-injection-to-javascript-files.html; classtype:trojan-activity; sid:27203; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Potential Bancos Brazilian Banking Trojan Browser Proxy Autoconfig File";
flow:to_client,established; file_data; content:"return |22|DIRECT|22|";
fast_pattern:only; content:".com.br"; nocase; pcre:"/\x22[a-z\d\x2e\x2d]
{1,10}\x22\s{0,3}\+\s{0,3}\x22[a-z\d\x2e\x2d]{1,10}\x22\s{0,3}\
+\s{0,3}\x22[a-z\d\x2e\x2d]{1,10}\x22/i"; metadata:impact_flag red,
ruleset community, service http; classtype:trojan-activity; sid:27204;
rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER
Mac OSX FBI ransomware"; flow:to_client,established; file_data;
content:"<iframe src=|22|YOUR|25|20BROWSER|25|20HAS|25|20BEEN|25|
20LOCKED"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http;
reference:url,blog.malwarebytes.org/intelligence/2013/07/fbi-ransomware-now-targeting-apples-mac-os-x-users/; classtype:trojan-activity;
sid:27246; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain restless.su - Gamarue Trojan"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|08|restless|02|su|00|";

fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,


policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/03103b40b95070e4d14803e949dc754c
a02bcea25e8b3a4194f7d248f15ca515/analysis/; classtype:trojan-activity;
sid:27247; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Gamarue - Mozi1la User-Agent"; flow:to_server,established;
content:"User-Agent|3A| Mozi1la/4.0|0D 0A|"; fast_pattern:only;
http_header; metadata:impact_flag red, policy balanced-ips drop, policy
security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/03103b40b95070e4d14803e949dc754c
a02bcea25e8b3a4194f7d248f15ca515/analysis/; classtype:trojan-activity;
sid:27248; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.ZeroAccess 111-byte URL variant outbound connection";
flow:to_server,established; urilen:111; content:"=="; depth:2;
offset:103; content:" HTTP/1.0|0D 0A|Host:"; within:16; distance:10;
pcre:"/^\/[a-z\d]{98}\x3d{2}[a-z\d]{10}$/Ui"; content:!"Accept:";
http_header; metadata:impact_flag red, policy security-ips drop, ruleset
community, service http; classtype:trojan-activity; sid:27252; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Cridex Encrypted POST w/ URL Pattern";
flow:to_server,established; urilen:<34; content:"POST"; http_method;
content:"U|3B| MSIE "; http_header; content:"|0D 0A|Connection|3A| Keep-Alive|0D 0A|Cache-Control|3A| no-cache"; fast_pattern:only; http_header;
content:!"Accept-Language:"; http_header; pcre:"/\x2f[A-Za-z0-9\x2b\x2f\x3d]{1,10}\x2f[A-Za-z0-9\x2b\x2f\x3d]{1,10}\x2f[A-Za-z0-9\x2b\x2f\x3d]{1,10}\x2f([A-Za-z0-9\x2b\x2f\x3d]{1,10})?(\x2f[A-Za-z0-9\x2b\x2f\x3d]{1,10})?/U"; pcre:"/[^ -~\x0d\x0a]{4}/P";
metadata:impact_flag red, ruleset community, service http;
reference:url,www.virustotal.com/en/file/cd0cdc216e456b34dc2e4c6db6bacbbb
a20122489e6751621f921ca53cc7e421/analysis/; classtype:trojan-activity;
sid:27253; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Yakes Trojan HTTP Header Structure"; flow:to_server,established;
content:"POST"; http_method; content:".php HTTP/1.1|0D 0A|Cache-Control:
"; fast_pattern:only; content:".php HTTP/1.1"; nocase; content:"|0D 0A|
Cache-Control: no-cache|0D 0A|Connection: close|0D 0A|Pragma: no-cache|0D
0A|Content-Type: application/x-www-form-urlencoded|0D 0A|"; within:113;
pcre:"/coded\r\nUser\x2dAgent\x3a\x20[ -~]
+\r\nContent\x2dLength\x3a\x20[2-9][02468]\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\r\n\r\n[a-zA-Z0-9\x2f\x2b\x3d]{20,}$/"; pcre:"/
[\x2f\x2b\x3d]/P"; metadata:impact_flag red, ruleset community, service
http;
reference:url,www.virustotal.com/en/file/980c4ed3dd130c9313a35434e0b102a6
b8b038c98735814834334ccc03e4da3c/analysis/; classtype:trojan-activity;
sid:27254; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE All Numbers .EXE file name from abnormally ordered HTTP
headers - Potential Yakes Trojan Download"; flow:to_server,established;
content:"GET"; http_method; content:".exe HTTP/1.1|0D 0A|Cache-Control:
"; fast_pattern:only; content:".exe HTTP/1.1"; nocase; content:"|0D 0A|
Cache-Control: no-cache|0D 0A|Connection: close|0D 0A|Pragma: no-cache|0D
0A|User-Agent: "; within:76; content:"|3A 20|"; distance:0; content:!"|3A

20|"; distance:0; pcre:"/\x2f\d+\.exe$/Ui"; metadata:impact_flag red,


ruleset community, service http;
reference:url,www.virustotal.com/en/file/980c4ed3dd130c9313a35434e0b102a6
b8b038c98735814834334ccc03e4da3c/analysis/; classtype:trojan-activity;
sid:27255; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Kryptik Drive-by Download Malware";
flow:to_server,established; content:"GET"; http_method; content:".php?
id="; offset:6; fast_pattern; content:" HTTP/1."; within:11; distance:1;
content:"|0D 0A|User-Agent: Mozilla/"; within:22; distance:1;
pcre:"/\)\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\r\n(Cache\x2dControl|
Pragma)\x3a\x20no-cache\r\n\r\n$/"; metadata:policy security-ips drop,
ruleset community, service http; reference:url,threatpost.com/nsa-whistleblower-article-redirects-to-malware;
reference:url,www.virustotal.com/en/file/5d7b09613c03cb3b54b9ab7a886558bb
a38861a899638f4318c09eaa56401821/analysis/1373466967/; classtype:trojan-activity; sid:27256; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Kryptic 7-byte URI Invalid Firefox Headers - no Accept-Language"; flow:to_server,established; urilen:7; content:"GET";
http_method; content:"Firefox/3."; fast_pattern:only; http_header;
pcre:"/^\/[A-Z]{6}$/U"; content:!"Accept-Language:"; http_header;
content:!"Referer:"; http_header; metadata:policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/8c1ff08a25b93da66921c75d0d21a9c0
8c5d3d36b95f9eaf113ecd84fa452944/analysis/1374505566/; classtype:trojan-activity; sid:27257; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Potential Win.Trojan.Kraziomel Download - 000.jpg";
flow:to_server,established; urilen:8; content:"/000.jpg";
fast_pattern:only; http_uri; content:"HTTP/1.0|0D 0A|Host: "; content:!"|
3A 20|"; distance:0; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/33525f8cf5ca951095d4af7376e02682
1b81557526d4846916805387fb9c5bb2/analysis/; classtype:trojan-activity;
sid:27533; rev:3;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain claimcrazy.us - Win.Kraziomel Trojan"; flow:to_server;
content:"|0A|claimcrazy|02|us|00|"; fast_pattern:only;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/33525f8cf5ca951095d4af7376e02682
1b81557526d4846916805387fb9c5bb2/analysis/; classtype:trojan-activity;
sid:27534; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain mainenbha.com - Win.Kraziomel Trojan"; flow:to_server;
content:"|09|mainenbha|03|com|00|"; fast_pattern:only;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/33525f8cf5ca951095d4af7376e02682
1b81557526d4846916805387fb9c5bb2/analysis/; classtype:trojan-activity;
sid:27535; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain ohtheigh.cc - Foreign-R Trojan"; flow:to_server;

byte_test:1,!&,0xF8,2; content:"|08|ohtheigh|02|cc|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,secure2.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Foreign-R/detailed-analysis.aspx;
reference:url,www.virustotal.com/en/file/787cf06f029d8f79ed375aef13d18301
541d73a56b4415da433833b8dae27b63/analysis/1374765802/; classtype:trojan-activity; sid:27537; rev:1;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-OTHER self-signed SSL certificate with default MyCompany Ltd organization name";
flow:established,to_client; ssl_state:server_hello; content:"|55 04 0A|";
content:"|0E|MyCompany Ltd"; within:14; distance:1; metadata:impact_flag
red, ruleset community, service ssl;
reference:url,en.wikipedia.org/wiki/Self-signed_certificate;
reference:url,security.ncsa.illinois.edu/research/gridhowtos/usefulopenssl.html; classtype:policy-violation; sid:27538; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER
HideMeBetter spam injection variant"; flow:to_client,established;
file_data; content:"<div id=|22|HideMeBetter|22|>"; fast_pattern:only;
content:"if(document|2E|getElementById(|22|HideMeBetter|22|)|20 21 3D 20|
null)"; metadata:impact_flag red, policy balanced-ips drop, policy
security-ips drop, ruleset community, service http;
reference:url,blog.sucuri.net/2013/07/hidemebetter-spam-injection-variant.html; classtype:trojan-activity; sid:27565; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Rovnix malicious download request";
flow:to_server,established; content:"/ld.aspx"; nocase; http_uri;
content:"User-Agent|3A 20|FWVersionTestAgent|0D 0A|"; fast_pattern:only;
http_header; metadata:impact_flag red, policy balanced-ips drop, policy
security-ips drop, ruleset community, service http;
reference:url,blog.didierstevens.com/2013/08/04/quickpost-rovnix-pcap;
reference:url,blogs.technet.com/b/mmpc/archive/2013/07/25/the-evolution-of-ronvix-private-tcp-ip-stacks.aspx; classtype:trojan-activity;
sid:27567; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Redyms variant outbound connection";
flow:to_server,established; content:"&intip="; fast_pattern:only;
http_uri; content:"?id="; http_uri; content:"&port="; distance:0;
http_uri; content:"&bid="; distance:0; http_uri; metadata:impact_flag
red, policy balanced-ips drop, policy security-ips drop, ruleset
community, service http;
reference:url,www.virustotal.com/en/file/1c61afd792257cbc72dc3221deb3d009
3f0fc1abf2c3f2816e041e37769137a4/analysis/1375189147/; classtype:trojan-activity; sid:27596; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Fort Disco Registration variant outbound connection";
flow:to_server,established; content:"/cmd.php"; http_uri; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| Synapse)"; fast_pattern:only;
http_header; metadata:policy balanced-ips drop, policy security-ips drop,
ruleset community, service http; reference:url,www.net-security.org/secworld.php?id=15370; classtype:trojan-activity; sid:27599;
rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain documents.myPicture.info"; flow:to_server; byte_test:1,!

&,0xF8,2; content:"|09|documents|09|myPicture|04|info|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html; classtype:trojan-activity;
sid:27625; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain ftp.documents.myPicture.info"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|03|ftp|09|documents|09|myPicture|04|
info|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns;
reference:url,fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html; classtype:trojan-activity;
sid:27626; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain info.xxuz.com"; flow:to_server; byte_test:1,!&,0xF8,2;
content:"|04|info|04|xxuz|03|com|00|"; fast_pattern:only;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service dns;
reference:url,fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html; classtype:trojan-activity;
sid:27627; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain www.documents.myPicture.info"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|03|www|09|documents|09|myPicture|04|
info|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns;
reference:url,fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html; classtype:trojan-activity;
sid:27628; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Backdoor.Aumlib variant outbound connection";
flow:to_server,established; content:"/tomcat-docs/index.jsp?/"; http_uri;
content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 5.01|3B|
Windows NT 5.0|29|"; fast_pattern:only; http_header; metadata:impact_flag
red, policy balanced-ips drop, policy security-ips drop, ruleset
community, service http;
reference:url,fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html; classtype:trojan-activity;
sid:27629; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC
Win.Backdoor.Aumlib variant outbound connection";
flow:to_server,established; content:"/bbs/search.asp"; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 5.0|3B| Windows NT 5.0|
29|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service http;
reference:url,fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html; classtype:trojan-activity;
sid:27630; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC
Win.Backdoor.Aumlib variant outbound connection";
flow:to_server,established; content:"/buy-sell/search.asp?newsid=";
content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 5.0|3B|
Windows NT 5.0|29|"; fast_pattern:only; metadata:impact_flag red, policy

balanced-ips drop, policy security-ips drop, ruleset community, service


http; reference:url,fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html; classtype:trojan-activity; sid:27631; rev:3;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain hidatabase.cn - Worm.Silly"; flow:to_server; byte_test:1,!
&,0xF8,2; content:"|0A|hidatabase|02|cn|00|"; fast_pattern:only;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/0ddd3488b618b17437413a9d579aa111
f0a2ba302262d0a9b0d2832718a93524/analysis/; classtype:trojan-activity;
sid:27632; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Worm.Silly variant outbound connection"; flow:to_server,established;
urilen:7; content:"/ul.htm"; fast_pattern:only; http_uri; content:"|3B|
MSIE 6.0|3B 20|"; http_header; content:!"Accept-Language: "; http_header;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/0ddd3488b618b17437413a9d579aa111
f0a2ba302262d0a9b0d2832718a93524/analysis/; classtype:trojan-activity;
sid:27633; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.SpyBanker.ZSL variant outbound connection";
flow:to_server,established; content:"POST"; http_method;
content:"valor="; depth:6; http_client_body; content:"]branco[";
fast_pattern:only; http_client_body; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http;
reference:url,www.virustotal.com/en/file/709fa674b301e9123fc2c01e817da21c
b29cdfb5a42634a793e27c9533d335b1/analysis/1375811416/; classtype:trojan-activity; sid:27648; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Brazilian Banking Trojan data theft"; flow:to_server,established;
content:"POST"; http_method; content:"remetente="; depth:10;
http_client_body; content:"&destinatario="; distance:0; http_client_body;
content:"&assunto="; distance:0; http_client_body; content:"&mensagem=";
distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http;
classtype:trojan-activity; sid:27649; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.ZeroAccess variant outbound connection";
flow:to_server,established; urilen:>95; content:".php HTTP/1.1|0D 0A|
User-Agent: Opera/"; fast_pattern:only; pcre:"/(?=^[a-z\x2d\x5f\x2f]
{95,}\.php$).*?[a-z]{2,48}\x2d[a-z]{2,48}\x2d[a-z]{2,48}\x2d[a-z]
{2,48}\x2d?\.php$/U"; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
classtype:trojan-activity; sid:27680; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain www.wolfvr.com"; flow:to_server; byte_test:1,!&,0xF8,2;
content:"|06|wolfvr|03|com|00|"; fast_pattern:only; metadata:impact_flag
red, policy balanced-ips drop, policy security-ips drop, ruleset
community, service dns;
reference:url,www.virustotal.com/en/file/f53a483befed8d1494827a3f2444cfe6

38d3f7e595d72b722eab92d1aca9ede3/analysis/1376847283/; classtype:trojan-activity; sid:27707; rev:1;)


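# sid:27708 (disabled by the leading #) - Urausy check-in: normalized URI longer than 145 bytes ending in .html, made of 80+ lowercase/dash/underscore characters, a fixed MSIE 9.0 / Windows NT 6.1 User-Agent, and no Cookie, X-BlueCoat-Via or Referer header.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Urausy outbound connection"; flow:to_server,established; urilen:>145,norm; content:".html"; http_uri; content:"User-Agent|3A| Mozilla/5.0 |28|compatible|3B| MSIE 9.0|3B| Windows NT 6.1|3B| Trident/5.0"; fast_pattern:only; http_header; content:!"Cookie:"; http_header; content:!"X-BlueCoat-Via:"; http_header; content:!"Referer"; http_header; pcre:"/\x2f[a-z-_]{80,}\x2ehtml$/U"; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/f53a483befed8d1494827a3f2444cfe638d3f7e595d72b722eab92d1aca9ede3/analysis/1376847283/; classtype:trojan-activity; sid:27708; rev:7;)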
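# sid:27726 - Orbit Downloader client requesting /update/ido.ipl, the update path the rule attributes to its denial-of-service component (see msg and the welivesecurity reference).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Orbit Downloader denial of service update"; flow:to_server,established; content:"/update/ido.ipl"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.welivesecurity.com/2013/08/21/orbital-decay-the-dark-side-of-a-popular-file-downloading-tool; classtype:trojan-activity; sid:27726; rev:2;)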
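# sid:27727 - same family as sid:27726; matches the /update/myinfo.php request of the Orbit Downloader update channel.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Orbit Downloader denial of service update"; flow:to_server,established; content:"/update/myinfo.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.welivesecurity.com/2013/08/21/orbital-decay-the-dark-side-of-a-popular-file-downloading-tool; classtype:trojan-activity; sid:27727; rev:2;)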
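# sid:27728 - same family as sid:27726; matches the /update/param.php? request (query string present) of the Orbit Downloader update channel.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Orbit Downloader denial of service update"; flow:to_server,established; content:"/update/param.php?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.welivesecurity.com/2013/08/21/orbital-decay-the-dark-side-of-a-popular-file-downloading-tool; classtype:trojan-activity; sid:27728; rev:2;)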
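# sid:27774 - multipart POST uploading a file under the form field "arquivo" (Portuguese: file) whose filename is a Windows path (C:\) ending in _.log, the log-exfiltration shape of the RDN banker.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC RDN Banker Data Exfiltration"; flow:to_server,established; content:"POST"; http_method; content:"|3B| name=|22|arquivo|22 3B| filename=|22|C:|5C|"; fast_pattern:only; http_client_body; content:"_.log|22 0D 0A|"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27774; rev:1;)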
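# sid:27775 - Fareit beacon: GET of a .htm URI that nonetheless carries a 164-byte body (Content-Length: 164 directly followed by User-Agent), no Accept header, a Host value with three dots a few bytes apart (the shape of a dotted-quad IP), and body bytes 4-7 equal to 6C 55 55 45 ("lUUE").
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection"; flow:to_server,established; content:"GET"; http_method; content:".htm"; http_uri; content:!"Accept"; http_header; content:"|0A|Content-Length: 164|0D 0A|User-Agent: "; fast_pattern:only; http_header; content:"host|3A|"; nocase; http_header; content:"|2E|"; within:5; http_header; content:"|2E|"; within:4; http_header; content:"|2E|"; within:4; http_header; content:"|6C 55 55 45|"; depth:4; offset:4; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27775; rev:4;)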
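# sid:27801 - standard DNS query (flags byte top five bits clear) for sectempus.biz, a domain the rule ties to Win.Trojan.PRISM; wire-format labels, port 53 to $EXTERNAL_NET.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request for known malware domain sectempus.biz - Win.Trojan.PRISM"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|sectempus|03|biz|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/417cb84f48d20120b92530c489e9c3ee9a9deab53fddc0dc153f1034d3c52c58/analysis/1377785686/; classtype:trojan-activity; sid:27801; rev:1;)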
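# sid:27802 - PRISM variant: URI containing /page/index_htm_files2/ (case-insensitive) followed, after exactly three bytes, by .png.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.PRISM variant outbound connection"; flow:to_server,established; content:"/page/index_htm_files2/"; nocase; http_uri; content:".png"; within:4; distance:3; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/417cb84f48d20120b92530c489e9c3ee9a9deab53fddc0dc153f1034d3c52c58/analysis/1377785686/; classtype:trojan-activity; sid:27802; rev:3;)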
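# sid:27803 - PRISM variant: URI beginning with /form.php and a client body containing the fixed token RcpTfdsvoD9KB9O.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.PRISM variant outbound connection"; flow:to_server,established; content:"/form.php"; depth:9; http_uri; content:"RcpTfdsvoD9KB9O"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/417cb84f48d20120b92530c489e9c3ee9a9deab53fddc0dc153f1034d3c52c58/analysis/1377785686/; classtype:trojan-activity; sid:27803; rev:3;)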
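# sid:27804 - PRISM variant: URI /page/index.php (case-insensitive), a Cookie containing foo=, and a client body starting with data=RcpTfdssoD9KB9O (note the token differs from sid:27803 by one character: "dss" vs "dsv").
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.PRISM variant outbound connection"; flow:to_server,established; content:"/page/index.php"; nocase; http_uri; content:"foo="; http_cookie; content:"data=RcpTfdssoD9KB9O"; depth:20; fast_pattern; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/417cb84f48d20120b92530c489e9c3ee9a9deab53fddc0dc153f1034d3c52c58/analysis/1377785686/; classtype:trojan-activity; sid:27804; rev:3;)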
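# sid:27805 - Bisonha beacon: a plaintext "GET /3001" sent to port 443 (the rule is tagged service ssl but matches raw bytes, not TLS), followed by 262-304 uppercase-hex characters and a run of 25 zeros; isdataat:260 ensures enough payload is present before the pcre runs.
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Bisonha variant outbound connection"; flow:to_server,established; content:"GET /3001"; fast_pattern; isdataat:260,relative; content:"0000000000000000000000000"; pcre:"/\/3001[0-9A-F]{262,304}/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:url,bl0g.cedricpernet.net/post/2013/08/29/APT-More-onG20Summit-Espionage-Operation; reference:url,www.virustotal.com/en/file/f0d8834fb0e2d3c6e7c1fde7c6bcf9171e5deca119338e4fac21568e0bb70ab7/analysis/; classtype:trojan-activity; sid:27805; rev:1;)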
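# sid:27865 - Blackhole v2 / Darkleech landing-page request: GET of a URI longer than 32 bytes shaped /<32 hex chars>/<word>-<word>.php, excluding requests that carry PacketShaper or siteadvisor.com headers (known benign scanners).
# NOTE(review): the hex class is [a-f0-9]; the copy this was restored from read [a-f09] because the "0-9" range lost its hyphen at a line wrap, which would have matched only a-f, 0 and 9 and silently broken the 32-hex-character path check.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2/Darkleech exploit kit landing page request"; flow:to_server,established; urilen:>32; content:".php"; fast_pattern:only; http_uri; content:"GET"; http_method; pcre:"/^\/[a-f0-9]{32}\/[a-z]{1,15}-[a-z]{1,15}\.php/U"; content:!"PacketShaper"; http_header; content:!"siteadvisor.com"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:27865; rev:6;)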
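# sid:27866 - Blackhole v2 / Darkleech landing page served to a client: the response body opens with a 1x1-pixel hidden-div stylesheet. Sets flowbit file.exploit_kit.jar so follow-on JAR rules can key on this flow.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2/Darkleech exploit kit landing page"; flow:to_client,established; file_data; content:"<body><b></b><style>div{overflow|3A|hidden|3B|width|3A|1px|3B|height|3A|1px}</style><div>"; fast_pattern:only; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27866; rev:1;)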
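# sid:27899 (disabled) - SIP OPTIONS scanning over UDP toward $SIP_SERVERS; detection_filter makes it fire only once a single source has sent 100 OPTIONS requests within 25 seconds, so isolated OPTIONS keep-alives do not alert.
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Possible SIP OPTIONS service information gathering attempt"; flow:to_server; sip_method:options; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:ruleset community, service sip; reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; classtype:attempted-recon; sid:27899; rev:1;)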
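# sid:27900 (disabled) - burst of SIP 4xx responses (sip_stat_code:4 matches any 4xx) from a SIP server over UDP: 100 within 25 seconds from one source, the server-side symptom of extension or password guessing.
# alert udp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Excessive number of SIP 4xx responses potential user or password guessing attempt"; flow:to_client; sip_stat_code:4; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:ruleset community, service sip; reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; classtype:attempted-recon; sid:27900; rev:1;)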
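# sid:27901 (disabled) - burst of SIP 180 (Ringing) responses from a SIP server over UDP, 100 within 25 seconds per source: phones ringing en masse, the "ghost call" symptom.
# alert udp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Ghost call attack attempt"; flow:to_client; sip_stat_code:180; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:ruleset community, service sip; reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; classtype:attempted-recon; sid:27901; rev:1;)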
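# sid:27902 (disabled) - TCP counterpart of sid:27899: 100 SIP OPTIONS requests from one source within 25 seconds on an established connection.
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Possible SIP OPTIONS service information gathering attempt"; flow:to_server,established; sip_method:options; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:ruleset community, service sip; reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; classtype:attempted-recon; sid:27902; rev:1;)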
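# sid:27903 (disabled) - TCP counterpart of sid:27901: 100 SIP 180 (Ringing) responses from one server within 25 seconds.
# alert tcp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Ghost call attack attempt"; flow:to_client,established; sip_stat_code:180; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:ruleset community, service sip; reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; classtype:attempted-recon; sid:27903; rev:1;)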
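# sid:27904 (disabled) - TCP counterpart of sid:27900: 100 SIP 4xx responses from one server within 25 seconds.
# alert tcp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Excessive number of SIP 4xx responses potential user or password guessing attempt"; flow:to_client,established; sip_stat_code:4; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:ruleset community, service sip; reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; classtype:attempted-recon; sid:27904; rev:1;)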

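# sid:27907 (disabled) - Blackhole v2 / Cool payload fetch: a GET with a " Java/1." User-Agent (the JRE's own downloader) to a .php URI of 50-150 bytes carrying exactly two query parameters; the pcre also admits the closest/<15-25 alphanumerics>.php path form.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit payload download attempt"; flow:to_server,established; urilen:50<>150; content:"GET"; http_method; content:" Java/1."; fast_pattern:only; http_header; content:".php?"; http_uri; pcre:"/\/(?:[^\/]+?\/[a-z]{2,24}[_-][a-z]{2,16}([_-][a-z]{2,16})*?|closest\/[a-z0-9]{15,25})\.php\?[\(\)\!\*\w-]+=[\(\)\!\*\w-]+&[\(\)\*\!\w-]+=[\(\)\!\*\w-]+$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:27907; rev:7;)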
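# sid:27913 (disabled) - Vittalia adware ad fetch: URI /afr.php?zoneid= with a header (Referer, presumably) containing /ads/ox.html.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Vittalia adware - get ads"; flow:to_server,established; content:"/afr.php?zoneid="; http_uri; content:"/ads/ox.html"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/9cdb2b3095cfb94cf8f6204d0f073674dd808b0f742a16216c2f06cf3b5afd50/analysis/1378700802/; classtype:trojan-activity; sid:27913; rev:2;)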
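# sid:27914 (disabled) - Vittalia post-install report: URI /report.php?key= with the installer's User-Agent "NSIS_ToolkitOffers (Mozilla)".
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Vittalia adware - post install"; flow:to_server,established; content:"/report.php?key="; http_uri; content:"User-Agent|3A| NSIS_ToolkitOffers (Mozilla)"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/9cdb2b3095cfb94cf8f6204d0f073674dd808b0f742a16216c2f06cf3b5afd50/analysis/1378700802/; classtype:trojan-activity; sid:27914; rev:2;)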
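# sid:27915 (disabled) - Vittalia pre-install call-home: URI /instapi.php?idMk= followed in order by &state=, &idTime=, &idA2= and &xVal=, with the NSIS_ToolkitOffers User-Agent.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Vittalia adware outbound connection - pre install"; flow:to_server,established; content:"/instapi.php?idMk="; http_uri; content:"&state="; distance:0; http_uri; content:"&idTime="; distance:0; http_uri; content:"&idA2="; distance:0; http_uri; content:"&xVal="; distance:0; http_uri; content:"User-Agent|3A| NSIS_ToolkitOffers (Mozilla)"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/9cdb2b3095cfb94cf8f6204d0f073674dd808b0f742a16216c2f06cf3b5afd50/analysis/1378700802/; classtype:trojan-activity; sid:27915; rev:2;)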
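# sid:27916 (disabled) - Vittalia bundle fetching the Eazel toolbar installer /utilsbar/EazelBar.exe with the NSIS_ToolkitOffers User-Agent.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Vittalia adware outbound connection - Eazel toolbar install"; flow:to_server,established; content:"/utilsbar/EazelBar.exe"; http_uri; content:"User-Agent|3A| NSIS_ToolkitOffers (Mozilla)"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/9cdb2b3095cfb94cf8f6204d0f073674dd808b0f742a16216c2f06cf3b5afd50/analysis/1378700802/; classtype:trojan-activity; sid:27916; rev:2;)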
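# sid:27917 (disabled) - Vittalia offer request: URI /listener.php with the NSIS_ToolkitOffers User-Agent.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Vittalia adware outbound connection - offers"; flow:to_server,established; content:"/listener.php"; http_uri; content:"User-Agent|3A| NSIS_ToolkitOffers (Mozilla)"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/9cdb2b3095cfb94cf8f6204d0f073674dd808b0f742a16216c2f06cf3b5afd50/analysis/1378700802/; classtype:trojan-activity; sid:27917; rev:2;)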
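# sid:27918 - Zeus variant fetching an .exe over HTTP/1.0 with the distinctive header "Accept-Encoding: identity, *;q=0" and an MSIE User-Agent fragment.
# NOTE(review): the header name is "Accept-Encoding"; the copy this was restored from read "AcceptEncoding" because the hyphen fell at a line wrap. Without it the content could never match a real header; the sibling rule sid:27919 spells the same header as Accept-Encoding|3A|.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; content:".exe HTTP/1.0|0D 0A|Host:"; fast_pattern:only; content:"Accept-Encoding: identity, *|3B|q=0|0D 0A|"; http_header; content:"|3B| MSIE "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8825abfca1a6d843ce5670858886cb63bb1317ddbb92f91ffd46cfdcaba9ac00/analysis/; classtype:trojan-activity; sid:27918; rev:2;)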
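# sid:27919 - Zeus exfiltration POST: same "Accept-Encoding: identity, *;q=0" header and MSIE fragment as sid:27918, plus a client body containing four consecutive bytes outside printable ASCII (the /P pcre), i.e. an encrypted rather than form-encoded body.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus encrypted POST Data exfiltration"; flow:to_server,established; content:"Accept-Encoding|3A| identity, *|3B|q=0|0D 0A|"; fast_pattern:only; http_header; content:"|3B| MSIE "; http_header; pcre:"/[^ -~\r\n]{4}/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8825abfca1a6d843ce5670858886cb63bb1317ddbb92f91ffd46cfdcaba9ac00/analysis/; classtype:trojan-activity; sid:27919; rev:3;)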
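# sid:27964 - Gh0st RAT framing on any TCP port: payload begins with the magic "Gh0st", then (after one byte) three zero bytes, then (after two more) 00 00 78 9C, where 78 9C is the usual zlib stream header of the compressed body. No service tag, so this is evaluated on any port.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Gh0st variant outbound connection"; flow:to_server,established; content:"Gh0st"; depth:5; content:"|00 00 00|"; within:3; distance:1; content:"|00 00 78 9C|"; within:4; distance:2; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,virustotal.com/en/file/a4fd37b8b9eabd0bfda7293acbb1b6c9f97f8cc3042f3f78ad2b11816e1f9a59/analysis/1425053730/; classtype:trojan-activity; sid:27964; rev:5;)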
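# sid:27965 - Eupuds: a server response (file_data) whose body contains a literal SQL "insert into avs (...)values(" statement with the given column list, the shape of the C2 page this family retrieves.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Eupuds variant connection"; flow:to_client,established; file_data; content:"insert into avs (id, pc,data,ref,country , id_user, mostrar)values("; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/09f4611c05dcff55d4471b90d41b0fd3e6d3289f71321301751008dab75ded4d/analysis/; classtype:trojan-activity; sid:27965; rev:2;)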
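# sid:27966 - China Chopper web shell traffic toward $HTTP_SERVERS: an inbound request carrying an X-Forwarded-For header whose body contains "=Response" and "FromBase64String" (the ASP.NET flavour of the one-line shell being driven by its client). Inbound to servers, so tune $HTTP_SERVERS to avoid evaluating every client flow.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Chopper web shell connection"; flow:to_server,established; content:"X-Forwarded-For"; nocase; http_header; content:"=Response"; nocase; http_client_body; content:"FromBase64String"; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html; reference:url,www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html; reference:url,www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html; reference:url,www.virustotal.com/en/file/BE24561427D754C0C150272CAB5017D5A2DA64D41BEC74416B8AE363FB07FD77/analysis/; classtype:trojan-activity; sid:27966; rev:2;)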
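# sid:27967 (disabled) - China Chopper variant keyed on the default parameter name: body contains "caidao=" followed (optionally after whitespace) by Response, Write or Execute, case-insensitive. Not set to drop in any policy.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Chopper web shell connection"; flow:to_server,established; content:"X-Forwarded-For"; nocase; http_header; content:"caidao="; fast_pattern:only; http_client_body; pcre:"/caidao\s?=\s?(Response|Write|Execute)/Pmi"; metadata:impact_flag red, ruleset community, service http; reference:url,informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html; reference:url,www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html; reference:url,www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html; reference:url,www.virustotal.com/en/file/BE24561427D754C0C150272CAB5017D5A2DA64D41BEC74416B8AE363FB07FD77/analysis/; classtype:trojan-activity; sid:27967; rev:2;)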
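# sid:27968 - China Chopper ASP flavour: X-Forwarded-For header plus a body containing "=Execute" and the URL-encoded VBScript prologue "On+Error+Resume+Next:".
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Chopper web shell connection"; flow:to_server,established; content:"X-Forwarded-For"; nocase; http_header; content:"=Execute"; nocase; http_client_body; content:"On+Error+Resume+Next:"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html; reference:url,www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html; reference:url,www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html; reference:url,www.virustotal.com/en/file/BE24561427D754C0C150272CAB5017D5A2DA64D41BEC74416B8AE363FB07FD77/analysis/; classtype:trojan-activity; sid:27968; rev:2;)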
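# sid:28005 - Kuluoz pushing PHP -d directives through the query string of /index.php? (safe_mode, disable_functions, allow_url_fopen, allow_url_include, auto_prepend_file, in that order) plus an echo.txt reference; fires once a source sends 20 such requests in 60 seconds.
# NOTE(review): the third directive is "-dallow_url_fopen"; the copy this was restored from read "dallow_url_fopen" because its leading hyphen fell at a line wrap. The four sibling contents all carry the "-d" prefix.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kuluoz outbound command"; flow:to_server,established; content:"/index.php?"; http_uri; content:"-dsafe_mode"; distance:0; http_uri; content:"-ddisable_functions"; distance:0; http_uri; content:"-dallow_url_fopen"; distance:0; http_uri; content:"-dallow_url_include"; distance:0; http_uri; content:"-dauto_prepend_file"; distance:0; http_uri; content:"echo.txt"; detection_filter:track by_src, count 20, seconds 60; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2d134b69c41fadc5d3a28c90e452323f1c54dd1aa20ac5f5e897feac8d86755a/analysis/; classtype:trojan-activity; sid:28005; rev:2;)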
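# sid:28006 (disabled) - Kuluoz download request: URI ending in info.php?message= or app.php?message=. Drops only in the security policy.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Trojan.Kuluoz outbound download request"; flow:to_server,established; content:"?message="; fast_pattern:only; http_uri; pcre:"/(info|app)\x2ephp\x3fmessage\x3d/U"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,malwaremustdie.blogspot.com/2013/09/302-redirector-new-cushion-attempt-to.html; classtype:trojan-activity; sid:28006; rev:1;)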
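# sid:28007 - BLYPT installer reporting its startupkey_ stage via /index.aspx?info=startupkey_; one of five sibling rules (28007-28011) that differ only in the info= value.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC BLYPT installer startupkey outbound traffic"; flow:to_server,established; content:"/index.aspx?info=startupkey_"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/blypt-a-new-backdoor-family-installed-via-java-exploit; classtype:trojan-activity; sid:28007; rev:1;)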

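# sid:28008 - BLYPT installer: /index.aspx?info=reuse (see sid:28007 for the family).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC BLYPT installer reuse outbound traffic"; flow:to_server,established; content:"/index.aspx?info=reuse"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/blypt-a-new-backdoor-family-installed-via-java-exploit; classtype:trojan-activity; sid:28008; rev:1;)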
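# sid:28009 - BLYPT installer: /index.aspx?info=configkey (see sid:28007 for the family).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC BLYPT installer configkey outbound traffic"; flow:to_server,established; content:"/index.aspx?info=configkey"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/blypt-a-new-backdoor-family-installed-via-java-exploit; classtype:trojan-activity; sid:28009; rev:1;)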
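# sid:28010 - BLYPT installer: /index.aspx?info=tserror_ (see sid:28007 for the family).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC BLYPT installer tserror outbound traffic"; flow:to_server,established; content:"/index.aspx?info=tserror_"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/blypt-a-new-backdoor-family-installed-via-java-exploit; classtype:trojan-activity; sid:28010; rev:1;)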
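# sid:28011 - BLYPT installer: /index.aspx?info=createproc_ (see sid:28007 for the family).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC BLYPT installer createproc outbound traffic"; flow:to_server,established; content:"/index.aspx?info=createproc_"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/blypt-a-new-backdoor-family-installed-via-java-exploit; classtype:trojan-activity; sid:28011; rev:1;)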
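# sid:28012 - Bancos variant: client body starting with "from=%20Nome..:" (Nome is Portuguese for name), the opening of its stolen-data form post.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"from=%20Nome..:"; depth:15; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d8870137f7f761055a2ac83b03eb3f8fe26015fa0ba99f41551ca59374c6a3ec/analysis/1365436849/; classtype:trojan-activity; sid:28012; rev:1;)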
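# sid:28026 (disabled) - Blackhole v2 landing page, second template: response body containing "</div><i></i><style>div{overflow:hidden;width:1px;". Compare sid:27866, which keys on the "<body><b></b>" variant and sets a flowbit; this one does not.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page"; flow:to_client,established; file_data; content:"</div><i></i><style>div{overflow|3A|hidden|3B|width|3A|1px|3B|"; fast_pattern:only; metadata:ruleset community, service http; classtype:trojan-activity; sid:28026; rev:2;)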
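# sid:28028 (disabled) - Blackhole v2 / Cool exploit fetch: same Java User-Agent and path grammar as sid:27907, but the URI is 50-250 bytes and must carry exactly five query parameters.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit exploit download attempt"; flow:to_server,established; urilen:50<>250; content:"GET"; http_method; content:" Java/1."; fast_pattern:only; http_header; content:".php?"; http_uri; pcre:"/\/(?:[^\/]+?\/[a-z]{2,24}[_-][a-z]{2,16}([_-][a-z]{2,16})*?|closest\/[a-z0-9]{15,25})\.php\?[\(\)\!\*\w-]+=[\(\)\!\*\w-]+&[\(\)\*\!\w-]+=[\(\)\!\*\w-]+&[\(\)\!\*\w-]+=[\(\)\!\*\w-]+&[\(\)\!\*\w-]+=[\(\)\!\*\w-]+&[\(\)\!\*\w-]+=[\(\)\!\*\w-]+$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:28028; rev:5;)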
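# sid:28033 - Urausy variant: normalized URI longer than 95 bytes made of 90+ lowercase letters/underscores ending in .html or .php, with a fixed Opera/10.80 "Edition Yx" User-Agent. The User-Agent content has no http_header modifier, so it is searched in the raw payload.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Urausy variant outbound connection"; flow:to_server,established; urilen:>95,norm; content:"User-Agent|3A| Opera/10.80 |28|Windows NT 5.1|3B| U|3B| Edition Yx|3B| en|29| Presto/2.9.168 Version/11.52|0D 0A|"; fast_pattern:only; pcre:"/\x2f[a-z_]{90,}\x2e(html|php)$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e74e0b2f3efbe8edadeaeef501fe268e2ff7c8a8bc8550de7924f77f2a612941/analysis/1378636986/; classtype:trojan-activity; sid:28033; rev:2;)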
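# sid:28034 - standard DNS query for heftyzonealarm.info (Urausy C2 domain per the msg); same byte_test/label-encoding pattern as sid:27801.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request for known malware domain heftyzonealarm.info - Win.Ransomware.Urausy"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|heftyzonealarm|04|info|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/e74e0b2f3efbe8edadeaeef501fe268e2ff7c8a8bc8550de7924f77f2a612941/analysis/1378636986/; classtype:trojan-activity; sid:28034; rev:1;)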
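# sid:28035 - standard DNS query for blackicemaccom.biz (Urausy C2 domain per the msg); same pattern as sid:28034.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request for known malware domain blackicemaccom.biz - Win.Ransomware.Urausy"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|blackicemaccom|03|biz|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/e74e0b2f3efbe8edadeaeef501fe268e2ff7c8a8bc8550de7924f77f2a612941/analysis/1378636986/; classtype:trojan-activity; sid:28035; rev:1;)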
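# sid:28036 - standard DNS query for lealemon.xxuz.com (Urausy C2 domain per the msg); same pattern as sid:28034.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request for known malware domain lealemon.xxuz.com - Win.Ransomware.Urausy"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|lealemon|04|xxuz|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/e74e0b2f3efbe8edadeaeef501fe268e2ff7c8a8bc8550de7924f77f2a612941/analysis/1378636986/; classtype:trojan-activity; sid:28036; rev:1;)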
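# sid:28042 - Caphaw check-in: URI containing /ping.html?r= but not /utils/ (the negated content trims a known false positive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Caphaw variant outbound connection"; flow:to_server,established; content:"/ping.html?r="; fast_pattern:only; http_uri; content:!"/utils/"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,research.zscaler.com/2013/09/a-new-wave-of-win32caphaw-attacks.html; classtype:trojan-activity; sid:28042; rev:4;)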
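# sid:28044 - CryptoLocker payload fetch: URI ending in /crypt_1_sell<dd>-<dd>.exe (two two-digit groups, case-insensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CryptoLocker variant connection"; flow:to_server,established; content:"/crypt_1_sell"; fast_pattern:only; http_uri; pcre:"/\/crypt_1_sell\d\d-\d\d.exe$/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d4b16269c9849c33a7bb2fdc782173a00e99db12a585689618dde3f4c6fcb101/analysis; classtype:trojan-activity; sid:28044; rev:3;)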
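# sid:28079 - Napolar beacon: POST body of the form v=<3 bytes>&u=...&c=...&s={<36-char value>}&w=, the field spacing enforced with within/distance (the 36 bytes inside the braces match the length of a GUID-style id).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Napolar variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"v="; http_client_body; content:"|26|u="; within:3; distance:3; http_client_body; content:"|26|c="; distance:0; http_client_body; content:"|26|s={"; distance:0; http_client_body; content:"}|26|w="; within:4; distance:36; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/463d39dcbf19b5c4c9e314e5ce77bf8a51848b8c7d64e4f0a6656b9d28941e2e/analysis/; classtype:trojan-activity; sid:28079; rev:3;)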
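# sid:28080 (disabled) - Napolar data theft: client body beginning with p= and containing ".exe&h=" (the stolen-from process name followed by a hash-like field). Drops only in the security policy.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Napolar data theft"; flow:to_server,established; content:".exe&h="; fast_pattern:only; http_client_body; content:"p="; depth:2; http_client_body; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/12781be5908ecc3dbf4a459e4cbc7bedb654b50236f7a961e85f3af5e2275ddf/analysis/; classtype:trojan-activity; sid:28080; rev:2;)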
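# sid:28105 - Banload check-in to a URI containing /v22/mutabixa/.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload variant outbound connection"; flow:to_server,established; content:"/v22/mutabixa/"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.nyxbone.com/malware/banload.html; classtype:trojan-activity; sid:28105; rev:3;)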
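# sid:28106 - Banload infection report: URI /v22/mutabixa/1nf3ct/ followed by the chave= and &url= parameters (chave is Portuguese for key).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload information upload"; flow:to_server,established; content:"/v22/mutabixa/1nf3ct/"; http_uri; content:"chave="; distance:0; http_uri; content:"&url="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.nyxbone.com/malware/banload.html; classtype:trojan-activity; sid:28106; rev:2;)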
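# sid:28107 - Banload payload download: a .jpg URI requested with the User-Agent "runddll32.exe" (note the doubled d, which no legitimate Windows binary uses).
# NOTE(review): the User-Agent content was previously qualified with http_uri, which restricts the match to the normalized URI buffer; a request header can never appear there, so the rule could not fire as written. It is qualified with http_header here, consistent with sid:28114 and the other User-Agent matches in this file; bump rev if this is adopted upstream.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload download"; flow:to_server,established; content:".jpg"; http_uri; content:"User-Agent|3A| runddll32.exe"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.nyxbone.com/malware/banload.html; classtype:trojan-activity; sid:28107; rev:2;)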
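# sid:28114 (disabled) - Fareit encrypted GET: URI exactly /default.htm (urilen:12), no Referer or Accept header, and a body containing four consecutive non-printable bytes. One of ten siblings (28114-28123) that differ only in the page name and matching urilen.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /default.htm GET Encrypted Payload"; flow:to_server,established; urilen:12; content:"GET"; http_method; content:"/default.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28114; rev:1;)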
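# sid:28115 (disabled) - Fareit encrypted GET to /file.htm (urilen:9); see sid:28114 for the shared shape.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /file.htm GET Encrypted Payload"; flow:to_server,established; urilen:9; content:"GET"; http_method; content:"/file.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28115; rev:1;)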

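# sid:28116 (disabled) - Fareit encrypted GET to /home.htm (urilen:9); see sid:28114 for the shared shape.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /home.htm GET Encrypted Payload"; flow:to_server,established; urilen:9; content:"GET"; http_method; content:"/home.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28116; rev:1;)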
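# sid:28117 (disabled) - Fareit encrypted GET to /install.htm (urilen:12); see sid:28114 for the shared shape.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /install.htm GET Encrypted Payload"; flow:to_server,established; urilen:12; content:"GET"; http_method; content:"/install.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28117; rev:1;)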
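# sid:28118 (disabled) - Fareit encrypted GET to /login.htm (urilen:10); see sid:28114 for the shared shape.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /login.htm GET Encrypted Payload"; flow:to_server,established; urilen:10; content:"GET"; http_method; content:"/login.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28118; rev:1;)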
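# sid:28119 (disabled) - Fareit encrypted GET to /search.htm (urilen:11); see sid:28114 for the shared shape.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /search.htm GET Encrypted Payload"; flow:to_server,established; urilen:11; content:"GET"; http_method; content:"/search.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28119; rev:1;)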
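# sid:28120 (disabled) - Fareit encrypted GET to /start.htm (urilen:10); see sid:28114 for the shared shape.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /start.htm GET Encrypted Payload"; flow:to_server,established; urilen:10; content:"GET"; http_method; content:"/start.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28120; rev:1;)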
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Fareit variant outbound connection - /welcome.htm GET
Encrypted Payload"; flow:to_server,established; urilen:12; content:"GET";
http_method; content:"/welcome.htm"; fast_pattern:only; http_uri;

content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/


[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community,
service http;
reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa63
4484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity;
sid:28121; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Fareit variant outbound connection - /index.htm GET Encrypted
Payload"; flow:to_server,established; urilen:10; content:"GET";
http_method; content:"/index.htm"; fast_pattern:only; http_uri;
content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/
[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community,
service http;
reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa63
4484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity;
sid:28122; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Fareit variant outbound connection - /setup.htm GET Encrypted
Payload"; flow:to_server,established; urilen:10; content:"GET";
http_method; content:"/setup.htm"; fast_pattern:only; http_uri;
content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/
[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community,
service http;
reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa63
4484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity;
sid:28123; rev:1;)
# Win.Trojan.Conficker variant (sid 28147, disabled): GET for exactly
# /search?q=<one digit> (urilen:11 plus the anchored pcre /U), with the fixed
# MSIE 6.0 / .NET CLR 1.1.4322 User-Agent, a "Pragma: no-cache" header and
# no Accept header. The anchored single-digit query is what narrows this
# beyond an otherwise generic header combination.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Conficker variant connection"; flow:to_server,established;
urilen:11; content:"/search?q="; fast_pattern:only; http_uri;
content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT
5.1|3B| SV1|3B| .NET CLR 1.1.4322)"; http_header; content:"|0D 0A|Pragma:
no-cache|0D 0A|"; http_header; content:!"Accept"; http_header;
pcre:"/^\/search\?q=[0-9]$/Umi"; metadata:impact_flag red, policy
security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/57212e057db0d45d94d08cd47dec85f0
d85a20a7f4d3824559c81a50999cc2a5/analysis/; classtype:trojan-activity;
sid:28147; rev:3;)
# Win.Trojan.Mevade check-in (sid 28148, enabled, drop in both balanced and
# security policies): outbound HTTP request carrying a non-standard "uuid: "
# header, no User-Agent header, and four consecutive non-printable bytes in
# the request body (/P). The missing User-Agent is a negated match, so a
# client that later adds one would stop matching.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Mevade variant outbound connection";
flow:to_server,established; content:"|0D 0A|uuid: "; fast_pattern:only;
http_header; content:!"User-Agent:"; http_header; pcre:"/[^\n -~\r]
{4}/P"; metadata:impact_flag red, policy balanced-ips drop, policy
security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/526fe8eee74dc51a23e458115179dcda
4027277b696b6a06889ed52751b39f54/analysis/; classtype:trojan-activity;
sid:28148; rev:1;)
# DNS lookup of kievandmoskaustt.in (sid 28152, enabled): byte_test:1,!&,0xF8,2
# requires the high bits of the flags byte to be clear (a standard query, not
# a response), and the length-prefixed label form |10|kievandmoskaustt|02|in|00|
# only matches the whole name, not a longer name containing it. Destination
# is "any 53", so queries sent to an internal resolver are in scope.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain kievandmoskaustt.in"; flow:to_server; byte_test:1,!
&,0xF8,2; content:"|10|kievandmoskaustt|02|in|00|"; fast_pattern:only;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/5a9cd53f13825e17107d6b9f81ebe401
3f3abf23429d9735c7258d43c101b71f/analysis/; classtype:trojan-activity;
sid:28152; rev:1;)

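# Win.Trojan.Foreign check-ins (sids 28153-28155, disabled): POST requests
# that lack an Accept-Language header and carry four consecutive
# non-printable bytes in the body (/P), keyed either on the fixed /html2/
# URI (urilen:7) or on a "; MSIE 7.1; " / "; MSIE 7.2; " User-Agent
# fragment. All three cite the same VirusTotal sample as sid 28152 above.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Foreign variant outbound connection - /html2/";
flow:to_server,established; urilen:7; content:"POST"; http_method;
content:"/html2/"; fast_pattern:only; http_uri; content:!"Accept-Language:"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy
security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/5a9cd53f13825e17107d6b9f81ebe401
3f3abf23429d9735c7258d43c101b71f/analysis/; classtype:trojan-activity;
sid:28153; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Foreign variant outbound connection - MSIE 7.1";
flow:to_server,established; content:"POST"; http_method; content:"|3B|
MSIE 7.1|3B 20|"; fast_pattern:only; http_header; content:!"Accept-Language:"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy
security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/5a9cd53f13825e17107d6b9f81ebe401
3f3abf23429d9735c7258d43c101b71f/analysis/; classtype:trojan-activity;
sid:28154; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Foreign variant outbound connection - MSIE 7.2";
flow:to_server,established; content:"POST"; http_method; content:"|3B|
MSIE 7.2|3B 20|"; fast_pattern:only; http_header; content:!"Accept-Language:"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy
security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/5a9cd53f13825e17107d6b9f81ebe401
3f3abf23429d9735c7258d43c101b71f/analysis/; classtype:trojan-activity;
sid:28155; rev:2;)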
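# Linkury adware time check (sid 28156, disabled): a raw match on the whole
# request "GET /utc/now HTTP/1.1" to www.timeapi.org with Keep-Alive. The
# 68-byte content plus "GET " is exactly dsize:72, so only this byte-exact
# request matches; a client of the same API that sends any extra header
# falls outside the rule.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE
Linkury outbound time check"; flow:to_server,established; dsize:72;
urilen:8; content:"/utc/now HTTP/1.1|0D 0A|Host: www.timeapi.org|0D 0A|
Connection: Keep-Alive|0D 0A 0D 0A|"; fast_pattern:only; metadata:ruleset
community, service http;
reference:url,www.virustotal.com/en/file/a2c4e162624ddb169542e12e148a3be6
bfe79a1fed4adfb28ad1a308a0d1bade/analysis/1380219003/; classtype:trojan-activity; sid:28156; rev:2;)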
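# Win.Trojan.Kuluoz phishing-link fetch (sid 28192, disabled):
# /info.php?message= anywhere in the URI with no Referer header; the negated
# Referer limits matches to requests not reached from another page. Sibling
# sid 28255 below covers the /get.php?invite= form of the same lure.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Kuluoz Potential Phishing URL"; flow:to_server,established;
content:"/info.php?message="; fast_pattern:only; http_uri;
content:!"Referer:"; http_header; metadata:impact_flag red, policy
security-ips drop, ruleset community, service http;
reference:url,urlquery.net/report.php?id=5117077;
reference:url,www.soleranetworks.com/blogs/kuluoz-spam-uses-a-lot-of-stolen-web-servers/; classtype:trojan-activity; sid:28192; rev:2;)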
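# Vobfus worm DNS lookup (sid 28193, disabled): ns1.boxonline{1,2,3}.(com|net|org)
# in wire-label form. The fast-pattern content covers the fixed prefix and the
# pcre generalises it over the three numbered hosts ([\x31-\x33] is '1'-'3')
# and three TLDs, ending in the \x00 root label so longer names do not match.
# alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain- Win.Vobfus worm variant"; flow:to_server; byte_test:1,!
&,0xF8,2; content:"|03|ns1|0A|boxonline"; fast_pattern:only;
pcre:"/\x03ns1\x0aboxonline[\x31-\x33]\x03(com|net|org)\x00/";
metadata:impact_flag red, policy security-ips drop, ruleset community,
service dns;
reference:url,www.virustotal.com/en/file/451318847bae50e855299a1878d9cbd7
4e7467bfff8df396e886732254fc3ade/analysis/1380827494/; classtype:trojan-activity; sid:28193; rev:1;)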
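# vBulletin install/upgrade.php abuse (sid 28215, disabled, attempted-admin):
# inbound request to install/upgrade.php whose body carries firstrun=false,
# &customerid= and URL-encoded username]= / password]= fields — consistent
# with the upgrader being driven to add an account. Matches on the client
# body only; no http_method check, so any method with such a body qualifies.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP vBulletin upgrade.php exploit attempt"; flow:to_server,
established; content:"install/upgrade.php"; fast_pattern:only; http_uri;
content:"firstrun=false"; http_client_body; content:"&customerid=";
http_client_body; content:"username%5d="; http_client_body;
content:"password%5d="; http_client_body; metadata:ruleset community,
service http; reference:url,www.net-security.org/secworld.php?id=15743;
classtype:attempted-admin; sid:28215; rev:2;)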
# Blackhole v2 / Cool exploit kit payload fetch (sid 28233, disabled): a Java
# client (" Java/1." in the headers) requesting a .php? URI of 50-150 bytes
# whose query string is exactly two k=v pairs drawn from the alphabet [ab10].
# Sibling sid 28291 below is the same shape with four pairs.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT
Blackholev2/Cool exploit kit payload download attempt";
flow:to_server,established; urilen:50<>150; content:" Java/1.";
fast_pattern:only; http_header; content:".php?"; http_uri; pcre:"/\/(?:
[^\/]+?\/[a-z]{2,24}|closest\/[a-z0-9]{15,25})\.php\?
[ab10]+=[ab10]+&[ab10]+=[ab10]+$/U"; metadata:ruleset community, service
http; classtype:trojan-activity; sid:28233; rev:2;)
# Win.Trojan.KanKan install beacon (sid 28242, enabled): URI begins with
# "/?u=" (depth:4) and also contains &u2= and &u5=inststart, with the
# "NSIS_Inetc (Mozilla)" User-Agent as fast pattern (presumably the string
# set by the NSIS Inetc download plugin — not something the rule itself
# establishes). Drops in both balanced and security policies.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.KanKan variant connection"; flow:to_server,established;
content:"/?u="; depth:4; http_uri; content:"&u2="; http_uri;
content:"&u5=inststart"; http_uri; content:"NSIS_Inetc (Mozilla)";
fast_pattern:only; http_header; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http;
reference:url,www.virustotal.com/en/file/db31bdf400dd0d28487a0d298bc383a4
a2912566130ea512b25639b3f95e94c4/analysis/; classtype:trojan-activity;
sid:28242; rev:3;)
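# Win.Trojan.Kuluoz phishing-link fetch (sid 28255, enabled): /get.php?invite=
# with a value ending in "=" (anchored pcre /mU), Accept-Encoding: gzip
# present and no Referer. Style note: the pcre leaves the leading "/" and the
# "." of get.php unescaped ("/^/get.php\?..."), unlike the siblings that write
# \/ and \.; the dot therefore matches any byte. Kept as published (rev 1).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Kuluoz Potential phishing URL"; flow:to_server,established;
content:"/get.php?invite="; fast_pattern:only; http_uri; content:"Accept-Encoding: gzip"; http_header; pcre:"/^/get.php\?invite=.*?=$/mU";
content:!"Referer:"; http_header; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http; reference:url,urlquery.net/search.php?q=get.php%3Finvite
%3D&type=string&start=2013-10-01&end=2013-10-16&max=50;
reference:url,www.virustotal.com/en/file/93a40a83977ca24df6e12d7d6f19a9b9
d92cb3ea3174ea9d4398ad2048205c42/analysis/; classtype:trojan-activity;
sid:28255; rev:1;)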
# Win.Trojan.hdog connectivity check (sid 28285, enabled): a fixed
# /?gws_rd=cr URI with "; MSIE " in the headers, a "Connection: Close" that
# ends the request (raw match, no http_ modifier), and no Accept-Encoding
# header. Two VirusTotal samples are referenced; the second is also cited
# by the Zeus rule sid 28800 below, which uses the same header shape.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.hdog connectivity check-in version 2";
flow:to_server,established; content:"/?gws_rd=cr"; fast_pattern:only;
http_uri; content:"|0D 0A|Connection: Close|0D 0A 0D 0A|"; content:"|3B
20|MSIE|20|"; http_header; content:!"Accept-Encoding: "; http_header;
metadata:policy balanced-ips drop, policy security-ips drop, ruleset
community, service http;
reference:url,www.virustotal.com/en/file/ca1bc54e33064eb08163a17a56dcb1d0
d811fc694c05af1d9ea768ef992cb489/analysis/1381870348/;
reference:url,www.virustotal.com/en/file/d4b16269c9849c33a7bb2fdc782173a0
0e99db12a585689618dde3f4c6fcb101/analysis/; classtype:trojan-activity;
sid:28285; rev:1;)
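# Blackhole v2 / Cool exploit kit exploit fetch (sid 28291, disabled): same
# Java-client / .php? / urilen 50-150 shape as sid 28233, but the anchored
# query must be exactly four [ab10]-alphabet k=v pairs.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT
Blackholev2/Cool exploit kit exploit download attempt";
flow:to_server,established; urilen:50<>150; content:" Java/1.";
fast_pattern:only; http_header; content:".php?"; http_uri; pcre:"/\/(?:
[^\/]+?\/[a-z]{2,24}|closest\/[a-z0-9]{15,25})\.php\?
[ab10]+=[ab10]+&[ab10]+=[ab10]+&[ab10]+=[ab10]+&[ab10]+=[ab10]+&[ab10]+=[
ab10]+$/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:28291; rev:2;)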

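# Backdoor.Yaddos DNS lookups (sids 28293-28296, enabled): four domains tied
# to one VirusTotal sample, each in wire-label form ending in the root |00|
# so only the exact name matches. sid 28296's message names ghjgf.info but
# the content is the www.ghjgf.info label sequence, so the bare apex is not
# covered. sid 28297 is a separate Win.Trojan.Injector domain.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request
www.xiaopijia.com - Backdoor.Yaddos"; flow:to_server; byte_test:1,!
&,0xF8,2; content:"|03|www|09|xiaopijia|03|com|00|"; fast_pattern:only;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/08e49d4b699ac39193ae6bb952d8ef8a
79e9958916683db4a8fa0e9c6ee512d7/analysis/; classtype:trojan-activity;
sid:28293; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request
www.akwm139.com - Backdoor.Yaddos"; flow:to_server; byte_test:1,!
&,0xF8,2; content:"|03|www|07|akwm139|03|com|00|"; fast_pattern:only;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/08e49d4b699ac39193ae6bb952d8ef8a
79e9958916683db4a8fa0e9c6ee512d7/analysis/; classtype:trojan-activity;
sid:28294; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request
www.1860tour.com - Backdoor.Yaddos"; flow:to_server; byte_test:1,!
&,0xF8,2; content:"|03|www|08|1860tour|03|com|00|"; fast_pattern:only;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/08e49d4b699ac39193ae6bb952d8ef8a
79e9958916683db4a8fa0e9c6ee512d7/analysis/; classtype:trojan-activity;
sid:28295; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request ghjgf.info
- Backdoor.Yaddos"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|
www|05|ghjgf|04|info|00|"; fast_pattern:only; metadata:impact_flag red,
policy balanced-ips drop, policy security-ips drop, ruleset community,
service dns;
reference:url,www.virustotal.com/en/file/08e49d4b699ac39193ae6bb952d8ef8a
79e9958916683db4a8fa0e9c6ee512d7/analysis/; classtype:trojan-activity;
sid:28296; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain handjobheats.com - Win.Trojan.Injector"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|0C|handjobheats|03|com|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/4BAF26D033E17F0171AB27291649EEAE
19EE33BD0246F17BC921E3ADB7F36F42/analysis/; classtype:trojan-activity;
sid:28297; rev:1;)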
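# Win.Trojan.Agent check-in (sid 28300, enabled): /status/?&cmp= followed in
# order by &src= and &status=start within the URI. NOTE(review): the two
# negated checks content:!"User-Agent: " and content:!"Accept" are bound to
# http_uri rather than http_header, so they test the URI buffer (where header
# names are not expected) and add no real constraint; http_header looks like
# the intent. Left as published (rev 3) — confirm against the upstream rule.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Agent variant connection"; flow:to_server,established;
content:"/status/?&cmp="; fast_pattern; http_uri; content:"&src=";
distance:0; http_uri; content:"&status=start"; distance:0; http_uri;
content:!"User-Agent: "; http_uri; content:!"Accept"; http_uri;
metadata:policy balanced-ips drop, policy security-ips drop, ruleset
community, service http;
reference:url,www.virustotal.com/en/file/e21a7333f5e6fe6de87b0b4ef9282027
24680d46ee3524983ec6962b4061813c/analysis/1381409595/; classtype:trojan-activity; sid:28300; rev:3;)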
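# China Chopper web shell traffic (sid 28323, enabled): inbound request to
# $HTTP_SERVERS carrying an X-Forwarded-For header and a body in which
# FromBase64String is followed within 200 bytes by a "z" plus one to three
# digits (pcre /Pi) — presumably the .NET server-side stub's parameter
# naming. Both FireEye write-ups and the blogspot analysis are referenced.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Chopper web shell connection";
flow:to_server,established; content:"X-Forwarded-For"; nocase;
http_header; content:"FromBase64String"; http_client_body; content:"z";
within:200; nocase; http_client_body; pcre:"/z\d{1,3}/Pi";
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html; reference:url,www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html; reference:url,www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html;
reference:url,www.virustotal.com/en/file/BE24561427D754C0C150272CAB5017D5
A2DA64D41BEC74416B8AE363FB07FD77/analysis/; classtype:trojan-activity;
sid:28323; rev:3;)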
# FakeAV runtime beacon (sid 28324, enabled): eight query-string markers must
# all appear in the URI (&affid= as fast pattern, then /api/, ?ts=, &token=,
# &group=, &nid=, &lid=, &ver=, all case-insensitive). No ordering is
# imposed between them and there is no reference, so the combination of
# all eight is the whole signature.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE
FakeAV runtime detection"; flow:to_server,established; content:"&affid=";
fast_pattern:only; http_uri; content:"/api/"; nocase; http_uri;
content:"?ts="; nocase; http_uri; content:"&token="; nocase; http_uri;
content:"&group="; nocase; http_uri; content:"&nid="; nocase; http_uri;
content:"&lid="; nocase; http_uri; content:"&ver="; nocase; http_uri;
metadata:policy balanced-ips drop, policy security-ips drop, ruleset
community, service http; classtype:trojan-activity; sid:28324; rev:2;)
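# Obfuscation indicators. sid 28344 (disabled, web-application-attack):
# five ordered, case-insensitive "CHR(" occurrences in a GET URI, a pattern
# the SANS diary reference associates with SQL-injection obfuscation; five
# calls is a heuristic threshold, so expect tuning on applications that
# legitimately pass such expressions. sids 28345/28346 (enabled) match fixed
# JavaScript fragments in server responses (file_data) attributed to the
# IFRAMEr tool; sids 28420/28421 later in this file are two more of these.
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION large number of calls to chr function - possible sql
injection obfuscation"; flow:established,to_server; content:"GET";
http_method; content:"CHR("; nocase; http_uri; content:"CHR(";
distance:0; nocase; http_uri; content:"CHR("; distance:0; nocase;
http_uri; content:"CHR("; distance:0; nocase; http_uri; content:"CHR(";
distance:0; nocase; http_uri; metadata:ruleset community, service http;
reference:url,isc.sans.org/diary.html?storyid=3823; classtype:web-application-attack; sid:28344; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool
attack"; flow:to_client,established; file_data; content:"ps=|22|split|22
3B|asd=function()"; fast_pattern:only; metadata:policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
classtype:trojan-activity; sid:28345; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack";
flow:to_client,established; file_data; content:"aq=|22|0x|22 3B|
ff=String|3B|"; fast_pattern:only; metadata:policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
classtype:trojan-activity; sid:28346; rev:1;)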
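# Kazy trojan, three rules on one VirusTotal sample. sid 28404 (enabled):
# DNS query for goobzo.com in wire-label form with the query-only byte_test.
# sid 28405 (enabled): /p.ashx?prd= followed in order by &pixGuid=, &ver= and
# &rnd= in a URI longer than 90 bytes, with no Accept header. sid 28406
# (disabled): a raw, anchored regex over the entire request — GET of a
# 1-12 letter .exe, a Mozilla User-Agent ending in ")", a Host of 6-32
# name characters, Keep-Alive and nothing else — so any additional header
# breaks the match; it is strict by design rather than general.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain goobzo.com - Kazy Trojan"; flow:to_server; byte_test:1,!
&,0xF8,2; content:"|06|goobzo|03|com|00|"; fast_pattern:only;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/a064a1d3d8b9d8ab649686b7fb01e063
1e569412388084f5c391722c98660763/analysis/; classtype:trojan-activity;
sid:28404; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Kazy variant outbound connection"; flow:to_server,established;
urilen:>90; content:"/p.ashx?prd="; fast_pattern; http_uri;
content:"&pixGuid="; distance:0; http_uri; content:"&ver="; distance:0;
http_uri; content:"&rnd="; distance:0; http_uri; content:!"Accept";
http_header; metadata:impact_flag red, policy balanced-ips drop, policy
security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/a064a1d3d8b9d8ab649686b7fb01e063
1e569412388084f5c391722c98660763/analysis/; classtype:trojan-activity;
sid:28405; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Kazy variant outbound connection"; flow:to_server,established;
content:".exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only;
content:"|3B| MSIE "; http_header; content:!"Accept"; http_header;
content:"|29 0D 0A|Host: "; distance:0; http_header;
pcre:"/^GET\x20\x2f[a-z]
{1,12}\.exe\x20HTTP\x2f1\.1\r\nUser\x2dAgent\x3a\x20Mozilla\x2f[\x20-\x7e
]{10,100}\)\r\nHost\x3a\x20[a-z0-9\x2e\x2d]
{6,32}\r\nConnection\x3a\x20Keep\x2dAlive\r\n\r\n$/";
metadata:impact_flag red, policy security-ips drop, ruleset community,
service http;
reference:url,www.virustotal.com/en/file/a064a1d3d8b9d8ab649686b7fb01e063
1e569412388084f5c391722c98660763/analysis/; classtype:trojan-activity;
sid:28406; rev:1;)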
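# IFRAMEr tool JavaScript obfuscation (sids 28420/28421, enabled): fixed
# string-concatenation fragments in server responses (file_data) that
# assemble "createElement" and "fromCharCode" one character or syllable at a
# time. Exact-byte fast-pattern matches, so a reformatted variant of the
# script would need a new rule.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - createElement - seen in IFRAMEr Tool
attack"; flow:to_client,established; file_data; content:"|22|c|22|+|22|r|
22 3A|2+|22|e|22|+|22|a|22|+|22|t|22|+|22|e|22|+|22|E|22|+|22|l|22|+|22|
e|22|+|22|m|22|+((f)?|22|e|22|+|22|n|22|+|22|t|22 3A 22 22|";
fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips
drop, ruleset community, service http; classtype:trojan-activity;
sid:28420; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - fromCharCode - seen in IFRAMEr Tool
attack"; flow:to_client,established; file_data; content:"|22|fr|22|+|22|
omCh|22|+|22|arCo|22|+|22|de|22|"; fast_pattern:only; metadata:policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http; classtype:trojan-activity; sid:28421; rev:1;)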
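# Glazunov exploit kit chain (sids 28428-28430, enabled, CVE-2013-2471):
# 28428 matches the landing page in the response body — applet/object/param
# assignments within 50 bytes of each other and a "<digits>/<digit>.zip'"
# reference; 28429 the Java client's follow-up GET of a 9-character .jnlp
# (urilen:15 = "/" + 9 + ".jnlp"); 28430 the Java client's fetch of the
# zip at /<digits>/<digit>.zip. Style note: 28430's pcre leaves the inner
# "/" unescaped ("/^\/\d+/\d\.zip$/U") while 28428 writes \/; presumably
# accepted by the option parser, but inconsistent with its siblings.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT
Glazunov exploit kit landing page"; flow:to_client,established;
file_data; content:"= |22|applet|22 3B 20|"; content:"= |22|object|22 3B
20|"; within:50; content:"=|27|param|27 3B 20|"; within:50;
content:".zip|27 3B| </script>"; distance:0;
pcre:"/\/\d+\/\d\.zip\x27\x3b/"; metadata:policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:cve,2013-2471;
reference:url,nakedsecurity.sophos.com/2013/07/02/the-four-seasons-of-glazunov-digging-further-into-sibhost-and-flimkit/; classtype:trojan-activity; sid:28428; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT
Glazunov exploit kit outbound jnlp download attempt";
flow:to_server,established; urilen:15; content:".jnlp"; fast_pattern;
http_uri; content:" Java/1."; http_header; pcre:"/\/[a-z0-9]
{9}\.jnlp$/U"; metadata:policy balanced-ips drop, policy security-ips
drop, ruleset community, service http; reference:cve,2013-2471;
reference:url,nakedsecurity.sophos.com/2013/07/02/the-four-seasons-of-glazunov-digging-further-into-sibhost-and-flimkit/; classtype:trojan-activity; sid:28429; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT
Glazunov exploit kit zip file download"; flow:to_server,established;
content:".zip"; fast_pattern; http_uri; content:" Java/1."; http_header;
pcre:"/^\/\d+/\d\.zip$/U"; metadata:policy balanced-ips drop, policy
security-ips drop, ruleset community, service http; reference:cve,2013-2471; reference:url,nakedsecurity.sophos.com/2013/07/02/the-four-seasons-of-glazunov-digging-further-into-sibhost-and-flimkit/; classtype:trojan-activity; sid:28430; rev:2;)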
# Win.Symmi pair on one VirusTotal sample. sid 28445 (enabled): DNS query for
# mssql.maurosouza9899.kinghost.net. NOTE(review): unlike the other DNS rules
# in this file it carries "service http" in metadata although it is a udp/53
# rule, omits the query-only byte_test, and its label content stops at
# |03|net without the |00| root terminator; probably oversights, but it is
# left as published (rev 2) — confirm against upstream before changing.
# sid 28446 (enabled): a UTF-16LE SQL text (every character followed by |00|)
# "select verificando from verificando where id_pc=" sent to port 1039, i.e.
# the sample's own check-in query to a database rather than HTTP C2.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain mssql.maurosouza9899.kinghost.net - Win.Symmi
Trojan"; flow:to_server; content:"|05|mssql|0E|maurosouza9899|08|
kinghost|03|net"; fast_pattern:only; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http;
reference:url,www.virustotal.com/en/file/47c71ff0eb61b371e967b93b6909bb05
f2aab973e3214ea2d5ed246884dd045e/analysis/; classtype:trojan-activity;
sid:28445; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1039 (msg:"MALWARE-CNC
Win.Trojan.Symmi variant SQL check-in"; flow:to_server,established;
content:"s|00|e|00|l|00|e|00|c|00|t|00| |00|v|00|e|00|r|00|i|00|f|00|i|
00|c|00|a|00|n|00|d|00|o|00| |00|f|00|r|00|o|00|m|00| |00|v|00|e|00|r|00|
i|00|f|00|i|00|c|00|a|00|n|00|d|00|o|00| |00|w|00|h|00|e|00|r|00|e|00| |
00|i|00|d|00|_|00|p|00|c|00|=|00|"; fast_pattern:only;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community;
reference:url,www.virustotal.com/en/file/47c71ff0eb61b371e967b93b6909bb05
f2aab973e3214ea2d5ed246884dd045e/analysis/; classtype:trojan-activity;
sid:28446; rev:1;)
# Sakura exploit kit payload fetch (sid 28450, enabled): a Java client
# (" Java/1." header) requesting a URI that is exactly /<digits>.ld and
# shorter than 25 bytes (anchored pcre /U plus urilen:<25). No reference is
# given; the .ld extension plus Java UA is the entire signature.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT
Sakura exploit kit exploit payload retrieve attempt";
flow:to_server,established; urilen:<25; content:".ld"; fast_pattern:only;
http_uri; content:" Java/1."; http_header; pcre:"/^\/\d+\.ld$/U";
metadata:policy balanced-ips drop, policy security-ips drop, ruleset
community, service http; classtype:trojan-activity; sid:28450; rev:1;)
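# DeputyDog diskless-method check-in (sid 28493, enabled, rev 5): a POST with
# the bare "User-Agent: lynx" header to a URI consisting only of hex digits
# (anchored pcre /iU). References CVE-2013-3918 / MS13-090, the IE/ActiveX
# bug the campaign used; the rule itself sees only the post-exploitation
# beacon, not the exploit.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
DeputyDog diskless method outbound connection";
flow:to_server,established; content:"User-Agent: lynx|0D 0A|";
fast_pattern:only; http_header; content:"POST"; http_method;
pcre:"/^\x2f[0-9a-f]+$/iU"; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service http;
reference:cve,2013-3918; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-090; classtype:trojan-activity; sid:28493;
rev:5;)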
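# Win.Trojan.Asprox/Kuluoz upload (sid 28538, disabled): a multipart POST
# whose two parts are named key/key.bin and data/data.bin, with a fixed
# Firefox 23 User-Agent and a path of exactly 42 upper-case hex characters
# (raw pcre on "POST /<hex>{42} "). All matches are raw (no http_ modifiers).
# The port list includes 443, which presupposes the traffic is inspected in
# the clear there (e.g. after TLS termination); on an encrypted session none
# of these contents are visible.
# alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,443]
(msg:"MALWARE-CNC Win.Trojan.Asprox/Kuluoz variant connection";
flow:to_server,established; content:"User-Agent: Mozilla/5.0 (Windows NT
6.1|3B| WOW64|3B| rv:23.0) Gecko/20100101 Firefox/23.0";
content:"Content-Disposition: form-data|3B| name=|22|key|22 3B|
filename=|22|key.bin|22|"; fast_pattern:only; content:"Content-Disposition: form-data|3B| name=|22|data|22 3B| filename=|22|data.bin|
22|"; content:"Content-Type: multipart/form-data|3B| boundary=";
pcre:"/POST\s\/[A-F0-9]{42}\s/"; metadata:impact_flag red, policy
security-ips drop, ruleset community, service http;
reference:url,stopmalvertising.com/malware-reports/analysis-of-asprox-
and-its-new-encryption-scheme.html;
reference:url,www.virustotal.com/en/file/929b62b673db55f443a36fa2de184a2b
e03788bbe714fc586b82a19444727a54/analysis/; classtype:trojan-activity;
sid:28538; rev:4;)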
# Two more DNS blacklist entries (enabled): sid 28539 lovesyr.sytes.net
# (Win.Worm Dunhihi; a dynamic-DNS host, so the apex sytes.net itself is not
# implicated) and sid 28540 dkxszh.org. Both use the query-only byte_test
# and the full |00|-terminated label sequence.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain lovesyr.sytes.net - Win.Worm Dunhihi"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|07|lovesyr|05|sytes|03|net|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/c3c4abd4ccf24da96abc0b4045219a89
c86662bad9201913c5317f6e3e7841d9/analysis/; classtype:trojan-activity;
sid:28539; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain dkxszh.org"; flow:to_server; byte_test:1,!&,0xF8,2;
content:"|06|dkxszh|03|org|00|"; fast_pattern:only; metadata:impact_flag
red, policy balanced-ips drop, policy security-ips drop, ruleset
community, service dns;
reference:url,www.virustotal.com/en/file/0b216c2a7e2ac3284fac877054b13594
7823c91a712bb1c3e289168c973a6ce0/analysis/; classtype:trojan-activity;
sid:28540; rev:1;)
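# sid 28541 (enabled): ZeroAccess payload download — a fixed header block
# (Accept */*, "Accept-Encoding: identity, *;q=0", Connection: close) with a
# 1-8 character .exe in a 5-14 byte URI, HTTP/1.0. sids 28542/28543
# (enabled): Conficker's external-IP lookups to checkip.dyndns.org and
# www.ask.com. Each is a raw match on the complete request and dsize equals
# the request length (146 and 139 bytes including "Cache-Control: no-cache"),
# so a browser sending the same legacy MSIE 7.0 User-Agent with any other
# header does not match; only the byte-exact request does.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.ZeroAccess Download Headers"; flow:to_server,established;
urilen:5<>14; content:"|0D 0A|Accept: */*|0D 0A|Accept-Encoding:
identity, *|3B|q=0|0D 0A|Connection: close|0D 0A|User-Agent: ";
fast_pattern:only; http_header; content:".exe HTTP/1.0|0D 0A|Host: ";
pcre:"/^\x2f[a-z\d]{1,8}\.exe$/Ui"; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http;
reference:url,www.virustotal.com/en/analisis//file/eeaeb1506d805271b5147c
e911df9c264d63e4d229de4464ef879a83fb225a40/analysis/; classtype:trojan-activity; sid:28541; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC
Win.Trojan.Conficker variant outbound connection";
flow:to_server,established; dsize:146; urilen:1; content:"GET / HTTP/1.1|
0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT
5.1|3B| Trident/4.0)|0D 0A|Host: checkip.dyndns.org|0D 0A|Cache-Control:
no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red,
policy balanced-ips drop, policy security-ips drop, ruleset community,
service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity;
sid:28542; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC
Win.Trojan.Conficker variant outbound connection";
flow:to_server,established; dsize:139; urilen:1; content:"GET / HTTP/1.1|
0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT
5.1|3B| Trident/4.0)|0D 0A|Host: www.ask.com|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28543; rev:1;)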
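# IPTUX LAN-messenger probe (sid 28552, disabled, misc-activity): inbound
# udp/2425 datagram with "iptux" at offset 2 and "lws:lws" 9 bytes after it.
# This is the application's own discovery packet format, so it flags hosts
# being enumerated for the messenger rather than an exploit.
# alert udp $EXTERNAL_NET 2425 -> $HOME_NET 2425 (msg:"INDICATOR-SCAN
inbound probing for IPTUX messenger port "; flow:to_server;
content:"iptux"; depth:5; offset:2; content:"lws|3A|lws"; within:7;
distance:9; metadata:ruleset community; reference:url,github.com/iptux-src/iptux; classtype:misc-activity; sid:28552; rev:1;)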


# Two more Win.Trojan.Fareit paths (sids 28553/28554, disabled): /main.htm
# (urilen:9) and /online.htm (urilen:11), otherwise identical to sids
# 28118-28123 earlier in this file — GET, no Referer, no Accept, four
# non-printable body bytes, same VirusTotal sample — but tagged
# impact_flag red where the earlier six are not.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Fareit variant outbound connection - /main.htm GET Encrypted
Payload"; flow:to_server,established; urilen:9; content:"GET";
http_method; content:"/main.htm"; fast_pattern:only; http_uri;
content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/
[^\r -~\n]{4}/P"; metadata:impact_flag red, policy security-ips drop,
ruleset community, service http;
reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa63
4484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity;
sid:28553; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Fareit variant outbound connection - /online.htm GET Encrypted
Payload"; flow:to_server,established; urilen:11; content:"GET";
http_method; content:"/online.htm"; fast_pattern:only; http_uri;
content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/
[^\r -~\n]{4}/P"; metadata:impact_flag red, policy security-ips drop,
ruleset community, service http;
reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa63
4484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity;
sid:28554; rev:1;)
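# Three disabled UDP rules. sid 28555: SQL Slammer propagation on udp/1434 —
# first byte 0x04 plus the "Qh.dll", "sock" and "send" strings of the worm
# payload (CVE-2002-0649). sid 28556: DNS amplification query — QDCOUNT and
# ARCOUNT of 1 (the two |00 01| at offsets 4 and 10), a query of type ANY
# (|00 FF|) class IN followed by an OPT record (|00 29|) whose UDP payload
# size, read by the relative byte_test, exceeds 0x7FFF; that large-buffer
# ANY query is the reflection shape described in TA13-088A. sid 28557: an
# HTTP request line ("GET / HTTP") arriving on udp/53 — malformed for DNS.
# alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MALWARE-OTHER SQL
Slammer worm propagation attempt inbound"; flow:to_server; content:"|
04|"; depth:1; content:"Qh.dll"; fast_pattern:only; content:"sock";
content:"send"; metadata:impact_flag red, ruleset community;
reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649;
classtype:trojan-activity; sid:28555; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS DNS
query amplification attempt"; flow:to_server; content:"|00 01|"; depth:2;
offset:4; content:"|00 01|"; within:2; distance:4; byte_test:1,!&,0xF8,2;
content:"|00 00 FF 00 01 00 00 29|"; byte_test:2,>,0x7FFF,0,relative;
metadata:policy security-ips drop, ruleset community, service dns;
reference:url,www.us-cert.gov/ncas/alerts/TA13-088A; classtype:attempted-dos; sid:28556; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS
Malformed DNS query with HTTP content"; flow:to_server; content:"|54
20|"; fast_pattern:only; content:"GET |2F| HTTP"; metadata:policy
security-ips drop, ruleset community, service dns;
reference:url,www.ietf.org/rfc/rfc2616.txt; classtype:misc-activity;
sid:28557; rev:2;)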
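# Win.Trojan.Zeus beacon (sid 28800, enabled, rev 3): "GET / HTTP/1.1" whose
# first three headers are exactly Accept: */* and Accept-Language: — the
# depth:45 equals the length of that prefix through "Accept-Language:", so
# the header order is fixed — with a google.com Host, "; MSIE " in the UA,
# "Connection: Close" terminating the request, and no Accept-Encoding.
# Shares its VirusTotal sample with the hdog rule sid 28285 above.
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC
Win.Trojan.Zeus outbound connection"; flow:to_server,established;
urilen:1; content:"GET / HTTP/1.1|0D 0A|Accept: */*|0D 0A|Accept-Language:"; depth:45; content:"|0D 0A|Connection: Close|0D 0A 0D 0A|";
fast_pattern; content:"google.com|0D 0A|"; http_header; content:"|3B 20|
MSIE|20|"; http_header; content:!"Accept-Encoding: "; http_header;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/d4b16269c9849c33a7bb2fdc782173a0
0e99db12a585689618dde3f4c6fcb101/analysis/; classtype:trojan-activity;
sid:28800; rev:3;)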
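# sid 28802 (enabled): Bancos geolocation lookup — /locate-ip/ at the start
# of a 17-27 byte URI to Host ip-who-is.com with the Indy Library UA.
# sids 28803/28804 (enabled, one sample): Injector's C2 exchange — the server
# reply is a body starting "UPDATE|x.y.z|<48 hex>|||" (anchored raw pcre)
# and the client POST carries conteudo= at the start of the body and &nome=
# right after the header terminator. sid 28805 (enabled): Palevo — any
# 21-byte UDP datagram to port 2090 whose last two bytes (offset 19, depth 2)
# are NUL. That is a very low-specificity signature; the abuse.ch tracker
# references pin it to two C2 addresses, so expect to tune by destination.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Bancos outbound connection"; flow:to_server,established;
urilen:17<>27; content:"ip-who-is.com|0D 0A|"; fast_pattern:only;
http_header; content:"/locate-ip/"; depth:11; http_uri; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)"; http_header;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/26c60976776d212aefc9863efde91405
9dd2847291084c158ce51655fc1e48d0/analysis/1382620137/; classtype:trojan-activity; sid:28802; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.Injector inbound connection"; flow:to_client,established;
file_data; content:"UPDATE|7C|"; depth:7; pcre:"/^UPDATE\|[0-9]\.[0-9]\.
[0-9]\|[A-F0-9]{48}\|{3}$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/253b2cb7f6eacaaaca5053f73445defc
e5df2cd4a5564ebc0721e0323a6c3557/analysis/1383139183/; classtype:trojan-activity; sid:28803; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Injector outbound connection"; flow:to_server,established;
content:"|0D 0A 0D 0A|&nome="; fast_pattern:only; http_client_body;
content:"conteudo="; depth:9; http_client_body; metadata:impact_flag red,
policy balanced-ips drop, policy security-ips drop, ruleset community,
service http;
reference:url,www.virustotal.com/en/file/253b2cb7f6eacaaaca5053f73445defc
e5df2cd4a5564ebc0721e0323a6c3557/analysis/1383139183/; classtype:trojan-activity; sid:28804; rev:3;)
alert udp $HOME_NET any -> $EXTERNAL_NET 2090 (msg:"MALWARE-CNC
Win.Trojan.Palevo outbound connection"; flow:to_server; dsize:21;
content:"|00 00|"; depth:2; offset:19; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community;
reference:url,palevotracker.abuse.ch/?ipaddress=209.222.14.3;
reference:url,palevotracker.abuse.ch/?ipaddress=31.170.179.179;
classtype:trojan-activity; sid:28805; rev:4;)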
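# Single-character .exe download (sid 28806, disabled): a 6-byte URI of the
# form /<one letter or digit>.exe, case-insensitive and anchored. No sample
# is cited — the urlquery search in the reference is the supporting evidence
# — so this is a generic indicator rather than a family signature, which is
# presumably why it ships disabled.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE potential malware download - single digit .exe file download";
flow:to_server,established; urilen:6; content:".exe"; fast_pattern:only;
pcre:"/\/[a-z0-9]\.exe$/Ui"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http;
reference:url,urlquery.net/search.php?q=%5C%2F%5Ba-zA-Z%5D%5C.%5BEe%5D
%5BXx%5D%5BEe%5D%24&type=regexp&start=2013-09-07&end=2013-12-06&max=400;
classtype:trojan-activity; sid:28806; rev:2;)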
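# Win.Trojan.Injector variant: request for "/load.exe" (urilen:9) where the raw request line is
# immediately followed by a User-Agent header (no headers in between), that UA contains "; MSIE "
# and is followed by ")\r\nHost: ", and there is no Accept header at all. The first content is a raw
# (non-normalized) fast pattern, so exact "HTTP/1.1\r\nUser-Agent:" ordering is required.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound communication"; flow:to_server,established; urilen:9; content:"/load.exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|"; http_header; content:")|0D 0A|Host: "; distance:0; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=%5C%2Fload%5C.exe%24&type=regexp&start=2013-08-24&end=2013-11-22&max=400; reference:url,www.virustotal.com/en/file/032572ea1f34a060ecac98a8e2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/; classtype:trojan-activity; sid:28807; rev:1;)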
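# Win.Trojan.Dofoil download, server -> client: response header containing "; filename=exe.exe\r\n"
# (Content-Disposition style). Header-only check; the payload itself is not inspected, so pair this
# with file-type inspection where available.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Dofoil inbound connection attempt"; flow:to_client,established; content:"|3B 20|filename=exe.exe|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2325492f457a8b7d3df48a570210f65f3a094fe8925278451713768d938bec86/analysis/; classtype:trojan-activity; sid:28809; rev:4;)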
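# Disabled by default. Zeus heuristic: GET "/" (urilen:1) to a .biz Host whose name contains five or
# more consecutive consonants, an "MSIE 7.0" User-Agent, and neither a Referer nor a Cookie header.
# The consonant-run test is a naming heuristic and will hit legitimate .biz hosts.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection - MSIE7 No Referer No Cookie"; flow:to_server,established; urilen:1; content:"|2F|"; http_uri; pcre:"/\r\nHost\x3A\s+[^\r\n]*?[bcdfghjklmnpqrstvwxyz]{5,}[^\r\n]*?\x2Ebiz\r\n/Hi"; content:!"|0A|Referer|3A|"; http_header; content:!"|0A|Cookie|3A|"; http_header; content:"|3B 20|MSIE|20|7.0|3B 20|"; http_header; content:"|2E|biz|0D 0A|"; fast_pattern; nocase; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,en.wikipedia.org/wiki/Zeus_(Trojan_horse); classtype:trojan-activity; sid:28810; rev:1;)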
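# Win.Trojan.Gozi/Neverquest POST to "/post.aspx?forumID=": the body must open with a 17-char
# upper-hex token that is neither all digits nor all letters (negative lookahead), have "\r\nURL: http"
# at byte offset 17, and the request carries no Accept header.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gozi/Neverquest variant outbound connection"; flow:to_server,established; content:"/post.aspx?forumID="; fast_pattern:only; http_uri; content:"|0D 0A|URL: http"; depth:11; offset:17; http_client_body; content:!"Accept"; http_header; pcre:"/^(?!\d{17}|[A-F]{17})[A-F0-9]{17}/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b78c5c53d3b54acbca2b344a779528f0408258b6ac12899c860d99bf563e883a/analysis/; classtype:trojan-activity; sid:28814; rev:2;)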
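# Win.Trojan.Gozi/Neverquest variant: URI contains "forumdisplay.php?fid=", the body is exactly
# "id=<32 upper-hex>" with an optional "&info=<24 upper-hex>", and there is no Accept header.
# Both hex classes are [A-F\d]; the anchored pcre rejects any extra body parameters.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gozi/Neverquest variant outbound connection"; flow:to_server,established; content:"forumdisplay.php?fid="; fast_pattern:only; http_uri; content:"id="; depth:3; http_client_body; content:!"Accept"; http_header; pcre:"/^id\x3d[A-F\d]{32}(\x26info\x3d[A-F\d]{24})?$/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b78c5c53d3b54acbca2b344a779528f0408258b6ac12899c860d99bf563e883a/analysis/; classtype:trojan-activity; sid:28815; rev:2;)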
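# Known-bad User-Agent "Zollard" (IoT worm). Note the "any any -> any" source, so this fires in both
# directions and on traffic between external hosts that the sensor happens to see.
alert tcp any any -> any $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user-agent string Zollard"; flow:to_server,established; content:"User-Agent|3A| Zollard|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d757aa51974806e5402fb8a5c930518bf9ba0b2fd62f74e0f4c33d85bce08ada/analysis/; classtype:trojan-activity; sid:28852; rev:2;)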
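# Known-bad User-Agent "z00sAgent" (Zbot). No trailing CRLF in the content, so any UA that merely
# begins with "z00sAgent" also matches.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user-agent z00sAgent - Win.Trojan.Zbot"; flow:to_server,established; content:"User-Agent|3A| z00sAgent"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0220b1071c8a0093e673d836ae436cb468b8cd1bd5873dad08351309e13af9e5/analysis/1383673331/; classtype:trojan-activity; sid:28859; rev:1;)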


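# Disabled by default. Zollard backdoor: raw TCP payload containing ".zollard/" on destination
# port 58455 (tagged service telnet). Not tied to an HTTP buffer, so the string is matched anywhere
# in the stream.
# alert tcp $HOME_NET any -> $EXTERNAL_NET 58455 (msg:"MALWARE-BACKDOOR Zollard variant outbound connection attempt"; flow:to_server,established; content:".zollard/"; fast_pattern:only; metadata:impact_flag red, ruleset community, service telnet; reference:url,www.deependresearch.org/2013/12/hey-zollard-leave-my-internet-of-things.html; classtype:trojan-activity; sid:28913; rev:2;)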
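# Disabled by default. Win.Trojan.Symmi connectivity check against bit.ly: exact header sequence
# Host / Accept / Accept-Encoding / User-Agent with the Indy Library UA. Port 80 only (not
# $HTTP_PORTS). The Indy UA is shared by legitimate Delphi applications — presumably why this is off.
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Symmi variant network connectivity check"; flow:to_server,established; content:"Host: bit.ly|0D 0A|Accept: text/html, */*|0D 0A|Accept-Encoding: identity|0D 0A|User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)"; fast_pattern:only; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/47c71ff0eb61b371e967b93b6909bb05f2aab973e3214ea2d5ed246884dd045e/analysis/; classtype:trojan-activity; sid:28918; rev:2;)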
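# Disabled by default. Same Symmi connectivity check as sid 28918 but for Host "bitly.com";
# identical fixed header ordering and Indy Library User-Agent, port 80 only.
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Symmi variant network connectivity check"; flow:to_server,established; content:"Host: bitly.com|0D 0A|Accept: text/html, */*|0D 0A|Accept-Encoding: identity|0D 0A|User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)"; fast_pattern:only; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/084455c1de5d9440eb95edd2e6868aab1ce3dd674c2e3ba481254edc65b30b89/analysis/; classtype:trojan-activity; sid:28919; rev:2;)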
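# Win.Trojan.Fakeav upload: URI longer than 150 bytes of the form "/?<2 alnum>=<100 chars>" with a
# "Firefox/4.0b8pre" User-Agent. Note the value class is [a-z1-9] — it excludes "0" — keep that in
# mind before widening the rule. No reference is recorded for this rule.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fakeav variant outbound data connection"; flow:to_server,established; urilen:>150; content:"/?"; depth:2; http_uri; content:"Firefox/4.0b8pre|0D 0A|"; fast_pattern:only; http_header; pcre:"/^\/\?[a-z0-9]{2}\=[a-z1-9]{100}/siU"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:28930; rev:1;)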
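# Disabled by default. DNS query for appropriations.co.cc. byte_test on the byte at offset 2 (DNS
# flags, high byte) with mask 0xF8 requires QR=0 and opcode 0, i.e. a standard query. The label
# sequence ends in |00| (root), so only that exact name matches, not sub- or super-domains.
# alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain appropriations.co.cc"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|appropriations|02|co|02|cc|00|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service dns; classtype:trojan-activity; sid:28938; rev:1;)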
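# Disabled by default. DNS standard query (flags byte & 0xF8 == 0) for the exact name
# havingbeothers.co.cc (label sequence terminated by |00|).
# alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain havingbeothers.co.cc"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|havingbeothers|02|co|02|cc|00|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service dns; classtype:trojan-activity; sid:28939; rev:1;)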
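# Win.Trojan.Rovnix loader request: URI contains "/config.php?" plus the parameters version=, user=,
# server=, id= and crc=. None of the parameter contents are relative to one another, so parameter
# order is not enforced; the second content:"id=" is identical to the first and therefore redundant
# (both search the whole URI) — left as shipped.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rovnix malicious download"; flow:to_server,established; content:"/config.php?"; fast_pattern:only; http_uri; content:"version="; http_uri; content:"user="; http_uri; content:"server="; http_uri; content:"id="; http_uri; content:"crc="; http_uri; content:"id="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,isc.sans.edu/forums/diary/Suspected+Active+Rovnix+Botnet+Controller/17180; reference:url,www.welivesecurity.com/2012/02/22/rovnix-reloaded-new-step-of-evolution/; classtype:trojan-activity; sid:28940; rev:2;)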
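# Disabled by default. Generic indicator: outbound request whose URI contains "/exe.exe" and is
# longer than 7 bytes. No impact_flag or drop policy — informational only.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE exe.exe download"; flow:to_server,established; urilen:>7; content:"/exe.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,urlquery.net/search.php?q=%5C%2F%5BEe%5D%5BXx%5D%5BEe%5D%5C.%5BEe%5D%5BXx%5D%5BEe%5D%24&type=regexp&start=2013-11-21&end=2013-12-06&max=400; classtype:trojan-activity; sid:28945; rev:1;)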
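# Disabled by default. DNS response (from port 53) containing the labels "dataclub.biz", used by
# Win.Trojan.Bunitu.G reverse lookups. No |00| terminator and no flags check, so any response carrying
# these labels anywhere — including longer names — matches.
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"BLACKLIST DNS reverse lookup response to malicious domain .dataclub.biz - Win.Trojan.Bunitu.G"; flow:to_client; content:"|08|dataclub|03|biz"; fast_pattern:only; metadata:impact_flag red, ruleset community, service dns; classtype:trojan-activity; sid:28950; rev:2;)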
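# Disabled by default. DNS response containing the labels "hosted-by.leaseweb.com" — a generic
# hosting-provider PTR name, so this would fire on ordinary reverse lookups; presumably why it is off.
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"BLACKLIST DNS reverse lookup response to malicious domain hosted-by.leaseweb.com - Win.Trojan.Bunitu.G"; flow:to_client; content:"|09|hosted-by|08|leaseweb|03|com"; fast_pattern:only; metadata:impact_flag red, ruleset community, service dns; classtype:trojan-activity; sid:28951; rev:1;)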
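# Win.Trojan.Bunitu.G: DNS standard query (flags byte & 0xF8 == 0) for the exact name
# ns0.pollosm.me.uk (label sequence terminated by |00|). Outbound to $EXTERNAL_NET resolvers only;
# queries to an internal resolver are not covered by this rule.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request to suspicious domain ns0.pollosm.me.uk - Win.Trojan.Bunitu.G"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ns0|07|pollosm|02|me|02|uk|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; classtype:trojan-activity; sid:28952; rev:1;)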
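# Win.Trojan.Bunitu.G: DNS standard query for the exact name ns1.pollosm.me.uk; same shape as
# sid 28952 (outbound to $EXTERNAL_NET resolvers only).
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request to suspicious domain ns1.pollosm.me.uk - Win.Trojan.Bunitu.G"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ns1|07|pollosm|02|me|02|uk|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; classtype:trojan-activity; sid:28953; rev:1;)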
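# DNS standard query containing the labels "fenhelua.com". The content has no trailing |00| and is
# not anchored, so sub-domains (x.fenhelua.com) and longer names (fenhelua.com.example) match too.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain fenhelua.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|fenhelua|03|com"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.sophos.com/ja-jp/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-AFDE/detailed-analysis.aspx; classtype:trojan-activity; sid:28959; rev:1;)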
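# Win.Trojan.Alurewo check-in: URI "/cmd?version=" with "&aid=", then "&id=" followed by a fixed
# 36-byte value (distance:36; within:4 forces "&os=" to start exactly 36 bytes after "&id=").
# "&aid=" is not relative to the first content, so it may appear anywhere in the URI.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Alurewo outbound connection"; flow:to_server,established; content:"/cmd?version="; fast_pattern:only; http_uri; content:"&aid="; http_uri; content:"&id="; distance:0; http_uri; content:"&os="; within:4; distance:36; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sophos.com/ja-jp/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-AFDE/detailed-analysis.aspx; reference:url,www.virustotal.com/en/file/9171bd76d3fa26a78225cb7c9d5112635fa84e8bdf3388577f22da9178871161/analysis/; classtype:trojan-activity; sid:28960; rev:2;)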
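# Win.Trojan.Agent.DF exfiltration: multipart POST body with a form part named "arquivo" whose
# filename starts with "C:\", followed by "\r\nTP=" and later "\r\nLGSN=" (the LGSN field must come
# after TP=). Only the form structure is checked, not the uploaded file contents.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent.DF - Data Exfiltration"; flow:to_server,established; content:"|3B| name=|22|arquivo|22 3B| filename=|22|C:|5C|"; fast_pattern:only; http_client_body; content:"|0D 0A|TP="; http_client_body; content:"|0D 0A|LGSN="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b9587fc86f1459ccf7b096b6bf68b4fcc165946a86f3ed9ce84c61907aa99dae/analysis/1386599712/; classtype:trojan-activity; sid:28976; rev:1;)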
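# Win.Trojan.Agent.DF: the User-Agent line ends with "; Windows NT 5.0" and then CRLF + "Host:" — the
# closing parenthesis of the UA is missing, which is the fingerprint. The second content is raw
# (no http_header modifier) and pins the exact Connection / Accept / User-Agent header order.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent.DF - User-Agent Missing Bracket"; flow:to_server,established; content:"|3B 20|Windows NT 5.0|0D 0A|Host:"; fast_pattern:only; http_header; content:" HTTP/1.1|0D 0A|Connection: Keep-Alive|0D 0A|Accept: */*|0D 0A|User-Agent: Mozilla/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b9587fc86f1459ccf7b096b6bf68b4fcc165946a86f3ed9ce84c61907aa99dae/analysis/1386599712/; classtype:trojan-activity; sid:28977; rev:1;)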
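# DNS standard query for the exact name encoded by the labels "team" . "immsky" . "de", i.e.
# team.immsky.de. The msg text says "teamimmsky.de" — the label bytes, not the msg, are what is
# matched; verify which spelling the sample actually resolves before tuning on the message.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain teamimmsky.de"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|team|06|immsky|02|de|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/5b1d04b7504a3ac1befe4408fd4f9cd877b92661db47a75f197924cb660551d3/analysis/1387178129/; classtype:trojan-activity; sid:28980; rev:1;)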
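# DNS standard query for the exact name wifi-usbx.me (label sequence terminated by |00|).
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain wifi-usbx.me"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|wifi-usbx|02|me|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/902760be507dbaa5e6b26e1183d10710617b53441601624e4f36d079f71b2a0a/analysis/1387181593/; classtype:trojan-activity; sid:28981; rev:1;)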
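# Win.Worm.Steckt IRC bot, server -> client on any port: a "JOIN :#" channel echo together with a
# "!dl http://" download command. Both contents are unanchored raw payload matches.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Worm.Steckt IRCbot requesting URL through IRC"; flow:to_client,established; content:"JOIN |3A|#"; content:"!dl http://"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service irc; reference:url,www.virustotal.com/en/file/411e93206a7750c8df25730349bf9756ddba52c1bc780eaac4bba2b3872bc037/analysis/; classtype:trojan-activity; sid:28982; rev:1;)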
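# Steckt payload fetch: bare "Mozilla/4.0 (compatible)" User-Agent plus a "/launch.php" URI with
# "?f=", then "&s=" and "&is_direct=" in that order (distance:0 chaining).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Steckt IRCbot executable download"; flow:to_server,established; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|29 0D 0A|"; fast_pattern:only; http_header; content:"/launch.php"; http_uri; content:"?f="; http_uri; content:"&s="; distance:0; http_uri; content:"&is_direct="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/411e93206a7750c8df25730349bf9756ddba52c1bc780eaac4bba2b3872bc037/analysis/; classtype:trojan-activity; sid:28983; rev:3;)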
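# Steckt payload fetch variant: same bare "Mozilla/4.0 (compatible)" User-Agent, URI
# "/direct.php?f=<8 digits>&s=<3 alnum>.<1-4 letters>" as pinned by the pcre.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.Steckt IRCbot executable download"; flow:to_server,established; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|29 0D 0A|"; fast_pattern:only; http_header; content:"/direct.php"; http_uri; content:"?f="; http_uri; content:"&s="; http_uri; pcre:"/\x2Fdirect\.php\x3Ff=[0-9]{8}\x26s=[a-z0-9]{3}\.[a-z]{1,4}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/411e93206a7750c8df25730349bf9756ddba52c1bc780eaac4bba2b3872bc037/analysis/; classtype:trojan-activity; sid:28984; rev:4;)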
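# Steckt payload fetch: URI containing "/site2/" with cookies "60gp=" and "60gpBAK=". No explicit
# fast_pattern, so Snort picks the longest content ("60gpBAK=") for the fast-pattern matcher.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.Steckt IRCbot executable download"; flow:to_server,established; content:"/site2/"; http_uri; content:"60gp="; http_cookie; content:"60gpBAK="; http_cookie; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/411e93206a7750c8df25730349bf9756ddba52c1bc780eaac4bba2b3872bc037/analysis/; classtype:trojan-activity; sid:28985; rev:2;)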
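# Win.Worm.Neeris IRC bot: outbound segment starting with "JOIN #biz abc\r\n" (depth:15 anchors it to
# the start of the payload) on any destination port.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Worm.Neeris IRCbot variant outbound connection"; flow:to_server,established; content:"JOIN #biz abc|0D 0A|"; depth:15; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service irc; reference:url,www.virustotal.com/en/file/0a8f320fc7535f164bbd9d0e462fd459c55ff448cf5e84dc2115f2f4aa800e6b/analysis/1387176826/; classtype:trojan-activity; sid:28986; rev:2;)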
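# Win.Worm.Steckt IRC bot: outbound segment starting with "JOIN #n jobs\r\n" (depth:14) on any port.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Worm.Steckt IRCbot variant outbound connection"; flow:to_server,established; content:"JOIN #n jobs|0D 0A|"; depth:14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service irc; reference:url,www.virustotal.com/en/file/480eb4aa76a55ad7b0db128138113615ca834f9e6c62f798f54c8ac0759657fe/analysis/1387177714/; reference:url,www.virustotal.com/en/file/5b1d04b7504a3ac1befe4408fd4f9cd877b92661db47a75f197924cb660551d3/analysis/1387178129/; classtype:trojan-activity; sid:28987; rev:2;)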
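# Win.Worm.Steckt IRC bot: three back-to-back JOINs ("#test1 |", "#test2 |", "#test3 (null)") within
# the first 50 bytes of an outbound segment, on any port.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Worm.Steckt IRCbot variant outbound connection"; flow:to_server,established; content:"JOIN #test1|20 7C 0D 0A|JOIN #test2|20 7C 0D 0A|JOIN #test3 (null)|0D 0A|"; depth:50; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service irc; reference:url,www.virustotal.com/en/file/480eb4aa76a55ad7b0db128138113615ca834f9e6c62f798f54c8ac0759657fe/analysis/1387177714/; reference:url,www.virustotal.com/en/file/5b1d04b7504a3ac1befe4408fd4f9cd877b92661db47a75f197924cb660551d3/analysis/1387178129/; classtype:trojan-activity; sid:28988; rev:2;)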
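# Win.Banload: DNS standard query for the exact name lucas.digitaldesk.biz (|00|-terminated labels).
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain lucas.digitaldesk.biz - Win.Banload"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|lucas|0B|digitaldesk|03|biz|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/30032d2b7fd928392837eeb814cf1e2add0d80b0e17b8dbfec2e2c3be9164cf6/analysis/; classtype:trojan-activity; sid:29030; rev:1;)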

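# Win.Banload stager, server -> client: an HTTP redirect whose headers end with
# "Location: https://dl.dropboxusercontent.com/<5-32 alnum or />/avcheck.exe\r\n\r\n". Only the
# redirect is seen here; the follow-up fetch over HTTPS is not inspectable by this rule.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Banload variant inbound communication attempt"; flow:to_client,established; content:"/avcheck.exe|0D 0A 0D 0A|"; fast_pattern:only; http_header; content:"|0D 0A|Location: https://dl.dropboxusercontent.com/"; http_header; pcre:"/\r\nLocation\x3a\x20https\x3a\x2f{2}dl\.dropboxusercontent\.com\/[a-zA-Z\d\x2f]{5,32}\/avcheck\.exe\r\n\r\n$/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/30032d2b7fd928392837eeb814cf1e2add0d80b0e17b8dbfec2e2c3be9164cf6/analysis/; classtype:trojan-activity; sid:29031; rev:2;)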
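# Win.Trojan.Zeus: DNS standard query for the exact name jiang-zem.in. No reference is recorded.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain jiang-zem.in - Win.Trojan.Zeus"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|jiang-zem|02|in|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; classtype:trojan-activity; sid:29126; rev:1;)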
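# Win.Trojan.Zeus variant: normalized URI of exactly 13 bytes starting "/webstat/?i=" (one-char value),
# a "Mozilla/7" User-Agent (no such Mozilla version exists) containing "; MSIE ", and no
# Accept-Encoding header. No reference is recorded for this rule.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; urilen:13,norm; content:"/webstat/?i="; depth:12; fast_pattern; http_uri; content:"User-Agent: Mozilla/7"; http_header; content:"|3B 20|MSIE|20|"; distance:0; http_header; content:!"Accept-Encoding:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:29127; rev:1;)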
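# CritX exploit-kit payload, server -> client: response header "filename=<24 lower-hex>.exe\r\n" where
# the 24 chars are neither all digits nor all letters. Sets flowbit file.exploit_kit.pe for
# downstream rules. Drop policy but no impact_flag — alerts only from the exploit-kit context.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit payload download attempt"; flow:to_client,established; content:".exe|0D 0A|"; fast_pattern:only; http_header; content:"filename="; http_header; content:".exe|0D 0A|"; within:6; distance:24; http_header; pcre:"/filename=(?![a-f]{24}|\d{24})[a-f\d]{24}\.exe\r\n/H"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:29167; rev:1;)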
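# Known-bad User-Agent "fortis" (exact, CRLF-terminated). "any any -> any" source, so it fires on
# traffic in either direction that the sensor sees.
alert tcp any any -> any $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user-agent string fortis"; flow:to_server,established; content:"User-Agent: fortis|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/92614908e7842e0dfa72ecfee868b06017b5cc445f201874776583f754b137a3/analysis/; classtype:trojan-activity; sid:29174; rev:1;)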
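# Win.Trojan.Androm check-in: URI "/se/gate.php" plus a raw (non-normalized) header block in the
# exact order Cache-Control / Connection / Pragma / Content-Type / User-Agent "Mozilla/4.0" /
# Content-Length. The body must end with "=" followed by a bare LF (pcre \x3d\x0a$), not CRLF.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Androm variant outbound connection"; flow:to_server,established; content:"/se/gate.php"; http_uri; content:"HTTP/1.1|0D 0A|Cache-Control: no-cache|0D 0A|Connection: close|0D 0A|Pragma: no-cache|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/4.0|0D 0A|Content-Length: "; fast_pattern:only; pcre:"/\x3d\x0a$/P"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0baf3197bdb2c665fea0a84db91d3f65171cf6cf9a732fd394ff9f707ddaf682/analysis/; classtype:trojan-activity; sid:29216; rev:1;)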

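# Win.Trojan.MSIL: DNS standard query containing the labels "722forbidden1.sytes.net" (a dynamic-DNS
# name). No trailing |00|, so longer names with this prefix match as well.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain 722forbidden1.sytes.net - Win.Trojan.MSIL variant outbound connection "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|722forbidden1|05|sytes|03|net"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,fileanalyzer.net/analysis/1076/5370/0/html; reference:url,www.virustotal.com/en/file/e2aa97c947cdf38e76749e863f73e31c94da76d84ba8b3a8a4342c253b2b934b/analysis/; classtype:trojan-activity; sid:29217; rev:1;)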
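# Win.Trojan.Strictor: request whose normalized URI is exactly "/mod/lookfashon.jpg" (urilen:19)
# and that carries no Accept-Language header.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Strictor variant outbound connection"; flow:to_server,established; urilen:19,norm; content:"/mod/lookfashon.jpg"; fast_pattern:only; http_uri; content:!"Accept-Language:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0fe413704c85751b060546ebfd428d57726d8fd002ca95ec8deb76f5f37ed9c4/analysis/1389125202/; classtype:trojan-activity; sid:29220; rev:1;)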
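# Win.Trojan.Graftor: URI containing the literal "/chamjavanv.inf?aapf/login.jsp?=".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Graftor variant outbound connection"; flow:to_server,established; content:"/chamjavanv.inf?aapf/login.jsp?="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a46c3fee842f1ded35b6a4e003c0e6ea62ee66d354d4b826b4c3e5aa9310b3ba/analysis/; classtype:trojan-activity; sid:29259; rev:1;)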
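# Win.Trojan.Graftor: URI containing the literal "/novredir_inf.php?apt/login.jsp?=" (same sample as
# sid 29259).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Graftor variant outbound connection"; flow:to_server,established; content:"/novredir_inf.php?apt/login.jsp?="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a46c3fee842f1ded35b6a4e003c0e6ea62ee66d354d4b826b4c3e5aa9310b3ba/analysis/; classtype:trojan-activity; sid:29260; rev:1;)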
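# Win.Trojan.Dropper: request for exactly "/FileToDownload.exe" (urilen:19) from Host dl.dropbox.com
# with no Accept and no User-Agent header at all — a header set no browser produces.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dropper variant outbound connection"; flow:to_server,established; urilen:19,norm; content:"/FileToDownload.exe"; fast_pattern:only; http_uri; content:"Host: dl.dropbox.com|0D 0A|"; http_header; content:!"Accept"; http_header; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,fileanalyzer.net/analysis/1087/5386/0/html; reference:url,www.virustotal.com/en/file/913cc54750e8bb6b88d5ccbfc988e0107f80ad14ba4d052a3f3db11ccfd8ce4a/analysis/; classtype:trojan-activity; sid:29261; rev:1;)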
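# Win.Trojan.Dunihi: DNS standard query for the exact dynamic-DNS name bog5151.zapto.org.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain bog5151.zapto.org - Win.Trojan.Dunihi"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|bog5151|05|zapto|03|org|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/fc274838271cc9e28d8c3c9c925f38c07da14c13f3df56f41450f514904ae876/analysis/; classtype:trojan-activity; sid:29262; rev:1;)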
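# Win.Trojan.Dunihi: DNS standard query for the exact dynamic-DNS name kara.no-ip.info.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain kara.no-ip.info - Win.Trojan.Dunihi"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|kara|05|no-ip|04|info|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/e3cbce74e7fa73b931283b0187f237d0acb4ea3e1f5ce2be4af83493a6bef460/analysis/; classtype:trojan-activity; sid:29263; rev:1;)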
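# Win.Trojan.Graftor lure, server -> client: response header "; filename=CostcoForm.zip\r\n" and the
# string "CostcoForm.exe" somewhere in the body (zip entry names are stored uncompressed, so the
# inner .exe name is visible in file_data).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Graftor variant inbound connection"; flow:to_client,established; content:"|3B 20|filename=CostcoForm.zip|0D 0A|"; fast_pattern:only; http_header; file_data; content:"CostcoForm.exe"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b20fcfe7d851dfe1f835e60072e53b0a3c54e14d0fc94814ce841be4740f295c/analysis; classtype:trojan-activity; sid:29300; rev:3;)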
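# Win.Trojan.Zusy status POST: body begins with "rotina=UPDATE&tip=stat&nome=" (depth:28) and is
# followed, in order, by "&tmp=" and "&stat=".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zusy variant outbound connection"; flow:to_server,established; content:"rotina=UPDATE&tip=stat&nome="; depth:28; fast_pattern; http_client_body; content:"&tmp="; distance:0; http_client_body; content:"&stat="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/6fdd7c0630ea89a58cdc1f3fb74bf5a99732bd5649a39411868bf71e90cfdc84/analysis/1389362066/; classtype:trojan-activity; sid:29349; rev:1;)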
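# Disabled by default. Win.Trojan.Dropper, server -> client from port 777/778: raw TCP segment of
# 11-19 bytes containing the fixed 10-byte sequence 05 29 00 00 00 05 29 00 00 00. No service
# tag, so this is pure payload/port matching; informational (no impact_flag or drop policy).
# alert tcp $EXTERNAL_NET [777,778] -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Dropper inbound encrypted traffic"; flow:to_client,established; dsize:10<>20; content:"|05 29 00 00 00 05 29 00 00 00|"; fast_pattern:only; metadata:ruleset community; reference:url,www.virustotal.com/en/file/20b49af8b750a1899117827476402ccaf7095fb5b7aad2e96c8109290da453cb/analysis/; reference:url,www.virustotal.com/en/file/559e8dbe388c8c103996b208eb5532e295da717f84b4a7ddf5c9885de8115606/analysis/; classtype:trojan-activity; sid:29378; rev:1;)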
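# Disabled by default. Win.Trojan.Dropper, client -> server to port 777/778: large segment
# (dsize:>1440) containing the 7-byte sequence 03 2B 82 86 02 A0 05, flagged as potential
# exfiltration. Same sample references as sid 29378/29380.
# alert tcp $HOME_NET any -> $EXTERNAL_NET [777,778] (msg:"MALWARE-CNC Win.Trojan.Dropper outbound encrypted traffic - potential exfiltration"; flow:to_server,established; dsize:>1440; content:"|03 2B 82 86 02 A0 05|"; fast_pattern:only; metadata:ruleset community; reference:url,www.virustotal.com/en/file/20b49af8b750a1899117827476402ccaf7095fb5b7aad2e96c8109290da453cb/analysis/; reference:url,www.virustotal.com/en/file/559e8dbe388c8c103996b208eb5532e295da717f84b4a7ddf5c9885de8115606/analysis/; classtype:trojan-activity; sid:29379; rev:1;)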
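# Disabled by default. Win.Trojan.Dropper keep-alive, client -> server to port 777/778: a segment of
# exactly 5 bytes equal to 05 29 00 00 00. A 5-byte fixed pattern on two ports is easy to collide
# with; keep disabled unless the ports are unused locally.
# alert tcp $HOME_NET any -> $EXTERNAL_NET [777,778] (msg:"MALWARE-CNC Win.Trojan.Dropper outbound encrypted traffic"; flow:to_server,established; dsize:5; content:"|05 29 00 00 00|"; fast_pattern:only; metadata:ruleset community; reference:url,www.virustotal.com/en/file/20b49af8b750a1899117827476402ccaf7095fb5b7aad2e96c8109290da453cb/analysis/; reference:url,www.virustotal.com/en/file/559e8dbe388c8c103996b208eb5532e295da717f84b4a7ddf5c9885de8115606/analysis/; classtype:trojan-activity; sid:29380; rev:1;)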
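# Disabled by default. Zeus variant mimicking a Google request: raw request "/webhp HTTP/1.1" with
# the exact Accept / Connection / User-Agent order, "; MSIE " and "google." in the headers, a cookie
# starting "NID=", and no "Accept-*" headers. Port 80 only. This closely resembles real browser
# traffic to Google, which is the likely reason it ships disabled.
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; urilen:6; content:"/webhp HTTP/1.1|0D 0A|Accept: */*|0D 0A|Connection: Close|0D 0A|User-Agent: Mozilla/4.0 ("; fast_pattern:only; content:"|3B| MSIE "; http_header; content:"google."; http_header; content:!"Accept-"; http_header; content:"NID="; depth:4; http_cookie; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/ef4e0ccc49decb41f213a20f61d92374c3b97497105d7c20e7284f65055d2ccb/analysis/; classtype:trojan-activity; sid:29395; rev:1;)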
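# Disabled by default. Phishing lure: HTTP response whose filename matches *receipt*.zip
# (case-insensitive) and whose body starts with the zip signature "PK" with ".exe" within the first
# 50 bytes — i.e. the first local-file-header name is an executable. Only the first entry is checked.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-SPAM Potential phishing attack - .zip receipt filename download with .exe name within .zip the same"; flow:to_client,established; content:"Receipt"; fast_pattern:only; http_header; content:".zip"; http_header; pcre:"/\sfilename=[a-z0-9]{0,20}receipt[a-z0-9]{0,20}\.zip/Hi"; file_data; content:"PK"; depth:2; content:".exe"; within:50; metadata:ruleset community, service http; classtype:trojan-activity; sid:29396; rev:1;)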
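# Disabled by default. Phishing lure: *shipping*.zip download whose first zip entry name contains
# ".exe" (same structure as sid 29396).
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-SPAM Potential phishing attack - .zip shipping filename download with .exe name within .zip the same"; flow:to_client,established; content:"Shipping"; fast_pattern:only; http_header; content:".zip"; http_header; pcre:"/\sfilename=[a-z0-9]{0,20}shipping[a-z0-9]{0,20}\.zip/Hi"; file_data; content:"PK"; depth:2; content:".exe"; within:50; metadata:ruleset community, service http; classtype:trojan-activity; sid:29397; rev:1;)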
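# Disabled by default. Phishing lure: *voicemail*.zip download whose first zip entry name contains
# ".exe" (same structure as sid 29396).
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-SPAM Potential phishing attack - .zip voicemail filename download with .exe name within .zip the same"; flow:to_client,established; content:"voicemail"; fast_pattern:only; http_header; content:".zip"; http_header; pcre:"/\sfilename=[a-z0-9]{0,20}voicemail[a-z0-9]{0,20}\.zip/Hi"; file_data; content:"PK"; depth:2; content:".exe"; within:50; metadata:ruleset community, service http; classtype:trojan-activity; sid:29398; rev:1;)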
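# Disabled by default. Phishing lure: *statement*.zip download whose first zip entry name contains
# ".exe" (same structure as sid 29396).
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-SPAM Potential phishing attack - .zip statement filename download with .exe name within .zip the same"; flow:to_client,established; content:"statement"; fast_pattern:only; http_header; content:".zip"; http_header; pcre:"/\sfilename=[a-z0-9]{0,20}statement[a-z0-9]{0,20}\.zip/Hi"; file_data; content:"PK"; depth:2; content:".exe"; within:50; metadata:ruleset community, service http; classtype:trojan-activity; sid:29399; rev:1;)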
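# Disabled by default. Outbound ICMP echo request (type 8) longer than 32 bytes whose payload starts
# with the L3retriever scanner signature "ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI". Classified as recon;
# referenced in the Target breach write-ups.
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Unusual L3retriever Ping detected"; icode:0; itype:8; dsize:>32; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; metadata:ruleset community; reference:url,krebsonsecurity.com/2014/01/a-closer-look-at-the-target-malware-part-ii/; reference:url,krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/; classtype:successful-recon-limited; sid:29454; rev:1;)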
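# Disabled by default. Outbound ICMP echo request longer than 32 bytes that starts with the default
# Windows ping payload "0123456789abcdefghijklmnopqrstuv". Normal Windows pings are exactly 32
# bytes, so dsize:>32 is what makes the hit "unusual".
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Unusual Microsoft Windows Ping detected"; icode:0; itype:8; dsize:>32; content:"0123456789abcdefghijklmnopqrstuv"; depth:32; metadata:ruleset community; reference:url,krebsonsecurity.com/2014/01/a-closer-look-at-the-target-malware-part-ii/; reference:url,krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/; classtype:successful-recon-limited; sid:29455; rev:1;)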


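# Disabled by default. Catch-all: outbound, unfragmented ICMP echo request whose payload matches none
# of the listed known ping signatures. The negated list is case-sensitive and does not include the
# lower-case "abcdefghijklmnopqrstuvwabcdefghi" payload that sid 29457 identifies as Windows 7, so
# ordinary Windows 7 pings would also fire this rule; expect high volume if enabled.
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Unusual PING detected"; icode:0; itype:8; fragbits:!M; content:!"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; content:!"0123456789abcdefghijklmnopqrstuv"; depth:32; content:!"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"; depth:36; content:!"WANG2"; content:!"cacti-monitoring-system"; depth:65; content:!"SolarWinds"; depth:72; metadata:ruleset community; reference:url,krebsonsecurity.com/2014/01/a-closer-look-at-the-target-malware-part-ii/; reference:url,krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/; classtype:successful-recon-limited; sid:29456; rev:2;)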
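# Disabled by default. Outbound ICMP echo request longer than 32 bytes starting with the lower-case
# "abcdefghijklmnopqrstuvwabcdefghi" payload (labelled here as the Windows 7 ping pattern).
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Unusual Microsoft Windows 7 Ping detected"; icode:0; itype:8; dsize:>32; content:"abcdefghijklmnopqrstuvwabcdefghi"; depth:32; metadata:ruleset community; reference:url,krebsonsecurity.com/2014/01/a-closer-look-at-the-target-malware-part-ii/; reference:url,krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/; classtype:successful-recon-limited; sid:29457; rev:1;)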
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC
Win.Trojan.Fexel variant outbound connection";
flow:to_server,established; content:"|0A|Agtid|3A 20|"; content:"08x|0D
0A|"; within:5; distance:8; metadata:impact_flag red, policy security-ips
drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/b33ffbec01b43301edd9db42a59dcd33
dd45f638733e2f92f0cb5bfe86714734/analysis/; classtype:trojan-activity;
sid:29459; rev:2;)
# DNS-lookup rules in this section: byte_test:1,!&,0xF8,2 reads the first DNS header flags byte (payload offset 2) and requires the QR and Opcode bits to be clear, i.e. a standard query rather than a response; the content string is the wire-format name, each label prefixed by its length byte.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain antiq.scifi.ro - Linux.Backdoor.Shellbot";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|antiq|05|scifi|02|ro|
00|"; metadata:impact_flag red, policy balanced-ips drop, policy
security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/8eb6c4a844cbfe98db78aef08a634c46
0c7c9f7d576b62444114306effb4023d/analysis/1390763713/;
reference:url,www.virustotal.com/en/file/daffe8b88d7fd99e5a5000b697aeca46
aa7c305a6408d952018b9d1f5f5c6fdb/analysis/1390763695/; classtype:trojan-activity; sid:29567; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain funny.evils.in - Linux.Backdoor.Shellbot";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|funny|05|evils|02|in|
00|"; metadata:impact_flag red, policy balanced-ips drop, policy
security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/8eb6c4a844cbfe98db78aef08a634c46
0c7c9f7d576b62444114306effb4023d/analysis/1390763713/;
reference:url,www.virustotal.com/en/file/daffe8b88d7fd99e5a5000b697aeca46
aa7c305a6408d952018b9d1f5f5c6fdb/analysis/1390763695/; classtype:trojan-activity; sid:29568; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Linux.Backdoor.Shellbot outbound connection"; flow:to_server,established;
content:"JOIN|20|#vnc|0A|"; depth:10; content:"PRIVMSG|20|#vnc|20 3A|";
within:14; content:"status checking program online"; within:30;
distance:7; nocase; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service irc;
reference:url,www.virustotal.com/en/file/8eb6c4a844cbfe98db78aef08a634c46
0c7c9f7d576b62444114306effb4023d/analysis/1390763713/; classtype:trojan-activity; sid:29569; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.DomaIQ variant outbound connection";
flow:to_server,established; content:"/trace/Start HTTP/1.1|0D 0A|Host: ";
fast_pattern:only; content:"/debug/Version/"; depth:15; http_uri;
content:!"Accept"; http_header; content:!"User-Agent:"; http_header;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http; reference:url,fileanalyzer.net/analysis/1546/6325/0/html#network;
reference:url,www.virustotal.com/en/file/59795540fc058979c6be02351507330f
ce8a8d3c6f10cbcd4ee21ab0144b9a7f/analysis/1390421409/; classtype:trojan-activity; sid:29664; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Graftor variant outbound connection";
flow:to_server,established; content:"&bolausado"; fast_pattern:only;
http_client_body; content:"rotina="; depth:7; http_client_body;
content:"&casa="; distance:0; http_client_body; content:"&idcliente";
distance:0; http_client_body; content:"&outro="; distance:0;
http_client_body; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/9ce3d15cbb5bc8cd42570f44ab4eb8f6
332c5d0f28291d295883bf2923c01d4b/analysis/; classtype:trojan-activity;
sid:29665; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Linkup outbound connection"; flow:to_server,established;
urilen:20; content:"POST"; http_method; content:"/uplink.php?logo.jpg";
fast_pattern:only; http_uri; content:"User-Agent: Mozilla/5.0";
http_header; content:"token="; depth:6; http_client_body;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,blog.emsisoft.com/2014/02/03/malware-analysis-ransomware-linkup-blocks-dns-and-mines-bitcoins/; classtype:trojan-activity;
sid:29666; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST
User-Agent known malicious user-agent string MSIE 4.01 - Win.Trojan.Careto"; flow:to_server,established; content:"Mozilla/4.0 |28|
compatible|3B| MSIE 4.01|3B| Windows NT|29 0D 0A|"; fast_pattern:only;
http_header; metadata:impact_flag red, policy balanced-ips drop, policy
security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d
4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity;
sid:29760; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain appleupdt.com - Win.Trojan.Careto"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|09|appleupdt|03|com|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d
4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity;
sid:29761; rev:1;)

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain carrus.gotdns.com - Win.Trojan.Careto"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|06|carrus|06|gotdns|03|com|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d
4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity;
sid:29762; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain cherry1962.dyndns.org - Win.Trojan.Careto";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|cherry1962|06|dyndns|
03|org|00|"; fast_pattern:only; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
dns;
reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d
4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity;
sid:29763; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain ctronlinenews.dyndns.tv - Win.Trojan.Careto";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|ctronlinenews|06|
dyndns|02|tv|00|"; fast_pattern:only; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
dns;
reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d
4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity;
sid:29764; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain dfup.selfip.org - Win.Trojan.Careto"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|04|dfup|06|selfip|03|org|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d
4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity;
sid:29765; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain fast8.homeftp.org - Win.Trojan.Careto"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|05|fast8|07|homeftp|03|org|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d
4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity;
sid:29766; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain gx5639.dyndns.tv - Win.Trojan.Careto"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|06|gx5639|06|dyndns|02|tv|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d
4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity;
sid:29767; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain helpcenter1it6238.cz.cc - Win.Trojan.Careto";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|11|helpcenter1it6238|02|
cz|02|cc|00|"; fast_pattern:only; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
dns;
reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d
4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity;
sid:29768; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain helpcenter2br6932.cc - Win.Trojan.Careto"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|11|helpcenter2br6932|02|cc|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d
4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity;
sid:29769; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain linkconf.net - Win.Trojan.Careto"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|08|linkconf|03|net|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d
4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity;
sid:29770; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain mango66.dyndns.org - Win.Trojan.Careto"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|07|mango66|06|dyndns|03|org|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d
4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity;
sid:29771; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain msupdt.com - Win.Trojan.Careto"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|06|msupdt|03|com|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d
4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity;
sid:29772; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain nav1002.ath.cx - Win.Trojan.Careto"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|07|nav1002|03|ath|02|cx|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d
4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity;
sid:29773; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain nthost.shacknet.nu - Win.Trojan.Careto"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|06|nthost|08|shacknet|02|nu|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d
4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity;
sid:29774; rev:1;)

alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain oco-231-ms.xns01.com - Win.Trojan.Careto"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|0A|oco-231-ms|05|xns01|03|com|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d
4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity;
sid:29775; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain pininfarina.dynalias.com - Win.Trojan.Careto";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|pininfarina|08|
dynalias|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
dns;
reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d
4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity;
sid:29776; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain pl400.dyndns.org - Win.Trojan.Careto"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|05|pl400|06|dyndns|03|org|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d
4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity;
sid:29777; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain prosoccer1.dyndns.info - Win.Trojan.Careto";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|prosoccer1|06|dyndns|
04|info|00|"; fast_pattern:only; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
dns;
reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d
4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity;
sid:29778; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain redirserver.net - Win.Trojan.Careto"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|0B|redirserver|03|net|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d
4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity;
sid:29779; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain ricush.ath.cx - Win.Trojan.Careto"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|06|ricush|03|ath|02|cx|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d
4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity;
sid:29780; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain services.serveftp.org - Win.Trojan.Careto";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|services|08|serveftp|
03|org|00|"; fast_pattern:only; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
dns;
reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d
4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity;
sid:29781; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain sv.serveftp.org - Win.Trojan.Careto"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|02|sv|08|serveftp|03|org|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d
4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity;
sid:29782; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain swupdt.com - Win.Trojan.Careto"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|06|swupdt|03|com|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d
4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity;
sid:29783; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain takami.podzone.net - Win.Trojan.Careto"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|06|takami|07|podzone|03|net|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d
4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity;
sid:29784; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain tunga.homedns.org - Win.Trojan.Careto"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|05|tunga|07|homedns|03|org|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d
4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity;
sid:29785; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain wqq.dyndns.org - Win.Trojan.Careto"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|03|wqq|06|dyndns|03|org|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d
4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity;
sid:29786; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain wwnav.selfip.net - Win.Trojan.Careto"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|05|wwnav|06|selfip|03|net|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d
4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity;
sid:29787; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Careto outbound connection"; flow:to_server,established;
content:"Group|3D|"; http_uri; content:"Install|3D|"; http_uri;
content:"Ver|3D|"; http_uri; content:"Ask|3D|"; http_uri; content:"Bn|
3D|"; http_uri; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d
4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity;
sid:29788; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Careto plugin download"; flow:to_server,established;
content:"/ag/plugin.crx"; fast_pattern:only; http_uri;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d
4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity;
sid:29789; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Careto plugin download"; flow:to_server,established;
content:"/l/af_l_addon.xpi"; fast_pattern:only; http_uri;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d
4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity;
sid:29790; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Careto plugin download"; flow:to_server,established;
content:"/m/f_l_addon.xpi"; fast_pattern:only; http_uri;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d
4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity;
sid:29791; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Jackpos outbound connection"; flow:to_server, established;
content:"/post"; http_uri; content:"User-Agent: something";
fast_pattern:only; http_header; content:"mac="; http_client_body;
content:"&t1="; distance:0; http_client_body; metadata:impact_flag red,
policy balanced-ips drop, policy security-ips drop, ruleset community,
service http;
reference:url,www.virustotal.com/en/file/39c13ee490a2c4cf6f3aafe92734edbf
2373f25cc6fab8e15cd4cf590f1abdf1/analysis; classtype:trojan-activity;
sid:29816; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Jackpos outbound connection"; flow:to_server, established;
urilen:10; content:"/post/echo"; fast_pattern:only; http_uri;
content:!"User-Agent:"; http_header; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http;
reference:url,www.virustotal.com/en/file/39c13ee490a2c4cf6f3aafe92734edbf
2373f25cc6fab8e15cd4cf590f1abdf1/analysis; classtype:trojan-activity;
sid:29817; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST
User-Agent known malicious user agent - TixDll - Win.Trojan.Adload.dyhq";
flow:to_server,established; content:"User-Agent: TixDll|0D 0A|";
fast_pattern:only; http_header; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http;
reference:url,www.virustotal.com/en/file/f5fbdc74afc209f2648490e077a2fcdd
c402cbc57ababbc2f735aaecde95681b/analysis/; classtype:trojan-activity;
sid:29824; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain commandcenteral.info - Win.Trojan.Adload.dyhq";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|commandcenteral|04|
info|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/f5fbdc74afc209f2648490e077a2fcdd
c402cbc57ababbc2f735aaecde95681b/analysis/; classtype:trojan-activity;
sid:29825; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain givemefilesnow.info - Win.Trojan.Adload.dyhq";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|givemefilesnow|04|
info|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/f5fbdc74afc209f2648490e077a2fcdd
c402cbc57ababbc2f735aaecde95681b/analysis/; classtype:trojan-activity;
sid:29826; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain stylefun.info - Win.Trojan.Adload.dyhq"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|08|stylefun|04|info|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/f5fbdc74afc209f2648490e077a2fcdd
c402cbc57ababbc2f735aaecde95681b/analysis/; classtype:trojan-activity;
sid:29827; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Adload.dyhq variant outbound connection";
flow:to_server,established; content:"/get/?ver="; depth:10; http_uri;
content:"&aid="; distance:0; http_uri; content:"&hid="; distance:0;
http_uri; content:"&rid="; distance:0; http_uri; content:"&data=";
distance:0; http_uri; content:!"Referer:"; http_header;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/f5fbdc74afc209f2648490e077a2fcdd
c402cbc57ababbc2f735aaecde95681b/analysis/; classtype:trojan-activity;
sid:29828; rev:1;)
# Linksys "TheMoon" HNAP rules (sids 29829-29831): "YWRtaW46" is the base64 encoding of the Basic-auth credential "admin:" (user admin, empty password), and the "%74%6d%70" body check in sid 29830 is the percent-encoded form of the plain "tmp" that sid 29831 matches, so both encodings of the same request are covered.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP
HNAP remote code execution attempt"; flow:established,to_server;
urilen:6; content:"/HNAP1"; fast_pattern:only; http_uri;
content:"Authorization: Basic YWRtaW46"; http_header; metadata:policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http; reference:url,isc.sans.edu/diary/Linksys+Worm+%22TheMoon%22+Summary
%3A+What+we+know+so+far/17633; classtype:attempted-admin; sid:29829;
rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP
HNAP remote code execution attempt"; flow:established,to_server;
content:"POST"; http_method; content:"/tmUnblock.cgi"; fast_pattern:only;
http_uri; content:"Authorization: Basic YWRtaW46"; http_header;
content:"%74%6d%70"; http_client_body; metadata:policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,isc.sans.edu/diary/Linksys+Worm+%28%22TheMoon
%22%29+Captured/17630; classtype:attempted-admin; sid:29830; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP
HNAP remote code execution attempt"; flow:established,to_server;
content:"POST"; http_method; content:"/tmUnblock.cgi"; fast_pattern:only;
http_uri; content:"Authorization: Basic YWRtaW46"; http_header;
content:"tmp"; http_client_body; metadata:policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,isc.sans.edu/diary/Linksys+Worm+%28%22TheMoon
%22%29+Captured/17630; classtype:attempted-admin; sid:29831; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain hattouma12.no-ip.biz - Win.Trojan.Dunihi"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|0A|hattouma12|05|no-ip|03|biz|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/960aee6e11a44bf18a5f224019bd40e3
5112a2f312c220c9aaf0b30c9a5ba084/analysis/; classtype:trojan-activity;
sid:29832; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain sidisalim.myvnc.com - Win.Trojan.Dunihi"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|09|sidisalim|05|myvnc|03|com|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/b560a6719a23095cbaeabcff55e8a9dd
8fde1fdf4c428b6261731072eb5256d2/analysis/; classtype:trojan-activity;
sid:29833; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain abdnjworm.no-ip.biz - Win.Trojan.Jenxcus";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|abdnjworm|05|no-ip|
03|biz"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service dns;
reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry
.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2;
classtype:trojan-activity; sid:29837; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain abocasse.zapto.org - Win.Trojan.Jenxcus";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|abocasse|05|zapto|03|
org"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service dns;
reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry
.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2;
classtype:trojan-activity; sid:29838; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain ahmedghost.no-ip.info - Win.Trojan.Jenxcus";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|ahmedghost|05|no-ip|
04|info"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns;
reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry
.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2;
classtype:trojan-activity; sid:29839; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain b-trese.no-ip.biz - Win.Trojan.Jenxcus";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|b-trese|05|no-ip|03|
biz"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service dns;
reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry
.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2;
classtype:trojan-activity; sid:29840; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain boucraa.no-ip.org - Win.Trojan.Jenxcus";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|boucraa|05|no-ip|03|
org"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service dns;
reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry
.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2;
classtype:trojan-activity; sid:29841; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain dd.no-ip.bz - Win.Trojan.Jenxcus";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|dd|05|no-ip|02|bz";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry
.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2;
classtype:trojan-activity; sid:29842; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain debili1.no-ip.biz - Win.Trojan.Jenxcus";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|debili1|05|no-ip|03|
biz"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service dns;
reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry
.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2;
classtype:trojan-activity; sid:29843; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain fuck-all.no-ip.info - Win.Trojan.Jenxcus";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|fuck-all|05|no-ip|04|
info"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service dns;
reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry
.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2;
classtype:trojan-activity; sid:29844; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain hackers1990.no-ip.org - Win.Trojan.Jenxcus";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|hackers1990|05|no-ip|
03|org"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service dns;
reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry
.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2;
classtype:trojan-activity; sid:29845; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain heartbraker.no-ip.biz - Win.Trojan.Jenxcus";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|heartbraker|05|no-ip|
03|biz"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service dns;
reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry
.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2;
classtype:trojan-activity; sid:29846; rev:1;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request


for known malware domain jnyn-99.no-ip.org - Win.Trojan.Jenxcus";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|jnyn-99|05|no-ip|03|
org"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service dns;
reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry
.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2;
classtype:trojan-activity; sid:29847; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain mda.no-ip.org - Win.Trojan.Jenxcus";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|mda|05|no-ip|03|org";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry
.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2;
classtype:trojan-activity; sid:29848; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain mmrick.zapto.org - Win.Trojan.Jenxcus";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|mmrick|05|zapto|03|
org"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service dns;
reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry
.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2;
classtype:trojan-activity; sid:29849; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain mntm.no-ip.biz - Win.Trojan.Jenxcus";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|mntm|05|no-ip|03|
biz"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service dns;
reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry
.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2;
classtype:trojan-activity; sid:29850; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain mootje01.no-ip.org - Win.Trojan.Jenxcus";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|mootje01|05|no-ip|03|
org"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service dns;
reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry
.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2;
classtype:trojan-activity; sid:29851; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain mozaya46415.zapto.org - Win.Trojan.Jenxcus";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|mozaya46415|05|zapto|
03|org"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service dns;
reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry
.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2;
classtype:trojan-activity; sid:29852; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain no99.zapto.org - Win.Trojan.Dunihi";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|no99|05|zapto|03|
org"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service dns;
reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry

.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2;
classtype:trojan-activity; sid:29853; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain rouge166821.no-ip.biz - Win.Trojan.Jenxcus";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|rouge166821|05|no-ip|
03|biz"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service dns;
reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry
.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2;
classtype:trojan-activity; sid:29854; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain school-pc.sytes.net - Win.Trojan.Dunihi";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|school-pc|05|sytes|
03|net"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service dns;
reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry
.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2;
classtype:trojan-activity; sid:29855; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain vanonymous.no-ip.org - Win.Trojan.Jenxcus";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|vanonymous|05|no-ip|
03|org"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service dns;
reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry
.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2;
classtype:trojan-activity; sid:29856; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain vichtorio-israeli.zapto.org - Win.Trojan.Jenxcus"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|11|
vichtorio-israeli|05|zapto|03|org"; fast_pattern:only;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service dns;
reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry
.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2;
classtype:trojan-activity; sid:29857; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain zkzak.np-ip.biz - Win.Trojan.Jenxcus";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|zkzak|05|np-ip|03|
biz"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service dns;
reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry
.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2;
classtype:trojan-activity; sid:29858; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.Pirminay variant outbout connection";
flow:to_client,established; content:"filename=|22|full__setup.zip|22 0D
0A|"; fast_pattern:only; http_header; file_data;
content:"full__setup.exe"; depth:200; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http;
reference:url,www.virustotal.com/en/file/5e1a615ddf73b27390d7a3c87a289327
61fc1c843e01cd68253e873270bef69d/analysis/1392222514/; classtype:trojan-activity; sid:29862; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC


Win.Trojan.Pirminay variant outbound connection";
flow:to_server,established; urilen:33;
content:"/read/swf/searchProductResult.jsp"; fast_pattern:only; http_uri;
content:"cache=cc2="; depth:10; http_cookie; content:"|3B| core=";
distance:0; http_cookie; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/5e1a615ddf73b27390d7a3c87a289327
61fc1c843e01cd68253e873270bef69d/analysis/1392222514/; classtype:trojan-activity; sid:29863; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT
Redkit exploit kit payload request"; flow:to_server,established;
content:"/download.asp?p="; nocase; http_uri; content:" Java/1.";
fast_pattern:only; http_header; pcre:"/\/download\.asp\?p\=\d$/Ui";
metadata:policy balanced-ips drop, policy security-ips drop, ruleset
community, service http; reference:url,www.invincea.com/2014/02/ekia-citadel-a-k-a-the-malware-the-popped-fazio-mechanical/; classtype:trojan-activity; sid:29864; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC
Win.Trojan.Kuluoz outbound connection"; flow:to_server,established;
content:" HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B|
WOW64|3B| rv:25.0) Gecko/20100101 Firefox/25.0|0D 0A|Host: ";
fast_pattern:only; content:"POST /"; depth:6; content:" HTTP/1.1";
within:9; distance:42; pcre:"/^POST\x20\x2f[A-F\d]{42}\x20HTTP/";
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/8b53c46a7dfbe738c558e653f33fccf2
004fc294848eee20903daa556bb3af09/analysis/; classtype:trojan-activity;
sid:29865; rev:5;)
# alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain 0zz0.com - Win.Trojan.Napolar"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|04|0zz0|03|com|00|"; fast_pattern:only;
metadata:impact_flag red, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/58762cf6aa8eea5744716986773a2c22
ae7412eae634be7bed648c96465bc8ef/analysis/; classtype:trojan-activity;
sid:29867; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain www.rekurigo.com - Win.Trojan.Napolar"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|03|www|08|rekurigo|03|com|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/58762cf6aa8eea5744716986773a2c22
ae7412eae634be7bed648c96465bc8ef/analysis/; classtype:trojan-activity;
sid:29868; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.Napolar phishing attack"; flow:to_client,established;
content:"facebook.com.exe"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/58762cf6aa8eea5744716986773a2c22
ae7412eae634be7bed648c96465bc8ef/analysis/; classtype:trojan-activity;
sid:29869; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.Pony HTTP response connection"; flow:to_client,established;

content:"Content-Length: 16"; http_header; file_data; content:"STATUS-IMPORT-OK"; fast_pattern:only; metadata:policy balanced-ips drop, policy
security-ips drop, ruleset community, service http; reference:url,file-analyzer.net/analysis/1830/6840/0/html;
reference:url,www.virustotal.com/en/file/58762cf6aa8eea5744716986773a2c22
ae7412eae634be7bed648c96465bc8ef/analysis/; classtype:trojan-activity;
sid:29870; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain jwqakoy3wdktb0.com - Win.Trojan.CryptoLocker";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|jwqakoy3wdktb0|03|
com|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns;
classtype:trojan-activity; sid:29875; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.WEC variant outbound connection"; flow:to_server,established;
dsize:69; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent:
Mozilla/4.0|0D 0A|Host: checkip.dyndns.org|0D 0A 0D 0A|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/164c792247b2822ab1dce8271a9498d3
c9172ff21d36feccf83265ded1be8d0b/analysis/; classtype:trojan-activity;
sid:29882; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Zeus variant outbound connection"; flow:to_server,established;
content:"POST"; http_method; content:"/gate.php"; fast_pattern:only;
http_uri; content:"|3B 20|MSIE|20|"; http_header; content:!"Accept-Language:"; http_header; content:!"Referer:"; http_header;
content:!"Accept-Encoding:"; http_header; metadata:impact_flag red,
policy balanced-ips drop, policy security-ips drop, ruleset community,
service http; classtype:trojan-activity; sid:29884; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLACKLIST User-Agent
known malicious user-agent string Updates downloader - Win.Trojan.Upatre"; flow:to_server,established; content:"User-Agent|3A|
Updates downloader|0D 0A|"; fast_pattern:only; http_header;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/F167C95A467F584890F39BA2162F1B96
E7626F5C575EB151C8E4E00E68F97478/analysis/; classtype:trojan-activity;
sid:29887; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Pushdo variant outbound connection";
flow:to_server,established; content:"POST"; http_method;
content:!"Referer|3A 20|"; http_header; content:"Accept|3A| */*|0D 0A|
Accept-Language|3A| en-us|0D 0A|Content-Type|3A| application/octet-stream|0D 0A|Content-Length|3A| "; depth:93; http_header; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B|
SV1)|0D 0A|Host|3A|"; distance:0; fast_pattern:34,20; http_header;
content:"Connection|3A| Keep-Alive|0D 0A|Cache-Control|3A| no-cache|0D
0A|"; distance:0; http_header; metadata:policy security-ips drop, ruleset
community, service http; classtype:trojan-activity; sid:29891; rev:6;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain pibadfixwug.kz - Win.Trojan.Pushdo"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|0B|pibadfixwug|02|kz|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,

policy security-ips drop, ruleset community, service dns;


reference:url,www.virustotal.com/en/file/9f3064634a48216f69d23c0887a71e87
9115a8388617d016239cf825e84e798b/analysis; classtype:trojan-activity;
sid:29894; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Bancos variant outbound connection ";
flow:to_server,established; content:"Content-Length: 166"; content:".php
HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|
3B| rv:11.0) like Gecko|0D 0A|Host: "; fast_pattern:only; content:"v=";
depth:2; http_client_body; content:"&c="; within:7; http_client_body;
pcre:"/\x3d\x3d$/P"; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5
c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity;
sid:29895; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.ExplorerHijack variant outbound connection";
flow:to_server,established; urilen:12; content:"/prl/el.html";
fast_pattern:only; http_uri; content:"Accept: text/html, */*|0D 0A|User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|";
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/b6f44c7466338ea14d1e711491b1d817
4ee71e00541759eb18a31f959da521a9/analysis/;
reference:url,www.virustotal.com/en/file/de67654959d29ffc5b9ec854d1e9e240
ec96090ce8b3f9c3c9b337b7f2a54f8a/analysis/; classtype:trojan-activity;
sid:29897; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Tiny variant outbound connection"; flow:to_server,established;
content:"/ie-error.gif?action=utility"; fast_pattern:only; http_uri;
content:"&os="; http_uri; content:"&error="; distance:0; http_uri;
content:"&rnd="; distance:0; http_uri; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http;
reference:url,www.virustotal.com/en/file/d446e176ba2141d0e7ae0799335fdd98
f94d5e6b41c88083f4a3d3c04805a721/analysis/; classtype:trojan-activity;
sid:29981; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain drags.su - Win.Trojan.Androm"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|05|drags|02|su|00|"; fast_pattern:only;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/0baf3197bdb2c665fea0a84db91d3f65
171cf6cf9a732fd394ff9f707ddaf682/analysis; classtype:trojan-activity;
sid:30067; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Androm variant outbound connection";
flow:to_server,established; urilen:14; content:"POST"; http_method;
content:"/and/image.php"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/4.0|0D 0A|"; http_header; pcre:"/^[a-z\d\x2f\+\x3d]
{10,98}$/Pi"; metadata:impact_flag red, policy security-ips drop, ruleset
community, service http;
reference:url,www.virustotal.com/en/file/0baf3197bdb2c665fea0a84db91d3f65

171cf6cf9a732fd394ff9f707ddaf682/analysis; classtype:trojan-activity;
sid:30068; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain smsgrabber.url.ph - Android iBanking/Spy.49";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|smsgrabber|03|url|02|
ph|00|"; metadata:impact_flag red, policy balanced-ips drop, policy
security-ips drop, ruleset community, service dns;
reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=3166;
reference:url,www.virustotal.com/en/file/38f6fccfc8a31306c0a03cad6908c148
e8506fd70ce03165fd89e18113b68e02/analysis/; classtype:trojan-activity;
sid:30069; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER
ANDR.Trojan.iBanking outbound connection attempt";
flow:to_server,established; urilen:21; content:"/android/sms/sync.php";
fast_pattern:only; http_uri; content:"User-Agent|3A 20|Apache-HttpClient|
2F|"; http_header; content:"bot_id="; http_client_body; content:"&imei=";
distance:0; http_client_body; content:"&iscallhack="; distance:0;
http_client_body; content:"&issmshack="; distance:0; http_client_body;
content:"&isrecordhack="; distance:0; http_client_body;
content:"&isadmin="; distance:0; http_client_body;
content:"&control_number="; distance:0; http_client_body;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=3166;
reference:url,www.virustotal.com/en/file/38f6fccfc8a31306c0a03cad6908c148
e8506fd70ce03165fd89e18113b68e02/analysis/; classtype:trojan-activity;
sid:30070; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER
ANDR.Trojan.iBanking outbound connection attempt";
flow:to_server,established; urilen:21; content:"POST"; http_method;
content:"/android/sms/ping.php"; fast_pattern:only; http_uri;
content:"User-Agent|3A 20|Apache-HttpClient|2F|"; http_header;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=3166;
reference:url,www.virustotal.com/en/file/38f6fccfc8a31306c0a03cad6908c148
e8506fd70ce03165fd89e18113b68e02/analysis/; classtype:trojan-activity;
sid:30071; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER
ANDR.Trojan.iBanking outbound connection attempt";
flow:to_server,established; urilen:22; content:"/android/sms/index.php";
fast_pattern:only; http_uri; content:"User-Agent|3A 20|Apache-HttpClient|
2F|"; http_header; content:"bot_id="; http_client_body;
content:"&number=&iccid=&model="; distance:0; http_client_body;
content:"&imei="; distance:0; http_client_body; content:"&os=";
distance:0; http_client_body; content:"&control_number="; distance:0;
http_client_body; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=3166;
reference:url,www.virustotal.com/en/file/38f6fccfc8a31306c0a03cad6908c148
e8506fd70ce03165fd89e18113b68e02/analysis/; classtype:trojan-activity;
sid:30072; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Gamut configuration download"; flow:to_server,established;

content:"|26|file=SenderClient.conf"; fast_pattern:only; http_uri;


metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/dcb60900fcfd4ec83930177b7055fbdb
ba37f8e217409874be130f9c2e5b78fb/analysis/; classtype:trojan-activity;
sid:30087; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Necurs variant outbound connection";
flow:to_server,established; urilen:13; content:"/forum/db.php HTTP/1.1|0D
0A|Content-Type: application/octet-stream|0D 0A|Host: ";
fast_pattern:only; content:!"User-Agent:"; http_header;
content:!"Referer:"; http_header; content:!"Accept"; http_header;
metadata:policy balanced-ips drop, policy security-ips drop, ruleset
community, service http; reference:url,file-analyzer.net/analysis/2306/8066/0/html#network;
reference:url,www.virustotal.com/en/file/009f75196d1df18713d2572e3a797fb6
a784a5c6c7dd7d253ba408ed7164c313/analysis/1393271978/; classtype:trojan-activity; sid:30091; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Uroburos usermode-centric client request";
flow:to_server,established; content:"/1/6b-558694705129b01c0";
fast_pattern:only; http_uri; content:"Connection: Keep-Alive|0D 0A|";
nocase; metadata:impact_flag red, policy balanced-ips drop, policy
connectivity-ips drop, policy security-ips drop, ruleset community,
service http;
reference:url,info.baesystemsdetica.com/rs/baesystems/images/snake_whitep
aper.pdf;
reference:url,public.gdatasoftware.com/Web/Content/INT/Blog/2014/02_2014/
documents/GData_Uroburos_RedPaper_EN_v1.pdf;
reference:url,www.virustotal.com/en/file/50edc955a6e8e431f5ecebb5b1d3617d
3606b8296f838f0f986a929653d289ed/analysis/; classtype:trojan-activity;
sid:30191; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Androm variant outbound connection";
flow:to_server,established; urilen:14; content:"/tmp/image.php";
fast_pattern:only; http_uri; content:"User-Agent: Mozilla/4.0|0D 0A|";
http_header; content:!"Accept"; http_header; pcre:"/^[a-z\d\x2b\x2f\x3d]
{48,256}$/iP"; metadata:impact_flag red, policy balanced-ips drop, policy
security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/0fb9613582fd025b6fd14dcd003973c6
76db3798b733851a6b37ef6b0bc5f3be/analysis; classtype:trojan-activity;
sid:30196; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Symmi variant outbound connection";
flow:to_server,established; content:".xpg.com.br|0D 0A|Accept: text/html,
*/*|0D 0A|Accept-Encoding: identity|0D 0A|User-Agent: Mozilla/3.0
(compatible|3B| Indy Library)|0D 0A 0D 0A|"; fast_pattern:only;
http_header; metadata:impact_flag red, policy balanced-ips drop, policy
security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/d28a89d789d51b30730a43ef903bc0fb
b58e7014e9d55fbb2e42fd640fee1eac/analysis/; classtype:trojan-activity;
sid:30198; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Graftor variant outbound connection";

flow:to_server,established; content:"|0D 0A|User-Agent: Mozilla/5.0


(Windows|3B| U|3B| Windows NT 6.1|3B| pt-BR|3B| rv:1.9.2b5)
Gecko/20091204 Firefox/3.6b5|0D 0A 0D 0A|"; fast_pattern:only; content:"|
0D 0A|Accept-Encoding: gzip,deflate, identity|0D 0A|"; http_header;
content:" HTTP/1.1|0D 0A|Content-Type: application/x-www-form-urlencoded|
0D 0A|"; metadata:impact_flag red, policy balanced-ips drop, policy
security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/9ce3d15cbb5bc8cd42570f44ab4eb8f6
332c5d0f28291d295883bf2923c01d4b/analysis/; classtype:trojan-activity;
sid:30234; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.Strictor HTTP Response - Brazil Geolocated Infected User";
flow:to_client,established; content:"Content-Length: 6|0D 0A|";
http_header; file_data; content:"BRASIL"; depth:6; fast_pattern;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/4b6a4211191c8115a3bce64897159127
dabcef0fbf6268007cb223dfa0870b60/analysis/; classtype:trojan-activity;
sid:30255; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.Strictor HTTP Response - Non-Brazil Geolocated Infected User";
flow:to_client,established; content:"Content-Length: 13|0D 0A|";
http_header; file_data; content:"INTERNACIONAL"; depth:13; fast_pattern;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/4b6a4211191c8115a3bce64897159127
dabcef0fbf6268007cb223dfa0870b60/analysis/; classtype:trojan-activity;
sid:30256; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.ExplorerHijack variant outbound connection";
flow:to_server,established; urilen:12; content:"/eh.html HTTP/1.1|0D 0A|
Content-Type: text/html|0D 0A|Host: "; fast_pattern:only; content:"|0D
0A|Accept: text/html, */*|0D 0A|User-Agent: Mozilla/3.0 (compatible|3B|
Indy Library)|0D 0A 0D 0A|"; http_header; metadata:impact_flag red,
policy balanced-ips drop, policy security-ips drop, ruleset community,
service http;
reference:url,www.virustotal.com/en/file/29c3af334ce712ff66985f3584ad0af5
3ab16c2968ca41f06b900d703a27064e/analysis/1393266939/;
reference:url,www.virustotal.com/en/file/5c2689920192836b3788a15f856ba311
b54976a0a75016cbf0ae9a85d5a21d76/analysis/; classtype:trojan-activity;
sid:30257; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Zeus variant outbound connection"; flow:to_server,established;
content:"POST"; http_method; content:"/forumdisplay.php?fid=";
fast_pattern:only; http_uri; content:"id="; depth:3; http_client_body;
content:"&iv="; within:4; distance:36; http_client_body;
content:!"Referer:"; http_header; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http;
reference:url,www.virustotal.com/en/file/52906104fa7cf93bbaba9ac9c6c5ffb8
c72799e14248045e467c6568926cb494/analysis/1386078525/;
reference:url,www.virustotal.com/en/file/5a9cd53f13825e17107d6b9f81ebe401
3f3abf23429d9735c7258d43c101b71f/analysis/; classtype:trojan-activity;
sid:30258; rev:2;)

# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC


Win.Trojan.Strictor variant outbound connection";
flow:to_server,established; content:"/20"; depth:3; http_uri; content:"|
0D 0A|Accept: text/html, */*|0D 0A|Accept-Encoding: identity|0D 0A|User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|";
fast_pattern:only; content:".inf"; nocase; http_uri; metadata:impact_flag
red, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/143756537dfb4964c04d874fd16366ef
384bdb4f64a739db019fa9b947b821a1/analysis/1395684118/; classtype:trojan-activity; sid:30259; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Mudrop variant outbound connection";
flow:to_server,established; content:"/gcs?alpha="; fast_pattern:only;
http_uri; content:"|0D 0A|Cache-Control: no-store,no-cache|0D 0A|Pragma:
no-cache|0D 0A|Connection: Keep-Alive|0D 0A 0D 0A|"; content:!"Accept";
http_header; content:!"User-Agent:"; http_header; metadata:impact_flag
red, policy balanced-ips drop, policy security-ips drop, ruleset
community, service http;
reference:url,www.virustotal.com/en/file/43c6fb02baf800b3ab3d8f35167c37dc
ed8ef3244691e70499a7a9243068c016/analysis/1395425759/; classtype:trojan-activity; sid:30260; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Mudrop variant outbound connection";
flow:to_server,established; content:"/gdi?alpha="; fast_pattern:only;
http_uri; content:"|0D 0A|Cache-Control: no-store,no-cache|0D 0A|Pragma:
no-cache|0D 0A|Connection: Keep-Alive|0D 0A 0D 0A|"; content:!"Accept";
http_header; content:!"User-Agent:"; http_header; metadata:impact_flag
red, policy balanced-ips drop, policy security-ips drop, ruleset
community, service http;
reference:url,www.virustotal.com/en/file/43c6fb02baf800b3ab3d8f35167c37dc
ed8ef3244691e70499a7a9243068c016/analysis/1395425759/; classtype:trojan-activity; sid:30261; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Symmi variant outbound connection";
flow:to_server,established; content:"lista"; http_uri; content:"|3B|
name=|22|arquivo|22 3B| filename=|22|C:|5C|"; fast_pattern:only;
http_client_body; content:".log|22 0D 0A|"; nocase; http_client_body;
content:!"Accept-"; http_header; metadata:policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/c70ca3914e44cf574f50019892916ed9
10d7454cdb64b4eab403961c953fe44e/analysis/1395407305/; classtype:trojan-activity; sid:30262; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"MALWARE-CNC
Win.Trojan.Glupteba.M initial outbound connection";
flow:to_server,established; content:"/stat?"; content:"uptime=";
content:"&downlink="; distance:0; content:"&uplink="; distance:0;
content:"&id="; distance:0; content:"&statpass=bpass"; distance:0;
fast_pattern; content:"&version="; distance:0; content:"&features=";
distance:0; content:"&guid="; distance:0; content:"&comment=";
distance:0; content:"&p="; distance:0; content:"&s="; distance:0;
metadata:policy balanced-ips drop, policy security-ips drop, ruleset
community, service http; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; classtype:trojan-activity;
sid:30288; rev:2;)

# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC


Linux.Trojan.Calfbot outbound connection"; flow:to_server,established;
content:"/b/index.php?id="; fast_pattern:only; http_uri;
content:"&sent="; http_uri; content:"&notsent="; distance:0; http_uri;
content:"&stat="; distance:0; http_uri; metadata:ruleset community,
service http; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; classtype:trojan-activity;
sid:30336; rev:2;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain titan2014.sytes.net - Win.Trojan.Zbot/Bublik";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|titan2014|05|sytes|
03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
dns;
reference:url,isc.sans.edu/forums/diary/Malicious+PDF+sent+in+massive+sca
m+to+Colombian+users+claiming+to+be+from+Credit+score+agency/17875;
reference:url,www.virustotal.com/en/file/bbc1a8b0892785c75f0f44d9414e424e
d03cefbf951ed20eaae50031670c8a96/analysis/; classtype:trojan-activity;
sid:30481; rev:1;)
alert tcp $EXTERNAL_NET 1600:1604 -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.Zbot/Bublik inbound connection attempt";
flow:to_client,established; content:"E|00|N|00|D|00|S|00|E|00|R|00|V|00|
E|00|R|00|B|00|U|00|F|00|F|00|E|00|R|00|"; fast_pattern:only;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community;
reference:url,isc.sans.edu/forums/diary/Malicious+PDF+sent+in+massive+sca
m+to+Colombian+users+claiming+to+be+from+Credit+score+agency/17875;
reference:url,www.virustotal.com/en/file/bbc1a8b0892785c75f0f44d9414e424e
d03cefbf951ed20eaae50031670c8a96/analysis/; classtype:trojan-activity;
sid:30482; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1600:1604 (msg:"MALWARE-CNC
Win.Trojan.Zbot/Bublik outbound connection"; flow:to_server,established;
content:"GET /123456789.functionss"; fast_pattern:only;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community;
reference:url,isc.sans.edu/forums/diary/Malicious+PDF+sent+in+massive+sca
m+to+Colombian+users+claiming+to+be+from+Credit+score+agency/17875;
reference:url,www.virustotal.com/en/file/bbc1a8b0892785c75f0f44d9414e424e
d03cefbf951ed20eaae50031670c8a96/analysis/; classtype:trojan-activity;
sid:30483; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1600:1604 (msg:"MALWARE-CNC
Win.Trojan.Zbot/Bublik outbound connection"; flow:to_server,established;
dsize:<20; content:"myversion|7C|"; fast_pattern:only;
pcre:"/myversion\x7c(\d\x2e){3}\d\x0d\x0a/"; metadata:impact_flag red,
policy balanced-ips drop, policy security-ips drop, ruleset community;
reference:url,isc.sans.edu/forums/diary/Malicious+PDF+sent+in+massive+sca
m+to+Colombian+users+claiming+to+be+from+Credit+score+agency/17875;
reference:url,www.virustotal.com/en/file/bbc1a8b0892785c75f0f44d9414e424e
d03cefbf951ed20eaae50031670c8a96/analysis/; classtype:trojan-activity;
sid:30484; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET
[21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL SSLv3
heartbeat read overrun attempt"; flow:to_server,established; content:"|18
03 00|"; depth:3; detection_filter:track by_src, count 3, seconds 1;
metadata:policy balanced-ips drop, policy security-ips drop, ruleset
community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30510; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET
[21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL TLSv1
heartbeat read overrun attempt"; flow:to_server,established; content:"|18
03 01|"; depth:3; detection_filter:track by_src, count 3, seconds 1;
metadata:policy balanced-ips drop, policy security-ips drop, ruleset
community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30511; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET
[21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt"; flow:to_server,established; content:"|18
03 02|"; depth:3; detection_filter:track by_src, count 3, seconds 1;
metadata:policy balanced-ips drop, policy security-ips drop, ruleset
community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30512; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET
[21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL TLSv1.2
heartbeat read overrun attempt"; flow:to_server,established; content:"|18
03 03|"; depth:3; detection_filter:track by_src, count 3, seconds 1;
metadata:policy balanced-ips drop, policy security-ips drop, ruleset
community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30513; rev:6;)
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET
any (msg:"SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible
ssl heartbleed attempt"; flow:to_client,established; content:"|18 03
00|"; depth:3; byte_test:2,>,128,0,relative; metadata:policy balanced-ips
drop, policy security-ips drop, ruleset community, service ssl;
reference:cve,2014-0160; classtype:attempted-recon; sid:30514; rev:8;)
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET
any (msg:"SERVER-OTHER OpenSSL TLSv1 large heartbeat response - possible
ssl heartbleed attempt"; flow:to_client,established; content:"|18 03
01|"; depth:3; byte_test:2,>,128,0,relative; metadata:policy balanced-ips
drop, policy security-ips drop, ruleset community, service ssl;
reference:cve,2014-0160; classtype:attempted-recon; sid:30515; rev:8;)
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET
any (msg:"SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|
18 03 02|"; depth:3; byte_test:2,>,128,0,relative; metadata:policy
balanced-ips drop, policy security-ips drop, ruleset community, service
ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30516;
rev:8;)
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET
any (msg:"SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|
18 03 03|"; depth:3; byte_test:2,>,128,0,relative; metadata:policy
balanced-ips drop, policy security-ips drop, ruleset community, service
ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30517;
rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET
[21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL SSLv3
heartbeat read overrun attempt - vulnerable client response";
flow:to_server,established; content:"|18 03 00|"; depth:3;
byte_test:2,>,128,3; detection_filter:track by_dst, count 2, seconds 5;
metadata:policy balanced-ips drop, policy security-ips drop, ruleset
community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30520; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET
[21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL TLSv1
heartbeat read overrun attempt - vulnerable client response";
flow:to_server,established; content:"|18 03 01|"; depth:3;
byte_test:2,>,128,3; detection_filter:track by_dst, count 2, seconds 5;
metadata:policy balanced-ips drop, policy security-ips drop, ruleset
community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30521; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET
[21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt - vulnerable client response";
flow:to_server,established; content:"|18 03 02|"; depth:3;
byte_test:2,>,128,3; detection_filter:track by_dst, count 2, seconds 5;
metadata:policy balanced-ips drop, policy security-ips drop, ruleset
community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30522; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET
[21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL TLSv1.2
heartbeat read overrun attempt - vulnerable client response";
flow:to_server,established; content:"|18 03 03|"; depth:3;
byte_test:2,>,128,3; detection_filter:track by_dst, count 2, seconds 5;
metadata:policy balanced-ips drop, policy security-ips drop, ruleset
community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30523; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET
[21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL TLSv1.1
heartbeat read overrun attempt"; flow:to_server,established; dsize:8;
content:"|18 03 02 00 03 01 40 00|"; depth:8; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl;
reference:cve,2014-0160; classtype:attempted-recon; sid:30524; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET
[21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL TLSv1.2
heartbeat read overrun attempt"; flow:to_server,established; dsize:69;
content:"|18 03 03 00 40|"; depth:5; metadata:policy balanced-ips drop,
policy security-ips drop, ruleset community, service ssl;
reference:cve,2014-0160; classtype:attempted-recon; sid:30525; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain aaukqiooaseseuke.org - Win.Trojan.Ramdo"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|10|aaukqiooaseseuke|03|org|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Ramdo-K/detailed-analysis.aspx; classtype:trojan-activity; sid:30543; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain eimqqakugeccgwak.org - Win.Trojan.Ramdo"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|10|eimqqakugeccgwak|03|org|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-
and-spyware/Troj~Ramdo-K/detailed-analysis.aspx; classtype:trojan-activity; sid:30544; rev:1;)


alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain kucmcamaqsgmaiye.org - Win.Trojan.Ramdo"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|10|kucmcamaqsgmaiye|03|org|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Ramdo-K/detailed-analysis.aspx; classtype:trojan-activity; sid:30545; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain uogwoigiuweyccsw.org - Win.Trojan.Ramdo"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|10|uogwoigiuweyccsw|03|org|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Ramdo-K/detailed-analysis.aspx; classtype:trojan-activity; sid:30546; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Ramdo variant outbound connection";
flow:to_server,established; urilen:1; content:"POST"; http_method;
content:".org|0D 0A|Content-Length|3A| 128|0D 0A|Cache-Control|3A| no-cache|0D 0A 0D 0A|"; fast_pattern:only; http_header; content:!"User-Agent|3A|"; http_header; content:!"Accept|3A|"; http_header;
pcre:"/^Host\x3a\s[a-z]{16}\.org\x0d/Hm"; metadata:impact_flag red,
policy security-ips drop, ruleset community, service http;
reference:url,blogs.technet.com/b/mmpc/archive/2014/04/08/msrt-april-2014-ramdo.aspx; classtype:trojan-activity; sid:30547; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Zeus variant outbound connection"; flow:to_server,established;
urilen:6; content:"POST"; http_method; content:"/write"; http_uri;
content:"Host: default|0D 0A|"; fast_pattern:only; http_header;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,blog.malwaremustdie.org/2014/03/a-post-to-sting-zeusp2p-gameover-crooks.html;
reference:url,www.virustotal.com/en/file/7647eec6ae87c203085fe433f25c78f4
15baf31d01ee8aa31241241712b46a0d/analysis/; classtype:trojan-activity;
sid:30548; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER OpenSSL
Heartbleed masscan access exploitation attempt";
flow:to_server,established; content:"[masscan/1.0]"; metadata:policy
balanced-ips drop, policy connectivity-ips drop, policy security-ips
drop, ruleset community, service ssl; reference:cve,2014-0160;
classtype:attempted-recon; sid:30549; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain darxk.com - Win.Trojan.Minerd"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|05|darxk|03|com|00|"; fast_pattern:only;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/583b585078f37f5d399a228f1b8021ca
0a9e904a55792281048bae9cfe0e95c1/analysis/; classtype:trojan-activity;
sid:30550; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Malicious BitCoiner Miner download attempt - Win.Trojan.Minerd";
flow:to_server,established; urilen:>10; content:"/minerd.exe";
fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/583b585078f37f5d399a228f1b8021ca
0a9e904a55792281048bae9cfe0e95c1/analysis/; classtype:trojan-activity;
sid:30551; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Malicious BitCoiner Miner download attempt - Win.Trojan.Systema";
flow:to_server,established; urilen:20; content:"/aviatic/systema.exe";
fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/583b585078f37f5d399a228f1b8021ca
0a9e904a55792281048bae9cfe0e95c1/analysis/;
reference:url,www.virustotal.com/en/file/e8bd297b1f59b7ea11db7d90e8100246
9a8f054f79638a57332ac448d819fb5d/analysis/; classtype:trojan-activity;
sid:30552; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 10991 (msg:"MALWARE-CNC
Linux.Trojan.Elknot outbound connection"; flow:to_server,established;
dsize:401; content:"Linux|20|"; depth:6; offset:17; pcre:"/Linux\x20\d\.
[0-9]{1,2}\.[0-9]{1,2}/"; metadata:impact_flag red, policy security-ips
drop, ruleset community;
reference:url,www.virustotal.com/en/file/13f13f4e214c2755235ba36643e4ab08
d4ea679da008397b7a540e0d45e70ab2/analysis/; classtype:trojan-activity;
sid:30566; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER
Win.Trojan.Agent E-FAX phishing attempt"; flow:to_client,established;
flowbits:isset,file.zip; file_data; content:"pdf_efax_";
fast_pattern:only; content:"PK"; depth:2; content:".pif"; distance:0;
nocase; metadata:impact_flag red, policy balanced-ips drop, policy
security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/4e102fd6fce767fa6c0d0a9871bb71ec
5969ded694a9292c2c8a9749e5648ed4/analysis/; classtype:trojan-activity;
sid:30567; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER
Win.Trojan.Agent E-FAX phishing attempt"; flow:to_server,established;
content:"/cache/pdf_efax_"; fast_pattern:only; http_uri;
pcre:"/\/cache\/pdf\x5Fefax\x5F\d{8,15}\.zip$/Ui"; metadata:impact_flag
red, policy balanced-ips drop, policy security-ips drop, ruleset
community, service http;
reference:url,www.virustotal.com/en/file/4e102fd6fce767fa6c0d0a9871bb71ec
5969ded694a9292c2c8a9749e5648ed4/analysis/; classtype:trojan-activity;
sid:30568; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER
Win.Trojan.Agent Funeral ceremony phishing attempt";
flow:to_client,established; content:"filename=FuneralCeremony_";
fast_pattern:only; http_header; content:".zip"; nocase; http_header;
file_data; content:"FuneralCeremony_"; content:".exe"; distance:0;
nocase; metadata:policy balanced-ips drop, policy security-ips drop,
ruleset community, service http;
reference:url,www.virustotal.com/en/file/285ec7e2f8cbaed5d8cebde56bb6d44a
921eb4e8384981832822329d8ccfb125/analysis/1395241815/; classtype:trojan-activity; sid:30569; rev:1;)

# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established;
urilen:6; content:"/webhp HTTP/1.1|0D 0A|Accept: */*|0D 0A|Connection:
Close|0D 0A|User-Agent: Mozilla/4.0 ("; fast_pattern:only; content:"|3B|
MSIE "; http_header; content:"google."; http_header; content:!"Accept-";
http_header; content:"PREF="; depth:5; http_cookie; metadata:impact_flag
red, ruleset community, service http;
reference:url,www.virustotal.com/en/file/2f2e20d92f7551fccae73bba64d25dd1
f18a4018fffd30bdb1f9fb6280182bd0/analysis/1396537812/;
reference:url,www.virustotal.com/en/file/b268cba8515040055d866fb9e29d7fe2
bc087f205711cdbad3e4b1bde7be2d75/analysis/;
reference:url,www.virustotal.com/en/file/ef4e0ccc49decb41f213a20f61d92374
c3b97497105d7c20e7284f65055d2ccb/analysis/; classtype:trojan-activity;
sid:30570; rev:3;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain universal2010.no-ip.org - Win.Worm.Dunihi";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|universal2010|05|no-ip|03|org|00|"; fast_pattern:only; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
dns;
reference:url,www.virustotal.com/en/file/2dc9930a0d324838f847f940ea7fa1da
8808f910a39c2e701020820f7e33974a/analysis/; classtype:trojan-activity;
sid:30772; rev:1;)
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET
any (msg:"SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible
ssl heartbleed attempt"; flow:to_client,established; content:"|16 03
00|"; byte_jump:2,0,relative; content:"|18 03 00|"; within:3;
fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips
drop, policy security-ips drop, ruleset community, service ssl;
reference:cve,2014-0160; classtype:attempted-recon; sid:30777; rev:3;)
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET
any (msg:"SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible
ssl heartbleed attempt"; flow:to_client,established; content:"|17 03
00|"; byte_jump:2,0,relative; content:"|18 03 00|"; within:3;
fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips
drop, policy security-ips drop, ruleset community, service ssl;
reference:cve,2014-0160; classtype:attempted-recon; sid:30778; rev:3;)
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET
any (msg:"SERVER-OTHER OpenSSL TLSv1 large heartbeat response - possible
ssl heartbleed attempt"; flow:to_client,established; content:"|16 03
01|"; byte_jump:2,0,relative; content:"|18 03 01|"; within:3;
fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips
drop, policy security-ips drop, ruleset community, service ssl;
reference:cve,2014-0160; classtype:attempted-recon; sid:30779; rev:3;)
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET
any (msg:"SERVER-OTHER OpenSSL TLSv1 large heartbeat response - possible
ssl heartbleed attempt"; flow:to_client,established; content:"|17 03
01|"; byte_jump:2,0,relative; content:"|18 03 01|"; within:3;
fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips
drop, policy security-ips drop, ruleset community, service ssl;
reference:cve,2014-0160; classtype:attempted-recon; sid:30780; rev:3;)
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET
any (msg:"SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|
16 03 02|"; byte_jump:2,0,relative; content:"|18 03 02|"; within:3;
fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips
drop, policy security-ips drop, ruleset community, service ssl;
reference:cve,2014-0160; classtype:attempted-recon; sid:30781; rev:3;)
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET
any (msg:"SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|
17 03 02|"; byte_jump:2,0,relative; content:"|18 03 02|"; within:3;
fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips
drop, policy security-ips drop, ruleset community, service ssl;
reference:cve,2014-0160; classtype:attempted-recon; sid:30782; rev:3;)
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET
any (msg:"SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|
16 03 03|"; byte_jump:2,0,relative; content:"|18 03 03|"; within:3;
fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips
drop, policy security-ips drop, ruleset community, service ssl;
reference:cve,2014-0160; classtype:attempted-recon; sid:30783; rev:3;)
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET
any (msg:"SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|
17 03 03|"; byte_jump:2,0,relative; content:"|18 03 03|"; within:3;
fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips
drop, policy security-ips drop, ruleset community, service ssl;
reference:cve,2014-0160; classtype:attempted-recon; sid:30784; rev:3;)
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET
any (msg:"SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible
ssl heartbleed attempt"; flow:to_client,established; content:"|18 03
00|"; byte_jump:2,0,relative; content:"|18 03 00|"; within:3;
byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy
security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30785; rev:3;)
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET
any (msg:"SERVER-OTHER OpenSSL TLSv1 large heartbeat response - possible
ssl heartbleed attempt"; flow:to_client,established; content:"|18 03
01|"; byte_jump:2,0,relative; content:"|18 03 01|"; within:3;
byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy
security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30786; rev:3;)
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET
any (msg:"SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|
18 03 02|"; byte_jump:2,0,relative; content:"|18 03 02|"; within:3;
byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy
security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30787; rev:3;)
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET
any (msg:"SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|
18 03 03|"; byte_jump:2,0,relative; content:"|18 03 03|"; within:3;
byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy
security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30788; rev:3;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Mudrop variant outbound connection";
flow:to_server,established; content:"/gdp?alpha="; fast_pattern:only;
http_uri; content:"|0D 0A|Cache-Control: no-store,no-cache|0D 0A|Pragma:
no-cache|0D 0A|"; content:!"Accept"; http_header; content:!"User-Agent:";
http_header; metadata:impact_flag red, policy balanced-ips drop, policy
security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/43c6fb02baf800b3ab3d8f35167c37dc
ed8ef3244691e70499a7a9243068c016/analysis/1395425759/; classtype:trojan-activity; sid:30795; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Mudrop variant outbound connection";
flow:to_server,established; urilen:3; content:"/rs"; fast_pattern:only;
http_uri; content:"Expect: 100-continue|0D 0A|"; http_header;
content:"alpha="; http_client_body; content:!"Accept"; http_header;
content:!"User-Agent:"; http_header; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http;
reference:url,www.virustotal.com/en/file/43c6fb02baf800b3ab3d8f35167c37dc
ed8ef3244691e70499a7a9243068c016/analysis/1395425759/; classtype:trojan-activity; sid:30796; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.SpySmall variant outbound connection";
flow:to_server,established; content:"User-Agent: Mozilla/4.0 (compatible|
3B| MSIE 10.0|3B| Windows NT 6.2|3B| Trident/4.0|0D 0A|";
fast_pattern:only; http_header; content:!"Accept"; metadata:impact_flag
red, policy balanced-ips drop, policy security-ips drop, ruleset
community, service http;
reference:url,www.virustotal.com/en/file/df51eccf430ac391d09817d003977b4e
a6af36117ce3aaee2fa0ebf04505c0d2/analysis/; classtype:trojan-activity;
sid:30914; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.SpySmall variant outbound connection";
flow:to_server,established; content:"|3E 00|e|00|c|00|h|00|o|00 20 00|c|
00|m|00|d|00 5F 00|b|00|e|00|g|00|i|00|n|00|"; fast_pattern:only;
http_client_body; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/df51eccf430ac391d09817d003977b4e
a6af36117ce3aaee2fa0ebf04505c0d2/analysis/; classtype:trojan-activity;
sid:30915; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST
User-Agent known malicious user agent - User-Agent User-Agent Mozilla";
flow:to_server,established; content:"User-Agent: User-Agent: Mozilla/";
fast_pattern:only; http_header; content:!"Accept"; metadata:impact_flag
red, policy balanced-ips drop, policy security-ips drop, ruleset
community, service http;
reference:url,www.virustotal.com/file/D67B6706559C5F7AB97CC788E668E27A29B
7D2D39C9ACA93AF73778E53993339/analysis/; classtype:trojan-activity;
sid:30918; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Bancos variant outbound connection";
flow:to_server,established; content:"POST"; http_method;
content:"/js/prototype/order.php"; fast_pattern:only; http_uri; content:"
HTTP/1.1|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|
User-Agent: Mozilla/"; content:"|3B 20|MSIE|20|"; distance:0;
http_header; content:"|29 0D 0A|Host:"; distance:0; http_header;
content:!"Accept"; http_header; content:!"|0D 0A|Referer:"; http_header;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5
c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity;
sid:30919; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT
Multiple exploit kit redirection gate"; flow:to_server,established;
urilen:72; content:"POST"; http_method; content:".php?q=";
fast_pattern:only; http_uri; pcre:"/^\/[a-f0-9]{32}\.php\?q=[a-f0-9]
{32}$/U"; metadata:policy balanced-ips drop, policy security-ips drop,
ruleset community, service http; classtype:trojan-activity; sid:30920;
rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR
Win.Backdoor.Hikit outbound banner response"; flow:to_client,established;
content:"|5D 00 20 00|h|00|i|00|k|00|i|00|t|00|>|00|"; fast_pattern:only;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http, service ssl;
reference:url,www.virustotal.com/en/file/aa4b2b448a5e246888304be51ef9a65a
11a53bab7899bc1b56e4fc20e1b1fd9f/analysis/; classtype:trojan-activity;
sid:30948; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain github.ignorelist.com - Win.Trojan.Barys"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|06|github|0A|ignorelist|03|com|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/9d2b34289df06f44dc02fc0689b28ea4
f9c11f7496a0e4c20f9d04152295d832/analysis/; classtype:trojan-activity;
sid:30949; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .doc.exe within .zip file";
flow:to_client,established; flowbits:isset,file.zip; file_data;
content:".doc.exe"; fast_pattern:only; content:"Content-Length:";
http_header; metadata:policy security-ips drop, ruleset community,
service http; classtype:trojan-activity; sid:30997; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .gif.exe within .zip file";
flow:to_client,established; flowbits:isset,file.zip; file_data;
content:".gif.exe"; fast_pattern:only; content:"Content-Length:";
http_header; metadata:policy security-ips drop, ruleset community,
service http; classtype:trojan-activity; sid:30998; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .jpeg.exe within .zip file";
flow:to_client,established; flowbits:isset,file.zip; file_data;
content:".jpeg.exe"; fast_pattern:only; content:"Content-Length:";
http_header; metadata:policy security-ips drop, ruleset community,
service http; classtype:trojan-activity; sid:30999; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .jpg.exe within .zip file";
flow:to_client,established; flowbits:isset,file.zip; file_data;
content:".jpg.exe"; fast_pattern:only; content:"Content-Length:";
http_header; metadata:policy security-ips drop, ruleset community,
service http; classtype:trojan-activity; sid:31000; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .pdf.exe within .zip file";
flow:to_client,established; flowbits:isset,file.zip; file_data;
content:".pdf.exe"; fast_pattern:only; content:"Content-Length:";
http_header; metadata:policy security-ips drop, ruleset community,
service http; classtype:trojan-activity; sid:31001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Bancos variant outbound connection";
flow:to_server,established; content:"POST"; http_method;
content:"/hunter/123/order.php"; fast_pattern:only; http_uri;
content:!"Accept"; http_header; content:!"|0D 0A|Referer:"; http_header;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5
c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity;
sid:31020; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain www.casting.diamondhostess.hu - Win.Trojan.SpyBanker";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|07|casting|0E|
diamondhostess|02|hu|00|"; fast_pattern:only; metadata:impact_flag red,
policy balanced-ips drop, policy security-ips drop, ruleset community,
service dns;
reference:url,www.virustotal.com/en/file/af56f8f97c8872d043a4002daa6331f3
b3be296427b0e5d0560fd174e9f59e78/analysis/; classtype:trojan-activity;
sid:31034; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain www.uslugi-ryazan.ru - Win.Trojan.SpyBanker";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|0D|uslugi-ryazan|
02|ru|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/af56f8f97c8872d043a4002daa6331f3
b3be296427b0e5d0560fd174e9f59e78/analysis/; classtype:trojan-activity;
sid:31035; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.SpyBanker variant outbound connection";
flow:to_server,established; content:"POST"; http_method; content:".php
HTTP/1.0|0D 0A|Connection: keep-alive|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|Content-Length: 0|0D 0A|Host: "; content:"|0D
0A|Accept: text/html,application/xhtml+xml,application/xml|3B|q=0.9,*/*|
3B|q=0.8|0D 0A|Accept-Encoding: identity|0D 0A|User-Agent: Mozilla/3.0
(compatible|3B| Indy Library)|0D 0A 0D 0A|"; distance:0;
metadata:impact_flag red, policy security-ips drop, ruleset community,
service http;
reference:url,www.virustotal.com/en/file/726644e5f666b133159e6c2591cdd3bc
628bcd335b381b74fcfd2e4db73689af/analysis/;
reference:url,www.virustotal.com/en/file/af56f8f97c8872d043a4002daa6331f3
b3be296427b0e5d0560fd174e9f59e78/analysis/; classtype:trojan-activity;
sid:31036; rev:1;)
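# sid:31053 - MadnessPro check-in: a "/?" query string carrying uid, mk, os, rs, c and rq parameters.
# None of the http_uri contents use distance/within, so the parameters may appear in any order.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MadnessPro outbound connection"; flow:to_server,established; content:"/?"; http_uri; content:"uid="; http_uri; content:"&mk="; fast_pattern; http_uri; content:"&os="; http_uri; content:"&rs="; http_uri; content:"&c="; http_uri; content:"&rq="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.cylance.com/a-study-in-bots-madness-pro; classtype:trojan-activity; sid:31053; rev:2;)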
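# sid:31070 - Necurs POST of an octet-stream body to a 15-byte URI "/docs/index.php" that carries no
# User-Agent, Accept or Referer header (negated http_header contents).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Rootkit.Necurs outbound connection"; flow:to_server,established; content:"POST"; http_method; urilen:15; content:"/docs/index.php"; fast_pattern:only; http_uri; content:"Content-Type|3A 20|application/octet-stream"; http_header; content:!"User-Agent|3A 20|"; http_header; content:!"Accept|3A 20|"; http_header; content:!"Referer|3A 20|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b47a1bdf5e53f4a754413d2461f7db9a4c7d1e0845c1f676b5399061e3dc1a4b/analysis/; classtype:trojan-activity; sid:31070; rev:2;)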
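# sid:31084 - Zbot variant: POST to the exact 11-byte URI "/srt/ge.php".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zbot variant outbound connection"; flow:to_server,established; content:"POST"; http_method; urilen:11; content:"/srt/ge.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/750d533898f19c606ee9e96ff72c1aa3d830c469f2f564890ebbc38b169eb41b/analysis/1400275398/; classtype:trojan-activity; sid:31084; rev:2;)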
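# sid:31090 - literal User-Agent "hello crazyk" in the normalized header buffer.
# NOTE(review): the VirusTotal hash in the reference is 54 hex chars in this copy (SHA-256 is 64); the link may not resolve.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user agent - User-Agent hello crazyk"; flow:to_server,established; content:"User-Agent: hello crazyk|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/e61acf1cf61938eaa9cfa40e9dcd357f271c17c20218ba895c1f4a/analysis/; classtype:trojan-activity; sid:31090; rev:1;)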
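# sid:31112 - Bancos credential exfiltration: form body with rotina=plogin&login=, &senha= and &casa=.
# Alerts on this rule capture a victim's banking login/password in the packet payload - treat the
# captured data as sensitive when storing or sharing alerts.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos password stealing attempt"; flow:to_server,established; content:"rotina=plogin&login="; fast_pattern:only; http_client_body; content:"&senha="; http_client_body; content:"&casa="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/61cbe9b94bca25503c884bb0c9363b95fac6203534e5b23c5887dde91fbd4951/analysis/1384873658; classtype:trojan-activity; sid:31112; rev:1;)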
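# sid:31113 - Bancos host-profile POST: body starts with "pc=" (depth:3) followed in order by &av=, &wd= and
# a ")&dt=" field; all matches are in the client body buffer.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:")&dt="; fast_pattern:only; http_client_body; content:"pc="; depth:3; http_client_body; content:"&av="; distance:0; http_client_body; content:"&wd="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/61cbe9b94bca25503c884bb0c9363b95fac6203534e5b23c5887dde91fbd4951/analysis/1384873658; classtype:trojan-activity; sid:31113; rev:2;)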
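# sid:31136 - ZeroAccess P2P: inbound 16-byte UDP datagram on one of the listed ports with the 4-byte magic
# 28 94 8D AB at offset 4. Direction is external -> home, so the infected host is acting as the "server".
alert udp $EXTERNAL_NET any -> $HOME_NET [16464,16465,16470,16471] (msg:"MALWARE-CNC Win.Trojan.ZeroAccess inbound communication"; flow:to_server; dsize:16; content:"|28 94 8D AB|"; depth:4; offset:4; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/file/50cdd9f6c5629630c8d8a3a4fe7d929d3c6463b2f9407d9a90703047e7db7ff9/analysis/; classtype:trojan-activity; sid:31136; rev:1;)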
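# sid:31221 - Banker POST to /notify.php over HTTP/1.0 with an empty body (Content-Length: 0) and the
# Indy Library User-Agent. The header name must be "User-Agent" for the http_header match to ever fire.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/notify.php HTTP/1.0|0D 0A|"; fast_pattern:only; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A|"; http_header; content:"Content-Length: 0|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/bf40d710dda1a3ada127d68b34b837eca03a28699cd858cda7d4a3e36690628a/analysis/; classtype:trojan-activity; sid:31221; rev:1;)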
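# sid:31222 - Banker download of the 17-byte URI "/second/game1.inf" from an MSIE-style client that omits
# Accept-Language and Referer (which a real browser would normally send).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker variant outbound connection"; flow:to_server,established; urilen:17; content:"/second/game1.inf"; fast_pattern:only; http_uri; content:"|3B 20|MSIE|20|"; http_header; content:!"Accept-Language:"; http_header; content:!"Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/bf40d710dda1a3ada127d68b34b837eca03a28699cd858cda7d4a3e36690628a/analysis/; classtype:trojan-activity; sid:31222; rev:1;)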
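# sid:31243 (disabled by default) - Necurs octet-stream upload to the 15-byte URI /news/index.php with no
# User-Agent, Referer or Accept* header. Not in the drop policies (metadata has no "policy ... drop").
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Necurs variant outbound connection"; flow:to_server,established; urilen:15; content:"/news/index.php HTTP/1.1|0D 0A|Content-Type: application/octet-stream|0D 0A|Host: "; fast_pattern:only; content:!"User-Agent:"; http_header; content:!"Referer:"; http_header; content:!"Accept"; http_header; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/565496cb40fc868d233dabfb1e178e8b9042d964cb1e4f5f3386a6db4f1cf30e/analysis/1400509611/; classtype:trojan-activity; sid:31243; rev:1;)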
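# sid:31244 (disabled by default) - Kuluoz: POST to a 43-byte URI that is "/" followed by exactly 42
# upper-case hex digits (the pcre anchors this at the start of the request), from a Firefox UA with
# no Accept-* headers. Port 443 is in the header, but the raw content matches only if the request is
# not TLS-encrypted.
# alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,443] (msg:"MALWARE-CNC Win.Trojan.Kuluoz outbound connection"; flow:to_server,established; urilen:43; content:"POST /"; depth:6; content:" HTTP/1.1"; within:9; distance:42; content:"Firefox/"; distance:0; content:!"|0D 0A|Accept-"; pcre:"/^POST\x20\x2f[A-F\d]{42}\x20HTTP/"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/93a40a83977ca24df6e12d7d6f19a9b9d92cb3ea3174ea9d4398ad2048205c42/analysis/; classtype:trojan-activity; sid:31244; rev:4;)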
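# sid:31260 - Andromeda: a server-delivered proxy auto-config (PAC) body that starts with
# "function FindProxyForURL(url, host)" and contains the yx0..yx9 obfuscation variables. Matched in
# file_data, i.e. the decoded response body.
# NOTE(review): the exposedbotnets reference slug may have lost a hyphen ("httpbotnet") in this copy.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Andromeda HTTP proxy response attempt"; flow:to_client,established; file_data; content:"function FindProxyForURL(url, host)"; depth:35; content:"yx0=0|3B|yx1=1|3B|yx2=2|3B|yx3=3|3B|yx4=4|3B|yx5=5|3B|yx6=6|3B|yx7=7|3B|yx8=8|3B|yx9=9|3B|lit=|22 22|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.exposedbotnets.com/2013/06/localmworg-andromeda-httpbotnet-hosted.html; classtype:trojan-activity; sid:31260; rev:1;)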


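# sid:31261 (disabled by default) - Symmi .inf download whose Host header is a literal dotted IP
# (pcre [\d\x2e]{7,15}) and whose request ends with "Connection: Keep-Alive". The pcre has no /H
# modifier, so it runs against the raw request, not the normalized header buffer.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Symmi outbound connection"; flow:to_server,established; content:".inf HTTP/1.1|0D 0A|Accept: */*|0D 0A|Accept-Encoding: gzip, deflate|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|"; http_header; pcre:"/\)\r\nHost\x3a\x20[\d\x2e]{7,15}\r\nConnection\x3a\x20Keep\x2dAlive\r\n\r\n$/"; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/c77a679df3b74c622e39ab163fc876cc9d7719f2c2e8cf80beb36c813827d0c7/analysis/; classtype:trojan-activity; sid:31261; rev:2;)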
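# sid:31262 - VBNA check-in disguised as a histats.com tracking pixel: URI begins "/0.gif?" and the
# request carries only a Host header (the raw content requires CRLF CRLF right after the Host line).
# histats.com is a legitimate analytics host; the bare-request shape is what distinguishes the worm.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.VBNA variant check-in attempt"; flow:to_server,established; content:"/0.gif?"; depth:7; http_uri; content:" HTTP/1.1|0D 0A|Host: sstatic1.histats.com|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malwr.com/analysis/NWI5M2QwY2QxZWIwNDU4NDliYjU5NWJmMzc0MzQ2MDE/; reference:url,www.virustotal.com/en/file/0a777870b65d3dc80b56baf77f6d9e342d25a1c7d670077eca14a0f4309f9e26/analysis/; reference:url,www.virustotal.com/en/file/b5a01ce5e2b074f40d86ecca802658a5c998b5bf452f164b1a76f8fa27f53b15/analysis/; classtype:trojan-activity; sid:31262; rev:2;)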
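# sid:31293 (disabled by default) - Dyre fetching "/publickey/" with a "Wget/1.9" User-Agent. Raw
# content, so the header order (request line, User-Agent, Host) must match exactly.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dyre publickey outbound connection attempt"; flow:to_server,established; content:"/publickey/ HTTP/1.1|0D 0A|User-Agent: Wget/1.9|0D 0A|Host: "; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl; reference:url,www.virustotal.com/en/file/417c9cd7c8abbd7bbddfc313c9f153758fd11bda47f754b9c59bc308d808c486/analysis/; classtype:trojan-activity; sid:31293; rev:2;)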
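# sid:31294 - DNS query for www.give-us-btc.biz (Zusy). Standard-query check via byte_test on the DNS
# flags byte; "-> any 53" includes queries to internal resolvers.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain www.give-us-btc.biz - Win.Trojan.Zusy"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|0B|give-us-btc|03|biz|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/0f3243a4645ab4acb88e1e0ee4fa0cb254a88709ce00a193ad6e20faec3243dc/analysis/; classtype:trojan-activity; sid:31294; rev:1;)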
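# sid:31295 - Zusy miner-style check-in: "/workers.php?mac=" with a "&gpu=" parameter and no
# User-Agent or Accept* header.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zusy variant outbound connection"; flow:to_server,established; content:"/workers.php?mac="; fast_pattern:only; http_uri; content:"&gpu="; http_uri; content:!"|0D 0A|User-Agent:"; http_header; content:!"|0D 0A|Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0f3243a4645ab4acb88e1e0ee4fa0cb254a88709ce00a193ad6e20faec3243dc/analysis/; classtype:trojan-activity; sid:31295; rev:2;)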

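# sid:31315 - MSIL trojan: GET "/srv2.php?param=1" whose request ends with "Connection: Keep-Alive"
# and carries no User-Agent. The first two contents are raw; only the negated one uses http_header.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MSIL variant outbound connection"; flow:to_server,established; content:"/srv2.php?param=1 HTTP/1.1|0D 0A|Host: "; fast_pattern:only; content:"Connection: Keep-Alive|0D 0A 0D 0A|"; content:!"User-Agent:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malwr.com/analysis/ZDI5NTViMGI2MzZiNDU0MTlhMzNlZDhiZGUwNjFmOGY/; classtype:trojan-activity; sid:31315; rev:2;)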
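# sid:31405 (disabled by default) - Apache chunked-encoding overflow (CVE-2002-0392 and related). After
# "Transfer-Encoding: Chunked" and the next CRLF, byte_test parses up to 8 hex chars as the chunk size
# and fires when it exceeds 0x7FFFFFFF (2147483647), i.e. a negative signed 32-bit length, with the
# size terminated by a space within the next 9 bytes. Server-side rule: direction is external -> $HTTP_SERVERS.
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache Chunked-Encoding worm attempt"; flow:to_server,established; content:"Transfer-Encoding: Chunked"; fast_pattern; nocase; content:"|0D 0A|"; distance:0 ; byte_test:8,>,2147483647,0,string,hex,relative; content:"|20|"; within:9; metadata:ruleset community, service http; reference:bugtraq,4474; reference:bugtraq,4485; reference:bugtraq,5033; reference:cve,2002-0071; reference:cve,2002-0079; reference:cve,2002-0392; reference:nessus,10932; classtype:web-application-attack; sid:31405; rev:1;)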
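# sid:31423 - DNS query for indo.msname.org. Unlike the neighbouring DNS blacklist rules this one is
# scoped to "-> $EXTERNAL_NET 53", so queries that go through an internal resolver are not seen by it;
# deploy where direct-to-internet DNS is visible, or expect the internal-resolver path to be missed.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request for known malware domain indo.msname.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|indo|06|msname|03|org|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/2f6f2b5b356db1620fecdbf92fbaf7abffec0d8d79893c809bdd31a0169ecbc8/analysis/; classtype:trojan-activity; sid:31423; rev:1;)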
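# sid:31442 - Injector: 4-byte URI "/re/" with a fixed MSIE 9.0/Trident UA, form-urlencoded content type
# and "Connection: Close / Cache-Control: no-cache" trailer. The two header contents are raw and ordered.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound connection"; flow:to_server,established; urilen:4; content:"/re/"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/5.0 (compatible|3B| MSIE 9.0|3B| Windows NT 6.1|3B| Trident/5.0)|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|Host: "; content:"|0D 0A|Connection: Close|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/56939273f68158dacc58d4e8d5bb5b0c4c04be89e279651c8f19fa6392f3d837/analysis/; reference:url,www.virustotal.com/en/file/ad40cabf66001087c2e9f548811b17341f63f19f528a3c04a1c9ab9f10b5eff9/analysis/; classtype:trojan-activity; sid:31442; rev:1;)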
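# sid:31449 - CryptoWall downloader: User-Agent "macrotest" and a short URI of the form
# /css/xx123.ccs or /upload/xx123.ccs (two letters, three digits; pcre /U = normalized URI).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CryptoWall downloader attempt"; flow:to_server,established; urilen:<20; content:"User-Agent|3A 20|macrotest|0D 0A|"; fast_pattern:only; http_header; pcre:"/\x2f(css|upload)\x2f[a-z]{2}[0-9]{3}\x2eccs/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e370c1fc6e7e289523fdf2f090edb7885f8d0de1b99be0164dafffeca9914b10/analysis/; classtype:trojan-activity; sid:31449; rev:1;)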
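# sid:31450 - CryptoWall beacon: POST with Content-Length: 100 whose body is one lowercase letter, "=",
# then 98 hex chars (1 + 1 + 98 = 100, consistent with the header). The "=" is pinned at body offset 1.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CryptoWall outbound connection"; flow:to_server,established; content:"POST"; http_method; urilen:<17; content:"HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|Connection: Close|0D 0A|Content-Length: 100|0D 0A|User-Agent: "; fast_pattern:only; content:"="; depth:1; offset:1; http_client_body; pcre:"/[a-z]=[a-f0-9]{98}/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a92ae8e80b0b70288a32c0455856453c5980021156132a540035e7ef5e0fa79e/analysis/; classtype:trojan-activity; sid:31450; rev:2;)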
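# sid:31452 - Symmi: URI query ".php?chave=xchave&url" followed by the bytes "= =|= " (3D 20 3D 7C 3D 20).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:".php?chave=xchave&url|3D 20 3D 7C 3D 20|"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/08e670fd1f7141f219f0bb7f48c179485146e439847a68cdf52b85328b66dd22/analysis/; classtype:trojan-activity; sid:31452; rev:2;)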
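# sid:31453 (disabled by default) - ChoHeap: the Windows "Service Pack " string appears inside the URI,
# the User-Agent is a bare "Mozilla/5.0" and the request ends with Cache-Control: no-cache.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ChoHeap variant outbound connection"; flow:to_server,established; content:" HTTP/1.1|0D 0A|User-Agent: Mozilla/5.0|0D 0A|"; content:"Service Pack "; fast_pattern:only; http_uri; content:"Cache-Control: no-cache|0D 0A 0D 0A|"; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0423e10a674fb7e96557eac50b51207709a248df6e06aeeba401ded6157c1298/analysis/; classtype:trojan-activity; sid:31453; rev:1;)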
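# sid:31454 (disabled by default) - ChoHeap .rar download with "Accept: text/*, application/*" and a
# bare "Mozilla/5.0" User-Agent. Not in any drop policy.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ChoHeap variant outbound connection"; flow:to_server,established; content:".rar HTTP/1.1|0D 0A|Accept: text/*, application/*|0D 0A|User-Agent: Mozilla/5.0|0D 0A|Host: "; fast_pattern:only; content:"|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; http_header; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/0423e10a674fb7e96557eac50b51207709a248df6e06aeeba401ded6157c1298/analysis/; classtype:trojan-activity; sid:31454; rev:1;)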
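# sid:31455 - Rig EK landing-page request: /<1-4 letters>.html?0.<15+ digits> at the end of a URI whose
# length is bounded by urilen:25<>32. No impact_flag in metadata, unlike the MALWARE-CNC rules around it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rig Exploit Kit Outbound DGA Request"; flow:established,to_server; urilen:25<>32; content:".html?0."; depth:11; offset:2; http_uri; pcre:"/\/[a-z]{1,4}\x2ehtml\x3f0\x2e[0-9]{15,}$/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.symantec.com/connect/blogs/rig-exploit-kit-used-recent-website-compromise; classtype:trojan-activity; sid:31455; rev:2;)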
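# sid:31456 - DNS query for infolooks.org (SDBot). Standard-query check via the DNS flags byte.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain infolooks.org - Win.Trojan.SDBot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|infolooks|03|org|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/5682e096bad2d2e75fb09122af272572b23ca5defb70325ab7cdc4c534a68e7d/analysis; classtype:trojan-activity; sid:31456; rev:1;)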
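# sid:31457 - DNS query for joydagaspy.biz (SDBot, same sample as sid:31456/31458).
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain joydagaspy.biz - Win.Trojan.SDBot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|joydagaspy|03|biz|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/5682e096bad2d2e75fb09122af272572b23ca5defb70325ab7cdc4c534a68e7d/analysis; classtype:trojan-activity; sid:31457; rev:1;)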
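# sid:31458 - SDBot install report: 8-byte URI "/install" with a body that starts "argc=" and then
# carries &name= and &previous= (all in the client body buffer).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SDBot variant outbound connection"; flow:to_server,established; urilen:8; content:"/install"; http_uri; content:"argc="; depth:5; http_client_body; content:"&name="; distance:0; http_client_body; content:"&previous="; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/5682e096bad2d2e75fb09122af272572b23ca5defb70325ab7cdc4c534a68e7d/analysis; classtype:trojan-activity; sid:31458; rev:2;)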
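# sid:31463 - DNS query for cd5c5c.com (Androm). Standard-query check via the DNS flags byte.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain cd5c5c.com - Win.Trojan.Androm"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|cd5c5c|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,malwr.com/analysis/ZmE3ZWU2YTkyM2U0NGQ0MmI1NDcxMjUwZDE2NTM5MjQ/; classtype:trojan-activity; sid:31463; rev:1;)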
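# sid:31464 - DNS query for disk57.com (Androm, same malwr sample as sid:31463-31467).
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain disk57.com - Win.Trojan.Androm"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|disk57|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,malwr.com/analysis/ZmE3ZWU2YTkyM2U0NGQ0MmI1NDcxMjUwZDE2NTM5MjQ/; classtype:trojan-activity; sid:31464; rev:1;)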
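# sid:31465 - Androm click-fraud request: "/query?version=" followed in order by &sid=, &builddate=,
# &q= and &ref= in the URI.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Androm Click Fraud Request"; flow:to_server,established; content:"/query?version="; fast_pattern:only; http_uri; content:"&sid="; http_uri; content:"&builddate="; distance:0; http_uri; content:"&q="; distance:0; http_uri; content:"&ref="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malwr.com/analysis/ZmE3ZWU2YTkyM2U0NGQ0MmI1NDcxMjUwZDE2NTM5MjQ/; classtype:trojan-activity; sid:31465; rev:1;)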
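# sid:31466 - Androm click-fraud request keyed on non-standard request headers "builddate:", "aid: "
# and "redirect: http://" rather than the URI.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Androm Click Fraud Request"; flow:to_server,established; content:"|0D 0A|builddate:"; fast_pattern:only; http_header; content:"|0D 0A|aid: "; http_header; content:"|0D 0A|redirect: http://"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malwr.com/analysis/ZmE3ZWU2YTkyM2U0NGQ0MmI1NDcxMjUwZDE2NTM5MjQ/; classtype:trojan-activity; sid:31466; rev:1;)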
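# sid:31467 - Androm gate request: 9-byte URI "/gate.php" with the bare User-Agent "Mozilla/4.0".
# "/gate.php" is a common panel path across malware families; the UA is what narrows this to Androm.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Androm variant outbound connection"; flow:to_server,established; urilen:9; content:"/gate.php"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/4.0|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malwr.com/analysis/ZmE3ZWU2YTkyM2U0NGQ0MmI1NDcxMjUwZDE2NTM5MjQ/; classtype:trojan-activity; sid:31467; rev:1;)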
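# sid:31468 - Papras: POST to /viewforum.php?f=...&sid=<32 upper-case hex> without Referer or Cookie.
# The URI shape mimics phpBB; the missing Referer/Cookie headers are what separate it from real forum traffic.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Papras variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/viewforum.php?f="; fast_pattern:only; http_uri; content:"&sid="; http_uri; content:!"Referer:"; http_header; content:!"Cookie:"; http_header; pcre:"/sid=[0-9A-F]{32}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/9e548d9a37c46423680e324b31204197babc45ddc05835afa772fde8627e72b2/analysis/; classtype:trojan-activity; sid:31468; rev:1;)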
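# sid:31472 - DNS query for nanoseklo.net (HW32). Standard-query check via the DNS flags byte.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain nanoseklo.net - Win.Trojan.HW32"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|nanoseklo|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/e69b310dff09830641d4b9682375ce3df503674d23c429bd7847979ea9250b2b/analysis/; classtype:trojan-activity; sid:31472; rev:1;)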
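# sid:31507 - HW32 spam run: SMTP "MAIL FROM: <Reademal.com>" (a malformed, domain-only sender) from an
# internal host to an external port 25. Legitimate hosts normally relay through the mail server, so
# direct-to-internet SMTP from workstations is itself suspicious.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-CNC Win.Trojan.HW32 variant spam attempt"; flow:to_server, established; content:"MAIL FROM: <Reademal.com>|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,www.virustotal.com/en/file/e69b310dff09830641d4b9682375ce3df503674d23c429bd7847979ea9250b2b/analysis/; classtype:trojan-activity; sid:31507; rev:1;)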
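# sid:31530 - Symmi: URI "/index.php?email=libpurple_XMPP" with "&method=post", sent over HTTP/1.0 with
# "Connection: close". The third content is raw (request line through Host header).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:"/index.php?email=libpurple_XMPP"; fast_pattern:only; http_uri; content:"&method=post"; http_uri; content:" HTTP/1.0|0D 0A|Accept: */*|0D 0A|Connection: close|0D 0A|Host: "; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b2b7571ffc6ee27fc716f308d72a3268ffa5f32330ca6349aacc92e6cecb2582/analysis/1406043461/; classtype:trojan-activity; sid:31530; rev:1;)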
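# sid:31531 - MinerDeploy monitor beacon: GET "/monitor.php?" with myid=, &ip=, &cgminer= and
# &operatingsystem= in order, and no Content-Length/Content-Type (i.e. no body).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE MinerDeploy monitor request attempt"; flow:to_server,established; content:"/monitor.php?"; fast_pattern; http_uri; content:"myid="; distance:0; http_uri; content:"&ip="; distance:0; http_uri; content:"&cgminer="; distance:0; http_uri; content:"&operatingsystem="; distance:0; http_uri; content:!"Content-Length|3A 20|"; http_header; content:!"Content-Type|3A 20|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/06033b08afd30b413cce3b9a169cb8396fe34865f3bacd436c652dbb469ced62/analysis/; classtype:trojan-activity; sid:31531; rev:1;)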
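# sid:31593 - Android SMSSend: URI containing "sms" and ".ashx?t=" with no User-Agent, Accept or
# Content-Type header. Enabled in the connectivity policy as well as balanced/security.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.SMSSend outbound connection"; flow:to_server,established; content:"sms"; http_uri; content:".ashx?t="; fast_pattern:only; http_uri; content:!"User-Agent|3A 20|"; http_header; content:!"Accept|3A 20|"; http_header; content:!"Content-Type|3A 20|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a70a62ac920e83bab5e3e38ac8853ca3f45b6022f4d4ca47c9ae5cb9049700bb/analysis/1406724303/; classtype:trojan-activity; sid:31593; rev:2;)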


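# sid:31600 - Glupteba: the label-encoded name spheral.ru inside a DNS response from an external port 53.
# No offset is applied, so the match can land in any section of the response (the msg calls it a reverse
# lookup; the content itself is just the encoded name).
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"BLACKLIST DNS reverse lookup response for known malware domain spheral.ru - Win.Trojan.Glupteba"; flow:to_client; content:"|07|spheral|02|ru|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/0bcc2bf3cf06952e18c3e1d9860698dbb3ff1644a0389a9756c1b82b66fb2b83/analysis/; classtype:trojan-activity; sid:31600; rev:1;)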
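# sid:31603 - Glupteba C2 -> client: a 6-byte TCP payload that is exactly "HELLO\n". Any port, any
# external source; dsize:6 keeps this from matching larger messages that merely contain the string.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Glupteba C&C server HELLO request to client"; flow:to_client,established; dsize:6; content:"HELLO|0A|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/0bcc2bf3cf06952e18c3e1d9860698dbb3ff1644a0389a9756c1b82b66fb2b83/analysis/; classtype:trojan-activity; sid:31603; rev:2;)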
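# sid:31604 - Glupteba C2 -> client: 6-byte payload "READD\n" (companion of sid:31603/31605).
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Glupteba C&C server READD command to client"; flow:to_client,established; dsize:6; content:"READD|0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/0bcc2bf3cf06952e18c3e1d9860698dbb3ff1644a0389a9756c1b82b66fb2b83/analysis/; classtype:trojan-activity; sid:31604; rev:1;)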
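# sid:31605 - Glupteba C2 -> client: 6-byte payload "READY\n" (companion of sid:31603/31604).
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Glupteba C&C server READY command to client"; flow:to_client,established; dsize:6; content:"READY|0A|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/0bcc2bf3cf06952e18c3e1d9860698dbb3ff1644a0389a9756c1b82b66fb2b83/analysis/; classtype:trojan-activity; sid:31605; rev:2;)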
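# sid:31606 - Glupteba payload fetch: "/software.php?" followed by 15+ digits (pcre /Ui), from an
# MSIE 7.0 / Windows NT 6.1 User-Agent with "Accept: */*".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Glupteba payload download request"; flow:to_server,established; content:"/software.php?"; fast_pattern:only; http_uri; content:"Accept|3A| */*"; http_header; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 7.0|3B| Windows NT 6.1|3B|"; http_header; pcre:"/\/software\x2ephp\x3f[0-9]{15,}/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0bcc2bf3cf06952e18c3e1d9860698dbb3ff1644a0389a9756c1b82b66fb2b83/analysis/; classtype:trojan-activity; sid:31606; rev:1;)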
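# sid:31607 - Glupteba client -> C2 authentication: a 16- or 17-byte payload of the form
# "<8 chars 0-9A-Z>:bpass\n" to any external TCP port.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Glupteba client response/authenticate to C&C server"; flow:to_server,established; dsize:15<>18; content:"|3A|bpass|0A|"; fast_pattern:only; pcre:"/[0-9A-Z]{8}\x3abpass\x0a/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/0bcc2bf3cf06952e18c3e1d9860698dbb3ff1644a0389a9756c1b82b66fb2b83/analysis/; classtype:trojan-activity; sid:31607; rev:1;)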

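# sid:31639 - DNS query for hslh.sytes.net (Jenxcus). sytes.net is a dynamic-DNS provider; only this
# exact hostname is matched.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain hslh.sytes.net - Win.Worm.Jenxcus"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|hslh|05|sytes|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/5382192453e48d46e20096b14458b17368d401ccbf365020e6094cd5ed20ac51/analysis/; classtype:trojan-activity; sid:31639; rev:1;)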
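# sid:31640 - DNS query for prepara.biricell.com.br (SpyBanker). Standard-query check via the DNS flags byte.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain prepara.biricell.com.br - Win.Trojan.SpyBanker"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|prepara|08|biricell|03|com|02|br|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/a9c38b5b26532623d692ef0291ad412ce2c2fd8e46e4f6ed85d1e0d010617d0a/analysis/; classtype:trojan-activity; sid:31640; rev:1;)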
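# sid:31641 - Tinybanker (Tinba) beacon: fixed MSIE 9.0 UA + form-urlencoded POST with Content-Length: 13
# whose body contains at least 3 consecutive non-printable bytes (pcre /P). The first content is matched
# in the normalized header buffer, the second against the raw request.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Tinybanker variant outbound connection"; flow:to_server,established; content:"User-Agent: Mozilla/5.0 (compatible|3B| MSIE 9.0|3B| Windows NT 6.1|3B| Trident/5.0)|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|Host: "; fast_pattern:only; http_header; content:"|0D 0A|Content-Length: 13|0D 0A|Connection: Close|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; pcre:"/[^\x20-\x7e\r\n]{3}/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.avast.com/2014/07/17/tinybanker-trojan-targets-banking-customers/; reference:url,www.virustotal.com/en/file/b88b978d00b9b3a011263f398fa6a21098aba714db14f7e71062ea4a6b2e974e/analysis/; classtype:trojan-activity; sid:31641; rev:1;)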
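# sid:31642 - Tinybanker (Tinba) beacon to the 4-byte URI "/de/" with the same fixed header block as
# sid:31641 (MSIE 9.0 UA, Content-Length: 13, Connection: Close, Cache-Control: no-cache), raw and ordered.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Tinybanker variant outbound connection"; flow:to_server,established; urilen:4; content:"/de/"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/5.0 (compatible|3B| MSIE 9.0|3B| Windows NT 6.1|3B| Trident/5.0)|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|Host: "; content:"Content-Length: 13|0D 0A|Connection: Close|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.avast.com/2014/07/17/tinybanker-trojan-targets-banking-customers/; reference:url,www.virustotal.com/en/file/b88b978d00b9b3a011263f398fa6a21098aba714db14f7e71062ea4a6b2e974e/analysis/; classtype:trojan-activity; sid:31642; rev:1;)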
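# sid:31644 - Android Scarelocker: POST to /api.php with the Android default UA
# "Apache-HttpClient/UNAVAILABLE" and a body carrying method= and &app_key=. Enabled in the
# connectivity policy too.
# NOTE(review): the dontneedcoffee reference slug may have lost a hyphen ("scarepackageknstant") in this copy.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Scarelocker outbound connection"; flow:to_server,established; content:"/api.php"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|Apache-HttpClient|2F|UNAVAILABLE"; http_header; content:"method="; http_client_body; content:"&app_key="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/08/scarepackageknstant.html; reference:url,www.virustotal.com/en/file/ebed6a20738f68787e19eaafc725bc8c76fba6b104e468ddcfb05a4d88a11811/analysis/; classtype:trojan-activity; sid:31644; rev:2;)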
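# sid:31649 - Bancos: 16-byte URI "/boydn/boye.html" fetched with the Indy Library User-Agent.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; urilen:16; content:"/boydn/boye.html"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|Mozilla/3.0 (compatible|3B| Indy Library)"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/61cbe9b94bca25503c884bb0c9363b95fac6203534e5b23c5887dde91fbd4951/analysis/1384873658/; classtype:trojan-activity; sid:31649; rev:1;)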
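# sid:31680 - Tirabot: POST to a .php URI whose body starts "key=<value>&string=" and whose <value> is
# identical to the User-Agent string (pcre back-reference \1 across header and body, /ms on the raw
# request). The mixed-case "x-www-Form-urlencoded" content type is the sample's own quirk - keep it byte-exact.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Tirabot variant outbound connection"; flow:to_server,established; content:"&string="; fast_pattern:only; http_client_body; content:"key="; depth:4; http_client_body; content:"Content-Type: application/x-www-Form-urlencoded|0D 0A|"; http_header; content:".php"; http_uri; pcre:"/User\x2dAgent\x3a\x20([\x20-\x7e]{3,56})\r\n.*?\r\n\r\nkey\x3d\1\x26string\x3d/ms"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/7ea920d297e23cf58e9f00fa3d48e02994253cb4a673bdd6db9a02fa5ab9ffb8/analysis/1407432311/; classtype:trojan-activity; sid:31680; rev:1;)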
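# sid:31681 - Badur download of the 12-byte URI "/support.exe" from a Chrome-style UA that sends
# "Accept-Encoding: gzip,deflate,sdch" but no Accept-Language.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Badur download attempt"; flow:to_server,established; urilen:12; content:"/support.exe"; fast_pattern:only; http_uri; content:".exe HTTP/1.1|0D 0A|Accept: */*|0D 0A|Accept-Encoding: gzip,deflate,sdch|0D 0A|Host: "; content:") Chrome/"; distance:0; http_header; content:!"Accept-Language:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/adf5d662af390ad3a187a1991e0b463327fb8360fd55a27e6f9961c8a84a47c5/analysis/; classtype:trojan-activity; sid:31681; rev:1;)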
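# sid:31682 - Badur download of "/tmps.exe" with an empty "Proxy-Authorization: Basic " header, a cookie
# beginning "__cfduid=" and a Chrome-style UA with no Accept-* headers. The header name must be
# "Proxy-Authorization" for the http_header match to fire.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Badur download attempt"; flow:to_server,established; urilen:9; content:"/tmps.exe"; fast_pattern:only; http_uri; content:"Proxy-Authorization: Basic |0D 0A|"; http_header; content:"__cfduid="; depth:9; http_cookie; content:") Chrome/"; http_header; content:!"Accept-"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/840b3b76030696b1ce9eccd5ee6d55dd79c0120871094cb9266769c09f03029c/analysis/; classtype:trojan-activity; sid:31682; rev:1;)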
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Badur variant outbound connection";
flow:to_server,established; content:"/get/?data="; depth:11; http_uri;
content:"User-Agent: win32|0D 0A|"; fast_pattern:only; http_header;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/840b3b76030696b1ce9eccd5ee6d55dd

79c0120871094cb9266769c09f03029c/analysis/; classtype:trojan-activity;
sid:31683; rev:1;)
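# MS04-028 (CVE-2004-0200) GDI+ JPEG parser heap overflow, SMTP attachment variant.
# The pcre looks within the first 100 bytes of the JFIF header for an APP1/APP2/APP13/COM
# marker (FF E1/E2/ED/FE) followed by a 16-bit segment length of 0 or 1 - below the two
# bytes the length field itself occupies, which is the underflow the vulnerable parser hit.
# Disabled by default (leading #). It also depends on the file.jpeg flowbit being set by a
# file-type rule that is not in this section; enabling it alone does nothing.
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Multiple Products JPEG parser heap overflow attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|00 10|JFIF"; depth:6; offset:4; pcre:"/^.{0,100}\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/s"; metadata:ruleset community, service smtp; reference:bugtraq,11173; reference:cve,2004-0200; reference:url,www.microsoft.com/security/bulletins/200409_jpeg.mspx; classtype:attempted-user; sid:31719; rev:1;)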
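# Banker.Delf check-in: an HTTP/1.0 POST to /notify.php with Content-Length: 0 and a
# User-Agent of "Mozilla/4.0 (compatible; MyApp)". The fast pattern ends in |0D 0A 0D 0A|,
# so the User-Agent must be the LAST request header - a different header order from the
# same sample would not fire. " HTTP/1.0|0D 0A|" is matched in the raw stream, not a
# normalized buffer.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Banker.Delf variant outbound connection"; flow:to_server,established; urilen:11; content:"POST"; http_method; content:"/notify.php"; http_uri; content:"Content-Length: 0|0D 0A|"; http_header; content:" HTTP/1.0|0D 0A|"; content:"Content-Type: application/x-www-form-urlencoded|0D 0A|"; http_header; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| MyApp)|0D 0A 0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/dce2799df1da1ad992d37c78ea586dfd0cf673642ecc56ac464fe7a81a6994ca/analysis/; classtype:trojan-activity; sid:31820; rev:2;)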
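# Graftor exfil POST: body "dados=...&ct=NN/NN/201N=...&windows=...". The chained
# within/distance matches pin the ct= field to a dd/mm/201x date, so the literal "/201"
# means this rule stops matching for any year after 2019 - it is effectively expired unless
# the date check is widened (e.g. "/20" with within:3 distance:2 and the "=" moved by +2).
# Left byte-exact here; widen it deliberately if the family is still of interest.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Graftor variant outbound connection"; flow:to_server,established; content:"dados="; depth:6; http_client_body; content:"&ct="; distance:0; http_client_body; content:"/"; within:1; distance:2; http_client_body; content:"/201"; within:4; distance:2; http_client_body; content:"="; within:1; distance:1; http_client_body; content:"&windows="; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/53ac9c629cf0cc468cfaf77fe4b54f1da7576e0c0327650915b79f9340fa84ff/analysis/; classtype:trojan-activity; sid:31824; rev:2;)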
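# Win.Trojan.Delf (same VT sample for all three): DNS lookup of the C2 domain, the C2's
# HTML reply, and the client's request.
# 31825: byte_test on offset 2 (first DNS flags byte) with mask 0xF8 requires QR=0 and
#   opcode=0, i.e. a standard query, not a response. The label-encoded content matches the
#   domain and any subdomain of it; only UDP/53 is covered (no TCP fallback, DoT or DoH).
# 31826: the reply is exactly <meta name="token" content="\xa4 (29 bytes) + 168 hex digits
#   + \xa4"/> (4 bytes) = 201 bytes, which is why Content-Length: 201 is part of the match.
# 31827: the pcre is anchored with $ on "Cache-Control: no-cache\r\n\r\n", so it requires
#   that to be the final header; negated Accept/Referer checks keep browsers out.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain flordeliskm26.com.br - Win.Trojan.Delf"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|flordeliskm26|03|com|02|br|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/59e721000aa38a91ed42799e955f9337482c627e0675520aa54dcad068e6e004/analysis/1409846457/; classtype:trojan-activity; sid:31825; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Delf variant HTTP Response"; flow:to_client,established; content:"Content-Length: 201|0D 0A|"; file_data; content:"<meta name=|22|token|22| content=|22 A4|"; depth:29; content:"|A4 22|/>"; within:4; distance:168; pcre:"/^\x3cmeta\x20name\x3d\x22token\x22\x20content\x3d\x22\xa4[A-F\d]{168}\xa4\x22\x2f\x3e$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/59e721000aa38a91ed42799e955f9337482c627e0675520aa54dcad068e6e004/analysis/1409846457/; classtype:trojan-activity; sid:31826; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Delf variant outbound connection"; flow:to_server,established; content:"/token/token.html HTTP/1.1|0D 0A|User-Agent: "; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer:"; http_header; pcre:"/\)\r\nHost\x3a\x20[a-z\d\x2e\x2d]{6,32}\r\nCache\x2dControl\x3a\x20no\x2dcache\r\n\r\n$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/59e721000aa38a91ed42799e955f9337482c627e0675520aa54dcad068e6e004/analysis/1409846457/; classtype:trojan-activity; sid:31827; rev:2;)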
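# VBKrypt C2 on a dynamic-DNS host (mooo.com). The content matches the full label sequence,
# so only this host (and its subdomains) fires, not the shared mooo.com parent.
# byte_test offset 2 / mask 0xF8 restricts the match to standard queries (QR=0, opcode=0).
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain eduarditopallares.mooo.com - Win.Trojan.VBKrypt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|11|eduarditopallares|04|mooo|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/0a7e5ba1ba4c1ae22b7d6d30026ffb287911be4bdc8042363d29c93c3c71b3e7/analysis/; classtype:trojan-activity; sid:31829; rev:1;)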
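# QLogic SANbox 5600/5800 default FTP credentials (user "images", password "images", per the
# referenced guides). Two-stage flowbit: 31831 silently sets qlogic_default_ftp on "USER images",
# 31830 alerts (and drops in the IPS policies) on the matching "PASS images". This is an
# ATTEMPT detector - it does not check for the 230 login-OK reply, so correlate before treating
# it as a compromise. Both rules are $EXTERNAL_NET-sourced only; an insider or an already
# compromised $HOME_NET host trying the same default login is not covered.
alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORTS (msg:"POLICY-OTHER QLogic Switch 5600/5800 default ftp login attempt"; flow:to_server,established; content:"PASS|20|images|0D 0A|"; flowbits:isset,qlogic_default_ftp; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ftp; reference:url,filedownloads.qlogic.com/files/Manual/81355/UserGuide_5800V_Series_QuickTools_v80_59264-02B.pdf; reference:url,filedownloads.qlogic.com/files/manual/67941/QuickTools_Guide_Sb5600_Series_v74_59235-03_%5BA%5D.pdf; classtype:default-login-attempt; sid:31830; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORTS (msg:"POLICY-OTHER QLogic Switch 5600/5800 default ftp login attempt"; flow:to_server,established; content:"USER|20|images|0D 0A|"; flowbits:set,qlogic_default_ftp; flowbits:noalert; metadata:ruleset community, service ftp; reference:url,filedownloads.qlogic.com/files/Manual/81355/UserGuide_5800V_Series_QuickTools_v80_59264-02B.pdf; reference:url,filedownloads.qlogic.com/files/manual/67941/QuickTools_Guide_Sb5600_Series_v74_59235-03_%5BA%5D.pdf; classtype:default-login-attempt; sid:31831; rev:1;)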
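# Bancos: "/trdpr/trde.html" plus the Indy Library (Delphi) default User-Agent as the LAST
# header (the pattern ends in |0D 0A 0D 0A|). The Indy UA alone is common in legitimate
# Delphi software; the URI is the discriminator here. The header match is raw, not
# http_header.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"/trdpr/trde.html"; fast_pattern:only; http_uri; content:"Accept: text/html, */*|0D 0A|User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/61cbe9b94bca25503c884bb0c9363b95fac6203534e5b23c5887dde91fbd4951/analysis/1384873658/; classtype:trojan-activity; sid:31916; rev:1;)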
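# Disfa C2 on a no-ip dynamic-DNS host (zapto.org); the full label sequence is matched so the
# shared zapto.org parent is not blocked. Standard queries only (byte_test on flags byte).
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain vampire123.zapto.org - Win.Trojan.Disfa"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|vampire123|05|zapto|03|org|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/1f4b95d7fc20a66acc09f8246f5a936a8263b76aebf973efa45cfe255415d5d1/analysis/; classtype:trojan-activity; sid:31917; rev:1;)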
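# Win.Trojan.Symmi (one VT sample): five C2 domains, the C2's config reply, and the bot's
# request. The DNS rules match standard queries only (byte_test on the flags byte, mask 0xF8)
# and cover UDP/53 only. 31923 requires all five %placeholder% tokens in the response body;
# the fast pattern is the longest of them. 31924 is an HTTP/1.0 request with "&mode=sox&v="
# in the URI and NO User-Agent header (negated content) - that absence is what separates it
# from ordinary PHP traffic, so keep the negation if the rule is ever tuned.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain enemydont.net - Win.Trojan.Symmi"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|enemydont|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/4c0549384574ae91b68d58d92da3deacfcf714b27fb8d762ce9de8c58990ffb1/analysis/; classtype:trojan-activity; sid:31918; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain saltsecond.net - Win.Trojan.Symmi"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|saltsecond|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/4c0549384574ae91b68d58d92da3deacfcf714b27fb8d762ce9de8c58990ffb1/analysis/; classtype:trojan-activity; sid:31919; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain sellsmall.net - Win.Trojan.Symmi"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|sellsmall|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/4c0549384574ae91b68d58d92da3deacfcf714b27fb8d762ce9de8c58990ffb1/analysis/; classtype:trojan-activity; sid:31920; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain southblood.net - Win.Trojan.Symmi"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|southblood|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/4c0549384574ae91b68d58d92da3deacfcf714b27fb8d762ce9de8c58990ffb1/analysis/; classtype:trojan-activity; sid:31921; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain wheelreply.net - Win.Trojan.Symmi"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|wheelreply|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/4c0549384574ae91b68d58d92da3deacfcf714b27fb8d762ce9de8c58990ffb1/analysis/; classtype:trojan-activity; sid:31922; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Symmi variant HTTP response attempt"; flow:to_client,established; file_data; content:"%set_intercepts%"; fast_pattern:only; content:"%ban_contact%"; content:"%ebaylive%"; content:"%dep_host%"; content:"%relay_soxid%"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/4c0549384574ae91b68d58d92da3deacfcf714b27fb8d762ce9de8c58990ffb1/analysis/; classtype:trojan-activity; sid:31923; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:".php?method="; http_uri; content:"&mode=sox&v="; fast_pattern:only; http_uri; content:" HTTP/1.0|0D 0A|Accept: */*|0D 0A|Connection: close|0D 0A|Host: "; content:!"User-Agent:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/4c0549384574ae91b68d58d92da3deacfcf714b27fb8d762ce9de8c58990ffb1/analysis/; classtype:trojan-activity; sid:31924; rev:2;)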
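# Banker check-in to /notify.php. "/notify.php" is a generic name (sid 31820 above keys on
# the same path for a different family); the discriminator is the exact header run
# "Accept: text/html, */*" + "Accept-Encoding: identity" immediately before User-Agent.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker variant outbound connection"; flow:to_server,established; content:"/notify.php"; fast_pattern:only; http_uri; content:"Accept: text/html, */*|0D 0A|Accept-Encoding: identity|0D 0A|User-Agent: "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/bf40d710dda1a3ada127d68b34b837eca03a28699cd858cda7d4a3e36690628a/analysis/; classtype:trojan-activity; sid:31964; rev:1;)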
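# Astrum exploit kit chain (Sep 2014 write-up). Landing page (31965): the URL-encoded
# fast pattern %72%6f%72%72%65%6e%6f decodes to "rorreno" - "onerror" reversed, an
# obfuscation tell in the kit's JavaScript. Landing-page and gate hits arm the
# file.exploit_kit.{jar,pdf,flash,silverlight} flowbits so the file-type rules elsewhere in
# the set escalate; 31971 is flowbits:noalert, so it never alerts on its own - it only arms.
# The three "payload delivery" rules (31966/31967/31972) each match 8 opaque bytes in the
# file body once file.exploit_kit.pe is set; they are sample-specific and will go stale as
# the kit re-encodes payloads - treat them as confirmation, not primary coverage.
# 31970/31971 share the pcre /\x2f[\w\x2d]*\x2e+$/U: a URI path segment ending in one or
# more dots. In 31971 "GET" has no http_method modifier and is matched in the raw stream.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Astrum exploit kit landing page"; flow:to_client,established; file_data; content:"{(new Image).src=|22|/"; content:"%72%6f%72%72%65%6e%6f"; distance:0; fast_pattern; flowbits:set,file.exploit_kit.jar&file.exploit_kit.pdf&file.exploit_kit.flash&file.exploit_kit.silverlight; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31965; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Astrum exploit kit payload delivery"; flow:to_client,established; flowbits:isset,file.exploit_kit.pe; file_data; content:"|D5 B1 F8 24 89 28 15 47|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31966; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Astrum exploit kit payload delivery"; flow:to_client,established; flowbits:isset,file.exploit_kit.pe; file_data; content:"|F2 F7 94 75 16 7E 8E 15|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31967; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Astrum exploit kit redirection attempt"; flow:to_server,established; urilen:>60,norm; content:"POST"; http_method; pcre:"/\x2f[\w\x2d]*\x2e+$/mU"; content:"Referer|3A 20|"; http_header; content:"x-req|3A 20|"; fast_pattern; http_header; content:"Connection|3A 20|Keep-Alive|0D 0A|"; http_header; content:"Pragma|3A 20|no-cache|0D 0A|"; http_header; flowbits:set,file.exploit_kit.jar&file.exploit_kit.pdf&file.exploit_kit.flash&file.exploit_kit.silverlight; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31970; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Astrum exploit kit multiple exploit download request"; flow:to_server,established; urilen:>60,norm; content:"GET"; content:". HTTP/1."; fast_pattern:only; pcre:"/\x2f[\w\x2d]*\x2e+$/mU"; content:"Connection|3A 20|Keep-Alive|0D 0A|"; http_header; flowbits:set,file.exploit_kit.jar&file.exploit_kit.pdf&file.exploit_kit.flash&file.exploit_kit.silverlight; flowbits:noalert; metadata:ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31971; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Astrum exploit kit payload delivery"; flow:to_client,established; flowbits:isset,file.exploit_kit.pe; file_data; content:"|DC C7 5E 47 A0 DB D2 51|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31972; rev:1;)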
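# Chebri beacon: HTTP/1.0 POST to /index.php carrying a forged "Host: google.com" header
# (the destination is the C2, not Google - a hunt query on Host != resolved name would also
# surface this), a 32-uppercase-hex User-Agent (looks like an MD5 bot id; unconfirmed), body
# starting "0=", and "Accept-Encoding: none" as the final header. The first content is a raw
# match spanning request line and headers, so it depends on this exact header order.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Chebri variant outbound connection"; flow:to_server,established; urilen:10; content:"/index.php HTTP/1.0|0D 0A|Host: google.com|0D 0A|User-Agent: "; fast_pattern:only; content:"0="; depth:2; http_client_body; content:"Accept-Encoding: none|0D 0A 0D 0A|"; http_header; pcre:"/User\x2dAgent\x3a\x20[A-F\d]{32}\r\n/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/db94644fc351fb4a9117b68ab625494daa2ebe36117a8333577d857a7c2d1ec6/analysis/1409853252/; classtype:trojan-activity; sid:31973; rev:2;)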
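# Shellshock (CVE-2014-6271/6277/6278/7169) via HTTP CGI and via DHCP.
# 31975 catches the URL-encoded form: %3D%28%29+%7B is "=() {" with "+" as the form-encoded
#   space; it has no http_* modifier, so it matches anywhere in the raw request.
# 31976/31977/31978 look for the literal "() {" prefix in the body, normalized URI and
#   header buffers respectively. Bash's env-import check matched that exact "() {" prefix,
#   so variants with different spacing are not an evasion of the vulnerable path - but the
#   rules are deliberately broad and will fire on scanners and on benign text that happens
#   to contain "() {" (e.g. JavaScript in a POST body); tune by target host group if noisy.
# 31985: |02 01 06 00| at depth 4 is the BOOTP header op=BOOTREPLY, htype=Ethernet, hlen=6,
#   hops=0, so only a rogue server on the client's own segment is covered; replayed offers
#   crossing a relay carry hops>0 (and travel 67->67) and would not match. flow:stateless is
#   required because DHCP is connectionless UDP.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:"%3D%28%29+%7B"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:31975; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:"() {"; fast_pattern:only; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:31976; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:"() {"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:31977; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:"() {"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:31978; rev:4;)
alert udp $HOME_NET 67 -> $HOME_NET 68 (msg:"OS-OTHER Malicious DHCP server bash environment variable injection attempt"; flow:stateless; content:"() {"; fast_pattern:only; content:"|02 01 06 00|"; depth:4; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service dhcp; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:31985; rev:4;)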
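# Upatre downloader: a request whose URI path ends "/0/" and whose User-Agent is exactly
# "Install" or "Treck". Destination port is "any" (with service http) because the samples
# used non-standard ports; both contents are raw-stream matches rather than http_* buffers.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLACKLIST User-Agent known malicious user-agent string - Install - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: Install|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/ae7f419e0093fd2d4892ea6920aaa2c12c95cede9c97cb0a1f096496d4ff93ea/analysis/; classtype:trojan-activity; sid:31990; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLACKLIST User-Agent known malicious user-agent string - Treck - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: Treck|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e295922322324e048657a5b4c0c4c9717a1a127e39ba45a03dc5d4d4bb2e523f/analysis/; classtype:trojan-activity; sid:31991; rev:2;)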
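# Delta-ticket phishing lure: a ZIP ("PK" at file_data offset 0) whose entry name starts
# "DeltaTicket_ET-RM-" and ends ".exe", served over HTTP. Only uncompressed entry names are
# visible, so a renamed or nested archive evades this; it is a campaign-specific indicator.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Fake Delta Ticket HTTP Response phishing attack"; flow:to_client,established; file_data; content:"PK"; depth:2; content:"DeltaTicket_ET-RM-"; distance:0; nocase; content:".exe"; distance:0; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.satinfo.es/blog/tag/deltaticket_et-rm-0hj423891156-exe; classtype:trojan-activity; sid:32008; rev:1;)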
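# Linux.Backdoor.Flooder (Gafgyt-style IoT bot, one VT sample).
# 32009: C2 -> bot command "!* SCANNER ON" (|21 2A 20|); dsize:<15 keeps it to the bare
#   command plus a line ending. Any TCP port - the C2 is not port-bound.
# 32010: the bot's telnet scanner verifies a victim shell with
#   /bin/busybox;echo -e '\147\141\171\146\147\164' - the octal escapes spell "gayfgt".
#   A $HOME_NET host sending this is itself infected and scanning outward.
# 32011: 10-byte "BUILD X86\n" registration to the C2, again on any port. The exact dsize
#   values mean a coalesced segment (command plus trailing data) would not match.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Linux.Backdoor.Flooder inbound connection attempt - command"; flow:to_client,established; dsize:<15; content:"|21 2A 20|SCANNER ON"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/73b0d95541c84965fa42c3e257bb349957b3be626dec9d55efcc6ebcba6fa489/analysis/; classtype:trojan-activity; sid:32009; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"MALWARE-CNC Linux.Backdoor.Flooder outbound telnet connection attempt"; flow:to_server,established; content:"/bin/busybox|3B|echo -e |27 5C|147|5C|141|5C|171|5C|146|5C|147|5C|164|27 0D 0A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service telnet; reference:url,www.virustotal.com/en/file/73b0d95541c84965fa42c3e257bb349957b3be626dec9d55efcc6ebcba6fa489/analysis/; classtype:trojan-activity; sid:32010; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Linux.Backdoor.Flooder outbound connection"; flow:to_server,established; dsize:10; content:"BUILD X86|0A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/73b0d95541c84965fa42c3e257bb349957b3be626dec9d55efcc6ebcba6fa489/analysis/; classtype:trojan-activity; sid:32011; rev:2;)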
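# Shellshock over non-HTTP services.
# 32038/32039 (SMTP): "() {" inside a MAIL FROM: / RCPT TO: argument. The pcre uses ^
#   without /m, so the command must start the payload (normal for one-command-per-segment
#   SMTP); \s between "()" and "{" is consistent with the literal content.
# 32041/32042 (SIP) are disabled by default (leading #) because they need the sip
#   preprocessor's sip_header buffer; enable only where that preprocessor is configured.
# 32043 (FTP): "USER " must be at payload offset 0 (depth:5) and "() {" anywhere after it.
#   Hard-coded port 21 rather than $FTP_PORTS, so FTP on alternate ports is not covered.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; content:"() {"; fast_pattern:only; content:"MAIL"; nocase; content:"FROM|3A|"; distance:0; nocase; pcre:"/^\s*?MAIL\s+?FROM\x3a[^\r\n]*?\x28\x29\s\x7b/i"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service smtp; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32038; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; content:"() {"; fast_pattern:only; content:"RCPT"; nocase; content:"TO|3A|"; distance:0; nocase; pcre:"/^\s*?RCPT\s+?TO\x3a[^\r\n]*?\x28\x29\s\x7b/i"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service smtp; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32039; rev:2;)
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"OS-OTHER Bash environment variable injection attempt"; flow:stateless; sip_header; content:"() {"; metadata:policy security-ips drop, ruleset community, service sip; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32041; rev:3;)
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; sip_header; content:"() {"; metadata:policy security-ips drop, ruleset community, service sip; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32042; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; content:"USER "; depth:5; content:"() {"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ftp; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32043; rev:2;)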
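# Asprox (one VT sample, shared with the Zemot rules below).
# 32065: the C2's acknowledgement page <html><body>hi!</body></html>. Note
#   "Content-Length: 30" has no trailing |0D 0A|, so it also prefixes 300..309 etc.; the
#   body fast pattern is what really selects, so this is harmless but worth knowing.
# 32066: /b/pkg/T202 + 10 [0-9a-z] (urilen 21, inside the 20<>23 window) with a UA-CPU
#   header and Keep-Alive as the last header.
# 32067: fast_pattern "/x/" at URI depth 3 is very short and common; the fast-pattern
#   matcher will hand every "/x/..." request to this rule and the pcre does the real work -
#   watch its cost on busy sensors. "UA-CPU: " here is a raw match, whereas 32066 uses
#   http_header; both find the header, the buffer choice just differs.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Asprox inbound connection attempt"; flow:to_client,established; content:"Content-Length: 30"; http_header; file_data; content:"|3C|html|3E 3C|body|3E|hi!|3C 2F|body|3E 3C 2F|html|3E|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8ba8292eaa47967618c2376afe524736f4fa7eec15ed9cca17abfca692d26fe4/analysis/; classtype:trojan-activity; sid:32065; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Asprox outbound connection"; flow:to_server,established; urilen:20<>23; content:"/b/pkg/T202"; depth:11; fast_pattern; http_uri; content:"UA-CPU: "; http_header; content:"Connection: Keep-Alive|0D 0A 0D 0A|"; pcre:"/\x2fb\x2fpkg\x2fT202[0-9a-z]{10}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8ba8292eaa47967618c2376afe524736f4fa7eec15ed9cca17abfca692d26fe4/analysis/; classtype:trojan-activity; sid:32066; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Asprox outbound connection"; flow:to_server,established; urilen:46<>51; content:"/x/"; depth:3; fast_pattern; http_uri; content:"UA-CPU: "; content:"Connection: Keep-Alive|0D 0A 0D 0A|"; pcre:"/\x2fx\x2f[0-9a-z]{8,10}\x2f[0-9a-f]{32}\x2fAA\x2f0$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8ba8292eaa47967618c2376afe524736f4fa7eec15ed9cca17abfca692d26fe4/analysis/; classtype:trojan-activity; sid:32067; rev:3;)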
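# Shellshock via the FTP PASS argument (companion to sid 32043, which covers USER).
# "PASS " must be at payload offset 0 (depth:5); "() {" anywhere after it. Hard-coded port 21.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; content:"PASS "; depth:5; content:"() {"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service ftp; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32069; rev:2;)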
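# Zemot downloader (same VT sample as the Asprox rules above; Zemot is the stage that
# fetches Asprox, so overlapping hits from one host are expected).
# All three require "Connection: Close", "Cache-Control: no-cache" and NO Referer header.
# 32072: ".dll" as fast_pattern:only is short and common in URIs; the pcre
#   /\x2fsoft(64|32)\x2edll$/U (soft32.dll / soft64.dll at the end of the path) is the
#   real selector. 32073: /b/shoe/ followed by 3-5 digits at end of path.
# 32074: "/mod_articles-auth-" (19 bytes, anchored at URI start) then "/jquery/" exactly
#   7 bytes later - a fixed-width token sits between them.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zemot configuration download attempt"; flow:to_server,established; content:"/mod_"; http_uri; content:"/soft"; http_uri; content:".dll"; fast_pattern:only; http_uri; content:"Connection|3A 20|Close|0D 0A|"; http_header; content:"Cache-Control|3A 20|no-cache|0D 0A|"; http_header; content:!"Referer"; http_header; pcre:"/\x2fsoft(64|32)\x2edll$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8ba8292eaa47967618c2376afe524736f4fa7eec15ed9cca17abfca692d26fe4/analysis/; classtype:trojan-activity; sid:32072; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zemot outbound connection"; flow:to_server,established; content:"/b/shoe/"; fast_pattern:only; http_uri; content:"Connection|3A 20|Close|0D 0A|"; http_header; content:"Cache-Control|3A 20|no-cache|0D 0A|"; http_header; content:!"Referer"; http_header; pcre:"/\x2fb\x2fshoe\x2f[0-9]{3,5}$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8ba8292eaa47967618c2376afe524736f4fa7eec15ed9cca17abfca692d26fe4/analysis/; classtype:trojan-activity; sid:32073; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zemot payload download attempt"; flow:to_server,established; content:"/mod_articles-auth-"; depth:19; fast_pattern; http_uri; content:"/jquery/"; within:8; distance:7; http_uri; content:"Accept: */*|0D 0A|Connection|3A 20|Close|0D 0A|"; http_header; content:"Cache-Control|3A 20|no-cache|0D 0A|"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8ba8292eaa47967618c2376afe524736f4fa7eec15ed9cca17abfca692d26fe4/analysis/; classtype:trojan-activity; sid:32074; rev:1;)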
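# Bancos POST to /beta/order.php with an MSIE-style User-Agent and no Accept or Referer
# headers. The long request-line+headers content is a raw match, and the following
# "|3B 20|MSIE|20|" / "|29 0D 0A|Host:" contents use distance:0 but switch to the
# http_header buffer - confirm on the deployed Snort version that a relative match across
# buffers behaves as intended (it is at least not anchored to the raw match offset).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"/beta/order.php"; fast_pattern:only; http_uri; content:" HTTP/1.1|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/"; content:"|3B 20|MSIE|20|"; distance:0; http_header; content:"|29 0D 0A|Host:"; distance:0; http_header; content:!"Accept"; http_header; content:!"|0D 0A|Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:32130; rev:2;)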
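# PlugX (one VT sample): three C2 hostnames - two on dynamic-DNS parents (ns1.name, ns01.us)
# plus a Microsoft look-alike (microsoftsp3.com) - and the implant's HTTP-style beacon.
# DNS rules match standard queries only (flags byte & 0xF8 == 0), UDP/53 only, and the full
# label sequence, so the shared dynamic-DNS parents are not blocked.
# 32179: the HHV1..HHV4 pseudo-headers (HHV3 fixed at 61456) must appear within 20 bytes of
#   each other, on 53/80/443/5432. These are plaintext matches: on 443 they only fire if the
#   implant speaks cleartext on that port, which the service ssl tag suggests it does; real
#   TLS hides it. Raw contents, so port/service mismatches do not prevent the match.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain av4.microsoftsp3.com - Win.Trojan.Plugx"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|av4|0C|microsoftsp3|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,virustotal.com/en/file/4d464f9def2276dac15d19ccf049b7c68642290bc0e345e06d4b6e9103fde9e6/analysis/; classtype:trojan-activity; sid:32176; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain java.ns1.name - Win.Trojan.Plugx"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|java|03|ns1|04|name|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,virustotal.com/en/file/4d464f9def2276dac15d19ccf049b7c68642290bc0e345e06d4b6e9103fde9e6/analysis/; classtype:trojan-activity; sid:32177; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain wm1.ns01.us - Win.Trojan.Plugx"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|wm1|04|ns01|02|us|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,virustotal.com/en/file/4d464f9def2276dac15d19ccf049b7c68642290bc0e345e06d4b6e9103fde9e6/analysis/; classtype:trojan-activity; sid:32178; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [53,80,443,5432] (msg:"MALWARE-CNC WIN.Trojan.Plugx variant outbound connection"; flow:to_server,established; content:"HHV1:"; content:"HHV2:"; within:20; content:"HHV3: 61456"; within:20; fast_pattern; content:"HHV4:"; within:20; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns, service http, service ssl; reference:url,virustotal.com/en/file/4d464f9def2276dac15d19ccf049b7c68642290bc0e345e06d4b6e9103fde9e6/analysis/; classtype:trojan-activity; sid:32179; rev:1;)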

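# ZxShell. 32180/32181: the 16-byte handshake in each direction, identified by its first
#   8 bytes. dsize:16 means the match depends on the handshake arriving as its own segment;
#   if it is coalesced with following data the rule is silent. Any port, both directions.
# 32192: a later ZxShell variant's system-info report (" OS: ", " CPU:", "Hz,RAM:" in that
#   order). These are plain ASCII on any TCP port with no fast_pattern and no length limit,
#   so inventory or monitoring agents that emit similar text outbound can false-positive;
#   review hits against the destination before acting on the impact_flag.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.ZxShell connection incoming attempt"; flow:to_client,established; dsize:16; content:"|85 19 00 00 25 04 00 00|"; depth:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,virustotal.com/en/file/438ed90e1f69b5dcae2d30d241159aaed74f9d3125c60f1003915b2237978f7d/analysis/; classtype:trojan-activity; sid:32180; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Backdoor.ZxShell connection outgoing attempt"; flow:to_server,established; dsize:16; content:"|86 19 00 00 04 01 00 00|"; depth:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,virustotal.com/en/file/438ed90e1f69b5dcae2d30d241159aaed74f9d3125c60f1003915b2237978f7d/analysis/; classtype:trojan-activity; sid:32181; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Zxshell variant outbound connection"; flow:to_server,established; content:"|20|OS|3A 20|"; content:"|20|CPU|3A|"; distance:0; content:"Hz,RAM|3A|"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/547044cb73f1c18ccd92cd28afded37756f749a9338ed7c04306c1de46889d6b/analysis/; classtype:trojan-activity; sid:32192; rev:1;)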
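# Graftor multipart upload: form fields named PLUG, PC and SEG (SEG required after PC) with
# the Indy Library (Delphi) User-Agent. The field names are the discriminator; the Indy UA
# is shared by plenty of benign Delphi software and must stay combined with them.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Graftor variant outbound connection"; flow:to_server,established; content:"form-data|3B| name=|22|PLUG|22 0D 0A|"; fast_pattern:only; http_client_body; content:"form-data|3B| name=|22|PC|22 0D 0A|"; http_client_body; content:"form-data|3B| name=|22|SEG|22 0D 0A|"; distance:0; http_client_body; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/f7215718184d5fa1a2057e5dd714d3cdbd00fe924334ecdd3cd5662c3c284d90/analysis/; classtype:trojan-activity; sid:32196; rev:1;)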
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Cryptowall variant outbound connection";
flow:to_server,established; urilen:27; content:"/blogtrabajos/n65dj17i1836"; fast_pattern:only; http_uri; metadata:impact_flag
red, policy balanced-ips drop, policy security-ips drop, ruleset
community, service http;
reference:url,www.virustotal.com/en/file/f75b9ed535c3b33ead4da28854f3e8d6
e805135679a2352463184acb06ffcaf0/analysis/; classtype:trojan-activity;
sid:32225; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX
Mozilla 1.0 Javascript arbitrary cookie access attempt";
flow:to_server,established; file_data; content:"javascript|3A|//";
fast_pattern:only; content:"document.cookie"; nocase; metadata:ruleset
community, service smtp; reference:bugtraq,5293; reference:cve,2002-2314;
reference:url,osvdb.org/show/osvdb/60255; classtype:attempted-user;
sid:32244; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Hydraq.variant outbound detected"; flow:to_server,established;
content:"/info.xml"; http_uri; content:"Host:"; http_header;
content:"update-adobe.com"; within:30; http_header; metadata:policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http; classtype:trojan-activity; sid:32250; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-OTHER Sinkhole
reply - irc-sinkhole.cert.pl"; flow:to_client,established; content:"|3A|
irc|2D|sinkhole|2E|cert|2E|pl"; fast_pattern:only; content:"|3A|End of
MOTD command|2E|"; metadata:policy balanced-ips drop, policy
connectivity-ips drop, policy security-ips drop, ruleset community;
classtype:trojan-activity; sid:32260; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain good.myftp.org - Win.Trojan.Farfi"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|04|good|05|myftp|03|org|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/184c083e839451c2ab0de7a89aa801dc
0458e2bd1fe79e60f35c26d92a0dbf6a/analysis/; classtype:trojan-activity;
sid:32309; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER
Bash CGI environment variable injection attempt";
flow:to_server,established; content:" () {"; depth:50; urilen:>0,norm;
content:!"HTTP/"; metadata:ruleset community, service http;
reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32335;
rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER
Bash CGI environment variable injection attempt";
flow:to_server,established; content:"() {"; fast_pattern:only;
content:"() {"; http_cookie; metadata:ruleset community, service http;
reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32336;
rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Bash
environment variable injection attempt"; flow:to_server,established;
content:"() {"; content:"}"; within:25; pcre:"/^[\w\x2d\x5f]
+?\x3a\s*?\x28\x29\s\x7b/mi"; metadata:ruleset community, service smtp;
reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32366;
rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.GameOverZeus variant outbound connection";
flow:to_server,established; urilen:<10; content:"/update"; http_uri;
content:"POST"; http_method; content:"|0D 0A|Accept-Encoding:|0D 0A|
Connection: close|0D 0A|Content-Length: "; fast_pattern:only;
http_header; content:!"User-Agent:"; http_header; metadata:impact_flag
red, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/d866214d1f921028f9001ae399e9f8de
c32ec8998c84d20d60a992164888a6fc/analysis; classtype:trojan-activity;
sid:32367; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-OTHER AOL
Instant Messenger goaway message buffer overflow attempt";
flow:to_server,established; file_data; content:"aim|3A|goaway?message=";
nocase; isdataat:500,relative;
pcre:"/\x22aim\x3Agoaway\x3Fmessage\x3D[^\x22]
{500}|\x27aim\x3Agoaway\x3Fmessage\x3D[^\x27]{500}|
aim\x3Agoaway\x3Fmessage\x3D[^\s]{500}/i"; metadata:ruleset community,
service smtp; reference:bugtraq,10889; reference:cve,2004-0636;
reference:url,osvdb.org/show/osvdb/8398; classtype:misc-attack;
sid:32370; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Androm variant outbound connection";
flow:to_server,established; urilen:13; content:"POST"; http_method;
content:"/and/gate.php"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/4.0|0D 0A|"; http_header; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http;
reference:url,malwr.com/analysis/ZmE3ZWU2YTkyM2U0NGQ0MmI1NDcxMjUwZDE2NTM5
MjQ/; classtype:trojan-activity; sid:32374; rev:2;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known
malware domain tiptronic.soxx.us - Scarsi Trojan"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|09|tiptronic|04|soxx|02|us|00|";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service dns;
reference:url,www.virustotal.com/en/file/403bca7e414291c4aecf8646ef6157e4
41d51915149fbcd2f70aabe05585c8ff/analysis/; classtype:trojan-activity;
sid:32385; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Symmi variant outbound connection";
flow:to_server,established; urilen:16; content:"/cbrry/cbre.html";
fast_pattern:only; http_uri; content:"User-Agent: Mozilla/3.0
(compatible|3B| Indy Library)"; http_header; metadata:impact_flag red,
policy balanced-ips drop, policy security-ips drop, ruleset community,
service http;
reference:url,www.virustotal.com/en/file/7c110c2d125a4100322bd9c4328d0a01
259cb00a4e3709815711b8b364a58bdd/analysis/1415285838/; classtype:trojan-activity; sid:32583; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Symmi variant outbound connection";
flow:to_server,established; content:"plug=NAO"; fast_pattern:only;
http_client_body; content:".php HTTP/1.0|0D 0A|"; content:"Content-Length: 8"; http_header; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service http;
reference:url,malwr.com/analysis/NDUwYTczYzQ0YWMwNGM2Yjk5MDc5YmU4Yjg5MzY5
OWY/;
reference:url,www.virustotal.com/en/file/d34644047c451081e9332e18600dba25
aed42ff76f96fc51cb3eada95ba57e59/analysis/; classtype:trojan-activity;
sid:32584; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Geodo variant outbound connection";
flow:to_server,established; urilen:1; content:"User-Agent: Mozilla/4.0
(compatible|3B|MSIE 7.0|3B|Windows NT 6.0)|0D 0A|"; fast_pattern:only;
http_header; content:!"Accept-Language:"; http_header;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/330b408173d45365dd6372bc659ebdd5
4b9eb18b323079da9552c4e3d8e62d1e/analysis/; classtype:trojan-activity;
sid:32604; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Worm.Jenxcus variant outbound connection";
flow:to_server,established; content:"/seo.php?
username=MAREYOLE&format=ptp"; fast_pattern:only; http_uri;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/8538cbb2271f90c57f57150d714ec92e
59869f52c7060bb2ab1f57ef6757321d/analysis/; classtype:trojan-activity;
sid:32605; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Sodebral variant outbound connection";
flow:to_server,established; content:"/verifica/index.php?id=";
fast_pattern:only; http_uri; content:"User-Agent: Mozilla/3.0
(compatible|3B| Indy Library)|0D 0A 0D 0A|"; http_header;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa
6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity;
sid:32606; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established;
file_data; dsize:<194; content:"INTERNACIONAL"; depth:13;
content:!"Content-Length"; http_header; content:"Transfer-Encoding:
chunked"; http_header; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa
6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity;
sid:32607; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established;
file_data; dsize:<194; content:"BRASIL"; depth:6; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa
6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity;
sid:32608; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLACKLIST User-Agent
known malicious user-agent string RUpdate"; flow:to_server,established;
content:"User-Agent: RUpdate|0D 0A|"; fast_pattern:only;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/0d68f1d3855543a4732e551e9e4375a2
cd85d9ab11a86334f67ad99c5f6990a0/analysis/; classtype:trojan-activity;
sid:32645; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - _pdf.exe within .zip file";
flow:to_client,established; flowbits:isset,file.zip; file_data;
content:"_pdf.exe"; fast_pattern:only; metadata:policy security-ips drop,
ruleset community, service http;
reference:url,www.virustotal.com/en/file/0d68f1d3855543a4732e551e9e4375a2
cd85d9ab11a86334f67ad99c5f6990a0/analysis/; classtype:trojan-activity;
sid:32646; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain baltichost.org - Group 74"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|0A|baltichost|03|org";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf9
1bc57183aae459dca98dc8216965/analysis/; classtype:trojan-activity;
sid:32652; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain kavkazcentr.info - Group 74"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|0B|kavkazcentr|04|info";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf9
1bc57183aae459dca98dc8216965/analysis/; classtype:trojan-activity;
sid:32653; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain login-osce.org - Group 74"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|0A|login-osce|03|org";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf9
1bc57183aae459dca98dc8216965/analysis/; classtype:trojan-activity;
sid:32654; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain mail.q0v.pl - Group 74"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|04|mail|03|g0v|02|pl";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf9
1bc57183aae459dca98dc8216965/analysis/; classtype:trojan-activity;
sid:32655; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain n0vinite.com - Group 74"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|08|n0vinite|03|com"; fast_pattern:only;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf9
1bc57183aae459dca98dc8216965/analysis/; classtype:trojan-activity;
sid:32656; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain nato.nshq.in - Group 74"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|04|nato|04|nshq|02|in";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf9
1bc57183aae459dca98dc8216965/analysis/; classtype:trojan-activity;
sid:32657; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain natoexhibitionff14.com - Group 74";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|12|natoexhibitionff14|
03|com"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service http;
reference:url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf9
1bc57183aae459dca98dc8216965/analysis/; classtype:trojan-activity;
sid:32658; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain novinitie.com - Group 74"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|09|novinitie|03|com"; fast_pattern:only;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf9
1bc57183aae459dca98dc8216965/analysis/; classtype:trojan-activity;
sid:32659; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain q0v.pl - Group 74"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|03|q0v|02|pl"; fast_pattern:only;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf9
1bc57183aae459dca98dc8216965/analysis/; classtype:trojan-activity;
sid:32660; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain qov.hu.com - Group 74"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|03|qov|02|hu|03|com"; fast_pattern:only;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf9
1bc57183aae459dca98dc8216965/analysis/; classtype:trojan-activity;
sid:32661; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain rnil.am - Group 74"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|04|rnil|02|am"; fast_pattern:only;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf9
1bc57183aae459dca98dc8216965/analysis/; classtype:trojan-activity;
sid:32662; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain smigroup-online.co.uk - Group 74";
flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|smigroup-online|02|
co|02|uk"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http;
reference:url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf9
1bc57183aae459dca98dc8216965/analysis/; classtype:trojan-activity;
sid:32663; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request
for known malware domain standartnevvs.com - Group 74"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|0D|standartnevvs|03|com";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf9
1bc57183aae459dca98dc8216965/analysis/; classtype:trojan-activity;
sid:32664; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Chopstick variant outbound request";
flow:to_server,established; content:"/search?btnG="; http_uri;
content:"utm="; distance:0; http_uri; content:"ai="; distance:0;
http_uri; content:!"."; depth:20; http_client_body;
isdataat:500,relative; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service http;
reference:url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf9
1bc57183aae459dca98dc8216965/analysis/; classtype:trojan-activity;
sid:32665; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Coreshell variant outbound connection";
flow:to_server,established; urilen:7; content:"/check/"; http_uri;
content:!"."; depth:20; http_client_body; isdataat:500,relative;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf9
1bc57183aae459dca98dc8216965/analysis/; classtype:trojan-activity;
sid:32666; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Chopstick variant outbound request";
flow:to_server,established; content:"/webhp?rel="; http_uri;
content:"hl="; distance:0; http_uri; content:"ai="; distance:0; http_uri;
content:!"."; depth:20; http_client_body; isdataat:500,relative;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf9
1bc57183aae459dca98dc8216965/analysis/; classtype:trojan-activity;
sid:32667; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Dropper.Ch variant outbound connection"; flow:to_server,established;
content:"POST"; http_method; content:"/tasks.php"; fast_pattern:only;
http_uri; content:"Content-length:"; http_header; content:"Content-type:"; http_header; content:!"Accept"; http_header; metadata:impact_flag
red, policy balanced-ips drop, policy security-ips drop, ruleset
community, service http;
reference:url,www.virustotal.com/en/file/3d8f05f45f8335198e5488716be2a9c5
cebead7d0321bc371fa475d689ffe658/analysis/; classtype:trojan-activity;
sid:32670; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET [8000,8080] (msg:"MALWARE-CNC
Win.Trojan.Wiper variant outbound connection";
flow:to_server,established; dsize:42; content:"(|00|"; depth:2;
content:"|04 00 00 00|"; within:4; distance:36; metadata:impact_flag red,
policy security-ips drop, ruleset community;
reference:url,virustotal.com/en/file/e2ecec43da974db02f624ecadc94baf1d21f
d1a5c4990c15863bb9929f781a0a/analysis/; classtype:trojan-activity;
sid:32674; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
FIN4 VBA Macro credentials upload attempt"; flow:to_server, established;
content:"POST"; http_method; content:"/report.php?msg=";
fast_pattern:only; http_uri; content:"&uname="; http_uri;
content:"&pword="; http_uri; content:"Content-Length|3A 20|0|0D 0A|";
http_header; metadata:impact_flag red, policy balanced-ips drop, policy
security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/url/536ed7236769b9a5f09b2a31ab138fbad
7331108cb65e1f4c77d129df7fb7764/analysis/; classtype:trojan-activity;
sid:32776; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Darkhotel outbound connection"; flow:to_server,established;
content:"/images/view.php"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|"; http_header; content:"Media Center PC 6.0"; within:175;
http_header; content:!"Accept|3A 20|"; http_header; content:!"Referer|3A
20|"; http_header; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,securelist.com/files/2014/11/darkhotel_kl_07.11.pdf;
reference:url,securelist.com/files/2014/11/darkhotelappendixindicators_kl
.pdf; classtype:trojan-activity; sid:32823; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Darkhotel outbount connection attempt";
flow:to_server,established; content:"/txt/read.php"; fast_pattern:only;
http_uri; content:"User-Agent|3A 20|"; http_header; content:"Media Center
PC 6.0"; within:175; http_header; content:!"Accept|3A 20|"; http_header;
content:!"Referer|3A 20|"; http_header; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http; reference:url,securelist.com/files/2014/11/darkhotel_kl_07.11.pdf;
reference:url,securelist.com/files/2014/11/darkhotelappendixindicators_kl
.pdf; classtype:trojan-activity; sid:32824; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Darkhotel outbound connection"; flow:to_server,established;
content:"/bin/read_i.php?"; http_uri; content:"a1="; http_uri;
content:"&a2=step2-down"; fast_pattern:only; http_uri; content:"&a3=";
http_uri; content:"&a4="; http_uri; metadata:impact_flag red, policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http; reference:url,securelist.com/files/2014/11/darkhotel_kl_07.11.pdf;
reference:url,securelist.com/files/2014/11/darkhotelappendixindicators_kl
.pdf; classtype:trojan-activity; sid:32825; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Darkhotel data upload attempt"; flow:to_server,established;
content:"POST"; http_method; content:"/html/docu.php"; http_uri;
content:"User-Agent|3A 20|"; http_header; content:"Media Center PC 6.0";
within:175; http_header; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service http;
reference:url,securelist.com/files/2014/11/darkhotel_kl_07.11.pdf;
reference:url,securelist.com/files/2014/11/darkhotelappendixindicators_kl
.pdf; classtype:trojan-activity; sid:32826; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.Darkhotel response connection attempt";
flow:to_client,established; file_data; content:"DEXT87";
pcre:"/DEXT87(no|up|\d+\x2e\d+\x2e\d+\x2e\d+)/i"; metadata:impact_flag
red, policy balanced-ips drop, policy security-ips drop, ruleset
community, service http;
reference:url,securelist.com/files/2014/11/darkhotel_kl_07.11.pdf;
reference:url,securelist.com/files/2014/11/darkhotelappendixindicators_kl
.pdf; classtype:trojan-activity; sid:32827; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT
Absolute Software Computrace outbound connection - 209.53.113.223";
flow:to_server,established; content:"Host|3A| 209.53.113.223|0D 0A|";
fast_pattern:only; http_header; content:"TagId: "; http_header;
metadata:policy security-ips drop, ruleset community, service http;
reference:url,absolute.com/support/consumer/technology_computrace;
reference:url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf;
reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:32845;
rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT
Absolute Software Computrace outbound connection - absolute.com";
flow:to_server,established; content:".absolute.com|0D 0A|";
fast_pattern:only; http_header; content:"TagId: "; http_header;
pcre:"/^m\d+\.absolute\.com$/Hi"; metadata:policy security-ips drop,
ruleset community, service http;
reference:url,absolute.com/support/consumer/technology_computrace;
reference:url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf;
reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:32846;
rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT
Absolute Software Computrace outbound connection - bh.namequery.com";
flow:to_server,established; content:"Host|3A| bh.namequery.com|0D 0A|";
fast_pattern:only; http_header; content:"TagId: "; http_header;
metadata:policy security-ips drop, ruleset community, service http;
reference:url,absolute.com/support/consumer/technology_computrace;
reference:url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf;
reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:32847;
rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT
Absolute Software Computrace outbound connection - namequery.nettrace.co.za"; flow:to_server,established; content:"Host|3A|
namequery.nettrace.co.za|0D 0A|"; fast_pattern:only; http_header;
content:"TagId: "; http_header; metadata:policy security-ips drop,
ruleset community, service http;
reference:url,absolute.com/support/consumer/technology_computrace;
reference:url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf;
reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:32848;
rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT
Absolute Software Computrace outbound connection - search.us.namequery.com"; flow:to_server,established; content:"Host|3A|
search.us.namequery.com|0D 0A|"; fast_pattern:only; http_header;
content:"TagId: "; http_header; metadata:policy security-ips drop,
ruleset community, service http;
reference:url,absolute.com/support/consumer/technology_computrace;
reference:url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf;
reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:32849;
rev:1;)

# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT
Absolute Software Computrace outbound connection - search2.namequery.com"; flow:to_server,established; content:"Host|3A|
search2.namequery.com|0D 0A|"; fast_pattern:only; http_header;
content:"TagId: "; http_header; metadata:policy security-ips drop,
ruleset community, service http;
reference:url,absolute.com/support/consumer/technology_computrace;
reference:url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf;
reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:32850;
rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT
Absolute Software Computrace outbound connection - search64.namequery.com"; flow:to_server,established; content:"Host|3A|
search64.namequery.com|0D 0A|"; fast_pattern:only; http_header;
content:"TagId: "; http_header; metadata:policy security-ips drop,
ruleset community, service http;
reference:url,absolute.com/support/consumer/technology_computrace;
reference:url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf;
reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:32851;
rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Poolfiend variant outbound connection"; flow:to_server,
established; content:"/11/form.php"; fast_pattern:only; http_uri;
content:"POST"; http_method; content:!"Accept"; http_header; pcre:"/[a-z\d\x2f\x2b\x3d]{100}/AGPi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/12a803cd2f67d2dbdc3fb1a6940b9a11
b61f6d8455f139e6e90893d9a4eb455a/analysis/; classtype:trojan-activity;
sid:32852; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Poolfiend variant outbound connection"; flow:to_server,
established; content:"/11/feed.php"; fast_pattern:only; http_uri;
content:"POST"; http_method; content:!"Accept"; http_header; pcre:"/[a-z\d\x2f\x2b\x3d]{100}/AGPi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/12a803cd2f67d2dbdc3fb1a6940b9a11
b61f6d8455f139e6e90893d9a4eb455a/analysis/; classtype:trojan-activity;
sid:32853; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Potential Redirect from Compromised WordPress site to Fedex Spammed Malware Download attempt"; flow:to_server,established; urilen:1;
content:"GET"; http_method; content:"/wp-admin/"; fast_pattern:only;
http_header; content:"Host: www.fedex.com|0D 0A|"; http_header;
pcre:"/Referer\x3a\x20[\x20-\x7E]*?\/wp\x2dadmin\/[a-z\d\x2d]
+?\.php\r\n/Hi"; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,www.hybrid-analysis.com/sample/a531bc62b0460eba5b0003b535a2e9cceae0b623aecfdc6f03317
43fbee77e56/; classtype:trojan-activity; sid:32888; rev:1;)

# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE
Microsoft and libpng multiple products PNG large image width overflow
attempt"; flow:to_server,established; flowbits:isset,file.png; file_data;
content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8;
byte_test:4,>,32767,0,relative; metadata:ruleset community, service smtp;
reference:bugtraq,11523; reference:cve,2004-0990; reference:cve,2004-1244; reference:cve,2007-5503; reference:url,sourceforge.net/p/png-mng/mailman/message/33173462/; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-009; classtype:attempted-user; sid:32889;
rev:1;)
# alert tcp $EXTERNAL_NET 488 -> $HOME_NET any (msg:"MALWARE-BACKDOOR
Win.Trojan.Wiper inbound communication attempt";
flow:to_client,established; content:"|60 DB 37 37 37 37 37 37|";
fast_pattern:only; metadata:impact_flag red, ruleset community;
reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32911; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 488 (msg:"MALWARE-BACKDOOR
Win.Trojan.Wiper outbound communication attempt";
flow:to_server,established; content:"|60 DB 37 37 37 37 37 37|";
fast_pattern:only; metadata:impact_flag red, ruleset community;
reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32912; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"MALWARE-BACKDOOR Win.Trojan.Wiper download attempt";
flow:to_client,established; file_data; content:"|4C 4C|"; depth:2;
offset:16; content:"|75 14 2A 2A|"; within:4; distance:4;
metadata:impact_flag red, ruleset community, service ftp-data, service
http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32913;
rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
(msg:"MALWARE-BACKDOOR Win.Trojan.Wiper download attempt";
flow:to_client,established; file_data; content:"|8A 10 80 C2 67 80 F2 24
88 10|"; fast_pattern:only; metadata:impact_flag red, ruleset community,
service ftp-data, service http, service imap, service pop3;
reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32914; rev:1;)
# alert tcp $EXTERNAL_NET 488 -> $HOME_NET any (msg:"MALWARE-BACKDOOR
Win.Trojan.Wiper inbound communication attempt";
flow:to_client,established; content:"|65 DB 37 37 37 37 37 37|";
fast_pattern:only; metadata:impact_flag red, ruleset community;
reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32915; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 488 (msg:"MALWARE-BACKDOOR
Win.Trojan.Wiper outbound communication attempt";
flow:to_server,established; content:"|65 DB 37 37 37 37 37 37|";
fast_pattern:only; metadata:impact_flag red, ruleset community;
reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32916; rev:1;)
# alert tcp $EXTERNAL_NET [547,8080,133,117,189,159] -> $HOME_NET any
(msg:"MALWARE-BACKDOOR Win.Trojan.Wiper inbound communication attempt";
flow:to_client,established; content:"|7B 08 2A 2A|"; offset:17;
content:"|08 2A 2A 01 00|"; distance:0; metadata:impact_flag red, ruleset
community; reference:url,us-cert.gov/ncas/alerts/TA14-353A;
classtype:trojan-activity; sid:32917; rev:1;)
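# sid 32918 (shipped disabled): downloaded file containing the literal string below. NOTE(review): the page broke the literal between "!" and "@"; it is reproduced here as a single token with no space — confirm against the upstream community.rules before enabling.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR Win.Trojan.Wiper download attempt"; flow:to_client,established; file_data; content:"Sleepy!@#qaz13402scvsde890"; fast_pattern:only; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32918; rev:1;)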
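# sid 32919 (shipped disabled): a 16-byte content with depth:16 means the file must begin with exactly these bytes — a file-header fingerprint, not a substring search.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper download attempt"; flow:to_client,established; file_data; content:"|C9 06 D9 96 FC 37 23 5A FE F9 40 BA 4C 94 14 98|"; depth:16; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32919; rev:1;)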
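# sid 32920 (shipped disabled): 5-byte sequence AA 64 BA F2 56 somewhere in the first 50 bytes of a downloaded file. A 5-byte pattern this short is prone to incidental matches; weigh before enabling.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper download attempt"; flow:to_client,established; file_data; content:"|AA 64 BA F2 56|"; depth:50; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32920; rev:1;)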
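# sid 32921 (shipped disabled): 6-byte sequence AA 74 BA F2 B9 75 within the first 74 bytes of a downloaded file.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper download attempt"; flow:to_client,established; file_data; content:"|AA 74 BA F2 B9 75|"; depth:74; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32921; rev:1;)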
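# sid 32922 (shipped disabled): Wiper "listener" component — 22-byte content at depth:22, i.e. the file must start with these bytes.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|0C 1F 1F 1F 4D 5A 4C 4F 50 51 4C 5A 3F 2D 2F 2F 3F 50 54 3E 3E 3E|"; depth:22; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32922; rev:1;)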
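# sid 32923 (shipped disabled): listener download — 18-byte content at depth:18 (file-start fingerprint).
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|D3 C4 D2 D1 CE CF D2 C4 A1 B3 B1 B1 A1 CE CA A0 A0 A0|"; depth:18; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32923; rev:1;)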
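# sid 32924 (shipped disabled): 20-byte content within the first 24 bytes of the file (up to 4 bytes of leading slack). Its first 18 bytes are exactly sid 32932's pattern, so a file that trips 32924 at offset 0 trips 32932 too — expect paired alerts.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|17 08 14 13 67 0F 13 13 17 67 15 02 16 12 02 14 13 78 47 47|"; depth:24; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32924; rev:1;)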
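# sid 32925 (shipped disabled): 19-byte content within the first 23 bytes of the file. Its first 18 bytes also appear (prefixed by 0C 1F 1F 1F) in sid 32933's pattern, so the two overlap on the same sample.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|4F 50 4C 4B 3F 57 4B 4B 4F 3F 4D 5A 4E 4A 5A 4C 4B 20 1F|"; depth:23; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32925; rev:1;)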
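# sid 32926 (shipped disabled): 18-byte content within the first 22 bytes of the file.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|15 02 14 17 08 09 14 02 67 75 77 77 67 08 0C 66 66 66|"; depth:22; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32926; rev:1;)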
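# sid 32927 (shipped disabled): 7-byte content with no depth/offset — matched anywhere in the file body. Short unanchored patterns like this are the most false-positive-prone of the set.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|09 22 33 30 28 35 2C|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32927; rev:1;)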
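# sid 32928 (shipped disabled): 24-byte content, unanchored, anywhere in the file body.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|13 2F 22 35 22 67 26 35 22 29 27 33 67 28 37 22 29 67 37 28 35 33 34 69|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32928; rev:1;)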
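# sid 32929 (shipped disabled): 16-byte content, unanchored. The pattern is two repeats of "43 47 47 47 xx 67 47 47"; sid 32930 is the four-repeat form of the same structure.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|43 47 47 47 45 67 47 47 43 47 47 47 44 67 47 47|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32929; rev:1;)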
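# sid 32930 (shipped disabled): 32-byte content, unanchored — four repeats of "43 47 47 47 xx 67 47 47" (cf. sid 32929).
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|43 47 47 47 42 67 47 47 43 47 47 47 4F 67 47 47 43 47 47 47 43 67 47 47 43 47 47 47 4E 67 47 47|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32930; rev:1;)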
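# sid 32931 (shipped disabled): 18-byte content at depth:18 (file-start fingerprint).
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|D1 CE D2 D5 A1 C9 D5 D5 D1 A1 D3 C4 D0 D4 C4 D2 D5 BE|"; depth:18; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32931; rev:1;)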
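# sid 32932 (shipped disabled): 18-byte content at depth:18; this is the first 18 bytes of sid 32924's 20-byte pattern, so the two fire together on a file that starts with that sequence.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|17 08 14 13 67 0F 13 13 17 67 15 02 16 12 02 14 13 78|"; depth:18; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32932; rev:1;)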


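# sid 32933 (shipped disabled): 22-byte content, unanchored — 0C 1F 1F 1F followed by the first 18 bytes of sid 32925's pattern.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|0C 1F 1F 1F 4F 50 4C 4B 3F 57 4B 4B 4F 3F 4D 5A 4E 4A 5A 4C 4B 20|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32933; rev:1;)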
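# sid 32934 (shipped disabled): same decode-loop shape as sid 32914 with different constants — x86 mov dl,[eax]; sub dl,0x62; xor dl,0xB4; mov [eax],dl.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper download attempt"; flow:to_client,established; file_data; content:"|8A 10 80 EA 62 80 F2 B4 88 10|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32934; rev:1;)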
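# sid 32935 (shipped disabled): decode-loop variant — x86 mov dl,[eax]; add dl,0x4E; xor dl,0x79; mov [eax],dl.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper download attempt"; flow:to_client,established; file_data; content:"|8A 10 80 C2 4E 80 F2 79 88 10|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32935; rev:1;)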
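# sid 32936 (shipped disabled): Wiper proxy tool download — decode-loop variant x86 mov dl,[eax]; add dl,0x3A; xor dl,0x73; mov [eax],dl.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-TOOLS Win.Trojan.Wiper proxy tools download attempt"; flow:to_client,established; file_data; content:"|8A 10 80 C2 3A 80 F2 73 88 10|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32936; rev:1;)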
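# sid 32937 (shipped disabled): proxy channel — any host/port, either direction, established TCP whose payload starts with E2 1D 49 49 (bytes 0-3) and has 49 49 49 49 at bytes 8-11, and does not contain "HTTP/1". No port or service constraint at all, so enable only with awareness of the inspection cost.
# alert tcp any any -> any any (msg:"MALWARE-TOOLS Win.Trojan.Wiper proxy communication attempt"; flow:established; content:!"HTTP/1"; content:"|E2 1D 49 49|"; depth:4; fast_pattern; content:"|49 49 49 49|"; within:4; distance:4; metadata:impact_flag red, ruleset community; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32937; rev:1;)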
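# sid 32938 (shipped disabled): proxy tool download — 39-byte content (ending in a 00 byte) matched anywhere in the file body.
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-TOOLS Win.Trojan.Wiper proxy tool download attempt"; flow:to_client,established; file_data; content:"|82 F4 DE D4 D3 C2 CA F5 C8 C8 D3 82 FB F4 DE D4 D3 C2 CA 94 95 FB D4 D1 C4 CF C8 D4 D3 89 C2 DF C2 87 8A CC 87 00|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32938; rev:1;)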
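# sid 32956: CoolReaper (Android) C2 — HTTP POST whose URI contains /dmp/api/ and whose User-Agent header begins "UAC/1.0.0 (Android " (trailing space is part of the match).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Android.CoolReaper.Trojan outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/dmp/api/"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|UAC/1.0.0 (Android "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/94b3d27488d10ec2dd73f39513a6d7845ab50b395d6b3adb614b94f8a8609f0e/analysis/; classtype:trojan-activity; sid:32956; rev:2;)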

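# sid 32957: TinyZBot C2 over SOAP — POST with a 17-byte URI equal to /checkupdate.asmx, a SOAPAction header, the .NET "MS Web Services Client Protocol" User-Agent prefix, and a SOAPAction value ending in GetServerTime", GetFileList" or GetFile" (pcre). The UA alone is stock .NET and not distinctive; the URI plus action names carry the detection.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.TinyZBot outbound SOAP connection attempt"; flow:to_server,established; content:"POST"; http_method; urilen:17; content:"/checkupdate.asmx"; fast_pattern:only; http_uri; content:"SOAPAction|3A 20|"; http_header; content:"User-Agent|3A 20|Mozilla/4.0|20 28|compatible|3B 20|MSIE 6.0|3B 20|MS Web Services Client Protocol"; pcre:"/SOAPAction\x3a[^\r\n]*Get(ServerTime|FileList|File)\x22/i"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0d1f479842cd5bde4f18ab8c85a099da39e13a4051a7c21334e33d55b6f18d76/analysis/; classtype:trojan-activity; sid:32957; rev:1;)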
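# sid 32958: TinyZBot server response — body starts with <?xml, a <soap:Body><GetFileListResponse xmlns="http:// element 200-270 bytes after it, then <GetFileListResult><string>[ALL]__ within 75 bytes. The fixed 200-byte distance assumes the server's envelope preamble length; a different envelope will not match.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.TinyZBot response connection attempt"; flow:to_client,established; file_data; content:"<?xml"; content:"<soap:Body><GetFileListResponse xmlns=|22|http|3A 2F 2F|"; within:70; distance:200; content:"<GetFileListResult><string>[ALL]__"; within:75; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0d1f479842cd5bde4f18ab8c85a099da39e13a4051a7c21334e33d55b6f18d76/analysis/; classtype:trojan-activity; sid:32958; rev:1;)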
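# sid 32976: Kuluos C2 — POST to exactly /w1/feed.php (urilen:12) with neither a Connection nor an Accept header; the negated headers are what separate this from a browser hitting the same path.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kuluos variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/w1/feed.php"; fast_pattern:only; http_uri; urilen:12; content:!"Connection|3A 20|"; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/48936d3242ccd9decedf1057b08eacf5f952efeb1b7bb2f354bb02028a361ac2/analysis/; classtype:trojan-activity; sid:32976; rev:2;)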
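# sid 32977: Kuluos C2 — sibling of sid 32976 for the /w1/form.php endpoint (urilen:12, no Connection/Accept headers).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kuluos variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/w1/form.php"; fast_pattern:only; http_uri; urilen:12; content:!"Connection|3A 20|"; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/48936d3242ccd9decedf1057b08eacf5f952efeb1b7bb2f354bb02028a361ac2/analysis/; classtype:trojan-activity; sid:32977; rev:2;)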
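# sid 33047: Upatre — raw-payload match (no http_* buffers, destination port any) for "/0/ HTTP/1." plus a "User-Agent: realupdate" header line. Because it inspects raw bytes it also covers HTTP on non-standard ports, but only on cleartext sessions.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLACKLIST User-Agent known malicious user-agent string - realupdate - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: realupdate|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:33047; rev:2;)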
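# sid 33058: Medusa inbound — server-to-client payload under 510 bytes containing, as UTF-16LE, "Under Construction</" and later ">www.microsoft.com<". Raw-payload match (no file_data/http buffers) with any source port; the dsize cap keeps a full-size page from matching.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.Medusa variant inbound connection"; flow:to_client,established; dsize:<510; content:"|00|U|00|n|00|d|00|e|00|r|00 20 00|C|00|o|00|n|00|s|00|t|00|r|00|u|00|c|00|t|00|i|00|o|00|n|00|<|00|/"; content:"|00 22 00 3E 00|w|00|w|00|w|00|.|00|m|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00 2E 00|c|00|o|00|m|00 3C|"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:33058; rev:1;)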
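# sid 33059: Medusa outbound — POST whose normalized URI contains /bbc_mirror/ followed later by search?id=. No explicit fast_pattern; Snort selects the longer content.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Medusa variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/bbc_mirror/"; http_uri; content:"search?id="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:33059; rev:1;)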
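# sid 33060: Medusa outbound — sibling of sid 33059 keyed on CNN_Mirror/EN in the URI followed by search?id=.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Medusa variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"CNN_Mirror/EN"; http_uri; content:"search?id="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:33060; rev:1;)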
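# sid 33153: GET to exactly /01/WindowsUpdate (urilen:17) with no User-Agent and no Accept header. The negated "User-Agent:" content is restored here — the page rendering had dropped the hyphen, which would have made the negation match nothing and silently loosened the rule.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Heur variant outbound connection"; flow:to_server,established; content:"GET"; http_method; urilen:17; content:"/01/WindowsUpdate"; fast_pattern:only; http_uri; content:!"User-Agent:"; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2fb5c3859df3b46cc7e2e2176654cb7e5f739f2bc9faf3e813736b37c6d3b6bc/analysis/; classtype:trojan-activity; sid:33153; rev:2;)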
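# sid 33207: Upatre — raw-payload match for the misspelled "User-Agent: Mazilla/5.0" header line on any destination port (no http_header buffer; cleartext only).
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLACKLIST User-Agent known malicious user-agent string - Mazilla/5.0 - Win.Backdoor.Upatre"; flow:to_server,established; content:"User-Agent: Mazilla/5.0|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:33207; rev:2;)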
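# sid 33212: SoftPulse adware — response body (JSON) containing ,"installerBehavior":{"hideOnInstall": and a {"time": object followed by "country" within 30 bytes and ,"countryId": within 20. Category restored to PUA-ADWARE (hyphen lost at a page break).
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"PUA-ADWARE SoftPulse variant HTTP response attempt"; flow:to_client,established; file_data; content:",|22|installerBehavior|22|:{|22|hideOnInstall|22|:"; fast_pattern:only; content:"{|22|time|22|:"; content:"|22|country|22|"; within:30; content:",|22|countryId|22|:"; within:20; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/7aa774bffa2eb38c691774c1cc59e0adf6186da62afc417baa6333670e1e3011/analysis/1421687954/; classtype:trojan-activity; sid:33212; rev:1;)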
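# sid 33219: Gamarue C2 — POST to exactly /2ldr.php (urilen:9) with a bare "User-Agent: Mozilla/4.0" header (CRLF immediately after the version, no platform token).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gamarue variant outbound connection"; flow:to_server,established; urilen:9; content:"POST"; http_method; content:"/2ldr.php"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/4.0|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/eefe5370b09a32a7b295c136073a8560958c4a58822a7da5b501a10543266c6e/analysis/1421697833/; classtype:trojan-activity; sid:33219; rev:2;)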

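# sid 33220: HawkEye keylogger exfiltration by mail — SMTP to port 25/587 with a "Subject: HawkEye Keylogger | " line. Plain content match, so it sees only sessions that stay cleartext (no STARTTLS).
alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"MALWARE-CNC Win.Trojan.HawkEye keylogger exfiltration attempt"; flow:to_server,established; content:"Subject|3A 20|HawkEye Keylogger|20 7C 20|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,www.virustotal.com/en/file/f4499928a6fee5d37fb711ed6d68708bf116cfc7f284d3295dd30ded7ecf64b2/analysis/; classtype:trojan-activity; sid:33220; rev:2;)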
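# sid 33221: HawkEye stage 1 (noalert) — sets flowbit hawk.lgr on an SMTP session whose Subject is a base64 MIME encoded-word "=?utf-8?B?..." closed by "=?=" CRLF within 150 bytes. This matches plenty of legitimate mail, which is why it never alerts on its own; sids 33222/33223 require the bit.
alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"MALWARE-CNC Win.Trojan.HawkEye Keylogger exfiltration attempt - clipboard and screenshot"; flow:to_server,established; content:"Subject|3A 20|=?utf-8?B?"; fast_pattern; content:"=?=|0D 0A|"; within:150; flowbits:set,hawk.lgr; flowbits:noalert; metadata:ruleset community, service smtp; reference:url,www.virustotal.com/en/file/f4499928a6fee5d37fb711ed6d68708bf116cfc7f284d3295dd30ded7ecf64b2/analysis/; classtype:trojan-activity; sid:33221; rev:2;)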
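# sid 33222: HawkEye stage 2 — requires flowbit hawk.lgr (sid 33221) and the quoted-printable fragments "=0D=0AClipboard" and "=0D=0AKeyboard" (case-insensitive) in the message.
alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"MALWARE-CNC Win.Trojan.HawkEye Keylogger exfiltration attempt - clipboard and screenshot"; flow:to_server,established; flowbits:isset,hawk.lgr; content:"=0D=0AClipboard"; fast_pattern:only; content:"=0D=0AKeyboard"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,www.virustotal.com/en/file/f4499928a6fee5d37fb711ed6d68708bf116cfc7f284d3295dd30ded7ecf64b2/analysis/; classtype:trojan-activity; sid:33222; rev:1;)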
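# sid 33223: HawkEye stage 2 — requires flowbit hawk.lgr (sid 33221) and a MIME part named screenshot<digits>.<ext> ("name=screenshot" content plus pcre name=screenshot\d+.).
alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"MALWARE-CNC Win.Trojan.HawkEye Keylogger exfiltration attempt - clipboard and screenshot"; flow:to_server,established; flowbits:isset,hawk.lgr; content:"name=screenshot"; fast_pattern:only; pcre:"/name\x3dscreenshot\d+\x2e/i"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,www.virustotal.com/en/file/f4499928a6fee5d37fb711ed6d68708bf116cfc7f284d3295dd30ded7ecf64b2/analysis/; classtype:trojan-activity; sid:33223; rev:1;)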
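# sid 33224 (shipped disabled): external-IP check — a fixed Chrome 35 / Windows NT 6.3 User-Agent immediately followed by "Host: checkip.dyndns.org", with no Accept header. Classified INDICATOR-COMPROMISE / misc-activity (hyphens restored), i.e. a weak indicator, not a C2 match.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Win.Trojan.Blocker variant outbound connection attempt"; flow:to_server,established; content:"User-Agent: Mozilla/5.0 (Windows NT 6.3|3B| WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36|0D 0A|Host: checkip.dyndns.org|0D 0A|"; fast_pattern:only; http_header; content:!"Accept"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/79b75a8564e2e446789e1890f52c025792de919b63719e02630a70d6ae9a3ca4/analysis/1421439683/; classtype:misc-activity; sid:33224; rev:1;)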
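# sid 33227: Agent.BHHK beacon — the content is a complete 136-byte request (GET / + UA + Host: windowsupdate.microsoft.com + Connection: Close) and dsize:136 pins the packet to exactly that, so any added header or reordering evades it; Host is the fake update domain, not the real update path.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Agent.BHHK variant outbound connection"; flow:to_server,established; dsize:136; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 6.0)|0D 0A|Host: windowsupdate.microsoft.com|0D 0A|Connection: Close|0D 0A 0D 0A|"; fast_pattern:only; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/cab1fffe7a34b5bb7dab2cacd406cf15628d835ab63502d28df78c2faeaad366/analysis/1421677054/; classtype:trojan-activity; sid:33227; rev:2;)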
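# sid 33228: Kovter C2 — POST with /form2.php in the URI, no Accept header, and a client body that is a 100-300 character run of the base64 alphabet (pcre /P = client body, /i).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kovter variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/form2.php"; fast_pattern:only; http_uri; content:!"Accept"; http_header; pcre:"/[a-z\d\x2f\x2b\x3d]{100,300}/Pi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/599dc4c4dae2d12f8c8ea00114c1cbddecbc171c552e7fbe5aba516ef11b08f0/analysis/; classtype:trojan-activity; sid:33228; rev:3;)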
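# sid 33282: Upatre — URI of the form /js/jquery-<1-15 chars>.js?<9-20 alnum>=Mozilla/ (a UA-like value smuggled as the query key's value) plus a Referer header. pcre flags: U = normalized URI, G = ungreedy, i = case-insensitive.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Upatre variant outbound connection"; flow:to_server,established; content:"/js/jquery-"; fast_pattern; http_uri; content:".js?"; within:15; distance:1; http_uri; pcre:"/\x2ejs\x3f[a-zA-Z0-9]{9,20}=Mozilla\x2f/UGi"; content:"Referer|3A 20|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/7a06565bb9d49aa92084b5bc32cf59d04dc1d60d63827099ca7c14063f54967a/analysis/1421616162/; classtype:trojan-activity; sid:33282; rev:2;)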
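# sid 33443: Symmi — URI /r1xpr/r1xe.html with the "Mozilla/3.0 (compatible; Indy Library)" User-Agent. The UA is shared by many Delphi/Indy programs; the URI is the specific part.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:"/r1xpr/r1xe.html"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/4ca26daa7cfb81c8ee05c955f19ef527a9452f2dad3c63674afa7f6796d96f02/analysis/; classtype:trojan-activity; sid:33443; rev:2;)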
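# sid 33444: SpyBanker — URI path segment /m343ff4ufbnmm4uu4nf34m443frr/ with the Indy Library User-Agent (same UA caveat as sid 33443).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SpyBanker variant outbound connection"; flow:to_server,established; content:"/m343ff4ufbnmm4uu4nf34m443frr/"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/66e69ff2c4881a1c95eccd287af3b8db692fd5c9df3caee464f8b4125d46c1a4/analysis/; classtype:trojan-activity; sid:33444; rev:2;)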
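# sid 33449: FileEncoder geolocation check-in to ip-addr.es — the content is the entire 214-byte request and dsize:214 requires the packet to be exactly that. "Cache-Control" is restored (the page dropped the hyphen); without it the content would be 213 bytes and could never satisfy dsize:214.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FileEncoder IP geolocation checkin attempt"; flow:to_server,established; dsize:214; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B| SV1|3B| .NET4.0C|3B| .NET4.0E|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.0.4506.2152|3B| .NET CLR 3.5.30729)|0D 0A|Host: ip-addr.es|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/17edf82c40df6c7268191def7cbff6e60e78d7388018408800d42581567f78cf/analysis/; classtype:trojan-activity; sid:33449; rev:1;)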
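# sid 33450: FileEncoder C2 — POST, form-urlencoded, Content-Length exactly 128, an MSIE User-Agent, no Accept-Language, and a body of <one lowercase letter>=<126 hex chars> (1+1+126 = 128, consistent with the length header). Restored "x-www-form-urlencoded" and the pcre class "[a-z]" — both had lost a hyphen at a page break, and "[az]" would only have matched the two letters a and z.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FileEncoder variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"="; depth:2; http_client_body; content:"Content-Length: 128|0D 0A|"; fast_pattern:only; http_header; content:"Content-Type: application/x-www-form-urlencoded|0D 0A|"; http_header; content:"|3B 20|MSIE|20|"; http_header; content:!"Accept-Language:"; http_header; pcre:"/[a-z]\x3d[a-f\d]{126}/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/17edf82c40df6c7268191def7cbff6e60e78d7388018408800d42581567f78cf/analysis/; classtype:trojan-activity; sid:33450; rev:2;)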
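# sid 33452: Crossrider toolbar telemetry — URI containing .gif?action= followed, in order, by &browser=, &osbuild= and &osprod=. No impact_flag; classified PUA but still set to drop in the balanced/security IPS policies.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Win.Toolbar.Crossrider variant outbound connection"; flow:to_server,established; content:".gif?action="; http_uri; content:"&browser="; distance:0; http_uri; content:"&osbuild="; distance:0; http_uri; content:"&osprod="; distance:0; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/06f3bd3df0326b5c3c5b03070d9d870507b868ee4e1acff62f0d301c43492709/analysis/; classtype:trojan-activity; sid:33452; rev:2;)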
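# sid 33453: Kovter C2 — POST to exactly /12/index.php (urilen:13), an IE11/Trident 7 User-Agent line, no Accept header. "User-Agent:" restored — the page had fused it to "UserAgent:", which would never match a real header.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kovter variant outbound connection"; flow:to_server,established; urilen:13; content:"POST"; http_method; content:"/12/index.php"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|"; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/db8952943708f4eefa72ad04ff01bdf9acb33fdd89a5ad98b0ec2649fb116a52/analysis/1422981882/; classtype:trojan-activity; sid:33453; rev:2;)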
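# sid 33457: Symmi — GET whose User-Agent is literally the URL http://www.pershop.com.br/, a .php URI, and neither Referer nor any Accept-* header. "User-Agent:" restored (hyphen lost at a page break).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"User-Agent: http://www.pershop.com.br/"; fast_pattern:only; http_header; content:".php"; http_uri; content:!"Referer:"; http_header; content:!"Accept-"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/609c2c8ab60a30822689a3955fb84f06b5c3962e0d2b894f4794ac8ee5eee2eb/analysis/; classtype:trojan-activity; sid:33457; rev:2;)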
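# sid 33519: User-Agent exactly "ALIZER" (header line ends right after it). Paired with sid 33520/33521 (Zusy) via the same VirusTotal reference.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user agent - ALIZER"; flow:to_server,established; content:"User-Agent|3A 20|ALIZER|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/958c004400ca2a736473c68d842cbea9038bde940d1e44fb08cf08c4352c5f55/analysis/; classtype:trojan-activity; sid:33519; rev:1;)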
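# sid 33520: Zusy C2 response — body containing "Array\n(\n    [<11 alnum>] => <16 digits>\n)" (looks like PHP print_r() output; inferred from the shape, not documented). The pcre class is restored to "[a-z\d]" — the page had dropped the hyphen, leaving "[az\d]".
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Zusy inbound CNC response"; flow:to_client,established; file_data; content:"|0A|Array|0A 28 0A 20 20 20 20 5B|"; fast_pattern; content:"] => "; within:20; pcre:"/\x0aArray\x0a\x28\x0a\x20{4}\x5b[a-z\d]{11}\x5d\x20\x3d\x3e\x20\d{16}\x0a\x29/i"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/958c004400ca2a736473c68d842cbea9038bde940d1e44fb08cf08c4352c5f55/analysis/; classtype:trojan-activity; sid:33520; rev:1;)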
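# sid 33521: Zusy check-in — client body starting with hwid= and carrying &mode= (within 50), &system= (within 32), &version= (within 60) in that order, plus &pcname= anywhere in the body (fast pattern). "balanced-ips" restored in metadata.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zusy variant outbound connection"; flow:to_server,established; content:"&pcname="; fast_pattern:only; http_client_body; content:"hwid="; depth:5; http_client_body; content:"&mode="; within:50; http_client_body; content:"&system="; within:32; http_client_body; content:"&version="; within:60; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/958c004400ca2a736473c68d842cbea9038bde940d1e44fb08cf08c4352c5f55/analysis/; classtype:trojan-activity; sid:33521; rev:1;)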
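# sid 33522: DNS Changer — User-Agent exactly "DNS Check". Two VirusTotal samples referenced; sids 33523/33524 cover the same family's URIs.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user-agent - DNS Changer"; flow:to_server,established; content:"User-Agent|3A 20|DNS Check|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2b16bd74ed6cf86938a7108b6a6fa9343ac4f890f0228b964a98c45428cb4e3c/analysis/; reference:url,www.virustotal.com/en/file/e5cbca1c1cca4ce5ef8beddca38869bdb18e089b969171e5ba337aa756371c36/analysis/; classtype:trojan-activity; sid:33522; rev:1;)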
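# sid 33523: DNSChanger install beacon — User-Agent "NSIS_Inetc (Mozilla)" (presumably the NSIS Inetc plugin's default; not distinctive on its own) combined with /postinstall.php?src=...&medium= in the URI.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DNSChanger variant outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|NSIS_Inetc (Mozilla)|0D 0A|"; fast_pattern:only; http_header; content:"/postinstall.php?"; http_uri; content:"src="; within:5; http_uri; content:"&medium="; within:15; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2b16bd74ed6cf86938a7108b6a6fa9343ac4f890f0228b964a98c45428cb4e3c/analysis/; reference:url,www.virustotal.com/en/file/e5cbca1c1cca4ce5ef8beddca38869bdb18e089b969171e5ba337aa756371c36/analysis/; classtype:trojan-activity; sid:33523; rev:1;)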
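# sid 33524: DNSChanger update poll — URI /updateb.xml? with rnd=, &spfail= (within 20) and &guid= (within 15) query parameters in that order.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DNSChanger variant outbound connection"; flow:to_server,established; content:"/updateb.xml?"; fast_pattern:only; http_uri; content:"rnd="; http_uri; content:"&spfail="; within:20; http_uri; content:"&guid="; within:15; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2b16bd74ed6cf86938a7108b6a6fa9343ac4f890f0228b964a98c45428cb4e3c/analysis/; reference:url,www.virustotal.com/en/file/e5cbca1c1cca4ce5ef8beddca38869bdb18e089b969171e5ba337aa756371c36/analysis/; classtype:trojan-activity; sid:33524; rev:1;)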
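# sid 33547: Turla C2 — POST whose URI query carries ?uid=, &context=, &mode=text (fast pattern) and &data= in that order.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Turla outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"?uid="; http_uri; content:"&context="; distance:0; http_uri; content:"&mode=text"; distance:0; fast_pattern; http_uri; content:"&data="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/1a488c6824bd39f3568346b2aaf3f6666f41b1d4961a2d77360c7c65c7978b5e/analysis/; classtype:trojan-activity; sid:33547; rev:2;)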
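# sid 33560: Cossta — DNS query for tracking-recipient.net46.net. byte_test on header byte 2 requires none of the 0xF8 bits set (QR=0, Opcode=0: a standard query, not a response); the content is the wire-format name with length labels 0x12 "tracking-recipient", 0x05 "net46", 0x03 "net", 0x00. Destination is any:53, so it also sees queries to internal resolvers.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain tracking-recipient.net46.net - Win.Cossta"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|12|tracking-recipient|05|net46|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/cdaa661e2b5913997f4d905e0490bd8d9069a0c9f90a13944d5d3e1d6d1f2089/analysis/; classtype:trojan-activity; sid:33560; rev:1;)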
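# sid 33646: XORDDoS check-in — GET, URI under 64 bytes, /check.action?iid= followed by exactly 32 bytes (distance:32; within:8) and then &kernel=.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Linux.Trojan.XORDDoS outbound connection attempt"; flow:to_server,established; urilen:<64; content:"GET"; http_method; content:"/check.action?iid="; http_uri; content:"&kernel="; within:8; distance:32; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e8cb63cc050c952c1168965f597105a128b56114835eb7d40bdec964a0e243dc/analysis/; classtype:trojan-activity; sid:33646; rev:1;)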
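# sid 33647: XORDDoS submit — POST, URI over 100 bytes, /submit.action?username= then &password= within 30 bytes and .tgz later in the URI.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Linux.Trojan.XORDDoS outbound connection attempt"; flow:to_server,established; urilen:>100; content:"POST"; http_method; content:"/submit.action?username="; http_uri; content:"&password="; within:30; http_uri; content:".tgz"; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e8cb63cc050c952c1168965f597105a128b56114835eb7d40bdec964a0e243dc/analysis/; classtype:trojan-activity; sid:33647; rev:1;)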
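# sid 33648: XORDDoS compiler request — GET, URI over 100 bytes, /compiler.action?iid=<32 bytes>&username= (within 10 after the 32-byte skip), &password= 1 byte on and within 30, then &kernel= later.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Linux.Trojan.XORDDoS outbound connection attempt"; flow:to_server,established; urilen:>100; content:"GET"; http_method; content:"/compiler.action?iid="; http_uri; content:"&username="; within:10; distance:32; http_uri; content:"&password="; within:30; distance:1; http_uri; content:"&kernel="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e8cb63cc050c952c1168965f597105a128b56114835eb7d40bdec964a0e243dc/analysis/; classtype:trojan-activity; sid:33648; rev:1;)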

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST
User-Agent known malicious user agent - Google Omaha Win.Trojan.ExtenBro"; flow:to_server,established; content:"User-Agent:
Google Omaha|0D 0A|"; fast_pattern:only; http_header; metadata:policy
balanced-ips drop, policy security-ips drop, ruleset community, service
http;
reference:url,www.virustotal.com/en/file/34a3667846bbdea8dc92150e6766e3ba
c129a2b5fd4856c6f1512e794b90f23d/analysis/; classtype:trojan-activity;
sid:33649; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Tinba outbound connection attempt";
flow:to_server,established; content:"POST"; http_method; urilen:9;
content:"/preview/"; http_uri; content:"Content-Length: 157|0D 0A|";
http_header; content:!"User-Agent|3A 20|"; http_header; content:"|00 80
00 00 00|"; depth:5; offset:24; http_client_body; metadata:impact_flag
red, policy balanced-ips drop, policy security-ips drop, ruleset
community, service http;
reference:url,www.virustotal.com/en/file/8eb2c85abe7acee219e344ae0592a2b1
c159bdafa037be39ac062bdaeeb1f621/analysis/; classtype:trojan-activity;
sid:33650; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Babar outbound connection"; flow:to_server,established;
content:"/bb/index.php"; http_uri; content:"User-Agent|3A 20|Mozilla/4.0
(compatible|3B| MSI 6.0|3B|"; fast_pattern:only; http_header;
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/c72a055b677cd9e5e2b2dcbba520425d
023d906e6ee609b79c643d9034938ebf/analysis/; classtype:trojan-activity;
sid:33677; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.FannyWorm outbound connection attempt";
flow:to_server,established; content:"User-Agent|3A 20|Mozilla/4.0
(compatible|3B|)|0D 0A|"; fast_pattern:only; http_header;
content:"/ads/QueryRecord"; http_uri; content:".html"; within:25;
http_uri; metadata:impact_flag red, policy balanced-ips drop, policy
security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/003315b0aea2fcb9f77d29223dd8947d
0e6792b3a0227e054be8eb2a11f443d9/analysis/; classtype:trojan-activity;
sid:33678; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE
Microsoft emf file download request"; flow:to_server,established;
flowbits:isset,file.emf; file_data; content:" EMF"; depth:4; offset:40;
metadata:ruleset community, service smtp; reference:bugtraq,10120;
reference:bugtraq,28819; reference:bugtraq,9707; reference:cve,2003-0906;
reference:cve,2007-5746; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-032; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-053; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-001; classtype:misc-activity; sid:33740;
rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE
Adware Goobzo/CrossRider variant outbound connection";
flow:to_server,established; content:"/install.ashx?id=";
fast_pattern:only; http_uri; content:"User-Agent|3A 20|NSIS_Inetc
(Mozilla)|0D 0A|"; http_header; metadata:ruleset community, service http;


reference:url,www.virustotal.com/en/file/bace69ffe133e7693b3b77994a3c81e9
90288ca4b642cffe12938d705c7019df/analysis/; classtype:misc-activity;
sid:33815; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE
Adware Goobzo/CrossRider variant outbound connection";
flow:to_server,established; content:"/ping.ashx?action=";
fast_pattern:only; http_uri; content:"&usid="; http_uri; content:"&aff=";
distance:0; http_uri; metadata:ruleset community, service http;
reference:url,www.virustotal.com/en/file/bace69ffe133e7693b3b77994a3c81e9
90288ca4b642cffe12938d705c7019df/analysis/; classtype:misc-activity;
sid:33816; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Egamipload variant outbound connection";
flow:to_server,established; content:"POST"; http_method;
content:"/service/related?sector="; fast_pattern:only; http_uri;
content:"Mozilla|2F|4.0 (compatible|3B| MSIE 8.0|3B| Windows NT 5.1|3B|
Trident/4.0)"; http_header; metadata:impact_flag red, policy balanced-ips
drop, policy security-ips drop, ruleset community, service http;
reference:url,www.virustotal.com/en/file/50d7dab7095d5b84a6ccb11769d82cc1
05b519d84ab7aef4d540ed3703ae3e45/analysis/; classtype:trojan-activity;
sid:33822; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE
User-Agent adware OutBrowse/Amonitize"; flow:to_server,established;
content:"User-Agent|3A 20|"; http_header; content:" Loader|0D 0A|";
within:150; fast_pattern; http_header; metadata:ruleset community,
service http; classtype:trojan-activity; sid:33833; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE
User-Agent adware OutBrowse/Amonitize"; flow:to_server,established;
content:"User-Agent|3A 20|"; http_header; content:" Pi/3.1415926|0D 0A|";
within:150; fast_pattern; http_header; metadata:ruleset community,
service http; classtype:trojan-activity; sid:33834; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE
User-Agent adware OutBrowse/Amonitize"; flow:to_server,established;
content:"User-Agent|3A 20|"; http_header; content:" in my heart of
heart.|0D 0A|"; within:150; fast_pattern; http_header; metadata:ruleset
community, service http; classtype:trojan-activity; sid:33835; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Poseidon outbound connection"; flow:established,to_server;
content:"Mozilla/4.0 (compatible|3B| MSIE 8.0|3B| Windows NT 6.1|3B|
Trident/4.0|3B| SLCC2|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.5.30729|
3B| .NET CLR 3.0.30729|3B| Media Center PC 6.0)"; fast_pattern:only;
http_header; content:"uid="; depth:4; http_client_body;
content:"&uinfo="; within:26; http_client_body; content:"&win=";
distance:0; http_client_body; content:"&bits="; within:6; distance:3;
http_client_body; content:"&build="; within:20; distance:8;
http_client_body; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:33851; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.Poseidon outbound connection"; flow:established,to_server;
content:"Mozilla/4.0 (compatible|3B| MSIE 8.0|3B| Windows NT 6.1|3B|
Trident/4.0|3B| SLCC2|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.5.30729|
3B| .NET CLR 3.0.30729|3B| Media Center PC 6.0)"; http_header;


content:"oprat="; depth:6; http_client_body; content:"&uinfo=";
within:10; distance:23; http_client_body; content:"&win="; distance:0;
http_client_body; content:"&vers="; within:6; distance:3;
http_client_body; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http;
reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:33852; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC
Win.Trojan.Gh0st variant outbound connection";
flow:to_server,established; content:"KrisR"; depth:5; content:"|00 00
00|"; within:3; distance:1; content:"|00 00 78 9C|"; within:4;
distance:2; metadata:impact_flag red, policy balanced-ips drop, policy
security-ips drop, ruleset community;
reference:url,virustotal.com/en/file/a4fd37b8b9eabd0bfda7293acbb1b6c9f97f
8cc3042f3f78ad2b11816e1f9a59/analysis/1425053730/; classtype:trojan-activity; sid:33885; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win.Trojan.VBPasswordStealer variant outbound connection";
flow:to_server,established; content:"/index.php?"; http_uri;
content:"action=add"; fast_pattern; http_uri; content:"&username=";
distance:0; http_uri; content:"&password="; distance:0; http_uri;
content:"&app="; distance:0; http_uri; content:"&pcname="; distance:0;
http_uri; content:"&sitename="; distance:0; http_uri; content:!"Accept";
http_header; content:!"Connection"; http_header; metadata:impact_flag
red, policy balanced-ips drop, policy security-ips drop, ruleset
community, service http;
reference:url,www.virustotal.com/en/file/4f0988ac590d52b97b1a162f5ee098c3
8f6e640be783a511049d8e5006cac011/analysis/; classtype:trojan-activity;
sid:34047; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE
InstallMetrix precheck stage outbound connection";
flow:to_server,established; content:"/installer_gate_client.php?";
fast_pattern:only; http_uri; content:"download_id="; http_uri;
content:"&mode=prechecking"; distance:0; http_uri; content:!"Accept";
http_header; content:!"Connection"; http_header; metadata:ruleset
community, service http;
reference:url,www.virustotal.com/en/file/d99db4f7f047cbf672eb19ea2e492a45
d948338c0f10ef4761db3b9e372ba90e/analysis/1426449298/; classtype:misc-activity; sid:34119; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE
InstallMetrix fetch offers stage outbound connection";
flow:to_server,established; content:"/installer_gate_client.php?";
fast_pattern:only; http_uri; content:"download_id="; http_uri;
content:"&mode=getcombo"; distance:0; http_uri; content:"&offers=";
distance:0; http_uri; content:!"Accept"; http_header;
content:!"Connection"; http_header; metadata:ruleset community, service
http;
reference:url,www.virustotal.com/en/file/d99db4f7f047cbf672eb19ea2e492a45
d948338c0f10ef4761db3b9e372ba90e/analysis/1426449298/; classtype:misc-activity; sid:34120; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE
InstallMetrix reporting binary installation stage status";
flow:to_server,established; content:"POST"; http_method; content:"User-Agent|3A 20|NSIS_Inetc (Mozilla)|0D 0A|"; fast_pattern:only; http_header;


content:"|22|event_type|22|"; offset:1; http_client_body; content:"|22|
environment|22|"; distance:0; http_client_body; content:"|22|machine_ID|
22|"; distance:0; http_client_body; content:"|22|result|22|"; distance:0;
http_client_body; content:"|22|failure_reason|22|"; distance:0;
http_client_body; metadata:ruleset community, service http;
reference:url,www.virustotal.com/en/file/d99db4f7f047cbf672eb19ea2e492a45
d948338c0f10ef4761db3b9e372ba90e/analysis/1426449298/; classtype:misc-activity; sid:34121; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE
InstallMetrix reporting fetch offers stage status";
flow:to_server,established; content:"/report.php?"; http_uri;
content:"download_id="; distance:0; http_uri; content:"&mode=";
distance:0; http_uri; content:"&combo_id="; distance:0; http_uri;
content:"&os_name="; distance:0; http_uri; content:"&os_add=";
distance:0; http_uri; content:"&os_build="; distance:0; http_uri;
content:"&proj_id="; distance:0; http_uri; content:"&offer_id=";
distance:0; http_uri; content:!"Connection"; http_header;
metadata:ruleset community, service http;
reference:url,www.virustotal.com/en/file/d99db4f7f047cbf672eb19ea2e492a45
d948338c0f10ef4761db3b9e372ba90e/analysis/1426449298/; classtype:misc-activity; sid:34122; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE
User-Agent Vitruvian"; flow:to_server,established; content:"User-Agent|3A
20|Vitruvian"; fast_pattern:only; http_header; metadata:ruleset
community, service http;
reference:url,www.virustotal.com/en/file/a59f0e717dc530814dea3fdf65597faa
ad90ed8bfe3c8b8f6cea0e708049a784/analysis/1426449345/; classtype:misc-activity; sid:34125; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE
Vitruvian outbound connection"; flow:to_server,established;
content:"/inst?"; http_uri; content:"hid="; http_uri; content:"&sid=";
distance:0; http_uri; content:"&tr="; distance:0; http_uri;
content:"&a="; distance:0; http_uri; content:"&adm="; distance:0;
http_uri; content:"&os="; distance:0; http_uri; content:"User-Agent|3A
20|Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest.";
fast_pattern:only; http_header; metadata:ruleset community, service http;
reference:url,www.virustotal.com/en/file/a59f0e717dc530814dea3fdf65597faa
ad90ed8bfe3c8b8f6cea0e708049a784/analysis/1426449345/; classtype:misc-activity; sid:34126; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE
Vitruvian outbound connection"; flow:to_server,established;
content:"/inst?"; http_uri; content:"sid="; http_uri; content:"&st=";
distance:0; http_uri; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|
3B| Win32|3B| WinHttp.WinHttpRequest."; fast_pattern:only; http_header;
metadata:ruleset community, service http;
reference:url,www.virustotal.com/en/file/a59f0e717dc530814dea3fdf65597faa
ad90ed8bfe3c8b8f6cea0e708049a784/analysis/1426449345/; classtype:misc-activity; sid:34127; rev:1;)
alert tcp $EXTERNAL_NET 1433 -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.Banload variant MSSQL response"; flow:to_client,established;
content:"|0B|m|00|a|00|c|00|a|00|v|00|e|00|r|00|d|00|e|00|m|00|2|00 06|m|
00|a|00|s|00|t|00|e|00|r|00|"; fast_pattern:only; content:"|08|D|00|B|00|
S|00|Q|00|0|00|0|00|1|00|7|00|"; metadata:policy balanced-ips drop,
policy security-ips drop, ruleset community;


reference:url,www.virustotal.com/en/file/22ccd94c7e99a17753218708cea1abe1
62d289b7a0105c3be9620bf224f36f3f/analysis/; classtype:trojan-activity;
sid:34136; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE
SearchProtect user-agent detection"; flow:to_server,established;
content:"User-Agent|3A 20|SearchProtect|3B|"; fast_pattern:only;
http_header; metadata:ruleset community, service http;
reference:url,www.virustotal.com/en/file/cbddccb934d302497ac60f924088034a
1852c378cc51df20c2e53b401ffc4651/analysis/; classtype:misc-activity;
sid:34137; rev:2;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC
Win.Trojan.Dyre publickey outbound connection attempt";
flow:to_client,established; content:"|00 DE C5 45 99 14 1E F5 7E 56 78 DF
23 CE 8A 12|"; fast_pattern:only; content:"LvtfOWStYYHNbdiE15aNsOyg";
metadata:impact_flag red, policy security-ips drop, ruleset community,
service http; reference:url,phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl;
reference:url,www.virustotal.com/en/file/417c9cd7c8abbd7bbddfc313c9f15375
8fd11bda47f754b9c59bc308d808c486/analysis/; classtype:trojan-activity;
sid:34140; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE
SuperOptimizer installation status"; flow:to_server,established;
content:"User-Agent|3A 20|NSIS_Inetc (Mozilla)|0D 0A|";
fast_pattern:only; http_header; content:"|22|event_type|22|"; depth:15;
offset:1; http_client_body; content:"|22|installation_session_id|22|";
within:100; http_client_body; content:"|22|environment|22|"; distance:0;
http_client_body; content:"|22|command_line|22|"; distance:0;
http_client_body; metadata:ruleset community, service http;
reference:url,www.virustotal.com/en/file/1df4d1f316bd526e56b5fa0f84704bac
365484c049e6a7c76145cb45e5e32049/analysis/1426449377/; classtype:misc-activity; sid:34144; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE
SuperOptimizer encrypted data transmission"; flow:to_server,established;
content:"User-Agent|3A 20|NSIS_Inetc (Mozilla)|0D 0A|";
fast_pattern:only; http_header; content:"|22|encryptedKey|22|"; depth:20;
offset:1; http_client_body; content:"|22|encryptedData|22|"; distance:0;
http_client_body; metadata:ruleset community, service http;
reference:url,www.virustotal.com/en/file/1df4d1f316bd526e56b5fa0f84704bac
365484c049e6a7c76145cb45e5e32049/analysis/1426449377/; classtype:misc-activity; sid:34145; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE
SuperOptimizer geolocation request"; flow:to_server,established;
content:"/ip/?client=sp"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|NSIS_Inetc (Mozilla)|0D 0A|"; http_header; metadata:ruleset
community, service http;
reference:url,www.virustotal.com/en/file/1df4d1f316bd526e56b5fa0f84704bac
365484c049e6a7c76145cb45e5e32049/analysis/1426449377/; classtype:misc-activity; sid:34146; rev:1;)
42142
1421421421421421421421421421421421421421421421421421421421421421421421421
4214214214214214214214214214214214214214214214214214214214214214214214214
2142142142142142142142142142142142142142142142142142142142142142142142142

2422422422422422422422422422422422422422422422422422422422422422422422422
4224224224224224224224224224224224224224224224224224224224224224224224224
2242242242242242242242242242242242242242242242242242242242242242242242242
2422422422422422422422422422422422422422422422422422422422422422422422422
422422422422422422422422422422422422422422422422422422422422422422422422c
ommunityrules/AUTHORS42
2422422422422422422422422422422422422422422422422422422422422422422422422
4224224224224224224224224224224224224224224224224224224224224224224224224
2242242242242242242242242242242242242242242242242242242242242242242242242
2422422422000064442200022724220002272422000000132234221251554013742201555
6422
042
2422422422422422422422422422422422422422422422422422422422422422422422422
4224224224224224224224224224224224224224224224224224224224224224224224224
2242242242242242242242242242242242242242242242242242242242242242242242242
2422422422422422422422422422422422422422422422422422422422422422422422422
422422ustar
422vrtbuild42242242242242242242242242242242242242242242242242242242242242
2422422422vrtbuild4224224224224224224224224224224224224224224224224224224
2242242242242242242242242242242242242242242242242242242242242242242242242
2422422422422422422422422422422422422422422422422422422422422422422422422
4224224224224224224224224224224224224224224224224224224224224224224224224
2242242242242242242242242242242242242242242242242242242242242242242242242
2422422422422422422422422422422422422422422422422422422422422422422422422
4224224224224224224224224224224224224224224224224224224224224224224224224
2242242242242242242242242242242242242242242242242242242242242242242242242
2422422422422422422422422422422422422422422422422422422## This file
contains the information about the authors of the Community ruleset.
## Each author is listed by name, and the SIDs associated with that author
## are listed underneath the name.
## The VRT would like to thank each author for contributing to the
ruleset.
## To contribute to this ruleset, please email research [] sourcefire.com
Jason Wallace
21246
21255
21256
21257
21267
21442
21266
21818
21819
21820
21821
21822
21823
21824
21825
21826
21827
21828

21829
21830
21831
21832
21833
21834
21835
21836
21837
21838
21839
21840
21841
21842
21843
21475
Nick Randolph
21327
Nathan Fowler
21375
21417
21438
24226
24227
21562
26814
26576
26577
26618
26838
26948
26947
26949
26950
26951
26985
27085
27086
27087
27088
31455
Frederick Stankowski
21443
21444
Eoin Miller
21845
21846
21847
21848

21849
21850
21851
22061
Alexandre Menezes
22957
22958
22959
22960
24031
24032
24033
24034
26916
26917
26918
26919
26920
29761
29762
29763
29763
29764
29765
29766
29767
29768
29769
29770
29771
29771
29772
29773
29774
29775
29776
29777
29778
29779
29780
29781
29832
29833
29834
29835
29836
29837
29838
29839
29840
29841
29842
29843

29844
29845
29846
29847
29848
29849
29850
29851
29852
29853
29854
29855
29856
29857
29858

James Lay
23179
24017
24171
24102
24225
24265
24251
24265
24253
24254
24598
25948
26380
26381
26382
26467
26483
26522
26585
26655
26656
26658
26659
26698
26719
26720
26725
26726
26727
26728
26729
26730
26731
26732
26733

26734
26735
26736
26737
26738
26739
26740
26741
26742
26743
26744
26745
26746
26747
26748
26749
26750
26810
26834
26837
26839
26948
26947
26949
26950
26951
26965
27039
27040
27041
27042
27047
27144
27145
27203
27599
27726
27727
27728
28007
28008
28009
28010
28011
28079
28215
29816
29817
29829
29830
29831
30065
30066
30549

31293
33513
Brett Caldwell
23481
23482
23621
23795
23636
Avery Tarasov
24255
25809
24798
24885
24886
25050
25119
25224
25256
25258
25259
25269
25271
25277
25471
25503
25504
25511
25577
25578
25579
25580
25627
25652
25660
25675
25765
25766
25807
25829
25854
25946
25947
25949
26023
26024
26075
26106
26211
26212
26264
26265
26286

26287
26288
26289
25054
25257
26319
26325
26327
26335
26370
26371
26398
26470
26480
26481
26482
26533
26560
26561
26562
26563
26580
26581
26582
26583
26589
26612
26613
26614
26654
26657
26660
26696
26697
26718
26722
26723
26752
26762
26774
26775
26776
26779
26780
26781
26782
26811
26812
26835
26836
26910
26911
26912
26913

26914
26915
26924
26966
26968
26969
26970
26971
26984
27017
27043
27044
27045
27146
27155
27180
27181
27199
27200
27201
27202
27204
27247
27248
27252
27253
27254
27255
27256
27257
27533
27534
27535
27537
27538
27566
27596
27632
27633
27648
27649
27680
27774
27775
27865
27918
27919
27965
28004
28012
28080
28114
28115
28116

28117
28118
28119
28120
28121
28122
28123
28147
28148
28152
28153
28154
28155
28156
28192
28193
28255
28285
28293
28294
28295
28296
28297
28302
28404
28405
28406
28445
28446
28541
28542
28543
28044
28540
28800
28801
28802
28803
28804
28805
28806
28807
28539
28809
28810
28814
28815
28918
28919
28945
28959
28960
28976
28977

29030
29031
29167
29126
29127
29216
29217
29220
29259
29260
29261
29262
29263
29300
29349
29395
29664
29665
29824
29825
29826
29827
29828
29832
29833
29862
29863
29865
29875
29882
29884
29891
29894
29895
29897
30067
30068
30091
30234
30255
30256
30257
30258
30259
30260
30261
30262
30543
30544
30545
30546
30547
30548
30550

30551
30552
30567
30568
30569
30570
30914
30915
30918
30919
30949
30997
30998
30999
31000
31001
31034
31035
31036
31221
31222
31262
31294
31295
31315
31112
31113
31243
31244
31260
31261
31442
31452
31453
31454
31456
31457
31458
31463
31464
31465
31466
31467
31468
31472
31530
31507
31680
31681
31682
31683
31639
31640
31641

31642
31649
31820
31824
31825
31826
31827
31829
31916
31917
31918
31919
31920
31921
31922
31923
31924
31964
31973
31990
31991
32008
32130
32196
32225
32367
32374
32385
32531
32583
32584
32604
32605
32606
32607
32608
32852
32853
32888
33212
33219
33224
33227
33228
33443
33444
33449
33450
33453
33457
33519
33520
33560
33649

Randy Miller
25518
25519
25520
25521
25522
25523
25524
25525
Joerg Weber
26020
Yaser Mansour
26395
26396
26399
26400
26401
26402
26403
26404
26405
26406
26407
26408
26409
26411
26412
26413
26553
26554
26555
26556
27567
27625
27626
27627
27628
27629
27630
27631
27707
27708
27801
27802
27803
27804
27913
27914
27915
27916

27917
28005
28006
28033
28034
28035
28036
28042
28105
28106
28107
28300
28552
28553
28554
28555
28556
28557
28940
28950
28951
28952
28953
28954
29492
29493
29494
29567
29568
29569
29666
29864
30069
30070
30071
30072
30288
30795
30796
30824
30825
30826
30827
30828
30829
30830
30831
30832
30833
30834
30835
30836
30837
30838

30839
30840
30841
30842
31053
31070
31084
31531
31593
31600
31601
31602
31603
31604
31605
31606
31607
31830
31831
31965
31966
31967
31968
31969
31970
31971
31972
32065
32066
32067
32776
32823
32824
32825
32826
32827
32956
32957
32958
33207
33220
33221
33222
33223
32976
32977
33281
33282
33522
33523
33524
33547
33646
33647

33648
33650
33677
33678
33815
33816
33818
33819
33820
33821
33822
34137
34144
34145
34146
rmkml
26468
26469
Eddie Mitchell
26526
26578
26579
Dell SecureWorks
26558
Hank Leininger
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697

1698
Paul Bottomley
26695
26923
27246
27565
27805
Christopher Hall
26842
Brandon Kendall
26925
Adam Gardner
27865
Nick Mavis
28344
31455
Caleb Jaren, Microsoft
28913
Tony Robinson
29760
29788
29789
29790
29791
29761
29762
29763
29763
29764
29765
29766
29767
29768
29769
29770
29771
29771
29772
29773
29774
29775
29776
29777
29778
29779
29780
29781

32665
32666
32667
32670
BAE
30191
Red Sky Alliance
33047
33058
33059
33060
43943
9439439439439439439439439439439439439439439439439439439439439439439439439
4394394394394394394394394394394394394394394394394394394394394394394394394
3943943943943943943943943943943943943943943943943943943943943943943943943
9439439439439439439439439439439439439439439439439439439439439439439439439
4394394394394394394394394394394394394394394394394394394394394394394394394
3943943943943943943943943943943943943943943943943943943943943943943943943
9439439439439439439439439439439439439439439439439439439439439439439439439
4394394394394394394394394394394394394394394394394394394394394394394394394
3943943943943943943943943943943943943943943943943943943943943943943943943
9439439439439439439439439439439439439439439439439439439439439439439439439
4394394394394394394394394394394394394394394394394394394394394394394394394
3943943943943943943943943943943943943943943943943943943943943943943943943
9439439439439439439439439439439439439439439439439439439439439439439439439
4394394394394394394394394394394394394394394394394394394394394394394394394
39439439439439439439439439439439439439439439439439439439439439439439commu
nityrules/LICENSE43
9439439439439439439439439439439439439439439439439439439439439439439439439
4394394394394394394394394394394394394394394394394394394394394394394394394
3943943943943943943943943943943943943943943943943943943943943943943943943
9439439439000064443900022724390002272439000000354274391212221774343901552
3439
043
9439439439439439439439439439439439439439439439439439439439439439439439439
4394394394394394394394394394394394394394394394394394394394394394394394394
3943943943943943943943943943943943943943943943943943943943943943943943943
9439439439439439439439439439439439439439439439439439439439439439439439439
439439ustar
439vrtbuild43943943943943943943943943943943943943943943943943943943943943
9439439439vrtbuild4394394394394394394394394394394394394394394394394394394
3943943943943943943943943943943943943943943943943943943943943943943943943
9439439439439439439439439439439439439439439439439439439439439439439439439
4394394394394394394394394394394394394394394394394394394394394394394394394
3943943943943943943943943943943943943943943943943943943943943943943943943
9439439439439439439439439439439439439439439439439439439439439439439439439
4394394394394394394394394394394394394394394394394394394394394394394394394
3943943943943943943943943943943943943943943943943943943943943943943943943
9439439439439439439439439439439439439439439439439439439
GNU
GENERAL PUBLIC LICENSE
Version 2, June 1991

Copyright (C) 1989, 1991 Free Software Foundation, Inc.


59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and

modification follow.

GNU GENERAL PUBLIC LICENSE


TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.

c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on

the Program is not required to print an announcement.)

These requirements apply to the modified work as a whole. If


identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange;
or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.

If distribution of executable or object code is made by offering


access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.

4. You may not copy, modify, sublicense, or distribute the Program


except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.

This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.

8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free
Software Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
44944
9449449449449449449449449449449449449449449449449449449449449449449449449
4494494494494494494494494494494494494494494494494494494494494494494494494
4944944944944944944944944944944944944944944944944944944944944944944944944
9449449449449449449449449449449449449449449449449449449449449449449449449
4494494494494494494494494494494494494494494494494494494494494494494494494
4944944944944944944944944944944944944944944944944944944944944944944944944
9449449449449449449449449449449449449449449449449449449449449449449449449
4494494494494494494494494494494494494494494494494494494494494494494494494
4944944944944944944944944944944944944944944944944944944944944944944944944
9449449449449449449449449449449449449community-rules/sidmsg.map44
9449449449449449449449449449449449449449449449449449449449449449449449449
4494494494494494494494494494494494494494494494494494494494494494494494494
4944944944944944944944944944944944944944944944944944944944944944944944900
00644449000227244900022724490000136276644912517366410449016576449
044
9449449449449449449449449449449449449449449449449449449449449449449449449
4494494494494494494494494494494494494494494494494494494494494494494494494
4944944944944944944944944944944944944944944944944944944944944944944944944
9449449449449449449449449449449449449449449449449449449449449449449449449
449449ustar
449vrtbuild44944944944944944944944944944944944944944944944944944944944944
9449449449vrtbuild4494494494494494494494494494494494494494494494494494494
4944944944944944944944944944944944944944944944944944944944944944944944944
9449449449449449449449449449449449449449449449449449449449449449449449449
4494494494494494494494494494494494494494494494494494494494494494494494494
4944944944944944944944944944944944944944944944944944944944944944944944944
9449449449449449449449449449449449449449449449449449449449449449449449449
4494494494494494494494494494494494494494494494494494494494494494494494494
4944944944944944944944944944944944944944944944944944944944944944944944944
9449449449449449449449449449449449449449449449449449449449449449449449105 || MALWARE-BACKDOOR Dagger_1.4.0
108 || MALWARE-BACKDOOR QAZ Worm Client Login access || mcafee,98775
110 || MALWARE-BACKDOOR netbus getinfo
115 || MALWARE-BACKDOOR NetBus Pro 2.0 connection established
117 || MALWARE-BACKDOOR Infector.1.x || nessus,11157
118 || MALWARE-BACKDOOR SatansBackdoor.2.0.Beta ||
url,www.megasecurity.org/trojans/s/satanzbackdoor/SBD2.0b.html ||
url,www3.ca.com/securityadvisor/pest/pest.aspx?id=5260
119 || MALWARE-BACKDOOR Doly 2.0 access
121 || MALWARE-BACKDOOR Infector 1.6 Client to Server Connection Request
|| nessus,11157
141 || MALWARE-BACKDOOR HackAttack 1.20 Connect
144 || PROTOCOL-FTP ADMw0rm ftp login attempt
146 || MALWARE-BACKDOOR NetSphere access
147 || MALWARE-BACKDOOR GateCrasher ||
url,www.spywareguide.com/product_show.php?id=973

152 || MALWARE-BACKDOOR BackConstruction 2.1 Connection


157 || MALWARE-BACKDOOR BackConstruction 2.1 Client FTP Open Request
158 || MALWARE-BACKDOOR BackConstruction 2.1 Server FTP Open Reply
161 || MALWARE-BACKDOOR Matrix 2.0 Client connect
162 || MALWARE-BACKDOOR Matrix 2.0 Server access
163 || MALWARE-BACKDOOR WinCrash 1.0 Server Active
185 || MALWARE-BACKDOOR CDK
195 || MALWARE-BACKDOOR DeepThroat 3.1 Server Response || mcafee,98574 ||
nessus,10053
208 || MALWARE-BACKDOOR PhaseZero Server Active on Network ||
url,www.megasecurity.org/trojans/p/phasezero/PhaseZero1.0b.html ||
url,www3.ca.com/securityadvisor/pest/pest.aspx?id=4539
209 || MALWARE-BACKDOOR w00w00 attempt
210 || MALWARE-BACKDOOR attempt
211 || MALWARE-BACKDOOR MISC r00t attempt
212 || MALWARE-BACKDOOR MISC rewt attempt
213 || MALWARE-BACKDOOR MISC Linux rootkit attempt
214 || MALWARE-BACKDOOR MISC Linux rootkit attempt lrkr0x
215 || MALWARE-BACKDOOR MISC Linux rootkit attempt
216 || MALWARE-BACKDOOR MISC Linux rootkit satori attempt
217 || MALWARE-BACKDOOR MISC sm4ck attempt
218 || MALWARE-BACKDOOR MISC Solaris 2.5 attempt
219 || MALWARE-BACKDOOR HidePak backdoor attempt
220 || MALWARE-BACKDOOR HideSource backdoor attempt
221 || PROTOCOL-ICMP TFN Probe || cve,2000-0138
222 || PROTOCOL-ICMP tfn2k icmp possible communication || cve,2000-0138
223 || MALWARE-OTHER Trin00 Daemon to Master PONG message detected ||
cve,2000-0138
224 || PROTOCOL-ICMP Stacheldraht server spoof || cve,2000-0138
225 || PROTOCOL-ICMP Stacheldraht gag server response || cve,2000-0138
226 || PROTOCOL-ICMP Stacheldraht server response || cve,2000-0138
227 || PROTOCOL-ICMP Stacheldraht client spoofworks || cve,2000-0138
228 || PROTOCOL-ICMP TFN client command BE || cve,2000-0138
229 || PROTOCOL-ICMP Stacheldraht client check skillz || cve,2000-0138
230 || MALWARE-OTHER shaft client login to handler || cve,2000-0138 ||
url,security.royans.net/info/posts/bugtraq_ddos3.shtml
231 || MALWARE-OTHER Trin00 Daemon to Master message detected ||
cve,2000-0138
232 || MALWARE-OTHER Trin00 Daemon to Master *HELLO* message detected ||
cve,2000-0138 || url,www.sans.org/newlook/resources/IDFAQ/trinoo.htm
233 || MALWARE-OTHER Trin00 Attacker to Master default startup password
|| cve,2000-0138
234 || MALWARE-OTHER Trin00 Attacker to Master default password ||
cve,2000-0138
235 || MALWARE-OTHER Trin00 Attacker to Master default mdie password ||
cve,2000-0138
236 || PROTOCOL-ICMP Stacheldraht client check gag || cve,2000-0138
237 || MALWARE-OTHER Trin00 Master to Daemon default password attempt ||
cve,2000-0138
238 || PROTOCOL-ICMP TFN server response || cve,2000-0138
239 || MALWARE-OTHER shaft handler to agent || cve,2000-0138
240 || MALWARE-OTHER shaft agent to handler || cve,2000-0138
243 || MALWARE-OTHER mstream agent to handler || cve,2000-0138
244 || MALWARE-OTHER mstream handler to agent || cve,2000-0138

245 || MALWARE-OTHER mstream handler ping to agent || cve,2000-0138


246 || MALWARE-OTHER mstream agent pong to handler || cve,2000-0138
247 || MALWARE-OTHER mstream client to handler || cve,2000-0138
248 || MALWARE-OTHER mstream handler to client || cve,2000-0138
250 || MALWARE-OTHER mstream handler to client || cve,2000-0138
251 || PROTOCOL-ICMP - TFN client command LE || cve,2000-0138
253 || PROTOCOL-DNS SPOOF query response PTR with TTL of 1 min. and no
authority
254 || PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no
authority
255 || PROTOCOL-DNS dns zone transfer via TCP detected || cve,1999-0532
|| nessus,10595
256 || PROTOCOL-DNS named authors attempt || nessus,10728
257 || PROTOCOL-DNS named version attempt || nessus,10028
258 || SERVER-OTHER Bind Buffer Overflow via NXT records || bugtraq,788
|| cve,1999-0833
259 || SERVER-OTHER Bind Buffer Overflow via NXT records named overflow
ADM || bugtraq,788 || cve,1999-0833
260 || SERVER-OTHER Bind Buffer Overflow via NXT records named overflow
ADMROCKS || bugtraq,788 || cve,1999-0833 ||
url,www.cert.org/advisories/CA-1999-14.html
261 || SERVER-OTHER Bind named overflow attempt ||
url,www.cert.org/advisories/CA-1998-05.html
262 || OS-LINUX OS-LINUX x86 Linux overflow attempt
264 || OS-LINUX OS-LINUX x86 Linux overflow attempt
265 || OS-LINUX OS-LINUX x86 Linux overflow attempt ADMv2
266 || OS-OTHER OS-OTHER x86 FreeBSD overflow attempt
267 || OS-SOLARIS EXPLOIT sparc overflow attempt
271 || SERVER-OTHER UDP echo+chargen bomb || cve,1999-0103 || cve,1999-0635
272 || OS-WINDOWS Microsoft WIndows IGMP dos attack || bugtraq,514 ||
cve,1999-0918 || url,technet.microsoft.com/en-us/security/bulletin/MS99-034
274 || PROTOCOL-ICMP ath || cve,1999-1228
276 || SERVER-OTHER RealNetworks Audio Server denial of service attempt
|| cve,1999-0271 || nessus,10183
277 || SERVER-OTHER RealNetworks Server template.html || bugtraq,1288 ||
cve,2000-0474 || nessus,10461
278 || SERVER-OTHER RealNetworks Server template.html || bugtraq,1288 ||
cve,2000-0474
279 || SERVER-OTHER Bay/Nortel Nautica Marlin || bugtraq,1009 ||
cve,2000-0221
281 || SERVER-OTHER Ascend Route || bugtraq,714 || cve,1999-0060
283 || BROWSER-OTHER Netscape 4.7 client overflow || bugtraq,822 ||
cve,1999-1189 || cve,2000-1187
286 || PROTOCOL-POP EXPLOIT x86 BSD overflow || bugtraq,133 || cve,1999-0006 || nessus,10196
287 || PROTOCOL-POP EXPLOIT x86 BSD overflow
288 || PROTOCOL-POP EXPLOIT x86 Linux overflow
289 || PROTOCOL-POP EXPLOIT x86 SCO overflow || bugtraq,133 ||
bugtraq,156 || cve,1999-0006
290 || PROTOCOL-POP EXPLOIT qpopper overflow || bugtraq,830 || cve,1999-0822 || nessus,10184

292 || OS-LINUX x86 Linux samba overflow || bugtraq,1816 || bugtraq,536 || cve,1999-0182 || cve,1999-0811
300 || OS-SOLARIS Oracle Solaris npls x86 overflow || bugtraq,2319 ||
cve,1999-1588
301 || SERVER-OTHER LPRng overflow || bugtraq,1712 || cve,2000-0917
302 || OS-LINUX Redhat 7.0 lprd overflow || bugtraq,1712 || cve,2000-0917
303 || SERVER-OTHER Bind Buffer Overflow named tsig overflow attempt ||
bugtraq,2302 || cve,2001-0010 || nessus,10605
304 || SERVER-OTHER SCO calserver overflow || bugtraq,2353 || cve,2000-0306
305 || SERVER-OTHER delegate proxy overflow || bugtraq,808 || cve,2000-0165
306 || SERVER-OTHER VQServer admin || bugtraq,1610 || cve,2000-0766 ||
nessus,10354 || url,www.vqsoft.com/vq/server/docs/other/control.html
307 || SERVER-OTHER CHAT IRC topic overflow || bugtraq,573 || cve,1999-0672
308 || SERVER-OTHER NextFTP client overflow || bugtraq,572 || cve,1999-0671
309 || SERVER-MAIL sniffit overflow || bugtraq,1158 || cve,2000-0343
310 || SERVER-MAIL x86 windows MailMax overflow || bugtraq,2312 ||
cve,1999-0404
311 || BROWSER-OTHER Netscape 4.7 unsucessful overflow || bugtraq,822 ||
cve,1999-1189 || cve,2000-1187
313 || OS-LINUX ntalkd x86 Linux overflow || bugtraq,210
314 || SERVER-OTHER Bind Buffer Overflow named tsig overflow attempt ||
bugtraq,2302 || cve,2001-0010
315 || OS-LINUX x86 Linux mountd overflow || bugtraq,121 || cve,1999-0002
316 || OS-LINUX x86 Linux mountd overflow || bugtraq,121 || cve,1999-0002
317 || OS-LINUX x86 Linux mountd overflow || bugtraq,121 || cve,1999-0002
320 || PROTOCOL-FINGER cmd_rootsh backdoor attempt || nessus,10070 ||
url,www.sans.org/y2k/TFN_toolkit.htm || url,www.sans.org/y2k/fingerd.htm
321 || PROTOCOL-FINGER account enumeration attempt || nessus,10788
322 || PROTOCOL-FINGER search query || cve,1999-0259
323 || PROTOCOL-FINGER root query
324 || PROTOCOL-FINGER null request || cve,1999-0612
326 || PROTOCOL-FINGER remote command execution attempt || bugtraq,974 ||
cve,1999-0150
327 || PROTOCOL-FINGER remote command pipe execution attempt ||
bugtraq,2220 || cve,1999-0152
328 || PROTOCOL-FINGER bomb attempt || cve,1999-0106
330 || PROTOCOL-FINGER redirection attempt || cve,1999-0105 ||
nessus,10073
331 || PROTOCOL-FINGER cybercop query || cve,1999-0612
332 || PROTOCOL-FINGER 0 query || cve,1999-0197 || nessus,10069
333 || PROTOCOL-FINGER . query || cve,1999-0198 || nessus,10072
334 || PROTOCOL-FTP .forward
335 || PROTOCOL-FTP .rhosts
336 || PROTOCOL-FTP CWD ~root attempt || cve,1999-0082
337 || PROTOCOL-FTP CEL overflow attempt || bugtraq,679 || cve,1999-0789
|| nessus,10009
353 || PROTOCOL-FTP adm scan
354 || PROTOCOL-FTP iss scan
355 || PROTOCOL-FTP pass wh00t
356 || PROTOCOL-FTP passwd retrieval attempt

357 || PROTOCOL-FTP piss scan || url,www.mines.edu/fs_home/dlarue/cc/baby-doe.html
358 || PROTOCOL-FTP saint scan
359 || PROTOCOL-FTP satan scan
360 || PROTOCOL-FTP serv-u directory traversal || bugtraq,2052 ||
cve,2001-0054 || nessus,10565
361 || PROTOCOL-FTP SITE EXEC attempt || bugtraq,2241 || cve,1999-0080 ||
cve,1999-0955
362 || PROTOCOL-FTP tar parameters || bugtraq,2240 || cve,1999-0202 ||
cve,1999-0997
363 || PROTOCOL-ICMP IRDP router advertisement || bugtraq,578 ||
cve,1999-0875
364 || PROTOCOL-ICMP IRDP router selection || bugtraq,578 || cve,1999-0875
365 || PROTOCOL-ICMP PING undefined code
366 || PROTOCOL-ICMP PING *NIX
368 || PROTOCOL-ICMP PING BSDtype
369 || PROTOCOL-ICMP PING BayRS Router
370 || PROTOCOL-ICMP PING BeOS4.x
371 || PROTOCOL-ICMP PING Cisco Type.x
372 || PROTOCOL-ICMP PING Delphi-Piette Windows
373 || PROTOCOL-ICMP PING Flowpoint2200 or Network Management Software
374 || PROTOCOL-ICMP PING IP NetMonitor Macintosh
375 || PROTOCOL-ICMP PING LINUX/*BSD
376 || PROTOCOL-ICMP PING Microsoft Windows
377 || PROTOCOL-ICMP PING Network Toolbox 3 Windows
378 || PROTOCOL-ICMP PING Ping-O-MeterWindows
379 || PROTOCOL-ICMP PING Pinger Windows
380 || PROTOCOL-ICMP PING Seer Windows
381 || PROTOCOL-ICMP PING Oracle Solaris
382 || PROTOCOL-ICMP PING Windows
384 || PROTOCOL-ICMP PING
385 || PROTOCOL-ICMP traceroute
386 || PROTOCOL-ICMP Address Mask Reply
387 || PROTOCOL-ICMP Address Mask Reply undefined code
388 || PROTOCOL-ICMP Address Mask Request
389 || PROTOCOL-ICMP Address Mask Request undefined code
390 || PROTOCOL-ICMP Alternate Host Address
391 || PROTOCOL-ICMP Alternate Host Address undefined code
392 || PROTOCOL-ICMP Datagram Conversion Error
393 || PROTOCOL-ICMP Datagram Conversion Error undefined code
394 || PROTOCOL-ICMP Destination Unreachable Destination Host Unknown
395 || PROTOCOL-ICMP Destination Unreachable Destination Network Unknown
396 || PROTOCOL-ICMP Destination Unreachable Fragmentation Needed and DF
bit was set || cve,2004-0790 || cve,2005-0068
397 || PROTOCOL-ICMP Destination Unreachable Host Precedence Violation
398 || PROTOCOL-ICMP Destination Unreachable Host Unreachable for Type of
Service
399 || PROTOCOL-ICMP Destination Unreachable Host Unreachable
400 || PROTOCOL-ICMP Destination Unreachable Network Unreachable for Type
of Service
401 || PROTOCOL-ICMP Destination Unreachable Network Unreachable
402 || PROTOCOL-ICMP Destination Unreachable Port Unreachable ||
cve,2004-0790 || cve,2005-0068

403 || PROTOCOL-ICMP Destination Unreachable Precedence Cutoff in effect


404 || PROTOCOL-ICMP Destination Unreachable Protocol Unreachable ||
cve,2004-0790 || cve,2005-0068
405 || PROTOCOL-ICMP Destination Unreachable Source Host Isolated
406 || PROTOCOL-ICMP Destination Unreachable Source Route Failed
407 || PROTOCOL-ICMP Destination Unreachable cndefined code
408 || PROTOCOL-ICMP Echo Reply
409 || PROTOCOL-ICMP Echo Reply undefined code
410 || PROTOCOL-ICMP Fragment Reassembly Time Exceeded
411 || PROTOCOL-ICMP IPV6 I-Am-Here
412 || PROTOCOL-ICMP IPV6 I-Am-Here undefined code
413 || PROTOCOL-ICMP IPV6 Where-Are-You
414 || PROTOCOL-ICMP IPV6 Where-Are-You undefined code
415 || PROTOCOL-ICMP Information Reply
416 || PROTOCOL-ICMP Information Reply undefined code
417 || PROTOCOL-ICMP Information Request
418 || PROTOCOL-ICMP Information Request undefined code
419 || PROTOCOL-ICMP Mobile Host Redirect
420 || PROTOCOL-ICMP Mobile Host Redirect undefined code
421 || PROTOCOL-ICMP Mobile Registration Reply
422 || PROTOCOL-ICMP Mobile Registration Reply undefined code
423 || PROTOCOL-ICMP Mobile Registration Request
424 || PROTOCOL-ICMP Mobile Registration Request undefined code
425 || PROTOCOL-ICMP Parameter Problem Bad Length
426 || PROTOCOL-ICMP Parameter Problem Missing a Required Option
427 || PROTOCOL-ICMP Parameter Problem Unspecified Error
428 || PROTOCOL-ICMP Parameter Problem undefined Code
429 || PROTOCOL-ICMP Photuris Reserved
430 || PROTOCOL-ICMP Photuris Unknown Security Parameters Index
431 || PROTOCOL-ICMP Photuris Valid Security Parameters, But
Authentication Failed
432 || PROTOCOL-ICMP Photuris Valid Security Parameters, But Decryption
Failed
433 || PROTOCOL-ICMP Photuris undefined code!
436 || PROTOCOL-ICMP Redirect for TOS and Host || cve,1999-0265
437 || PROTOCOL-ICMP Redirect for TOS and Network || cve,1999-0265
438 || PROTOCOL-ICMP Redirect undefined code || cve,1999-0265
439 || PROTOCOL-ICMP Reserved for Security Type 19
440 || PROTOCOL-ICMP Reserved for Security Type 19 undefined code
441 || PROTOCOL-ICMP Router Advertisement
443 || PROTOCOL-ICMP Router Selection
445 || PROTOCOL-ICMP SKIP
446 || PROTOCOL-ICMP SKIP undefined code
448 || PROTOCOL-ICMP Source Quench undefined code
449 || PROTOCOL-ICMP Time-To-Live Exceeded in Transit
450 || PROTOCOL-ICMP Time-To-Live Exceeded in Transit undefined code
451 || PROTOCOL-ICMP Timestamp Reply
452 || PROTOCOL-ICMP Timestamp Reply undefined code
453 || PROTOCOL-ICMP Timestamp Request
454 || PROTOCOL-ICMP Timestamp Request undefined code
456 || PROTOCOL-ICMP Traceroute
457 || PROTOCOL-ICMP Traceroute undefined code
458 || PROTOCOL-ICMP unassigned type 1
459 || PROTOCOL-ICMP unassigned type 1 undefined code

460 || PROTOCOL-ICMP unassigned type 2


461 || PROTOCOL-ICMP unassigned type 2 undefined code
462 || PROTOCOL-ICMP unassigned type 7
463 || PROTOCOL-ICMP unassigned type 7 undefined code || cve,1999-0454
465 || PROTOCOL-ICMP ISS Pinger
466 || PROTOCOL-ICMP L3retriever Ping
467 || PROTOCOL-ICMP Nemesis v1.1 Echo
474 || PROTOCOL-ICMP superscan echo
476 || PROTOCOL-ICMP webtrends scanner
480 || PROTOCOL-ICMP PING speedera
481 || PROTOCOL-ICMP TJPingPro1.1Build 2 Windows
482 || PROTOCOL-ICMP PING WhatsupGold Windows
483 || PROTOCOL-ICMP PING CyberKit 2.2 Windows
484 || PROTOCOL-ICMP PING Sniffer Pro/NetXRay network scan
489 || PROTOCOL-FTP no password
490 || SERVER-MAIL battle-mail traffic
491 || PROTOCOL-FTP Bad login
492 || PROTOCOL-TELNET login failed
493 || APP-DETECT psyBNC access
494 || INDICATOR-COMPROMISE command completed || bugtraq,1806 ||
cve,2000-0884 || url,osvdb.org/show/osvdb/436 ||
url,technet.microsoft.com/en-us/security/bulletin/ms00-078
495 || INDICATOR-COMPROMISE command error
497 || INDICATOR-COMPROMISE file copied ok || bugtraq,1806 || cve,2000-0884
498 || INDICATOR-COMPROMISE id check returned root
505 || SERVER-OTHER Insecure TIMBUKTU Password
507 || PUA-OTHER PCAnywhere Attempted Administrator Login
508 || SERVER-OTHER gopher proxy
509 || SERVER-WEBAPP PCCS mysql database admin tool access ||
bugtraq,1557 || cve,2000-0707 || nessus,10783
510 || POLICY-OTHER HP JetDirect LCD modification attempt || bugtraq,2245
512 || PUA-OTHER PCAnywhere Failed Login
514 || SERVER-OTHER ramen worm
516 || PROTOCOL-SNMP NT UserList || nessus,10546
517 || X11 xdmcp query
518 || PROTOCOL-TFTP Put || cve,1999-0183 ||
url,dev.metasploit.com/redmine/projects/framework/repository/revisions/b7
3f28f29511d154aed9e94dd262195db60c7e3b/entry/unstablemodules/auxiliary/d20tftpbd.rb
519 || PROTOCOL-TFTP parent directory || cve,1999-0183 || cve,2002-1209
520 || PROTOCOL-TFTP root directory || cve,1999-0183
529 || NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrShareEnum null policy
handle attempt
530 || OS-WINDOWS NT NULL session || bugtraq,1163 || cve,2000-0347
534 || NETBIOS SMB CD..
535 || NETBIOS SMB CD...
540 || POLICY-SOCIAL Microsoft MSN message
541 || POLICY-SOCIAL ICQ access
542 || POLICY-SOCIAL IRC nick change
543 || INDICATOR-COMPROMISE FTP 'STOR 1MB' possible warez site
544 || INDICATOR-COMPROMISE FTP 'RETR 1MB' possible warez site
545 || INDICATOR-COMPROMISE FTP 'CWD / ' possible warez site
546 || INDICATOR-COMPROMISE FTP 'CWD ' possible warez site

547 || INDICATOR-COMPROMISE FTP 'MKD ' possible warez site


548 || INDICATOR-COMPROMISE FTP 'MKD .' possible warez site
553 || POLICY-OTHER FTP anonymous login attempt
554 || INDICATOR-COMPROMISE FTP 'MKD / ' possible warez site
555 || POLICY-OTHER WinGate telnet server response || cve,1999-0657
556 || PUA-P2P Outbound GNUTella client request
557 || PUA-P2P GNUTella client request
560 || APP-DETECT VNC server response
566 || APP-DETECT PCAnywhere server response
567 || SERVER-MAIL SMTP relaying denied || url,mail-abuse.org/tsi/arfix.html
568 || POLICY-OTHER HP JetDirect LCD modification attempt || bugtraq,2245
569 || PROTOCOL-RPC snmpXdmi overflow attempt TCP || bugtraq,2417 ||
cve,2001-0236 || nessus,10659 || url,www.cert.org/advisories/CA-2001-05.html
572 || PROTOCOL-RPC DOS ttdbserv Solaris || bugtraq,122 || cve,1999-0003
574 || PROTOCOL-RPC mountd TCP export request
575 || PROTOCOL-RPC portmap admind request UDP
576 || PROTOCOL-RPC portmap amountd request UDP || bugtraq,205 ||
bugtraq,235 || bugtraq,450 || bugtraq,614 || cve,1999-0088 || cve,1999-0210 || cve,1999-0493 || cve,1999-0704
577 || PROTOCOL-RPC portmap bootparam request UDP
578 || PROTOCOL-RPC portmap cmsd request UDP
579 || PROTOCOL-RPC portmap mountd request UDP
580 || PROTOCOL-RPC portmap nisd request UDP || cve,1999-0008
581 || PROTOCOL-RPC portmap pcnfsd request UDP || bugtraq,205 ||
bugtraq,4816 || cve,1999-0078 || cve,1999-0353 || cve,2002-0910
582 || PROTOCOL-RPC portmap rexd request UDP
583 || PROTOCOL-RPC portmap rstatd request UDP
584 || PROTOCOL-RPC portmap rusers request UDP || cve,1999-0626
585 || PROTOCOL-RPC portmap sadmind request UDP attempt
586 || PROTOCOL-RPC portmap selection_svc request UDP || bugtraq,8 ||
cve,1999-0209
587 || PROTOCOL-RPC portmap status request UDP
588 || PROTOCOL-RPC portmap ttdbserv request UDP || bugtraq,122 ||
bugtraq,3382 || cve,1999-0003 || cve,1999-0687 || cve,1999-1075 ||
cve,2001-0717 || url,www.cert.org/advisories/CA-2001-05.html
589 || PROTOCOL-RPC portmap yppasswd request UDP
590 || PROTOCOL-RPC portmap ypserv request UDP || bugtraq,5914 ||
bugtraq,6016 || cve,2000-1042 || cve,2000-1043 || cve,2002-1232
591 || PROTOCOL-RPC portmap ypupdated request TCP || bugtraq,1749 ||
cve,1999-0208
593 || PROTOCOL-RPC portmap snmpXdmi request TCP || bugtraq,2417 ||
cve,2001-0236 || nessus,10659 || url,www.cert.org/advisories/CA-2001-05.html
595 || PROTOCOL-RPC portmap espd request TCP || bugtraq,2714 || cve,2001-0331
598 || PROTOCOL-RPC portmap listing TCP 111
599 || PROTOCOL-RPC portmap listing TCP 32771
601 || PROTOCOL-SERVICES rlogin LinuxNIS
602 || PROTOCOL-SERVICES rlogin bin
603 || PROTOCOL-SERVICES rlogin echo++
604 || PROTOCOL-SERVICES Unix rlogin froot parameter root access attempt
|| bugtraq,458 || cve,1999-0113 || url,osvdb.org/show/osvdb/1007

605 || PROTOCOL-SERVICES rlogin login failure


606 || PROTOCOL-SERVICES rlogin root
607 || PROTOCOL-SERVICES rsh bin
608 || PROTOCOL-SERVICES rsh echo + +
609 || PROTOCOL-SERVICES rsh froot
610 || PROTOCOL-SERVICES rsh root
611 || PROTOCOL-SERVICES rlogin login failure
612 || PROTOCOL-RPC rusers query UDP || cve,1999-0626
613 || INDICATOR-SCAN myscan
614 || MALWARE-BACKDOOR hack-a-tack attempt
616 || INDICATOR-SCAN ident version request
619 || INDICATOR-SCAN cybercop os probe
622 || INDICATOR-SCAN ipEye SYN scan
626 || INDICATOR-SCAN cybercop os PA12 attempt
627 || INDICATOR-SCAN cybercop os SFU12 probe
630 || INDICATOR-SCAN synscan portscan
631 || SERVER-MAIL ehlo cybercop attempt
632 || SERVER-MAIL expn cybercop attempt
634 || INDICATOR-SCAN Amanda client-version request
635 || INDICATOR-SCAN XTACACS logout
636 || INDICATOR-SCAN cybercop udp bomb
637 || INDICATOR-SCAN Webtrends Scanner UDP Probe ||
url,www.netiq.com/products/vsm/default.asp
638 || INDICATOR-SHELLCODE SGI NOOP
639 || INDICATOR-SHELLCODE SGI NOOP
640 || INDICATOR-SHELLCODE AIX NOOP
641 || INDICATOR-SHELLCODE Digital UNIX NOOP
642 || INDICATOR-SHELLCODE HP-UX NOOP
643 || INDICATOR-SHELLCODE HP-UX NOOP
644 || INDICATOR-SHELLCODE sparc NOOP
645 || INDICATOR-SHELLCODE sparc NOOP
646 || INDICATOR-SHELLCODE sparc NOOP
647 || INDICATOR-SHELLCODE Oracle sparc setuid 0
648 || INDICATOR-SHELLCODE x86 NOOP
649 || INDICATOR-SHELLCODE x86 setgid 0
650 || INDICATOR-SHELLCODE x86 setuid 0
652 || INDICATOR-SHELLCODE Linux shellcode
654 || SERVER-MAIL RCPT TO overflow || bugtraq,2283 || bugtraq,43182 ||
bugtraq,9696 || cve,2001-0260 || cve,2003-0694 || cve,2008-0394 ||
cve,2009-0410 || cve,2010-2580
655 || SERVER-MAIL Sendmail 8.6.9 exploit || bugtraq,2311 || cve,1999-0204
657 || SERVER-MAIL Netmanager chameleon SMTPd buffer overflow attempt ||
bugtraq,2387 || cve,1999-0261
658 || SERVER-MAIL Microsoft Windows Exchange Server 5.5 mime DOS ||
bugtraq,1869 || cve,2000-1006 || nessus,10558 ||
url,technet.microsoft.com/en-us/security/bulletin/MS00-082
659 || SERVER-MAIL Sendmail expn decode || cve,1999-0096 || nessus,10248
660 || SERVER-MAIL expn root || nessus,10249
661 || SERVER-MAIL Majordomo ifs || bugtraq,2310 || cve,1999-0207
662 || SERVER-MAIL Sendmail 5.5.5 exploit || cve,1999-0203 ||
nessus,10258
663 || SERVER-MAIL Sendmail rcpt to command attempt || bugtraq,1 ||
cve,1999-0095

664 || SERVER-MAIL Sendmail RCPT TO decode attempt || bugtraq,2308 || cve,1999-0203
665 || SERVER-MAIL Sendmail 5.6.5 exploit || bugtraq,2308 || cve,1999-0203
667 || SERVER-MAIL Sendmail 8.6.10 exploit || bugtraq,2311 || cve,1999-0204
668 || SERVER-MAIL Sendmail 8.6.10 exploit || bugtraq,2311 || cve,1999-0204
669 || SERVER-MAIL Sendmail 8.6.9 exploit || bugtraq,2311 || cve,1999-0204
670 || SERVER-MAIL Sendmail 8.6.9 exploit || bugtraq,2311 || cve,1999-0204
671 || SERVER-MAIL Sendmail 8.6.9c exploit || bugtraq,2311 || cve,1999-0204
672 || SERVER-MAIL vrfy decode || cve,1999-0096
673 || SQL sp_start_job - program execution
676 || SQL sp_start_job - program execution
677 || SQL sp_password password change
678 || SQL sp_delete_alert log file deletion
679 || SQL sp_adduser database user creation
681 || SQL xp_cmdshell program execution || bugtraq,5309
683 || SQL sp_password - password change
684 || SQL sp_delete_alert log file deletion
685 || SQL sp_adduser - database user creation
686 || SERVER-MSSQL xp_reg* - registry access || bugtraq,5205 ||
cve,2002-0642 || nessus,10642 || url,technet.microsoft.com/en-us/security/bulletin/MS02-034
687 || SQL xp_cmdshell - program execution || bugtraq,5309
688 || SQL sa login failed || bugtraq,4797 || cve,2000-1209 ||
nessus,10673
689 || SERVER-MSSQL xp_reg* registry access || bugtraq,5205 || cve,2002-0642 || nessus,10642 || url,technet.microsoft.com/en-us/security/bulletin/MS02-034
691 || INDICATOR-SHELLCODE shellcode attempt
692 || INDICATOR-SHELLCODE shellcode attempt
693 || INDICATOR-SHELLCODE shellcode attempt
694 || INDICATOR-SHELLCODE shellcode attempt
695 || SERVER-MSSQL xp_sprintf possible buffer overflow || bugtraq,1204
|| url,technet.microsoft.com/en-us/security/bulletin/MS01-060
704 || SERVER-MSSQL xp_sprintf possible buffer overflow || bugtraq,1204
|| bugtraq,3733 || cve,2001-0542 || url,technet.microsoft.com/en-us/security/bulletin/MS01-060
709 || PROTOCOL-TELNET 4Dgifts SGI account attempt || cve,1999-0501 ||
nessus,11243
710 || PROTOCOL-TELNET EZsetup account attempt || cve,1999-0501 ||
nessus,11244
711 || PROTOCOL-TELNET SGI telnetd format bug || bugtraq,1572 ||
cve,2000-0733
712 || PROTOCOL-TELNET ld_library_path || bugtraq,459 || cve,1999-0073
713 || PROTOCOL-TELNET livingston DOS || bugtraq,2225 || cve,1999-0218
714 || PROTOCOL-TELNET resolv_host_conf || bugtraq,2181 || cve,2001-0170
715 || PROTOCOL-TELNET Attempted SU from wrong group
717 || PROTOCOL-TELNET not on console
718 || PROTOCOL-TELNET login incorrect

719 || PROTOCOL-TELNET root login


803 || SERVER-WEBAPP HyperSeek hsx.cgi directory traversal attempt ||
bugtraq,2314 || cve,2001-0253 || nessus,10602
804 || SERVER-WEBAPP SWSoft ASPSeek Overflow attempt || bugtraq,2492 ||
cve,2001-0476
805 || SERVER-WEBAPP Progress webspeed access || bugtraq,969 || cve,2000-0127 || nessus,10304
806 || SERVER-WEBAPP yabb directory traversal attempt || bugtraq,1668 ||
cve,2000-0853 || nessus,10512
807 || SERVER-WEBAPP /wwwboard/passwd.txt access || bugtraq,649 ||
cve,1999-0953 || cve,1999-0954 || nessus,10321
808 || SERVER-WEBAPP webdriver access || bugtraq,2166 || nessus,10592
809 || SERVER-WEBAPP whois_raw.cgi arbitrary command execution attempt ||
bugtraq,304 || cve,1999-1063 || nessus,10306
810 || SERVER-WEBAPP whois_raw.cgi access || bugtraq,304 || cve,1999-1063
|| nessus,10306
811 || SERVER-WEBAPP websitepro path access || bugtraq,932 || cve,2000-0066 || nessus,10303
812 || SERVER-WEBAPP webplus version access || bugtraq,1102 || cve,2000-0282
813 || SERVER-WEBAPP webplus directory traversal || bugtraq,1102 ||
cve,2000-0282 || nessus,10367
815 || SERVER-WEBAPP websendmail access || bugtraq,2077 || cve,1999-0196
|| nessus,10301
817 || SERVER-WEBAPP dcboard.cgi invalid user addition attempt ||
bugtraq,2728 || cve,2001-0527 || nessus,10583
818 || SERVER-WEBAPP dcforum.cgi access || bugtraq,2728 || cve,2001-0527
|| nessus,10583
819 || SERVER-WEBAPP mmstdod.cgi access || bugtraq,2063 || cve,2001-0021
|| nessus,10566
820 || SERVER-WEBAPP anaconda directory traversal attempt || bugtraq,2338
|| bugtraq,2388 || cve,2000-0975 || cve,2001-0308 || nessus,10536
821 || SERVER-WEBAPP imagemap.exe overflow attempt || bugtraq,739 ||
cve,1999-0951 || nessus,10122
823 || SERVER-WEBAPP cvsweb.cgi access || bugtraq,1469 || cve,2000-0670
|| nessus,10465
824 || SERVER-WEBAPP php.cgi access || bugtraq,2250 || bugtraq,712 ||
cve,1999-0058 || cve,1999-0238 || nessus,10178
825 || SERVER-WEBAPP glimpse access || bugtraq,2026 || cve,1999-0147 ||
nessus,10095
826 || SERVER-WEBAPP htmlscript access || bugtraq,2001 || cve,1999-0264
|| nessus,10106
827 || SERVER-WEBAPP info2www access || bugtraq,1995 || cve,1999-0266 ||
nessus,10127
828 || SERVER-WEBAPP maillist.pl access
829 || SERVER-WEBAPP nph-test-cgi access || bugtraq,686 || cve,1999-0045
|| nessus,10165
832 || SERVER-WEBAPP perl.exe access || cve,1999-0509 || nessus,10173 ||
url,www.cert.org/advisories/CA-1996-11.html
833 || SERVER-WEBAPP rguest.exe access || bugtraq,2024 || cve,1999-0287
834 || SERVER-WEBAPP rwwwshell.pl access ||
url,www.itsecurity.com/papers/p37.htm
835 || SERVER-WEBAPP test-cgi access || bugtraq,2003 || cve,1999-0070 ||
nessus,10282

836 || SERVER-WEBAPP textcounter.pl access || bugtraq,2265 || cve,1999-1479 || nessus,11451


837 || SERVER-WEBAPP uploader.exe access || bugtraq,1611 || cve,1999-0177
|| cve,2000-0769 || nessus,10291
838 || SERVER-WEBAPP webgais access || bugtraq,2058 || cve,1999-0176 ||
nessus,10300
839 || SERVER-WEBAPP finger access || cve,1999-0612 || nessus,10071
840 || SERVER-WEBAPP perlshop.cgi access || cve,1999-1374
842 || SERVER-WEBAPP aglimpse access || bugtraq,2026 || cve,1999-0147 ||
nessus,10095
843 || SERVER-WEBAPP anform2 access || bugtraq,719 || cve,1999-0066
844 || SERVER-WEBAPP args.bat access || cve,1999-1180 || nessus,11465
845 || SERVER-WEBAPP AT-admin.cgi access || cve,1999-1072
846 || SERVER-WEBAPP bnbform.cgi access || bugtraq,2147 || cve,1999-0937
847 || SERVER-WEBAPP campas access || bugtraq,1975 || cve,1999-0146 ||
nessus,10035
848 || SERVER-WEBAPP view-source directory traversal || bugtraq,2251 ||
bugtraq,8883 || cve,1999-0174
849 || SERVER-WEBAPP view-source access || bugtraq,2251 || bugtraq,8883
|| cve,1999-0174
850 || SERVER-WEBAPP wais.pl access
851 || SERVER-WEBAPP files.pl access || cve,1999-1081
852 || SERVER-WEBAPP wguest.exe access || bugtraq,2024 || cve,1999-0287
|| cve,1999-0467
853 || SERVER-WEBAPP wrap access || bugtraq,373 || cve,1999-0149 ||
nessus,10317
854 || SERVER-WEBAPP classifieds.cgi access || bugtraq,2020 || cve,1999-0934
856 || SERVER-WEBAPP environ.cgi access
857 || SERVER-WEBAPP faxsurvey access || bugtraq,2056 || cve,1999-0262 ||
nessus,10067
858 || SERVER-WEBAPP filemail access || cve,1999-1154
859 || SERVER-WEBAPP man.sh access || bugtraq,2276 || cve,1999-1179
860 || SERVER-WEBAPP snork.bat access || bugtraq,2023 || cve,1999-0233
861 || SERVER-WEBAPP w3-msql access || bugtraq,591 || bugtraq,898 ||
cve,1999-0276 || cve,1999-0753 || cve,2000-0012 || nessus,10296
862 || SERVER-WEBAPP csh access || cve,1999-0509 ||
url,www.cert.org/advisories/CA-1996-11.html
863 || SERVER-WEBAPP day5datacopier.cgi access || cve,1999-1232
864 || SERVER-WEBAPP day5datanotifier.cgi access || cve,1999-1232
865 || SERVER-WEBAPP ksh access || cve,1999-0509 ||
url,www.cert.org/advisories/CA-1996-11.html
866 || SERVER-WEBAPP post-query access || bugtraq,6752 || cve,2001-0291
867 || SERVER-WEBAPP visadmin.exe access || bugtraq,1808 || cve,1999-0970
|| nessus,10295
868 || SERVER-WEBAPP rsh access || cve,1999-0509 ||
url,www.cert.org/advisories/CA-1996-11.html
869 || SERVER-WEBAPP dumpenv.pl access || cve,1999-1178 || nessus,10060
870 || SERVER-WEBAPP snorkerz.cmd access
871 || SERVER-WEBAPP survey.cgi access || bugtraq,1817 || cve,1999-0936
872 || SERVER-WEBAPP tcsh access || cve,1999-0509 ||
url,www.cert.org/advisories/CA-1996-11.html
875 || SERVER-WEBAPP win-c-sample.exe access || bugtraq,2078 || cve,1999-0178 || nessus,10008

877 || SERVER-WEBAPP rksh access || cve,1999-0509 ||


url,www.cert.org/advisories/CA-1996-11.html
878 || SERVER-WEBAPP w3tvars.pm access
879 || SERVER-WEBAPP admin.pl access || bugtraq,3839 || cve,2002-1748 ||
url,online.securityfocus.com/archive/1/249355
880 || SERVER-WEBAPP LWGate access ||
url,www.netspace.org/~dwb/lwgate/lwgate-history.html ||
url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm
881 || SERVER-WEBAPP archie access
882 || SERVER-WEBAPP calendar access
883 || SERVER-WEBAPP flexform access ||
url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm
885 || SERVER-WEBAPP bash access || cve,1999-0509 ||
url,www.cert.org/advisories/CA-1996-11.html
886 || SERVER-WEBAPP phf access || bugtraq,629 || cve,1999-0067
887 || SERVER-WEBAPP www-sql access || url,marc.theaimsgroup.com/?
l=bugtraq&m=88704258804054&w=2
888 || SERVER-WEBAPP wwwadmin.pl access
889 || SERVER-WEBAPP ppdscgi.exe access || bugtraq,491 || nessus,10187 ||
url,online.securityfocus.com/archive/1/16878
890 || SERVER-WEBAPP sendform.cgi access || bugtraq,5286 || cve,2002-0710
|| url,www.scn.org/help/sendform.txt
891 || SERVER-WEBAPP upload.pl access
892 || SERVER-WEBAPP AnyForm2 access || bugtraq,719 || cve,1999-0066 ||
nessus,10277
894 || SERVER-WEBAPP bb-hist.sh access || bugtraq,142 || cve,1999-1462 ||
nessus,10025
895 || SERVER-WEBAPP redirect access || bugtraq,1179 || cve,2000-0382
896 || SERVER-WEBAPP way-board access || bugtraq,2370 || cve,2001-0214 ||
nessus,10610
897 || SERVER-WEBAPP pals-cgi access || bugtraq,2372 || cve,2001-0216 ||
cve,2001-0217 || nessus,10611
898 || SERVER-WEBAPP commerce.cgi access || bugtraq,2361 || cve,2001-0210
|| nessus,10612
899 || SERVER-WEBAPP Amaya templates sendtemp.pl directory traversal
attempt || bugtraq,2504 || cve,2001-0272 || nessus,10614
900 || SERVER-WEBAPP webspirs.cgi directory traversal attempt ||
bugtraq,2362 || cve,2001-0211 || nessus,10616
901 || SERVER-WEBAPP webspirs.cgi access || bugtraq,2362 || cve,2001-0211
|| nessus,10616
902 || SERVER-WEBAPP tstisapi.dll access || bugtraq,2381 || cve,2001-0302
903 || SERVER-OTHER Adobe Coldfusion cfcache.map access || bugtraq,917 ||
cve,2000-0057
904 || SERVER-OTHER Adobe Coldfusion exampleapp application.cfm ||
bugtraq,1021 || cve,2000-0189 || cve,2001-0535
905 || SERVER-OTHER Adobe Coldfusion application.cfm access ||
bugtraq,1021 || cve,2000-0189 || cve,2001-0535
906 || SERVER-OTHER Adobe Coldfusion getfile.cfm access || bugtraq,229 ||
cve,1999-0800 || cve,2001-0535
907 || SERVER-OTHER Adobe Coldfusion addcontent.cfm access || cve,2001-0535
908 || SERVER-OTHER Adobe Coldfusion administrator access || bugtraq,1314
|| cve,2000-0538 || nessus,10581

909 || SERVER-OTHER Adobe Coldfusion datasource username attempt ||


bugtraq,550 || cve,1999-0760
910 || SERVER-OTHER Adobe Coldfusion fileexists.cfm access || bugtraq,550
|| cve,1999-0760
911 || SERVER-OTHER Adobe Coldfusion exprcalc access || bugtraq,115 ||
bugtraq,550 || cve,1999-0455 || cve,1999-0760
912 || SERVER-OTHER Adobe Coldfusion parks access || bugtraq,550 ||
cve,1999-0760
913 || SERVER-OTHER Adobe Coldfusion cfappman access || bugtraq,550 ||
cve,1999-0760
914 || SERVER-OTHER Adobe Coldfusion beaninfo access || bugtraq,550 ||
cve,1999-0760
915 || SERVER-OTHER Adobe Coldfusion evaluate.cfm access || bugtraq,550
|| cve,1999-0760
916 || SERVER-OTHER Adobe Coldfusion getodbcdsn access || bugtraq,550 ||
cve,1999-0760
917 || SERVER-OTHER Adobe Coldfusion db connections flush attempt ||
bugtraq,550 || cve,1999-0760
918 || SERVER-OTHER Adobe Coldfusion expeval access || bugtraq,550 ||
cve,1999-0477 || cve,1999-0760
919 || SERVER-OTHER Adobe Coldfusion datasource passwordattempt ||
bugtraq,550 || cve,1999-0760
920 || SERVER-OTHER Adobe Coldfusion datasource attempt || bugtraq,550 ||
cve,1999-0760
921 || SERVER-OTHER Adobe Coldfusion admin encrypt attempt || bugtraq,550
|| cve,1999-0760
922 || SERVER-OTHER Adobe Coldfusion displayfile access || bugtraq,550 ||
cve,1999-0760
923 || SERVER-OTHER Adobe Coldfusion getodbcin attempt || bugtraq,550 ||
cve,1999-0760
924 || SERVER-OTHER Adobe Coldfusion admin decrypt attempt || bugtraq,550
|| cve,1999-0760
925 || SERVER-OTHER Adobe Coldfusion mainframeset access || bugtraq,550
|| cve,1999-0760
926 || SERVER-OTHER Adobe Coldfusion set odbc ini attempt || bugtraq,550
|| cve,1999-0760
927 || SERVER-OTHER Adobe Coldfusion settings refresh attempt ||
bugtraq,550 || cve,1999-0760
928 || SERVER-OTHER Adobe Coldfusion exampleapp access || cve,2001-0535
929 || SERVER-OTHER Adobe Coldfusion CFUSION_VERIFYMAIL access ||
bugtraq,550 || cve,1999-0760
930 || SERVER-OTHER Adobe Coldfusion snippets attempt || bugtraq,550 ||
cve,1999-0760
931 || SERVER-OTHER Adobe Coldfusion cfmlsyntaxcheck.cfm access ||
bugtraq,550 || cve,1999-0760
932 || SERVER-OTHER Adobe Coldfusion application.cfm access ||
bugtraq,550 || cve,1999-0760 || cve,2000-0189
933 || SERVER-OTHER Adobe Coldfusion onrequestend.cfm access ||
bugtraq,550 || cve,1999-0760 || cve,2000-0189
935 || SERVER-OTHER Adobe Coldfusion startstop DOS access || bugtraq,247
|| cve,1999-0756
936 || SERVER-OTHER Adobe Coldfusion gettempdirectory.cfm access ||
bugtraq,550 || cve,1999-0760

937 || SERVER-OTHER Microsoft Frontpage _vti_rpc access || bugtraq,2144


|| cve,2001-0096 || nessus,10585
939 || SERVER-OTHER Microsoft Frontpage posting || bugtraq,2144 ||
cve,2001-0096 || nessus,10585 || url,technet.microsoft.com/en-us/security/bulletin/MS00-100
940 || SERVER-OTHER Microsoft Frontpage shtml.dll access || bugtraq,1174
|| bugtraq,1594 || bugtraq,1595 || cve,2000-0413 || cve,2000-0746 ||
nessus,11395 || url,technet.microsoft.com/en-us/security/bulletin/ms00-060
941 || SERVER-OTHER Microsoft Frontpage contents.htm access
942 || SERVER-OTHER Microsoft Frontpage orders.htm access
943 || SERVER-OTHER Microsoft Frontpage fpsrvadm.exe access
944 || SERVER-OTHER Microsoft Frontpage fpremadm.exe access
945 || SERVER-OTHER Microsoft Frontpage fpadmin.htm access
946 || SERVER-OTHER Microsoft Frontpage fpadmcgi.exe access
947 || SERVER-OTHER Microsoft Frontpage orders.txt access
948 || SERVER-OTHER Microsoft Frontpage form_results access || cve,1999-1052
949 || SERVER-OTHER Microsoft Frontpage registrations.htm access
950 || SERVER-OTHER Microsoft Frontpage cfgwiz.exe access
951 || SERVER-OTHER Microsoft Frontpage authors.pwd access || bugtraq,989
|| cve,1999-0386 || nessus,10078
952 || SERVER-OTHER Microsoft Frontpage author.exe access
953 || SERVER-OTHER Microsoft Frontpage administrators.pwd access ||
bugtraq,1205
954 || SERVER-OTHER Microsoft Frontpage form_results.htm access ||
cve,1999-1052
955 || SERVER-OTHER Microsoft Frontpage access.cnf access || bugtraq,4078
|| cve,2002-1717 || nessus,10575
956 || SERVER-OTHER Microsoft Frontpage register.txt access
957 || SERVER-OTHER Microsoft Frontpage registrations.txt access
958 || SERVER-OTHER Microsoft Frontpage service.cnf access ||
bugtraq,4078 || cve,2002-1717 || nessus,10575
959 || SERVER-OTHER Microsoft Frontpage service.pwd || bugtraq,1205
960 || SERVER-OTHER Microsoft Frontpage service.stp access
961 || SERVER-OTHER Microsoft Frontpage services.cnf access ||
bugtraq,4078 || cve,2002-1717 || nessus,10575
962 || SERVER-OTHER Microsoft Frontpage shtml.exe access || bugtraq,1174
|| bugtraq,1608 || bugtraq,5804 || cve,2000-0413 || cve,2000-0709 ||
cve,2002-0692 || nessus,10405 || nessus,11311
963 || SERVER-OTHER Microsoft Frontpage svcacl.cnf access || bugtraq,4078
|| cve,2002-1717 || nessus,10575
964 || SERVER-OTHER Microsoft Frontpage users.pwd access
965 || SERVER-OTHER Microsoft Frontpage writeto.cnf access ||
bugtraq,4078 || cve,2002-1717 || nessus,10575
966 || SERVER-OTHER Microsoft Frontpage .... request || bugtraq,989 ||
cve,1999-0386 || cve,2000-0153 || nessus,10142
967 || SERVER-OTHER Microsoft Frontpage dvwssr.dll access || bugtraq,1108
|| bugtraq,1109 || cve,2000-0260 || nessus,10369 ||
url,technet.microsoft.com/en-us/security/bulletin/ms00-025
968 || SERVER-OTHER Microsoft Frontpage register.htm access
969 || SERVER-IIS WebDAV file lock attempt || bugtraq,2736 ||
nessus,10732

971 || SERVER-IIS ISAPI .printer access || bugtraq,2674 || cve,2001-0241


|| nessus,10661 || url,technet.microsoft.com/en-us/security/bulletin/MS01-023
973 || SERVER-IIS *.idc attempt || bugtraq,1448 || cve,1999-0874 ||
cve,2000-0661
974 || SERVER-IIS Microsoft Windows IIS directory traversal attempt ||
bugtraq,2218 || cve,1999-0229
975 || SERVER-IIS Alternate Data streams ASP file access attempt ||
bugtraq,149 || cve,1999-0278 || nessus,10362 ||
url,support.microsoft.com/default.aspx?scid=kb\;EN-US\;q188806
976 || SERVER-WEBAPP .bat? access || bugtraq,2023 || bugtraq,4335 ||
cve,1999-0233 || cve,2002-0061 ||
url,support.microsoft.com/support/kb/articles/Q148/1/88.asp ||
url,support.microsoft.com/support/kb/articles/Q155/0/56.asp
977 || SERVER-IIS .cnf access || bugtraq,4078 || cve,2002-1717 ||
nessus,10575
978 || SERVER-IIS ASP contents view || bugtraq,1084 || cve,2000-0302 ||
nessus,10356 || url,technet.microsoft.com/en-us/security/bulletin/MS00-006
979 || SERVER-IIS ASP contents view || bugtraq,1861 || cve,2000-0942 ||
url,technet.microsoft.com/en-us/security/bulletin/MS00-006
980 || SERVER-IIS CGImail.exe access || bugtraq,1623 || cve,2000-0726 ||
nessus,11721
984 || SERVER-IIS JET VBA access || bugtraq,307 || cve,1999-0874 ||
nessus,10116
985 || SERVER-IIS JET VBA access || bugtraq,286 || cve,1999-0874
986 || SERVER-IIS MSProxy access || url,support.microsoft.com/?
kbid=331066
987 || FILE-IDENTIFY .htr access file download request || bugtraq,1488 ||
cve,2000-0630 || cve,2001-0004 || nessus,10680 ||
url,technet.microsoft.com/en-us/security/bulletin/ms01-004
989 || MALWARE-CNC sensepost.exe command shell || nessus,11003
990 || SERVER-OTHER Microsoft Frontpage _vti_inf.html access ||
nessus,11455
991 || SERVER-IIS achg.htr access || bugtraq,2110 || cve,1999-0407
992 || SERVER-IIS adctest.asp access
993 || SERVER-IIS iisadmin access || bugtraq,189 || cve,1999-1538 ||
nessus,11032
994 || SERVER-IIS /scripts/iisadmin/default.htm access
995 || SERVER-IIS ism.dll access || bugtraq,189 || cve,1999-1538 ||
cve,2000-0630
996 || SERVER-IIS anot.htr access || bugtraq,2110 || cve,1999-0407
997 || SERVER-IIS asp-dot attempt || bugtraq,1814 || nessus,10363
998 || SERVER-IIS asp-srch attempt
999 || SERVER-IIS bdir access || bugtraq,2280
1000 || SERVER-IIS bdir.htr access || bugtraq,2280 || nessus,10577
1001 || SERVER-WEBAPP carbo.dll access || bugtraq,2126 || cve,1999-1069
1002 || SERVER-IIS cmd.exe access
1003 || SERVER-IIS cmd? access
1004 || SERVER-IIS codebrowser Exair access || cve,1999-0499 || cve,1999-0815
1005 || SERVER-IIS codebrowser SDK access || bugtraq,167 || cve,1999-0736
1007 || SERVER-IIS Form_JScript.asp access || bugtraq,1594 ||
bugtraq,1595 || cve,2000-0746 || cve,2000-1104 || nessus,10572 ||

url,technet.microsoft.com/en-us/security/bulletin/MS00-028 ||
url,technet.microsoft.com/en-us/security/bulletin/MS00-060
1008 || SERVER-IIS del attempt
1009 || SERVER-IIS directory listing || nessus,10573
1010 || SERVER-IIS encoding access || bugtraq,886 || cve,2000-0024 ||
url,technet.microsoft.com/en-us/security/bulletin/MS99-061
1011 || SERVER-IIS exec-src access
1012 || SERVER-IIS fpcount attempt || bugtraq,2252 || cve,1999-1376
1013 || SERVER-IIS fpcount access || bugtraq,2252 || cve,1999-1376
1015 || SERVER-IIS getdrvs.exe access
1016 || SERVER-IIS global.asa access || cve,2000-0778 || cve,2001-0004 ||
nessus,10491 || nessus,10991 || url,technet.microsoft.com/en-us/security/bulletin/ms01-004
1017 || SERVER-IIS idc-srch attempt || cve,1999-0874
1018 || SERVER-IIS iisadmpwd attempt || bugtraq,2110 || cve,1999-0407 ||
nessus,10371
1019 || SERVER-IIS Malformed Hit-Highlighting Argument File Access
Attempt || bugtraq,950 || cve,2000-0097 || url,technet.microsoft.com/en-us/security/bulletin/ms00-006 ||
url,www.securityfocus.com/archive/1/43762
1020 || SERVER-IIS isc$data attempt || bugtraq,307 || cve,1999-0874 ||
nessus,10116
1021 || SERVER-IIS ism.dll attempt || bugtraq,1193 || cve,2000-0457 ||
nessus,10680 || url,technet.microsoft.com/en-us/security/bulletin/MS00-031
1022 || SERVER-IIS jet vba access || bugtraq,286 || cve,1999-0874 ||
url,technet.microsoft.com/en-us/security/bulletin/ms99-030
1023 || SERVER-IIS msadcs.dll access || bugtraq,529 || cve,1999-1011 ||
nessus,10357 || url,technet.microsoft.com/en-us/security/bulletin/ms99-025
1024 || SERVER-IIS newdsn.exe access || bugtraq,1818 || cve,1999-0191 ||
nessus,10360
1025 || SERVER-IIS perl access
1026 || SERVER-IIS perl-browse newline attempt || bugtraq,6833 ||
cve,2003-1365
1027 || SERVER-IIS perl-browse space attempt || bugtraq,6833 || cve,2003-1365
1028 || SERVER-IIS query.asp access || bugtraq,193 || cve,1999-0449
1029 || SERVER-IIS scripts-browse access || nessus,11032
1030 || SERVER-IIS search97.vts access || bugtraq,162
1031 || SERVER-IIS /SiteServer/Publishing/viewcode.asp access ||
nessus,10576
1032 || SERVER-IIS showcode access || cve,1999-0737 || nessus,10576 ||
url,technet.microsoft.com/en-us/security/bulletin/ms99-013
1033 || SERVER-IIS viewcode access || cve,1999-0737 || nessus,10576 ||
url,technet.microsoft.com/en-us/security/bulletin/ms99-013
1034 || SERVER-IIS viewcode access || cve,1999-0737 || nessus,10576 ||
url,technet.microsoft.com/en-us/security/bulletin/ms99-013
1035 || SERVER-IIS viewcode access || cve,1999-0737 || nessus,10576 ||
url,technet.microsoft.com/en-us/security/bulletin/ms99-013
1036 || SERVER-IIS viewcode access || cve,1999-0737 || nessus,10576 ||
url,technet.microsoft.com/en-us/security/bulletin/ms99-013

1037 || SERVER-IIS showcode.asp access || bugtraq,167 || cve,1999-0736 ||


nessus,10007 || url,technet.microsoft.com/en-us/security/bulletin/MS99-013
1038 || SERVER-IIS site server config access || bugtraq,256 || cve,1999-1520
1039 || SERVER-IIS srch.htm access
1040 || SERVER-IIS srchadm access || nessus,11032
1041 || SERVER-IIS uploadn.asp access || bugtraq,1811 || cve,1999-0360
1042 || SERVER-IIS view source via translate header || bugtraq,14764 ||
bugtraq,1578 || cve,2000-0778 || nessus,10491
1043 || SERVER-IIS viewcode.asp access || cve,1999-0737 || nessus,10576
1044 || SERVER-IIS webhits access || bugtraq,950 || cve,2000-0097
1045 || SERVER-IIS Unauthorized IP Access Attempt
1046 || SERVER-IIS site/iisamples access || nessus,10370
1047 || SERVER-WEBAPP Netscape Enterprise DOS || bugtraq,2294 ||
cve,2001-0251
1048 || SERVER-WEBAPP Netscape Enterprise directory listing attempt ||
bugtraq,2285 || cve,2001-0250 || nessus,10691
1050 || SERVER-WEBAPP iPlanet GETPROPERTIES attempt || bugtraq,2732 ||
cve,2001-0746
1051 || FILE-OTHER technote main.cgi file directory traversal attempt ||
bugtraq,2156 || cve,2001-0075 || nessus,10584
1052 || SERVER-WEBAPP technote print.cgi directory traversal attempt ||
bugtraq,2156 || cve,2001-0075 || nessus,10584
1053 || SERVER-WEBAPP ads.cgi command execution attempt || bugtraq,2103
|| cve,2001-0025 || nessus,11464
1054 || SERVER-WEBAPP weblogic/tomcat .jsp view source attempt ||
bugtraq,2527
1056 || SERVER-APACHE Apache Tomcat view source attempt || bugtraq,2527
|| cve,2001-0590
1057 || SQL ftp attempt
1058 || SQL xp_enumdsn attempt
1059 || SQL xp_filelist attempt
1060 || SQL xp_availablemedia attempt
1061 || SQL xp_cmdshell attempt || bugtraq,5309
1062 || SERVER-WEBAPP nc.exe attempt
1064 || SERVER-WEBAPP wsh attempt
1065 || SERVER-WEBAPP rcmd attempt
1066 || SERVER-WEBAPP telnet attempt
1067 || SERVER-WEBAPP net attempt
1068 || SERVER-WEBAPP tftp attempt
1069 || SQL xp_regread attempt
1070 || SERVER-WEBAPP WebDAV search access || bugtraq,1756 || cve,2000-0951
1071 || SERVER-WEBAPP .htpasswd access
1072 || SERVER-WEBAPP Lotus Domino directory traversal || bugtraq,2173 ||
cve,2001-0009 || nessus,12248
1073 || SERVER-WEBAPP webhits.exe access || bugtraq,950 || cve,2000-0097
1075 || SERVER-IIS postinfo.asp access || bugtraq,1811 || cve,1999-0360
1076 || SERVER-IIS repost.asp access || nessus,10372
1077 || SQL queryhit.htm access || nessus,10370
1078 || SQL counter.exe access || bugtraq,267 || cve,1999-1030

1079 || OS-WINDOWS Microsoft Windows WebDAV propfind access ||


bugtraq,1656 || cve,2000-0869 || cve,2003-0718 || nessus,10505 ||
url,technet.microsoft.com/en-us/security/bulletin/MS04-030
1080 || SERVER-WEBAPP unify eWave ServletExec upload || bugtraq,1868 ||
bugtraq,1876 || cve,2000-1024 || cve,2000-1025 || nessus,10570
1081 || SERVER-WEBAPP Netscape Servers suite DOS || bugtraq,1868 ||
cve,2000-1025
1082 || SERVER-WEBAPP amazon 1-click cookie theft || bugtraq,1194 ||
cve,2000-0439
1083 || SERVER-WEBAPP unify eWave ServletExec DOS || bugtraq,1868 ||
cve,2000-1025
1084 || SERVER-WEBAPP Allaire JRUN DOS attempt || bugtraq,2337 ||
cve,2000-1049
1085 || SERVER-WEBAPP strings overflow || bugtraq,802
1086 || SERVER-WEBAPP strings overflow || bugtraq,1786 || cve,2000-0967
1088 || SERVER-WEBAPP eXtropia webstore directory traversal ||
bugtraq,1774 || cve,2000-1005 || nessus,10532
1089 || SERVER-WEBAPP shopping cart directory traversal || bugtraq,1777
|| cve,2000-0921
1090 || SERVER-WEBAPP Allaire Pro Web Shell attempt
1091 || SERVER-WEBAPP ICQ Webfront HTTP DOS || bugtraq,1463 || cve,2000-1078
1092 || SERVER-WEBAPP Armada Style Master Index directory traversal ||
bugtraq,1772 || cve,2000-0924 || nessus,10562 ||
url,www.synnergy.net/downloads/advisories/SLA-2000-16.masterindex.txt
1093 || SERVER-WEBAPP cached_feed.cgi moreover shopping cart directory
traversal || bugtraq,1762 || cve,2000-0906
1095 || SERVER-WEBAPP Talentsoft Web+ Source Code view access ||
bugtraq,1722 || url,archives.neohapsis.com/archives/ntbugtraq/2000q3/0168.html
1096 || SERVER-WEBAPP Talentsoft Web+ internal IP Address access ||
bugtraq,1720 || url,archives.neohapsis.com/archives/ntbugtraq/2000q3/0168.html
1097 || SERVER-WEBAPP Talentsoft Web+ exploit attempt || bugtraq,1725
1098 || SERVER-WEBAPP SmartWin CyberOffice Shopping Cart access ||
bugtraq,1734 || cve,2000-0925
1099 || SERVER-WEBAPP cybercop scan
1100 || INDICATOR-SCAN L3retriever HTTP Probe
1101 || INDICATOR-SCAN Webtrends HTTP probe
1102 || SERVER-WEBAPP nessus 1.X 404 probe
1103 || SERVER-WEBAPP Netscape admin passwd || bugtraq,1579 ||
nessus,10468
1105 || SERVER-WEBAPP BigBrother access || bugtraq,1455 || cve,2000-0638
|| nessus,10460
1106 || SERVER-WEBAPP Poll-it access || bugtraq,1431 || cve,2000-0590 ||
nessus,10459
1107 || SERVER-WEBAPP ftp.pl access || bugtraq,1471 || cve,2000-0674 ||
nessus,10467
1108 || SERVER-APACHE Apache Tomcat server snoop access || bugtraq,1532
|| cve,2000-0760 || nessus,10478
1109 || SERVER-WEBAPP ROXEN directory list attempt || bugtraq,1510 ||
cve,2000-0671 || nessus,10479
1110 || SERVER-WEBAPP apache source.asp file access || bugtraq,1457 ||
cve,2000-0628 || nessus,10480

1111 || SERVER-APACHE Apache Tomcat server exploit access || bugtraq,1548


|| cve,2000-0672 || nessus,10477
1115 || SERVER-WEBAPP ICQ webserver DOS || cve,1999-0474 ||
url,www.securiteam.com/exploits/2ZUQ1QAQOG.html
1116 || SERVER-WEBAPP Lotus DelDoc attempt
1117 || SERVER-WEBAPP Lotus EditDoc attempt ||
url,www.securiteam.com/exploits/5NP080A1RE.html
1118 || SERVER-WEBAPP ls%20-l
1119 || SERVER-WEBAPP mlog.phtml access || bugtraq,713 || cve,1999-0068
|| cve,1999-0346
1120 || SERVER-WEBAPP mylog.phtml access || bugtraq,713 || cve,1999-0068
|| cve,1999-0346
1122 || SERVER-WEBAPP /etc/passwd file access attempt
1123 || SERVER-WEBAPP ?PageServices access || bugtraq,1063 ||
bugtraq,7621 || cve,1999-0269
1124 || SERVER-WEBAPP Ecommerce check.txt access
1125 || SERVER-WEBAPP webcart access || cve,1999-0610 || nessus,10298
1126 || SERVER-WEBAPP AuthChangeUrl access || bugtraq,2110 || cve,1999-0407
1127 || SERVER-WEBAPP convert.bas access || bugtraq,2025 || cve,1999-0175
1128 || SERVER-WEBAPP cpshost.dll access || bugtraq,1811 || bugtraq,4002
|| cve,1999-0360
1129 || SERVER-WEBAPP .htaccess access
1130 || SERVER-WEBAPP .wwwacl access
1131 || SERVER-WEBAPP .wwwacl access
1132 || SERVER-WEBAPP Netscape Unixware overflow || bugtraq,908 ||
cve,1999-0744
1133 || INDICATOR-SCAN cybercop os probe
1134 || SERVER-WEBAPP Phorum admin access || bugtraq,2271 || cve,2000-1228
1136 || SERVER-WEBAPP cd..
1137 || SERVER-WEBAPP Phorum authentication access || bugtraq,2274 ||
cve,2000-1230
1139 || SERVER-WEBAPP whisker HEAD/./ ||
url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html
1140 || SERVER-WEBAPP guestbook.pl access || bugtraq,776 || cve,1999-0237
|| cve,1999-1053 || nessus,10099
1141 || SERVER-WEBAPP handler access || bugtraq,380 || cve,1999-0148 ||
nessus,10100
1142 || SERVER-WEBAPP /.... access
1145 || SERVER-WEBAPP root access
1146 || SERVER-WEBAPP Ecommerce import.txt access
1147 || SERVER-WEBAPP cat_ access || bugtraq,374 || cve,1999-0039
1148 || SERVER-WEBAPP Ecommerce import.txt access
1149 || SERVER-WEBAPP count.cgi access || bugtraq,128 || cve,1999-0021 ||
nessus,10049
1150 || SERVER-WEBAPP Domino catalog.nsf access || nessus,10629
1151 || SERVER-WEBAPP Domino domcfg.nsf access || nessus,10629
1152 || SERVER-WEBAPP Domino domlog.nsf access || nessus,10629
1153 || SERVER-WEBAPP Domino log.nsf access || nessus,10629
1154 || SERVER-WEBAPP Domino names.nsf access || nessus,10629
1155 || SERVER-WEBAPP Ecommerce checks.txt access || bugtraq,2281
1156 || SERVER-WEBAPP apache directory disclosure attempt || bugtraq,2503
|| cve,2001-0925

1157 || SERVER-WEBAPP Netscape PublishingXpert access || cve,2000-1196 ||


nessus,10364
1158 || SERVER-WEBAPP windmail.exe access || bugtraq,1073 || cve,2000-0242 || nessus,10365
1159 || SERVER-WEBAPP webplus access || bugtraq,1174 || bugtraq,1720 ||
bugtraq,1722 || bugtraq,1725 || cve,2000-1005
1160 || SERVER-WEBAPP Netscape dir index wp || bugtraq,1063 || cve,2000-0236 || nessus,10352
1161 || SERVER-WEBAPP piranha passwd.php3 access || bugtraq,1149 ||
cve,2000-0322
1162 || SERVER-WEBAPP cart 32 AdminPwd access || bugtraq,1153 ||
cve,2000-0429
1163 || SERVER-WEBAPP webdist.cgi access || bugtraq,374 || cve,1999-0039
|| nessus,10299
1164 || SERVER-WEBAPP shopping cart access || bugtraq,1983 ||
bugtraq,2049 || cve,1999-0607 || cve,2000-1188
1165 || SERVER-WEBAPP Novell Groupwise gwweb.exe access || bugtraq,879 ||
cve,1999-1005 || cve,1999-1006 || nessus,10877
1166 || SERVER-WEBAPP ws_ftp.ini access || bugtraq,547 || cve,1999-1078
1167 || SERVER-WEBAPP rpm_query access || bugtraq,1036 || cve,2000-0192
|| nessus,10340
1168 || SERVER-WEBAPP mall log order access || bugtraq,2266 || cve,1999-0606
1172 || SERVER-WEBAPP bigconf.cgi access || bugtraq,778 || cve,1999-1550
|| nessus,10027
1173 || SERVER-WEBAPP architext_query.pl access || bugtraq,2248 ||
cve,1999-0279 || nessus,10064 ||
url,www2.fedcirc.gov/alerts/advisories/1998/txt/fedcirc.98.03.txt
1174 || SERVER-WEBAPP /cgi-bin/jj access || bugtraq,2002 || cve,1999-0260
|| nessus,10131
1175 || SERVER-WEBAPP wwwboard.pl access || bugtraq,1795 || bugtraq,649
|| cve,1999-0930 || cve,1999-0954
1177 || SERVER-WEBAPP Netscape Enterprise Server directory view ||
bugtraq,1063 || cve,2000-0236
1178 || SERVER-WEBAPP Phorum read access
1179 || SERVER-WEBAPP Phorum violation access || bugtraq,2272 ||
cve,2000-1234
1180 || SERVER-WEBAPP get32.exe access || bugtraq,1485 || bugtraq,770 ||
cve,1999-0885 || nessus,10011
1181 || SERVER-WEBAPP Annex Terminal DOS attempt || cve,1999-1070 ||
nessus,10017
1183 || SERVER-WEBAPP Netscape Enterprise Server directory view ||
bugtraq,1063 || cve,2000-0236 || nessus,10352
1184 || SERVER-WEBAPP Netscape Enterprise Server directory view ||
bugtraq,1063 || cve,2000-0236
1185 || SERVER-WEBAPP bizdbsearch attempt || bugtraq,1104 || cve,2000-0287 || nessus,10383
1186 || SERVER-WEBAPP Netscape Enterprise Server directory view ||
bugtraq,1063 || cve,2000-0236
1187 || SERVER-WEBAPP SalesLogix Eviewer web command attempt ||
bugtraq,1078 || bugtraq,1089 || cve,2000-0278 || cve,2000-0289 ||
nessus,10361
1188 || SERVER-WEBAPP Netscape Enterprise Server directory view ||
bugtraq,1063 || cve,2000-0236

1189 || SERVER-WEBAPP Netscape Enterprise Server directory view ||


bugtraq,1063 || cve,2000-0236
1190 || SERVER-WEBAPP Netscape Enterprise Server directory view ||
bugtraq,1063 || cve,2000-0236
1191 || SERVER-WEBAPP Netscape Enterprise Server directory view ||
bugtraq,1063 || cve,2000-0236
1192 || SERVER-WEBAPP Trend Micro OfficeScan access || bugtraq,1057
1193 || SERVER-WEBAPP oracle web arbitrary command execution attempt ||
bugtraq,1053 || cve,2000-0169 || nessus,10348
1194 || SERVER-WEBAPP sojourn.cgi File attempt || bugtraq,1052 ||
cve,2000-0180 || nessus,10349
1195 || SERVER-WEBAPP sojourn.cgi access || bugtraq,1052 || cve,2000-0180
|| nessus,10349
1196 || SERVER-WEBAPP SGI InfoSearch fname attempt || bugtraq,1031 ||
cve,2000-0207 || nessus,10128
1197 || SERVER-WEBAPP Phorum code access
1198 || SERVER-WEBAPP Netscape Enterprise Server directory view ||
bugtraq,1063 || cve,2000-0236
1199 || SERVER-WEBAPP Compaq Insight directory traversal || bugtraq,282
|| cve,1999-0771
1200 || INDICATOR-COMPROMISE Invalid URL || url,technet.microsoft.com/en-us/security/bulletin/MS00-063
1201 || INDICATOR-COMPROMISE 403 Forbidden
1202 || SERVER-WEBAPP search.vts access || bugtraq,162
1204 || SERVER-WEBAPP ax-admin.cgi access
1205 || SERVER-WEBAPP axs.cgi access
1206 || SERVER-WEBAPP cachemgr.cgi access || bugtraq,2059 || cve,1999-0710 || nessus,10034
1207 || SERVER-WEBAPP htgrep access || cve,2000-0832 || nessus,10495
1208 || SERVER-WEBAPP responder.cgi access || bugtraq,3155
1209 || SERVER-WEBAPP .nsconfig access || url,osvdb.org/show/osvdb/5709
1211 || SERVER-WEBAPP web-map.cgi access
1212 || SERVER-WEBAPP Admin_files access
1213 || SERVER-WEBAPP backup access
1214 || SERVER-WEBAPP intranet access || nessus,11626
1215 || SERVER-WEBAPP ministats admin access
1216 || SERVER-WEBAPP filemail access || cve,1999-1154 || cve,1999-1155
|| url,www.securityfocus.com/archive/1/11175
1217 || SERVER-WEBAPP plusmail access || bugtraq,2653 || cve,2000-0074 ||
nessus,10181
1218 || SERVER-WEBAPP adminlogin access || bugtraq,1164 || bugtraq,1175
|| cve,2000-0332 || cve,2000-0426 || nessus,11748
1219 || SERVER-WEBAPP dfire.cgi access || bugtraq,564 || cve,1999-0913
1220 || SERVER-WEBAPP ultraboard access || bugtraq,1164 || bugtraq,1175
|| cve,2000-0332 || cve,2000-0426 || nessus,11748
1221 || SERVER-WEBAPP Muscat Empower cgi access || bugtraq,2374 ||
cve,2001-0224 || nessus,10609
1222 || SERVER-WEBAPP pals-cgi arbitrary file access attempt ||
bugtraq,2372 || cve,2001-0217 || nessus,10611
1224 || SERVER-WEBAPP ROADS search.pl attempt || bugtraq,2371 ||
cve,2001-0215 || nessus,10627
1225 || X11 MIT Magic Cookie detected
1226 || X11 xopen
1229 || PROTOCOL-FTP CWD ... || bugtraq,9237

1230 || SERVER-WEBAPP VirusWall FtpSave access || bugtraq,2808 ||


cve,2001-0432 || nessus,10733
1231 || SERVER-WEBAPP VirusWall catinfo access || bugtraq,2579 ||
bugtraq,2808 || cve,2001-0432 || nessus,10650
1232 || SERVER-WEBAPP VirusWall catinfo access || bugtraq,2579 ||
bugtraq,2808 || cve,2001-0432 || nessus,10650
1234 || SERVER-WEBAPP VirusWall FtpSaveCSP access || bugtraq,2808 ||
cve,2001-0432 || nessus,10733
1235 || SERVER-WEBAPP VirusWall FtpSaveCVP access || bugtraq,2808 ||
cve,2001-0432 || nessus,10733
1239 || OS-WINDOWS RFParalyze Attempt || bugtraq,1163 || cve,2000-0347 ||
nessus,10392
1240 || SERVER-OTHER MDBMS overflow || bugtraq,1252 || cve,2000-0446 ||
nessus,10422
1241 || SERVER-WEBAPP SWEditServlet directory traversal attempt ||
bugtraq,2868 || cve,2001-0555
1242 || SERVER-IIS ISAPI .ida access || bugtraq,1065 || cve,2000-0071
1243 || SERVER-IIS ISAPI .ida attempt || bugtraq,1065 || cve,2000-0071 ||
cve,2001-0500
1244 || SERVER-IIS ISAPI .idq attempt || bugtraq,1065 || bugtraq,968 ||
cve,2000-0071 || cve,2000-0126 || cve,2001-0500 || nessus,10115
1245 || SERVER-IIS ISAPI .idq access || bugtraq,1065 || cve,2000-0071
1248 || SERVER-OTHER Microsoft Frontpage rad fp30reg.dll access ||
bugtraq,2906 || cve,2001-0341 || cve,2003-0822 || nessus,10699 ||
url,technet.microsoft.com/en-us/security/bulletin/MS01-035
1249 || SERVER-OTHER Microsoft Frontpage rad fp4areg.dll access ||
bugtraq,2906 || cve,2001-0341 || nessus,10699
1250 || OS-OTHER Cisco IOS HTTP configuration attempt || bugtraq,2936 ||
cve,2001-0537 || nessus,10700
1252 || PROTOCOL-TELNET bsd telnet exploit response || bugtraq,3064 ||
cve,2001-0554 || nessus,10709
1253 || PROTOCOL-TELNET bsd exploit client finishing || bugtraq,3064 ||
cve,2001-0554 || nessus,10709
1254 || SERVER-WEBAPP PHPLIB remote command attempt || bugtraq,3079 ||
cve,2001-1370 || nessus,14910
1255 || SERVER-WEBAPP PHPLIB remote command attempt || bugtraq,3079 ||
cve,2001-1370
1256 || SERVER-IIS CodeRed v2 root.exe access ||
url,www.cert.org/advisories/CA-2001-19.html
1257 || SERVER-OTHER Winnuke attack || bugtraq,2010 || cve,1999-0153
1259 || SERVER-WEBAPP SWEditServlet access || bugtraq,2868
1261 || SERVER-OTHER AIX pdnsd overflow || bugtraq,3237 || bugtraq,590 ||
cve,1999-0745
1262 || PROTOCOL-RPC portmap admind request TCP
1263 || PROTOCOL-RPC portmap amountd request TCP || bugtraq,205 || bugtraq,235 || bugtraq,450 || bugtraq,614 || cve,1999-0088 || cve,1999-0210 || cve,1999-0493 || cve,1999-0704
1264 || PROTOCOL-RPC portmap bootparam request TCP
1265 || PROTOCOL-RPC portmap cmsd request TCP
1267 || PROTOCOL-RPC portmap nisd request TCP
1268 || PROTOCOL-RPC portmap pcnfsd request TCP || bugtraq,205 ||
bugtraq,4816 || cve,1999-0078 || cve,1999-0353 || cve,2002-0910
1269 || PROTOCOL-RPC portmap rexd request TCP
1270 || PROTOCOL-RPC portmap rstatd request TCP

1271 || PROTOCOL-RPC portmap rusers request TCP || cve,1999-0626


1272 || PROTOCOL-RPC portmap sadmind request TCP
1273 || PROTOCOL-RPC portmap selection_svc request TCP || bugtraq,205 ||
cve,1999-0209
1274 || PROTOCOL-RPC portmap ttdbserv request TCP || bugtraq,122 ||
bugtraq,3382 || cve,1999-0003 || cve,1999-0687 || cve,1999-1075 ||
cve,2001-0717 || url,www.cert.org/advisories/CA-2001-05.html
1275 || PROTOCOL-RPC portmap yppasswd request TCP
1276 || PROTOCOL-RPC portmap ypserv request TCP || bugtraq,5914 ||
bugtraq,6016 || cve,2000-1042 || cve,2000-1043 || cve,2002-1232
1277 || PROTOCOL-RPC portmap ypupdated request UDP || bugtraq,1749 ||
bugtraq,28383 || cve,1999-0208
1279 || PROTOCOL-RPC portmap snmpXdmi request UDP || bugtraq,2417 || cve,2001-0236 || nessus,10659 || url,www.cert.org/advisories/CA-2001-05.html
1280 || PROTOCOL-RPC portmap listing UDP 111
1281 || PROTOCOL-RPC portmap listing UDP 32771
1283 || SERVER-IIS Microsoft Office Outlook web dos || bugtraq,3223
1284 || SERVER-OTHER readme.eml download attempt ||
url,www.cert.org/advisories/CA-2001-26.html
1285 || SERVER-IIS msdac access || nessus,11032
1286 || SERVER-IIS _mem_bin access || nessus,11032
1288 || SERVER-OTHER Microsoft Frontpage /_vti_bin/ access ||
nessus,11032
1289 || PROTOCOL-TFTP GET Admin.dll || url,www.cert.org/advisories/CA-2001-26.html
1290 || FILE-OTHER readme.eml autoload attempt ||
url,www.cert.org/advisories/CA-2001-26.html
1291 || SERVER-WEBAPP sml3com access || bugtraq,2721 || cve,2001-0740
1292 || INDICATOR-COMPROMISE directory listing
1295 || INDICATOR-COMPROMISE nimda RICHED20.DLL || url,www.f-secure.com/v-descs/nimda.shtml
1300 || SERVER-WEBAPP admin.php file upload attempt || bugtraq,3361 ||
cve,2001-1032
1301 || SERVER-WEBAPP admin.php access || bugtraq,3361 || bugtraq,7532 ||
bugtraq,9270 || cve,2001-1032
1302 || SERVER-WEBAPP console.exe access || bugtraq,3375 || cve,2001-1252
1303 || SERVER-WEBAPP cs.exe access || bugtraq,3375 || cve,2001-1252
1304 || SERVER-WEBAPP txt2html.cgi access
1305 || SERVER-WEBAPP txt2html.cgi directory traversal attempt
1307 || SERVER-WEBAPP store.cgi access || bugtraq,2385 || cve,2001-0305
|| nessus,10639
1308 || SERVER-WEBAPP sendmessage.cgi access || bugtraq,3673 || cve,2001-1100
1309 || SERVER-WEBAPP zsh access || cve,1999-0509 ||
url,www.cert.org/advisories/CA-1996-11.html
1323 || SERVER-OTHER rwhoisd format string attempt || bugtraq,3474 ||
cve,2001-0838 || nessus,10790
1324 || INDICATOR-SHELLCODE ssh CRC32 overflow /bin/sh || bugtraq,2347 ||
cve,2001-0144 || cve,2001-0572
1325 || INDICATOR-SHELLCODE ssh CRC32 overflow filler || bugtraq,2347 ||
cve,2001-0144 || cve,2001-0572
1326 || INDICATOR-SHELLCODE ssh CRC32 overflow NOOP || bugtraq,2347 ||
cve,2001-0144 || cve,2001-0572

1327 || INDICATOR-SHELLCODE ssh CRC32 overflow || bugtraq,2347 || cve,2001-0144 || cve,2001-0572 || nessus,10607
1374 || SERVER-WEBAPP .htgroup access
1375 || SERVER-WEBAPP sadmind worm access ||
url,www.cert.org/advisories/CA-2001-11.html
1376 || SERVER-WEBAPP jrun directory browse attempt || bugtraq,3592 ||
cve,2001-1510
1377 || PROTOCOL-FTP wu-ftp bad file completion attempt || bugtraq,3581
|| bugtraq,3707 || cve,2001-0550 || cve,2001-0886 || nessus,10821
1378 || PROTOCOL-FTP wu-ftp bad file completion attempt || bugtraq,3581
|| bugtraq,3707 || cve,2001-0550 || cve,2001-0886 || nessus,10821
1379 || PROTOCOL-FTP STAT overflow attempt || bugtraq,3507 ||
bugtraq,8542 || cve,2001-0325 || cve,2001-1021 || cve,2003-0772 ||
cve,2011-0762 || url,labs.defcom.com/adv/2001/def-2001-31.txt
1380 || SERVER-IIS Form_VBScript.asp access || bugtraq,1594 ||
bugtraq,1595 || cve,2000-0746 || cve,2000-1104 || nessus,10572 ||
url,technet.microsoft.com/en-us/security/bulletin/MS00-060
1381 || SERVER-WEBAPP Trend Micro OfficeScan attempt || bugtraq,1057
1382 || SERVER-OTHER CHAT IRC Ettercap parse overflow attempt ||
url,www.bugtraq.org/dev/GOBBLES-12.txt
1384 || OS-WINDOWS Microsoft Windows UPnP malformed advertisement ||
bugtraq,3723 || cve,2001-0876 || cve,2001-0877 || nessus,10829 ||
url,technet.microsoft.com/en-us/security/bulletin/MS01-059
1385 || SERVER-WEBAPP mod-plsql administration access || bugtraq,3726 ||
bugtraq,3727 || cve,2001-1216 || cve,2001-1217 || nessus,10849
1386 || SERVER-MSSQL raiserror possible buffer overflow || bugtraq,3733 || cve,2001-0542 || url,technet.microsoft.com/en-us/security/bulletin/MS01-060
1387 || SQL raiserror possible buffer overflow || bugtraq,3733 ||
cve,2001-0542 || nessus,11217
1388 || OS-WINDOWS Microsoft Windows UPnP Location overflow attempt ||
bugtraq,3723 || cve,2001-0876 || cve,2007-2386 || nessus,10829 ||
url,technet.microsoft.com/en-us/security/bulletin/MS01-059
1390 || INDICATOR-SHELLCODE x86 inc ebx NOOP
1392 || SERVER-WEBAPP lastlines.cgi access || bugtraq,3754 ||
bugtraq,3755 || cve,2001-1205 || cve,2001-1206
1393 || POLICY-SOCIAL AIM AddGame attempt || bugtraq,3769 || cve,2002-0005 || url,www.w00w00.org/files/w00aimexp/
1394 || INDICATOR-SHELLCODE x86 inc ecx NOOP
1395 || SERVER-WEBAPP zml.cgi attempt || bugtraq,3759 || cve,2001-1209 ||
nessus,10830
1396 || SERVER-WEBAPP zml.cgi access || bugtraq,3759 || cve,2001-1209 ||
nessus,10830
1397 || SERVER-WEBAPP wayboard attempt || bugtraq,2370 || cve,2001-0214
|| nessus,10610
1398 || SERVER-OTHER CDE dtspcd exploit attempt || bugtraq,3517 || cve,2001-0803 || nessus,10833 || url,www.cert.org/advisories/CA-2002-01.html
1399 || SERVER-WEBAPP PHP-Nuke remote file include attempt ||
bugtraq,3889 || cve,2002-0206
1400 || SERVER-IIS /scripts/samples/ access || nessus,10370
1401 || SERVER-IIS /msadc/samples/ access || bugtraq,167 || cve,1999-0736
|| nessus,1007
1402 || SERVER-IIS iissamples access || nessus,11032

1405 || SERVER-WEBAPP AHG search.cgi access || bugtraq,3985 || cve,2002-2113


1406 || SERVER-WEBAPP agora.cgi access || bugtraq,3702 || bugtraq,3976 ||
cve,2001-1199 || cve,2002-0215 || nessus,10836
1407 || SERVER-WEBAPP smssend.php access || bugtraq,3982 || cve,2002-0220
1408 || SERVER-OTHER MSDTC attempt || bugtraq,4006 || cve,2002-0224 ||
nessus,10939
1409 || PROTOCOL-SNMP community string buffer overflow attempt ||
bugtraq,4088 || bugtraq,4089 || cve,2002-0012 || cve,2002-0013 ||
url,www.cert.org/advisories/CA-2002-03.html
1410 || SERVER-WEBAPP dcboard.cgi access || bugtraq,2728 || cve,2001-0527
|| nessus,10583
1411 || PROTOCOL-SNMP public access udp || bugtraq,2112 || bugtraq,4088
|| bugtraq,4089 || cve,1999-0517 || cve,2002-0012 || cve,2002-0013
1412 || PROTOCOL-SNMP public access tcp || bugtraq,2112 || bugtraq,4088
|| bugtraq,4089 || bugtraq,7212 || cve,1999-0517 || cve,2002-0012 ||
cve,2002-0013
1413 || PROTOCOL-SNMP private access udp || bugtraq,4088 || bugtraq,4089
|| bugtraq,4132 || bugtraq,7212 || cve,2002-0012 || cve,2002-0013
1414 || PROTOCOL-SNMP private access tcp || bugtraq,4088 || bugtraq,4089
|| bugtraq,4132 || cve,2002-0012 || cve,2002-0013
1415 || PROTOCOL-SNMP Broadcast request || bugtraq,4088 || bugtraq,4089
|| bugtraq,4132 || cve,2002-0012 || cve,2002-0013
1416 || PROTOCOL-SNMP broadcast trap || bugtraq,4088 || bugtraq,4089 ||
bugtraq,4132 || cve,2002-0012 || cve,2002-0013
1417 || PROTOCOL-SNMP request udp || bugtraq,4088 || bugtraq,4089 ||
bugtraq,4132 || cve,2002-0012 || cve,2002-0013
1418 || PROTOCOL-SNMP request tcp || bugtraq,4088 || bugtraq,4089 ||
bugtraq,4132 || cve,2002-0012 || cve,2002-0013
1419 || PROTOCOL-SNMP trap udp || bugtraq,4088 || bugtraq,4089 ||
bugtraq,4132 || cve,2002-0012 || cve,2002-0013
1420 || PROTOCOL-SNMP trap tcp || bugtraq,4088 || bugtraq,4089 ||
bugtraq,4132 || cve,2002-0012 || cve,2002-0013
1421 || PROTOCOL-SNMP AgentX/tcp request || bugtraq,4088 || bugtraq,4089
|| bugtraq,4132 || cve,2002-0012 || cve,2002-0013
1422 || PROTOCOL-SNMP community string buffer overflow attempt with
evasion || bugtraq,4088 || bugtraq,4089 || cve,2002-0012 || cve,2002-0013
|| url,www.cert.org/advisories/CA-2002-03.html
1423 || SERVER-WEBAPP content-disposition memchr overflow || bugtraq,4183
|| cve,2002-0081 || nessus,10867
1425 || SERVER-WEBAPP content-disposition file upload attempt ||
bugtraq,4183 || cve,2002-0081 || nessus,10867
1426 || PROTOCOL-SNMP PROTOS test-suite-req-app attempt ||
url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html
1427 || PROTOCOL-SNMP PROTOS test-suite-trap-app attempt ||
url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html
1428 || POLICY-MULTIMEDIA audio galaxy keepalive
1432 || PUA-P2P GNUTella client request
1433 || SERVER-WEBAPP .history access
1434 || SERVER-WEBAPP .bash_history access || bugtraq,337 || cve,1999-0408
1435 || PROTOCOL-DNS named authors attempt || nessus,10728
1436 || POLICY-MULTIMEDIA Apple Quicktime User Agent access
1437 || FILE-IDENTIFY Microsoft Windows Media download detected

1439 || POLICY-MULTIMEDIA Shoutcast playlist redirection


1440 || POLICY-MULTIMEDIA Icecast playlist redirection
1441 || PROTOCOL-TFTP GET nc.exe
1442 || PROTOCOL-TFTP GET shadow
1443 || PROTOCOL-TFTP GET passwd
1444 || PROTOCOL-TFTP Get
1445 || INDICATOR-COMPROMISE FTP file_id.diz access possible warez site
1446 || SERVER-MAIL vrfy root
1447 || POLICY-OTHER Microsoft Windows Terminal server RDP attempt ||
bugtraq,3099 || cve,2001-0540 || cve,2001-0663 || nessus,10940 ||
url,technet.microsoft.com/en-us/security/bulletin/MS01-040 ||
url,technet.microsoft.com/en-us/security/bulletin/MS01-052
1448 || POLICY-OTHER Microsoft Windows Terminal server request attempt ||
bugtraq,3099 || cve,2001-0540 || cve,2001-0663 || nessus,10940 ||
url,technet.microsoft.com/en-us/security/bulletin/MS01-040 ||
url,technet.microsoft.com/en-us/security/bulletin/MS01-052
1450 || SERVER-MAIL Vintra Mailserver expn *@ || cve,1999-1200
1451 || SERVER-WEBAPP NPH-maillist access || bugtraq,2563 || cve,2001-0400 || nessus,10164
1452 || SERVER-WEBAPP args.cmd access || cve,1999-1180 || nessus,11465
1453 || SERVER-WEBAPP AT-generated.cgi access || cve,1999-1072
1454 || SERVER-WEBAPP wwwwais access || cve,2001-0223 || nessus,10597
1455 || SERVER-WEBAPP calendar.pl access || bugtraq,1215 || cve,2000-0432
1456 || SERVER-WEBAPP calender_admin.pl access || cve,2000-0432 ||
nessus,10506
1457 || SERVER-WEBAPP user_update_admin.pl access || bugtraq,1486 ||
cve,2000-0627
1458 || SERVER-WEBAPP user_update_passwd.pl access || bugtraq,1486 ||
cve,2000-0627
1459 || SERVER-WEBAPP bb-histlog.sh access || bugtraq,142 || cve,1999-1462 || nessus,10025
1460 || SERVER-WEBAPP bb-histsvc.sh access || bugtraq,142 || cve,1999-1462
1461 || SERVER-WEBAPP bb-rep.sh access || bugtraq,142 || cve,1999-1462
1462 || SERVER-WEBAPP bb-replog.sh access || bugtraq,142 || cve,1999-1462
1463 || POLICY-SOCIAL IRC message
1464 || INDICATOR-COMPROMISE oracle one hour install || nessus,10737
1465 || SERVER-WEBAPP auktion.cgi access || bugtraq,2367 || cve,2001-0212
|| nessus,10638
1466 || SERVER-WEBAPP cgiforum.pl access || bugtraq,1963 || cve,2000-1171
|| nessus,10552
1467 || SERVER-WEBAPP directorypro.cgi access || bugtraq,2793 ||
cve,2001-0780 || nessus,10679
1468 || SERVER-WEBAPP Web Shopper shopper.cgi attempt || bugtraq,1776 ||
cve,2000-0922 || nessus,10533
1469 || SERVER-WEBAPP Web Shopper shopper.cgi access || bugtraq,1776 ||
cve,2000-0922
1470 || SERVER-WEBAPP listrec.pl access || bugtraq,3328 || cve,2001-0997
|| nessus,10769
1471 || SERVER-WEBAPP mailnews.cgi access || bugtraq,2391 || cve,2001-0271 || nessus,10641
1472 || SERVER-WEBAPP book.cgi access || bugtraq,3178 || cve,2001-1114 ||
nessus,10721

1473 || SERVER-WEBAPP newsdesk.cgi access || bugtraq,2172 || cve,2001-0232 || nessus,10586


1474 || SERVER-WEBAPP cal_make.pl access || bugtraq,2663 || cve,2001-0463
|| nessus,10664
1475 || SERVER-WEBAPP mailit.pl access || nessus,10417
1476 || SERVER-WEBAPP sdbsearch.cgi access || bugtraq,1658 || cve,2001-1130 || nessus,10503 || nessus,10720
1478 || SERVER-WEBAPP Simple Web Counter URI Parameter Buffer Overflow
attempt || bugtraq,6581 || nessus,10493 || url,osvdb.org/show/osvdb/392
1479 || SERVER-WEBAPP ttawebtop.cgi arbitrary file attempt ||
bugtraq,2890 || cve,2001-0805 || nessus,10696
1480 || SERVER-WEBAPP ttawebtop.cgi access || bugtraq,2890 || cve,2001-0805 || nessus,10696
1481 || SERVER-WEBAPP upload.cgi access || nessus,10290
1482 || SERVER-WEBAPP view_source access || bugtraq,2251 || cve,1999-0174
|| nessus,10294
1483 || SERVER-WEBAPP ustorekeeper.pl access || cve,2001-0466 ||
nessus,10645
1485 || SERVER-IIS mkilog.exe access || nessus,10359 ||
url,osvdb.org/show/osvdb/274
1486 || SERVER-IIS ctss.idc access || nessus,10359
1487 || SERVER-IIS /iisadmpwd/aexp2.htr access || bugtraq,2110 ||
bugtraq,4236 || cve,1999-0407 || cve,2002-0421 || nessus,10371
1488 || SERVER-WEBAPP store.cgi directory traversal attempt ||
bugtraq,2385 || cve,2001-0305 || nessus,10639
1489 || SERVER-WEBAPP nobody access || nessus,10484
1490 || SERVER-WEBAPP Phorum /support/common.php attempt || bugtraq,1997
1491 || SERVER-WEBAPP Phorum /support/common.php access || bugtraq,1997
|| bugtraq,9361 || cve,2004-0034
1492 || SERVER-WEBAPP RBS ISP /newuser directory traversal attempt ||
bugtraq,1704 || cve,2000-1036 || nessus,10521
1493 || SERVER-WEBAPP RBS ISP /newuser access || bugtraq,1704 ||
cve,2000-1036 || nessus,10521
1494 || SERVER-WEBAPP SIX webboard generate.cgi attempt || bugtraq,3175
|| cve,2001-1115 || nessus,10725
1495 || SERVER-WEBAPP SIX webboard generate.cgi access || bugtraq,3175 ||
cve,2001-1115 || nessus,10725
1496 || SERVER-WEBAPP spin_client.cgi access || nessus,10393
1499 || SERVER-WEBAPP SiteScope Service access || nessus,10778
1500 || SERVER-WEBAPP ExAir access || bugtraq,193 || cve,1999-0449 ||
nessus,10002 || nessus,10003 || nessus,10004
1501 || SERVER-WEBAPP a1stats a1disp3.cgi directory traversal attempt ||
bugtraq,2705 || cve,2001-0561 || nessus,10669
1502 || SERVER-WEBAPP a1stats a1disp3.cgi access || bugtraq,2705 ||
cve,2001-0561 || nessus,10669
1503 || SERVER-WEBAPP admentor admin.asp access || bugtraq,4152 ||
cve,2002-0308 || nessus,10880 ||
url,www.securiteam.com/windowsntfocus/5DP0N1F6AW.html
1504 || POLICY-OTHER AFS access || nessus,10441
1505 || SERVER-WEBAPP alchemy http server PRN arbitrary command execution
attempt || bugtraq,3599 || cve,2001-0871 || nessus,10818
1506 || SERVER-WEBAPP alchemy http server NUL arbitrary command execution
attempt || bugtraq,3599 || cve,2001-0871 || nessus,10818

1507 || SERVER-WEBAPP alibaba.pl arbitrary command execution attempt || bugtraq,770 || cve,1999-0885 || nessus,10013
1508 || SERVER-WEBAPP alibaba.pl access || bugtraq,770 || cve,1999-0885
|| nessus,10013
1509 || SERVER-WEBAPP AltaVista Intranet Search directory traversal
attempt || bugtraq,896 || cve,2000-0039 || nessus,10015
1510 || SERVER-WEBAPP test.bat arbitrary command execution attempt ||
bugtraq,762 || cve,1999-0947 || nessus,10016
1511 || SERVER-WEBAPP test.bat access || bugtraq,762 || cve,1999-0947 ||
nessus,10016
1512 || SERVER-WEBAPP input.bat arbitrary command execution attempt ||
bugtraq,762 || cve,1999-0947 || nessus,10016
1513 || SERVER-WEBAPP input.bat access || bugtraq,762 || cve,1999-0947 ||
nessus,10016
1514 || SERVER-WEBAPP input2.bat arbitrary command execution attempt ||
bugtraq,762 || cve,1999-0947 || nessus,10016
1515 || SERVER-WEBAPP input2.bat access || bugtraq,762 || cve,1999-0947
|| nessus,10016
1516 || SERVER-WEBAPP envout.bat arbitrary command execution attempt ||
bugtraq,762 || cve,1999-0947 || nessus,10016
1517 || SERVER-WEBAPP envout.bat access || bugtraq,762 || cve,1999-0947
|| nessus,10016
1518 || SERVER-WEBAPP nstelemetry.adp access || nessus,10753
1519 || SERVER-WEBAPP apache ?M=D directory list attempt || bugtraq,3009
|| cve,2001-0731 || nessus,10704
1520 || SERVER-WEBAPP server-info access ||
url,httpd.apache.org/docs/mod/mod_info.html
1521 || SERVER-WEBAPP server-status access ||
url,httpd.apache.org/docs/mod/mod_info.html
1522 || SERVER-WEBAPP ans.pl attempt || bugtraq,4147 || bugtraq,4149 ||
cve,2002-0306 || cve,2002-0307 || nessus,10875
1523 || SERVER-WEBAPP ans.pl access || bugtraq,4147 || bugtraq,4149 ||
cve,2002-0306 || cve,2002-0307 || nessus,10875
1524 || SERVER-WEBAPP Axis Storpoint CD attempt || bugtraq,1025 ||
cve,2000-0191 || nessus,10023
1525 || SERVER-WEBAPP Axis Storpoint CD access || bugtraq,1025 ||
cve,2000-0191 || nessus,10023
1526 || SERVER-WEBAPP basilix sendmail.inc access || bugtraq,2198 ||
cve,2001-1044 || nessus,10601
1527 || SERVER-WEBAPP basilix mysql.class access || bugtraq,2198 ||
cve,2001-1044 || nessus,10601
1528 || SERVER-WEBAPP BBoard access || bugtraq,1459 || cve,2000-0629 ||
nessus,10507
1529 || PROTOCOL-FTP SITE overflow attempt || cve,1999-0838 || cve,2001-0755 || cve,2001-0770
1531 || SERVER-WEBAPP bb-hist.sh attempt || bugtraq,142 || cve,1999-1462
|| nessus,10025
1532 || SERVER-WEBAPP bb-hostscv.sh attempt || bugtraq,1455 || cve,2000-0638 || nessus,10460
1533 || SERVER-WEBAPP bb-hostscv.sh access || bugtraq,1455 || cve,2000-0638 || nessus,10460
1534 || SERVER-WEBAPP agora.cgi attempt || bugtraq,3702 || bugtraq,3976
|| cve,2001-1199 || cve,2002-0215 || nessus,10836

1535 || SERVER-WEBAPP bizdbsearch access || bugtraq,1104 || cve,2000-0287 || nessus,10383
1536 || SERVER-WEBAPP calendar_admin.pl arbitrary command execution
attempt || bugtraq,1215 || cve,2000-0432 || nessus,10506
1537 || SERVER-WEBAPP calendar_admin.pl access || bugtraq,1215 ||
cve,2000-0432 || nessus,10506
1538 || PROTOCOL-NNTP AUTHINFO USER overflow attempt || bugtraq,1156 ||
cve,2000-0341 || nessus,10388
1539 || SERVER-WEBAPP /cgi-bin/ls access || bugtraq,936 || cve,2000-0079
|| nessus,10037
1540 || SERVER-OTHER Adobe Coldfusion ?Mode=debug attempt || cve,1999-0760 || nessus,10797
1541 || PROTOCOL-FINGER version query
1542 || SERVER-WEBAPP cgimail access || bugtraq,1623 || cve,2000-0726 ||
nessus,11721
1543 || SERVER-WEBAPP cgiwrap access || bugtraq,1238 || bugtraq,3084 ||
bugtraq,777 || cve,1999-1530 || cve,2000-0431 || cve,2001-0987 ||
nessus,10041
1544 || SERVER-WEBAPP Cisco Catalyst command execution attempt ||
bugtraq,1846 || cve,2000-0945 || nessus,10545
1545 || SERVER-OTHER Cisco denial of service attempt
1546 || SERVER-WEBAPP Cisco HTTP double-percent DOS attempt ||
bugtraq,1154 || cve,2000-0380 || nessus,10387
1547 || SERVER-WEBAPP csSearch.cgi arbitrary command execution attempt ||
bugtraq,4368 || cve,2002-0495 || nessus,10924
1548 || SERVER-WEBAPP csSearch.cgi access || bugtraq,4368 || cve,2002-0495 || nessus,10924
1549 || SERVER-MAIL HELO overflow attempt || bugtraq,7726 || bugtraq,895
|| cve,2000-0042 || nessus,10324 || nessus,11674
1550 || SERVER-MAIL ETRN overflow attempt || bugtraq,1297 || bugtraq,7515
|| cve,2000-0490 || nessus,10438
1551 || SERVER-WEBAPP /CVS/Entries access || nessus,10922 || nessus,11032
1552 || SERVER-WEBAPP cvsweb version access || cve,2000-0670 ||
nessus,10465
1554 || SERVER-WEBAPP dbman db.cgi access || bugtraq,1178 || cve,2000-0381 || nessus,10403
1555 || SERVER-WEBAPP DCShop access || bugtraq,2889 || cve,2001-0821
1556 || SERVER-WEBAPP DCShop orders.txt access || bugtraq,2889 ||
cve,2001-0821
1557 || SERVER-WEBAPP DCShop auth_user_file.txt access || bugtraq,2889 ||
cve,2001-0821
1558 || SERVER-WEBAPP Delegate whois overflow attempt || cve,2000-0165 ||
nessus,10054
1559 || SERVER-WEBAPP /doc/packages access || bugtraq,1707 || cve,2000-1016 || nessus,10518 || nessus,11032
1560 || SERVER-WEBAPP /doc/ access || bugtraq,318 || cve,1999-0678
1562 || PROTOCOL-FTP SITE CHOWN overflow attempt || bugtraq,2120 ||
cve,2001-0065 || nessus,10579
1563 || SERVER-WEBAPP login.htm attempt || bugtraq,665 || cve,1999-1533
1564 || SERVER-WEBAPP login.htm access || bugtraq,665 || cve,1999-1533
1565 || SERVER-WEBAPP eshop.pl arbitrary command execution attempt ||
bugtraq,3340 || cve,2001-1014
1566 || SERVER-WEBAPP eshop.pl access || bugtraq,3340 || cve,2001-1014

1567 || SERVER-IIS /exchange/root.asp attempt || bugtraq,3301 || cve,2001-0660 || nessus,10755 || nessus,10781 || url,technet.microsoft.com/en-us/security/bulletin/MS01-047
1568 || SERVER-IIS /exchange/root.asp access || bugtraq,3301 || cve,2001-0660 || nessus,10755 || nessus,10781
1569 || SERVER-WEBAPP loadpage.cgi directory traversal attempt ||
bugtraq,2109 || cve,2000-1092 || nessus,10065
1570 || SERVER-WEBAPP loadpage.cgi access || bugtraq,2109 || cve,2000-1092 || nessus,10065
1571 || SERVER-WEBAPP dcforum.cgi directory traversal attempt ||
bugtraq,2611 || cve,2001-0436 || cve,2001-0437 || nessus,10583
1572 || SERVER-WEBAPP commerce.cgi arbitrary file access attempt ||
bugtraq,2361 || cve,2001-0210 || nessus,10612
1573 || SERVER-WEBAPP cgiforum.pl attempt || bugtraq,1963 || cve,2000-1171 || nessus,10552
1574 || SERVER-WEBAPP directorypro.cgi attempt || bugtraq,2793 ||
cve,2001-0780 || nessus,10679
1575 || SERVER-WEBAPP Domino mab.nsf access || bugtraq,4022 || cve,2001-1567 || nessus,10953
1576 || SERVER-WEBAPP Domino cersvr.nsf access || nessus,10629
1577 || SERVER-WEBAPP Domino setup.nsf access || nessus,10629
1578 || SERVER-WEBAPP Domino statrep.nsf access || nessus,10629
1579 || SERVER-WEBAPP Domino webadmin.nsf access || bugtraq,9900 ||
bugtraq,9901 || cve,2004-2310 || cve,2004-2311 || cve,2004-2369 ||
nessus,10629
1580 || SERVER-WEBAPP Domino events4.nsf access || nessus,10629
1581 || SERVER-WEBAPP Domino ntsync4.nsf access || nessus,10629
1582 || SERVER-WEBAPP Domino collect4.nsf access || nessus,10629
1583 || SERVER-WEBAPP Domino mailw46.nsf access || nessus,10629
1584 || SERVER-WEBAPP Domino bookmark.nsf access || nessus,10629
1585 || SERVER-WEBAPP Domino agentrunner.nsf access || nessus,10629
1586 || SERVER-WEBAPP Domino mail.box access || bugtraq,881 || cve,2000-0021 || cve,2000-0022 || cve,2000-0023 || nessus,10629
1587 || SERVER-WEBAPP cgitest.exe access || bugtraq,1313 || bugtraq,3885
|| cve,2000-0521 || cve,2002-0128 || nessus,10040 || nessus,10623 ||
nessus,11131
1588 || SERVER-WEBAPP SalesLogix Eviewer access || bugtraq,1078 ||
bugtraq,1089 || cve,2000-0278 || cve,2000-0289
1589 || SERVER-WEBAPP musicat empower attempt || bugtraq,2374 ||
cve,2001-0224 || nessus,10609
1590 || SERVER-WEBAPP faqmanager.cgi arbitrary file access attempt ||
bugtraq,3810 || cve,2002-2033 || nessus,10837
1591 || SERVER-WEBAPP faqmanager.cgi access || bugtraq,3810 || cve,2002-2033 || nessus,10837
1592 || SERVER-WEBAPP /fcgi-bin/echo.exe access || nessus,10838
1593 || SERVER-WEBAPP FormHandler.cgi external site redirection attempt
|| bugtraq,798 || bugtraq,799 || cve,1999-1050 || nessus,10075
1594 || SERVER-WEBAPP FormHandler.cgi access || bugtraq,798 ||
bugtraq,799 || cve,1999-1050 || nessus,10075
1595 || SERVER-IIS htimage.exe access || bugtraq,1117 || bugtraq,964 ||
cve,2000-0122 || cve,2000-0256 || nessus,10376
1597 || SERVER-WEBAPP guestbook.cgi access || cve,1999-0237 ||
nessus,10098

1598 || SERVER-WEBAPP Home Free search.cgi directory traversal attempt || bugtraq,921 || cve,2000-0054 || nessus,10101
1599 || SERVER-WEBAPP search.cgi access || bugtraq,921 || cve,2000-0054
1600 || SERVER-WEBAPP htsearch arbitrary configuration file attempt ||
bugtraq,3410 || cve,2001-0834
1601 || SERVER-WEBAPP htsearch arbitrary file read attempt ||
bugtraq,1026 || cve,2000-0208 || nessus,10105
1602 || SERVER-WEBAPP htsearch access || bugtraq,1026 || cve,2000-0208 ||
nessus,10105
1603 || SERVER-WEBAPP DELETE attempt || nessus,10498
1604 || SERVER-WEBAPP iChat directory traversal attempt || cve,1999-0897
1605 || SERVER-OTHER iParty DOS attempt || bugtraq,6844 || cve,1999-1566
|| nessus,10111
1606 || SERVER-WEBAPP icat access || cve,1999-1069
1607 || SERVER-WEBAPP HyperSeek hsx.cgi access || bugtraq,2314 ||
cve,2001-0253 || nessus,10602
1608 || SERVER-WEBAPP htmlscript attempt || bugtraq,2001 || cve,1999-0264
|| nessus,10106
1610 || SERVER-WEBAPP formmail arbitrary command execution attempt ||
bugtraq,1187 || bugtraq,2079 || cve,1999-0172 || cve,2000-0411 ||
nessus,10076 || nessus,10782
1611 || SERVER-WEBAPP eXtropia webstore access || bugtraq,1774 ||
cve,2000-1005 || nessus,10532
1612 || SERVER-WEBAPP ftp.pl attempt || bugtraq,1471 || cve,2000-0674 ||
nessus,10467
1613 || SERVER-WEBAPP handler attempt || bugtraq,380 || cve,1999-0148 ||
nessus,10100
1614 || SERVER-WEBAPP Novell Groupwise gwweb.exe attempt || bugtraq,879
|| cve,1999-1005 || cve,1999-1006 || nessus,10877
1615 || SERVER-WEBAPP htgrep attempt || cve,2000-0832 || nessus,10495
1616 || PROTOCOL-DNS named version attempt || nessus,10028
1617 || SERVER-WEBAPP Bugzilla doeditvotes.cgi access || bugtraq,3800 ||
cve,2002-0011
1618 || SERVER-IIS .asp chunked Transfer-Encoding || bugtraq,4474 ||
bugtraq,4485 || cve,2002-0071 || cve,2002-0079 || nessus,10932
1621 || PROTOCOL-FTP CMD overflow attempt
1622 || PROTOCOL-FTP RNFR ././ attempt || cve,1999-0081
1623 || PROTOCOL-FTP invalid MODE || url,www.faqs.org/rfcs/rfc959.html
1624 || PROTOCOL-FTP PWD overflow attempt
1625 || PROTOCOL-FTP SYST overflow attempt ||
url,www.faqs.org/rfcs/rfc959.html
1626 || SERVER-IIS /StoreCSVS/InstantOrder.asmx request
1628 || SERVER-WEBAPP FormHandler.cgi directory traversal attempt attempt
|| bugtraq,798 || bugtraq,799 || cve,1999-1050 || nessus,10075
1631 || POLICY-SOCIAL AIM login
1634 || PROTOCOL-POP PASS overflow attempt || bugtraq,21645 ||
bugtraq,791 || cve,1999-1511 || cve,2006-6605 || nessus,10325
1635 || PROTOCOL-POP APOP overflow attempt || bugtraq,1652 || cve,2000-0840 || cve,2000-0841 || nessus,10559
1636 || SERVER-OTHER Xtramail Username overflow attempt || bugtraq,791 ||
cve,1999-1511 || nessus,10323
1637 || SERVER-WEBAPP yabb access || bugtraq,1668 || cve,2000-0853 ||
nessus,10512
1638 || INDICATOR-SCAN SSH Version map attempt

1639 || POLICY-SOCIAL IRC DCC file transfer request


1640 || POLICY-SOCIAL IRC DCC chat request
1641 || SERVER-OTHER DB2 dos attempt || bugtraq,3010 || cve,2001-1143 ||
nessus,10871
1642 || SERVER-WEBAPP document.d2w access || bugtraq,2017 || cve,2000-1110
1643 || SERVER-WEBAPP db2www access || cve,2000-0677
1644 || SERVER-WEBAPP test-cgi attempt || bugtraq,2003 || cve,1999-0070
|| nessus,10282
1645 || SERVER-WEBAPP testcgi access || bugtraq,7214 || cve,2003-1531 ||
nessus,11610
1646 || SERVER-WEBAPP test.cgi access
1648 || SERVER-WEBAPP perl.exe command attempt || cve,1999-0509 ||
nessus,10173 || url,www.cert.org/advisories/CA-1996-11.html
1649 || SERVER-WEBAPP perl command attempt || cve,1999-0509 ||
nessus,10173 || url,www.cert.org/advisories/CA-1996-11.html
1650 || SERVER-WEBAPP tst.bat access || bugtraq,770 || cve,1999-0885 ||
nessus,10014
1651 || SERVER-WEBAPP environ.pl access
1652 || SERVER-WEBAPP campas attempt || bugtraq,1975 || cve,1999-0146 ||
nessus,10035
1654 || SERVER-WEBAPP cart32.exe access || bugtraq,1153 || nessus,10389
1655 || SERVER-WEBAPP pfdispaly.cgi arbitrary command execution attempt
|| cve,1999-0270 || nessus,10174
1656 || SERVER-WEBAPP pfdispaly.cgi access || bugtraq,64 || cve,1999-0270
|| nessus,10174
1657 || SERVER-WEBAPP pagelog.cgi directory traversal attempt ||
bugtraq,1864 || cve,2000-0940 || nessus,10591
1658 || SERVER-WEBAPP pagelog.cgi access || bugtraq,1864 || cve,2000-0940
|| nessus,10591
1659 || SERVER-OTHER Adobe Coldfusion sendmail.cfm access || cve,1999-0760 || cve,2001-0535
1660 || SERVER-IIS trace.axd access || nessus,10993
1661 || SERVER-IIS cmd32.exe access
1662 || SERVER-WEBAPP /~ftp access
1663 || SERVER-WEBAPP *%20.pl access || nessus,11007 ||
url,rtfm.vn.ua/inet/sec/cgi-bugs.htm ||
url,www.securityfocus.com/archive/1/149482
1664 || SERVER-WEBAPP mkplog.exe access
1666 || INDICATOR-COMPROMISE index of /cgi-bin/ response || nessus,10039
1667 || SERVER-WEBAPP cross site scripting HTML Image tag set to
javascript attempt || bugtraq,4858 || cve,2002-0902
1668 || SERVER-WEBAPP /cgi-bin/ access
1669 || SERVER-WEBAPP /cgi-dos/ access
1670 || SERVER-WEBAPP /home/ftp access || nessus,11032
1671 || SERVER-WEBAPP /home/www access || nessus,11032
1672 || PROTOCOL-FTP CWD ~ attempt || bugtraq,2601 || bugtraq,9215 ||
cve,2001-0421
1673 || SERVER-ORACLE EXECUTE_SYSTEM attempt
1674 || SERVER-ORACLE connect_data remote version detection attempt
1675 || SERVER-ORACLE misparsed login response
1676 || SERVER-ORACLE select union attempt
1677 || SERVER-ORACLE select like '%' attempt
1678 || SERVER-ORACLE select like '%' attempt backslash escaped

1679 || SERVER-ORACLE describe attempt


1680 || SERVER-ORACLE all_constraints access
1681 || SERVER-ORACLE all_views access
1682 || SERVER-ORACLE all_source access
1683 || SERVER-ORACLE all_tables access
1684 || SERVER-ORACLE all_tab_columns access
1685 || SERVER-ORACLE all_tab_privs access
1686 || SERVER-ORACLE dba_tablespace access
1687 || SERVER-ORACLE dba_tables access
1688 || SERVER-ORACLE user_tablespace access
1689 || SERVER-ORACLE sys.all_users access
1690 || SERVER-ORACLE grant attempt
1691 || SERVER-ORACLE ALTER USER attempt
1692 || SERVER-ORACLE drop table attempt
1693 || SERVER-ORACLE create table attempt
1694 || SERVER-ORACLE alter table attempt
1695 || SERVER-ORACLE truncate table attempt
1696 || SERVER-ORACLE create database attempt
1697 || SERVER-ORACLE alter database attempt
1700 || SERVER-WEBAPP imagemap.exe access || bugtraq,739 || cve,1999-0951
|| nessus,10122
1701 || SERVER-WEBAPP calendar-admin.pl access || bugtraq,1215 ||
cve,2000-0432 || nessus,10506
1702 || SERVER-WEBAPP Amaya templates sendtemp.pl access || bugtraq,2504
|| cve,2001-0272
1703 || SERVER-WEBAPP auktion.cgi directory traversal attempt ||
bugtraq,2367 || cve,2001-0212 || nessus,10638
1704 || SERVER-WEBAPP cal_make.pl directory traversal attempt ||
bugtraq,2663 || cve,2001-0463 || nessus,10664
1705 || SERVER-WEBAPP echo.bat arbitrary command execution attempt ||
bugtraq,1002 || cve,2000-0213 || nessus,10246
1706 || SERVER-WEBAPP echo.bat access || bugtraq,1002 || cve,2000-0213 ||
nessus,10246
1707 || SERVER-WEBAPP hello.bat arbitrary command execution attempt ||
bugtraq,1002 || cve,2000-0213 || nessus,10246
1708 || SERVER-WEBAPP hello.bat access || bugtraq,1002 || cve,2000-0213
|| nessus,10246
1709 || SERVER-WEBAPP ad.cgi access || bugtraq,2103 || cve,2001-0025 ||
nessus,11464
1710 || SERVER-WEBAPP bbs_forum.cgi access || bugtraq,2177 || cve,2001-0123 || url,www.cgisecurity.com/advisory/3.1.txt
1711 || SERVER-WEBAPP bsguest.cgi access || bugtraq,2159 || cve,2001-0099
1712 || SERVER-WEBAPP bslist.cgi access || bugtraq,2160 || cve,2001-0100
1713 || SERVER-WEBAPP cgforum.cgi access || bugtraq,1951 || cve,2000-1132
1714 || SERVER-WEBAPP newdesk access
1715 || SERVER-WEBAPP register.cgi access || bugtraq,2157 || cve,2001-0076
1716 || SERVER-WEBAPP gbook.cgi access || bugtraq,1940 || cve,2000-1131
1717 || SERVER-WEBAPP simplestguest.cgi access || bugtraq,2106 ||
cve,2001-0022
1718 || SERVER-WEBAPP statsconfig.pl access || bugtraq,2211 || cve,2001-0113
1719 || SERVER-WEBAPP talkback.cgi directory traversal attempt ||
bugtraq,2547 || cve,2001-0420

1720 || SERVER-WEBAPP talkback.cgi access || bugtraq,2547 || cve,2001-0420


1721 || SERVER-WEBAPP adcycle access || bugtraq,3741 || cve,2001-1226
1722 || SERVER-WEBAPP MachineInfo access || cve,1999-1067
1723 || SERVER-WEBAPP emumail.cgi NULL attempt || bugtraq,5824 ||
cve,2002-1526
1724 || SERVER-WEBAPP emumail.cgi access || bugtraq,5824 || cve,2002-1526
1725 || SERVER-IIS +.htr code fragment attempt || bugtraq,1488 ||
cve,2000-0630 || cve,2001-0004 || nessus,10680 ||
url,technet.microsoft.com/en-us/security/bulletin/MS00-044 ||
url,technet.microsoft.com/en-us/security/bulletin/ms01-004
1726 || SERVER-IIS doctodep.btr access
1727 || SERVER-WEBAPP SGI InfoSearch fname access || bugtraq,1031 ||
cve,2000-0207
1729 || POLICY-SOCIAL IRC channel join
1730 || SERVER-WEBAPP ustorekeeper.pl directory traversal attempt ||
bugtraq,2536 || cve,2001-0466 || nessus,10645
1731 || SERVER-WEBAPP a1stats access || bugtraq,2705 || cve,2001-0561 ||
nessus,10669
1732 || PROTOCOL-RPC portmap rwalld request UDP || bugtraq,205 ||
cve,1999-0181
1733 || PROTOCOL-RPC portmap rwalld request TCP || bugtraq,205 ||
cve,1999-0181
1734 || PROTOCOL-FTP USER overflow attempt || bugtraq,10078 ||
bugtraq,10720 || bugtraq,1227 || bugtraq,1504 || bugtraq,15352 ||
bugtraq,1690 || bugtraq,22044 || bugtraq,22045 || bugtraq,4638 ||
bugtraq,49750 || bugtraq,7307 || bugtraq,8376 || cve,1999-1510 ||
cve,1999-1514 || cve,1999-1519 || cve,1999-1539 || cve,2000-0479 ||
cve,2000-0656 || cve,2000-0761 || cve,2000-0943 || cve,2000-1194 ||
cve,2001-0256 || cve,2001-0794 || cve,2001-0826 || cve,2002-0126 ||
cve,2002-1522 || cve,2003-0271 || cve,2004-0286 || cve,2004-0695 ||
cve,2005-3683
1735 || BROWSER-OTHER Mozilla Netscape XMLHttpRequest local file read
attempt || bugtraq,4628 || cve,2002-0354
1736 || SERVER-WEBAPP squirrel mail spell-check arbitrary command attempt
|| bugtraq,3952
1737 || SERVER-WEBAPP squirrel mail theme arbitrary command attempt ||
bugtraq,4385 || cve,2002-0516
1738 || SERVER-WEBAPP global.inc access || bugtraq,4612 || cve,2002-0614
1739 || SERVER-WEBAPP DNSTools administrator authentication bypass
attempt || bugtraq,4617 || cve,2002-0613
1740 || SERVER-WEBAPP DNSTools authentication bypass attempt ||
bugtraq,4617 || cve,2002-0613
1741 || SERVER-WEBAPP DNSTools access || bugtraq,4617 || cve,2002-0613
1742 || SERVER-WEBAPP Blahz-DNS dostuff.php modify user attempt ||
bugtraq,4618 || cve,2002-0599
1743 || SERVER-WEBAPP Blahz-DNS dostuff.php access || bugtraq,4618 ||
cve,2002-0599
1744 || SERVER-WEBAPP SecureSite authentication bypass attempt ||
bugtraq,4621
1745 || SERVER-WEBAPP Messagerie supp_membre.php access || bugtraq,4635
1746 || PROTOCOL-RPC portmap cachefsd request UDP || bugtraq,4674 ||
cve,2002-0033 || cve,2002-0084 || nessus,10951

1747 || PROTOCOL-RPC portmap cachefsd request TCP || bugtraq,4674 ||


cve,2002-0033 || cve,2002-0084 || nessus,10951
1750 || SERVER-IIS users.xml access
1751 || SERVER-OTHER cachefsd buffer overflow attempt || bugtraq,4631 ||
cve,2002-0084 || nessus,10951
1752 || POLICY-SOCIAL AIM AddExternalApp attempt ||
url,www.w00w00.org/files/w00aimexp/
1753 || SERVER-IIS as_web.exe access || bugtraq,4670 || cve,2002-1727 ||
cve,2002-1728
1754 || SERVER-IIS as_web4.exe access || bugtraq,4670 || cve,2002-1727 ||
cve,2002-1728
1755 || PROTOCOL-IMAP partial body buffer overflow attempt ||
bugtraq,4713 || cve,2002-0379 || nessus,10966
1756 || SERVER-IIS NewsPro administration authentication attempt ||
bugtraq,4672 || cve,2002-1734
1757 || SERVER-WEBAPP b2 arbitrary command execution attempt ||
bugtraq,4673 || cve,2002-0734 || cve,2002-1466 || nessus,11667
1759 || SQL xp_cmdshell program execution 445 || bugtraq,5309
1762 || SERVER-WEBAPP phf arbitrary command execution attempt ||
bugtraq,629 || cve,1999-0067
1763 || SERVER-WEBAPP Nortel Contivity cgiproc DOS attempt || bugtraq,938
|| cve,2000-0063 || cve,2000-0064 || nessus,10160
1764 || SERVER-WEBAPP Nortel Contivity cgiproc DOS attempt || bugtraq,938
|| cve,2000-0063 || cve,2000-0064 || nessus,10160
1765 || SERVER-WEBAPP Nortel Contivity cgiproc access || bugtraq,938 ||
cve,2000-0063 || cve,2000-0064 || nessus,10160
1766 || SERVER-WEBAPP search.dll directory listing attempt ||
bugtraq,1684 || cve,2000-0835 || nessus,10514
1767 || SERVER-WEBAPP search.dll access || bugtraq,1684 || cve,2000-0835
|| nessus,10514
1769 || SERVER-WEBAPP .DS_Store access ||
url,www.macintouch.com/mosxreaderreports46.html
1770 || SERVER-WEBAPP .FBCIndex access ||
url,www.securiteam.com/securitynews/5LP0O005FS.html
1771 || POLICY-OTHER IPSec PGPNet connection attempt
1772 || SERVER-IIS pbserver access || cve,2000-1089 ||
url,technet.microsoft.com/en-us/security/bulletin/ms00-094
1773 || SERVER-WEBAPP php.exe access ||
url,www.securitytracker.com/alerts/2002/Jan/1003104.html
1774 || SERVER-WEBAPP bb_smilies.php access ||
url,www.securiteam.com/securitynews/Serious_security_hole_in_PHPNuke__bb_smilies_.html
1775 || SERVER-MYSQL root login attempt
1776 || SERVER-MYSQL show databases attempt
1777 || PROTOCOL-FTP EXPLOIT STAT asterisk dos attempt || bugtraq,4482 ||
cve,2002-0073 || nessus,10934 || url,technet.microsoft.com/en-us/security/bulletin/MS02-018
1778 || PROTOCOL-FTP EXPLOIT STAT ? dos attempt || bugtraq,4482 ||
cve,2002-0073 || nessus,10934 || url,technet.microsoft.com/en-us/security/bulletin/MS02-018
1787 || SERVER-WEBAPP csPassword.cgi access || bugtraq,4885 ||
bugtraq,4886 || bugtraq,4887 || bugtraq,4889 || cve,2002-0917 ||
cve,2002-0918

1788 || SERVER-WEBAPP csPassword password.cgi.tmp access || bugtraq,4889


|| cve,2002-0920
1789 || POLICY-SOCIAL IRC dns request
1790 || POLICY-SOCIAL IRC dns response
1792 || PROTOCOL-NNTP return code buffer overflow attempt || bugtraq,4900
|| cve,2002-0909
1802 || SERVER-IIS .asa HTTP header buffer overflow attempt ||
bugtraq,4476 || cve,2002-0150 || nessus,10936 ||
url,technet.microsoft.com/en-us/security/bulletin/MS02-018
1803 || SERVER-IIS .cer HTTP header buffer overflow attempt ||
bugtraq,4476 || cve,2002-0150 || nessus,10936 ||
url,technet.microsoft.com/en-us/security/bulletin/MS02-018
1804 || SERVER-IIS .cdx HTTP header buffer overflow attempt ||
bugtraq,4476 || cve,2002-0150 || nessus,10936 ||
url,technet.microsoft.com/en-us/security/bulletin/MS02-018
1805 || SERVER-WEBAPP Oracle Reports CGI access || bugtraq,4848 ||
cve,2002-0947
1806 || SERVER-IIS .htr chunked Transfer-Encoding || bugtraq,4855 ||
bugtraq,5003 || cve,2002-0364 || nessus,11028
1807 || POLICY-OTHER Chunked-Encoding transfer attempt || bugtraq,4474 ||
bugtraq,4485 || bugtraq,5033 || cve,2002-0071 || cve,2002-0079 ||
cve,2002-0392 || nessus,10932
1808 || SERVER-WEBAPP apache chunked encoding memory corruption exploit
attempt || bugtraq,5033 || cve,2002-0392
1809 || SERVER-APACHE Apache Chunked-Encoding worm attempt ||
bugtraq,4474 || bugtraq,4485 || bugtraq,5033 || cve,2002-0071 ||
cve,2002-0079 || cve,2002-0392 || nessus,10932
1810 || SERVER-OTHER successful gobbles ssh exploit GOBBLE ||
bugtraq,5093 || cve,2002-0390 || cve,2002-0640
1811 || SERVER-OTHER successful gobbles ssh exploit uname || bugtraq,5093
|| cve,2002-0390 || cve,2002-0640 || nessus,11031
1812 || SERVER-OTHER gobbles SSH exploit attempt || bugtraq,5093 ||
cve,2002-0639 || nessus,11031
1813 || PROTOCOL-ICMP digital island bandwidth query
1814 || SERVER-WEBAPP CISCO VoIP DOS ATTEMPT || bugtraq,4794 || cve,2002-0882 || nessus,11013
1815 || SERVER-WEBAPP directory.php arbitrary command attempt ||
bugtraq,4278 || cve,2002-0434 || nessus,11017
1816 || SERVER-WEBAPP directory.php access || bugtraq,4278 || cve,2002-0434
1817 || SERVER-IIS MS Site Server default login attempt || nessus,11018
1818 || SERVER-IIS MS Site Server admin attempt || nessus,11018
1819 || SERVER-OTHER Alcatel PABX 4400 connection attempt || nessus,11019
1820 || SERVER-WEBAPP IBM Net.Commerce orderdspc.d2w access ||
bugtraq,2350 || cve,2001-0319 || nessus,11020
1821 || SERVER-OTHER LPD dvips remote command execution attempt ||
bugtraq,3241 || cve,2001-1002 || nessus,11023
1822 || SERVER-WEBAPP AlienForm alienform.cgi directory traversal attempt
|| bugtraq,4983 || cve,2002-0934 || nessus,11027
1823 || SERVER-WEBAPP AlienForm af.cgi directory traversal attempt ||
bugtraq,4983 || cve,2002-0934 || nessus,11027
1824 || SERVER-WEBAPP AlienForm alienform.cgi access || bugtraq,4983 ||
cve,2002-0934 || nessus,11027

1825 || SERVER-WEBAPP AlienForm af.cgi access || bugtraq,4983 ||


cve,2002-0934 || nessus,11027
1826 || SERVER-WEBAPP WEB-INF access || bugtraq,1830 || bugtraq,5119 ||
cve,2000-1050 || cve,2001-0179 || nessus,11037
1827 || SERVER-APACHE Apache Tomcat servlet mapping cross site scripting
attempt || bugtraq,5193 || cve,2002-0682 || nessus,11041
1828 || SERVER-WEBAPP iPlanet Search directory traversal attempt ||
bugtraq,5191 || cve,2002-1042 || nessus,11043
1829 || SERVER-APACHE Apache Tomcat TroubleShooter servlet access ||
bugtraq,4575 || cve,2002-2006 || nessus,11046
1830 || SERVER-APACHE Apache Tomcat SnoopServlet servlet access ||
bugtraq,4575 || cve,2002-2006 || nessus,11046
1831 || SERVER-WEBAPP jigsaw dos attempt || bugtraq,5258 || cve,2002-1052
|| nessus,11047
1832 || POLICY-SOCIAL ICQ forced user addition || bugtraq,3226 ||
cve,2001-1305
1834 || SERVER-WEBAPP PHP-Wiki cross site scripting attempt ||
bugtraq,5254 || cve,2002-1070
1835 || SERVER-WEBAPP Macromedia SiteSpring cross site scripting attempt
|| bugtraq,5249 || cve,2002-1027
1838 || SERVER-OTHER SSH server banner overflow || bugtraq,5287 ||
cve,2002-1059 || nessus,15822
1839 || SERVER-WEBAPP mailman cross site scripting attempt ||
bugtraq,5298 || cve,2002-0855 || nessus,14984
1840 || FILE-JAVA Oracle Javascript document.domain attempt ||
bugtraq,5346 || cve,2002-0815
1841 || BROWSER-FIREFOX Mozilla 1.0 Javascript arbitrary cookie access
attempt || bugtraq,5293 || cve,2002-2314 ||
url,osvdb.org/show/osvdb/60255
1842 || PROTOCOL-IMAP login buffer overflow attempt || bugtraq,13727 ||
bugtraq,21110 || bugtraq,502 || cve,1999-0005 || cve,1999-1557 ||
cve,2004-1011 || cve,2005-1255 || cve,2006-5961 || cve,2007-1373 ||
cve,2007-2795 || cve,2007-3925 || nessus,10123 || nessus,10125
1843 || MALWARE-BACKDOOR trinity connection attempt || cve,2000-0138 ||
nessus,10501
1844 || PROTOCOL-IMAP authenticate overflow attempt || bugtraq,12995 ||
bugtraq,130 || cve,1999-0005 || cve,1999-0042 || nessus,10292
1845 || PROTOCOL-IMAP list literal overflow attempt || bugtraq,1110 ||
cve,2000-0284 || nessus,10374
1846 || POLICY-MULTIMEDIA vncviewer Java applet download attempt ||
nessus,10758
1847 || SERVER-WEBAPP webalizer access || bugtraq,3473 || cve,2001-0835
|| nessus,10816
1848 || SERVER-WEBAPP webcart-lite access || cve,1999-0610 ||
nessus,10298
1849 || SERVER-WEBAPP webfind.exe access || bugtraq,1487 || cve,2000-0622
|| nessus,10475
1850 || SERVER-WEBAPP way-board.cgi access || nessus,10610
1851 || SERVER-WEBAPP active.log access || bugtraq,1497 || cve,2000-0642
|| nessus,10470
1852 || SERVER-WEBAPP robots.txt access || nessus,10302
1853 || MALWARE-BACKDOOR win-trin00 connection attempt || cve,2000-0138
|| nessus,10307

1854 || PROTOCOL-ICMP Stacheldraht handler->agent niggahbitch ||


cve,2000-0138 ||
url,staff.washington.edu/dittrich/misc/stacheldraht.analysis
1855 || PROTOCOL-ICMP Stacheldraht agent->handler skillz || cve,2000-0138
|| url,staff.washington.edu/dittrich/misc/stacheldraht.analysis
1856 || PROTOCOL-ICMP Stacheldraht handler->agent ficken || cve,2000-0138
|| url,staff.washington.edu/dittrich/misc/stacheldraht.analysis
1857 || SERVER-WEBAPP robot.txt access || nessus,10302
1858 || SERVER-WEBAPP CISCO PIX Firewall Manager directory traversal
attempt || bugtraq,691 || cve,1999-0158 || nessus,10819
1859 || SERVER-WEBAPP Oracle JavaServer default password login attempt ||
nessus,10995
1860 || SERVER-WEBAPP Linksys router default password login attempt ||
nessus,10999
1861 || SERVER-WEBAPP Linksys router default username and password login
attempt || nessus,10999
1862 || SERVER-WEBAPP mrtg.cgi directory traversal attempt ||
bugtraq,4017 || cve,2002-0232 || nessus,11001
1864 || PROTOCOL-FTP SITE NEWER attempt || cve,1999-0880 || nessus,10319
1865 || SERVER-WEBAPP webdist.cgi arbitrary command attempt ||
bugtraq,374 || cve,1999-0039 || nessus,10299
1866 || PROTOCOL-POP USER overflow attempt || bugtraq,11256 ||
bugtraq,19651 || bugtraq,789 || cve,1999-0494 || cve,2002-1781 ||
cve,2006-2502 || cve,2006-4364 || nessus,10311 ||
url,www.delegate.org/mail-lists/delegate-en/1475
1867 || X11 xdmcp info query || nessus,10891
1868 || SERVER-WEBAPP Interactive Story story.pl arbitrary file read
attempt || bugtraq,3028 || cve,2001-0804 || nessus,10817
1869 || SERVER-WEBAPP Interactive Story story.pl access || bugtraq,3028
|| cve,2001-0804 || nessus,10817
1870 || SERVER-WEBAPP siteUserMod.cgi access || bugtraq,951 || cve,2000-0117 || nessus,10253
1871 || SERVER-WEBAPP Oracle XSQLConfig.xml access || bugtraq,4290 ||
cve,2002-0568 || nessus,10855
1872 || SERVER-WEBAPP Oracle Dynamic Monitoring Services dms access ||
nessus,10848
1873 || SERVER-WEBAPP globals.jsa access || bugtraq,4034 || cve,2002-0562
|| nessus,10850
1874 || SERVER-WEBAPP Oracle Java Process Manager access || nessus,10851
1875 || SERVER-WEBAPP cgicso access || bugtraq,6141 || cve,2002-1652 ||
nessus,10779 || nessus,10780
1876 || SERVER-WEBAPP nph-publish.cgi access || cve,1999-1177 ||
nessus,10164
1877 || SERVER-WEBAPP printenv access || bugtraq,1658 || cve,2000-0868 ||
nessus,10188 || nessus,10503
1878 || SERVER-WEBAPP sdbsearch.cgi access || bugtraq,1658 || cve,2000-0868 || nessus,10503
1879 || SERVER-WEBAPP book.cgi arbitrary command execution attempt ||
bugtraq,3178 || cve,2001-1114 || nessus,10721
1880 || SERVER-WEBAPP oracle web application server access ||
bugtraq,1053 || cve,2000-0169 || nessus,10348
1881 || SERVER-WEBAPP bad HTTP/1.1 request, Potentially worm attack ||
url,securityresponse.symantec.com/avcenter/security/Content/2002.09.13.html

1882 || INDICATOR-COMPROMISE id check returned userid


1887 || SERVER-OTHER OpenSSL Worm traffic ||
url,www.cert.org/advisories/CA-2002-27.html
1888 || PROTOCOL-FTP SITE CPWD overflow attempt || bugtraq,5427 ||
cve,2002-0826
1889 || MALWARE-CNC slapper worm admin traffic ||
url,isc.incidents.org/analysis.html?id=167 ||
url,www.cert.org/advisories/CA-2002-27.html
1890 || PROTOCOL-RPC status GHBN format string attack || bugtraq,1480 ||
cve,2000-0666 || nessus,10544
1891 || PROTOCOL-RPC status GHBN format string attack || bugtraq,1480 ||
cve,2000-0666 || nessus,10544
1892 || PROTOCOL-SNMP null community string attempt || bugtraq,2112 ||
bugtraq,8974 || cve,1999-0517
1893 || PROTOCOL-SNMP missing community string attempt || bugtraq,2112 ||
cve,1999-0517
1894 || INDICATOR-SHELLCODE kadmind buffer overflow attempt ||
bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 ||
nessus,15015 || url,www.kb.cert.org/vuls/id/875073
1895 || INDICATOR-SHELLCODE kadmind buffer overflow attempt ||
bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 ||
url,www.kb.cert.org/vuls/id/875073
1896 || INDICATOR-SHELLCODE kadmind buffer overflow attempt ||
bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 ||
url,www.kb.cert.org/vuls/id/875073
1897 || INDICATOR-SHELLCODE kadmind buffer overflow attempt ||
bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 ||
url,www.kb.cert.org/vuls/id/875073
1898 || INDICATOR-SHELLCODE kadmind buffer overflow attempt ||
bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 ||
url,www.kb.cert.org/vuls/id/875073
1899 || INDICATOR-SHELLCODE kadmind buffer overflow attempt ||
bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 ||
url,www.kb.cert.org/vuls/id/875073
1900 || SERVER-OTHER successful kadmind buffer overflow attempt ||
bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 ||
url,www.kb.cert.org/vuls/id/875073
1901 || SERVER-OTHER successful kadmind buffer overflow attempt ||
bugtraq,5731 || bugtraq,6024 || cve,2002-1226 || cve,2002-1235 ||
url,www.kb.cert.org/vuls/id/875073
1902 || PROTOCOL-IMAP lsub literal overflow attempt || bugtraq,1110 ||
cve,2000-0284 || nessus,10374
1903 || PROTOCOL-IMAP rename overflow attempt || bugtraq,1110 ||
cve,2000-0284 || nessus,10374
1904 || PROTOCOL-IMAP find overflow attempt || bugtraq,1110 || cve,2000-0284 || nessus,10374
1905 || PROTOCOL-RPC AMD UDP amqproc_mount plog overflow attempt ||
bugtraq,614 || cve,1999-0704
1906 || PROTOCOL-RPC AMD TCP amqproc_mount plog overflow attempt ||
bugtraq,614 || cve,1999-0704
1907 || PROTOCOL-RPC CMSD UDP CMSD_CREATE buffer overflow attempt ||
bugtraq,36615 || bugtraq,524 || cve,1999-0696 || cve,2009-3699
1908 || PROTOCOL-RPC CMSD TCP CMSD_CREATE buffer overflow attempt ||
bugtraq,524 || cve,1999-0696

1909 || PROTOCOL-RPC CMSD TCP CMSD_INSERT buffer overflow attempt ||


bugtraq,524 || cve,1999-0696 || url,www.cert.org/advisories/CA-99-08-cmsd.html
1910 || PROTOCOL-RPC CMSD udp CMSD_INSERT buffer overflow attempt ||
cve,1999-0696 || url,www.cert.org/advisories/CA-99-08-cmsd.html
1911 || PROTOCOL-RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN
overflow attempt || bugtraq,866 || cve,1999-0977
1912 || PROTOCOL-RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN
overflow attempt || bugtraq,0866 || bugtraq,866 || cve,1999-0977
1913 || PROTOCOL-RPC STATD UDP stat mon_name format string exploit
attempt || bugtraq,1480 || cve,2000-0666 || nessus,10544
1914 || PROTOCOL-RPC STATD TCP stat mon_name format string exploit
attempt || bugtraq,1480 || cve,2000-0666 || nessus,10544
1915 || PROTOCOL-RPC STATD UDP monitor mon_name format string exploit
attempt || bugtraq,1480 || cve,2000-0666 || nessus,10544
1916 || PROTOCOL-RPC STATD TCP monitor mon_name format string exploit
attempt || bugtraq,1480 || cve,2000-0666 || nessus,10544
1917 || INDICATOR-SCAN UPnP service discover attempt
1918 || PROTOCOL-ICMP SolarWinds IP scan attempt
1919 || PROTOCOL-FTP CWD overflow attempt || bugtraq,11069 ||
bugtraq,1227 || bugtraq,1690 || bugtraq,6869 || bugtraq,7251 ||
bugtraq,7950 || cve,1999-0219 || cve,1999-1058 || cve,1999-1510 ||
cve,2000-1035 || cve,2000-1194 || cve,2001-0781 || cve,2002-0126 ||
cve,2002-0405
1920 || PROTOCOL-FTP SITE NEWER overflow attempt || bugtraq,229 ||
cve,1999-0800
1921 || PROTOCOL-FTP SITE ZIPCHK overflow attempt || cve,2000-0040
1922 || PROTOCOL-RPC portmap proxy attempt TCP
1923 || PROTOCOL-RPC portmap proxy attempt UDP
1924 || PROTOCOL-RPC mountd UDP export request
1925 || PROTOCOL-RPC mountd TCP exportall request
1926 || PROTOCOL-RPC mountd UDP exportall request
1927 || PROTOCOL-FTP authorized_keys
1928 || PROTOCOL-FTP shadow retrieval attempt
1930 || PROTOCOL-IMAP auth literal overflow attempt || bugtraq,21724 ||
cve,1999-0005 || cve,2006-6424
1931 || SERVER-WEBAPP rpc-nlog.pl access || cve,1999-1278 ||
url,marc.theaimsgroup.com/?l=bugtraq&m=91470326629357&w=2 ||
url,marc.theaimsgroup.com/?l=bugtraq&m=91471400632145&w=2
1932 || SERVER-WEBAPP rpc-smb.pl access || cve,1999-1278
1933 || SERVER-WEBAPP cart.cgi access || bugtraq,1115 || cve,2000-0252 ||
nessus,10368
1936 || PROTOCOL-POP AUTH overflow attempt || bugtraq,830 || cve,1999-0822 || nessus,10184
1937 || PROTOCOL-POP LIST overflow attempt || bugtraq,948 || cve,2000-0096 || nessus,10197
1938 || PROTOCOL-POP XTND overflow attempt
1939 || SERVER-OTHER bootp hardware address length overflow || cve,1999-0798
1940 || SERVER-OTHER bootp invalid hardware type || cve,1999-0798
1941 || PROTOCOL-TFTP GET filename overflow attempt || bugtraq,20131 ||
bugtraq,22923 || bugtraq,36121 || bugtraq,5328 || cve,2002-0813 ||
cve,2006-4948 || cve,2007-1435 || cve,2009-2957 || cve,2009-2958 ||
nessus,18264

1942 || PROTOCOL-FTP RMDIR overflow attempt || bugtraq,819


1943 || SERVER-WEBAPP /Carello/add.exe access || bugtraq,1245 ||
cve,2000-0396 || nessus,11776
1944 || SERVER-WEBAPP /ecscripts/ecware.exe access || bugtraq,6066
1946 || SERVER-WEBAPP answerbook2 admin attempt || bugtraq,5383 ||
cve,2000-0696
1947 || SERVER-WEBAPP answerbook2 arbitrary command execution attempt ||
bugtraq,1556 || cve,2000-0697
1948 || PROTOCOL-DNS dns zone transfer via UDP detected || cve,1999-0532
|| nessus,10595
1949 || PROTOCOL-RPC portmap SET attempt TCP 111
1950 || PROTOCOL-RPC portmap SET attempt UDP 111
1951 || PROTOCOL-RPC mountd TCP mount request || cve,1999-0210
1952 || PROTOCOL-RPC mountd UDP mount request
1953 || PROTOCOL-RPC AMD TCP pid request
1954 || PROTOCOL-RPC AMD UDP pid request
1955 || PROTOCOL-RPC AMD TCP version request
1956 || PROTOCOL-RPC AMD UDP version request || bugtraq,1554 || cve,2000-0696
1957 || PROTOCOL-RPC sadmind UDP PING || bugtraq,866 || cve,1999-0977 ||
nessus,10229
1958 || PROTOCOL-RPC sadmind TCP PING || bugtraq,866 || cve,1999-0977 ||
nessus,10229
1959 || PROTOCOL-RPC portmap NFS request UDP
1960 || PROTOCOL-RPC portmap NFS request TCP
1961 || PROTOCOL-RPC portmap RQUOTA request UDP
1962 || PROTOCOL-RPC portmap RQUOTA request TCP
1963 || PROTOCOL-RPC RQUOTA getquota overflow attempt UDP || bugtraq,864
|| cve,1999-0974
1964 || PROTOCOL-RPC tooltalk UDP overflow attempt || bugtraq,122 ||
cve,1999-0003
1965 || PROTOCOL-RPC tooltalk TCP overflow attempt || bugtraq,122 ||
cve,1999-0003 || cve,2001-0717
1966 || SERVER-OTHER GlobalSunTech Access Point Information Disclosure
attempt || bugtraq,6100 || cve,2002-2137
1967 || SERVER-WEBAPP phpbb quick-reply.php arbitrary command attempt ||
bugtraq,6173 || cve,2002-2287
1968 || SERVER-WEBAPP phpbb quick-reply.php access || bugtraq,6173 ||
cve,2002-2287
1969 || SERVER-WEBAPP ion-p access || bugtraq,6091 || cve,2002-1559 ||
nessus,11729
1970 || SERVER-IIS MDAC Content-Type overflow attempt || bugtraq,6214 ||
cve,2002-1142 || nessus,11161 || url,technet.microsoft.com/en-us/security/bulletin/MS02-065 || url,technet.microsoft.com/en-us/security/bulletin/MS98-004 || url,www.foundstone.com/knowledge/randd-advisories-display.html?id=337
1971 || PROTOCOL-FTP SITE EXEC format string attempt || bugtraq,1387 ||
bugtraq,1505 || cve,2000-0573
1972 || PROTOCOL-FTP PASS overflow attempt || bugtraq,10078 ||
bugtraq,10720 || bugtraq,15457 || bugtraq,1690 || bugtraq,22045 ||
bugtraq,3884 || bugtraq,45957 || bugtraq,8601 || bugtraq,9285 ||
cve,1999-1519 || cve,1999-1539 || cve,2000-1035 || cve,2002-0126 ||
cve,2002-0895 || cve,2005-3683 || cve,2006-6576

1973 || PROTOCOL-FTP MKD overflow attempt || bugtraq,11772 ||


bugtraq,15457 || bugtraq,39041 || bugtraq,612 || bugtraq,7278 ||
bugtraq,9872 || cve,1999-0911 || cve,2004-1135 || cve,2005-3683 ||
cve,2009-3023 || cve,2010-0625 || nessus,12108 ||
url,technet.microsoft.com/en-us/security/bulletin/MS09-053 ||
url,www.kb.cert.org/vuls/id/276653
1974 || PROTOCOL-FTP REST overflow attempt || bugtraq,2972 || cve,2001-0826 || nessus,11755
1975 || PROTOCOL-FTP DELE overflow attempt || bugtraq,15457 ||
bugtraq,2972 || bugtraq,46922 || cve,2001-0826 || cve,2001-1021 ||
cve,2005-3683 || cve,2010-4228 || nessus,11755
1976 || PROTOCOL-FTP RMD overflow attempt || bugtraq,15457 ||
bugtraq,2972 || bugtraq,39041 || cve,2000-0133 || cve,2001-0826 ||
cve,2001-1021 || cve,2005-3683 || cve,2010-0625
1977 || SERVER-WEBAPP xp_regwrite attempt
1978 || SERVER-WEBAPP xp_regdeletekey attempt
1979 || SERVER-WEBAPP perl post attempt || bugtraq,5520 || cve,2002-1436
|| nessus,11158
1980 || MALWARE-BACKDOOR DeepThroat 3.1 Connection || mcafee,98574 ||
nessus,10053
1981 || MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 3150
|| mcafee,98574 || nessus,10053
1982 || MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 3150 ||
mcafee,98574 || nessus,10053
1983 || MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 4120
|| mcafee,98574 || nessus,10053
1984 || MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 4120 ||
mcafee,98574 || nessus,10053
1985 || MALWARE-BACKDOOR Doly 1.5 server response
1986 || POLICY-SOCIAL Microsoft MSN outbound file transfer request
1987 || SERVER-OTHER xfs overflow attempt || bugtraq,6241 || cve,2002-1317 || nessus,11188
1988 || POLICY-SOCIAL Microsoft MSN outbound file transfer accept
1989 || POLICY-SOCIAL Microsoft MSN outbound file transfer rejected
1990 || POLICY-SOCIAL Microsoft MSN user search
1991 || POLICY-SOCIAL Microsoft MSN login attempt
1992 || PROTOCOL-FTP LIST directory traversal attempt || bugtraq,2618 ||
cve,2001-0680 || cve,2002-1054 || nessus,11112
1993 || PROTOCOL-IMAP login literal buffer overflow attempt ||
bugtraq,14718 || bugtraq,21724 || bugtraq,23810 || bugtraq,6298 ||
cve,2002-1580 || cve,2005-1758 || cve,2006-6424 || cve,2007-0221 ||
nessus,12532
1994 || SERVER-WEBAPP vpasswd.cgi access || bugtraq,6038 || nessus,11165
1995 || SERVER-WEBAPP alya.cgi access || nessus,11118
1996 || SERVER-WEBAPP viralator.cgi access || bugtraq,3495 || cve,2001-0849 || nessus,11107
1997 || SERVER-WEBAPP read_body.php access attempt || bugtraq,6302 ||
cve,2002-1341 || nessus,11415
1998 || SERVER-WEBAPP calendar.php access || bugtraq,5820 || bugtraq,9353
|| cve,2002-1660 || cve,2004-1785 || nessus,11179
1999 || SERVER-WEBAPP edit_image.php access || bugtraq,3288 || cve,2001-1020 || nessus,11104
2000 || SERVER-WEBAPP readmsg.php access || cve,2001-1408 || nessus,11073
2001 || SERVER-WEBAPP smartsearch.cgi access || bugtraq,7133

2002 || SERVER-WEBAPP remote include path attempt ||


url,en.wikipedia.org/wiki/File_inclusion_vulnerability ||
url,php.net/manual/en/function.include.php
2003 || SQL Worm propagation attempt || bugtraq,5310 || bugtraq,5311 ||
cve,2002-0649 || nessus,11214 || url,vil.nai.com/vil/content/v_99992.htm
2004 || SQL Worm propagation attempt OUTBOUND || bugtraq,5310 ||
bugtraq,5311 || cve,2002-0649 || nessus,11214 ||
url,vil.nai.com/vil/content/v_99992.htm
2005 || PROTOCOL-RPC portmap kcms_server request UDP || bugtraq,6665 ||
cve,2003-0027 || url,www.kb.cert.org/vuls/id/850785
2006 || PROTOCOL-RPC portmap kcms_server request TCP || bugtraq,6665 ||
cve,2003-0027 || url,www.kb.cert.org/vuls/id/850785
2007 || PROTOCOL-RPC kcms_server directory traversal attempt ||
bugtraq,6665 || cve,2003-0027 || url,www.kb.cert.org/vuls/id/850785
2008 || INDICATOR-COMPROMISE CVS invalid user authentication response
2009 || INDICATOR-COMPROMISE CVS invalid repository response
2010 || INDICATOR-COMPROMISE CVS double free exploit attempt response ||
bugtraq,6650 || cve,2003-0015 || nessus,11385
2011 || INDICATOR-COMPROMISE CVS invalid directory response ||
bugtraq,6650 || cve,2003-0015 || nessus,11385
2012 || INDICATOR-COMPROMISE CVS missing cvsroot response
2013 || INDICATOR-COMPROMISE CVS invalid module response
2014 || PROTOCOL-RPC portmap UNSET attempt TCP 111 || bugtraq,1892
2015 || PROTOCOL-RPC portmap UNSET attempt UDP 111 || bugtraq,1892 ||
cve,2011-0321
2016 || PROTOCOL-RPC portmap status request TCP
2017 || PROTOCOL-RPC portmap espd request UDP || bugtraq,2714 ||
cve,2001-0331
2018 || PROTOCOL-RPC mountd TCP dump request
2019 || PROTOCOL-RPC mountd UDP dump request
2020 || PROTOCOL-RPC mountd TCP unmount request
2021 || PROTOCOL-RPC mountd UDP unmount request
2022 || PROTOCOL-RPC mountd TCP unmountall request
2023 || PROTOCOL-RPC mountd UDP unmountall request
2024 || PROTOCOL-RPC RQUOTA getquota overflow attempt TCP || bugtraq,864
|| cve,1999-0974
2025 || PROTOCOL-RPC yppasswd username overflow attempt UDP ||
bugtraq,2763 || cve,2001-0779 || nessus,10684
2026 || PROTOCOL-RPC yppasswd username overflow attempt TCP ||
bugtraq,2763 || cve,2001-0779 || nessus,10684
2027 || PROTOCOL-RPC yppasswd old password overflow attempt UDP ||
bugtraq,2763 || cve,2001-0779
2028 || PROTOCOL-RPC yppasswd old password overflow attempt TCP ||
bugtraq,2763 || cve,2001-0779
2029 || PROTOCOL-RPC yppasswd new password overflow attempt UDP ||
bugtraq,2763 || cve,2001-0779
2030 || PROTOCOL-RPC yppasswd new password overflow attempt TCP ||
bugtraq,2763 || cve,2001-0779
2031 || PROTOCOL-RPC yppasswd user update UDP || bugtraq,2763 ||
cve,2001-0779
2032 || PROTOCOL-RPC yppasswd user update TCP || bugtraq,2763 ||
cve,2001-0779
2033 || PROTOCOL-RPC ypserv maplist request UDP || bugtraq,5914 ||
bugtraq,6016 || cve,2002-1232 || nessus,13976

2034 || PROTOCOL-RPC ypserv maplist request TCP || bugtraq,5914 ||


bugtraq,6016 || cve,2002-1232
2035 || PROTOCOL-RPC portmap network-status-monitor request UDP
2036 || PROTOCOL-RPC portmap network-status-monitor request TCP
2037 || PROTOCOL-RPC network-status-monitor mon-callback request UDP
2038 || PROTOCOL-RPC network-status-monitor mon-callback request TCP
2039 || SERVER-OTHER bootp hostname format string attempt || bugtraq,4701
|| cve,2002-0702 || nessus,11312
2040 || POLICY-OTHER xtacacs login attempt
2041 || INDICATOR-SCAN xtacacs failed login response
2042 || POLICY-OTHER xtacacs accepted login response
2043 || INDICATOR-SCAN isakmp login failed
2044 || POLICY-OTHER PPTP Start Control Request attempt
2045 || PROTOCOL-RPC snmpXdmi overflow attempt UDP || bugtraq,2417 ||
cve,2001-0236 || nessus,10659 || url,www.cert.org/advisories/CA-2001-05.html
2046 || PROTOCOL-IMAP partial body.peek buffer overflow attempt ||
bugtraq,4713 || cve,2002-0379 || nessus,10966
2047 || SERVER-OTHER rsyncd module list access
2049 || SQL ping attempt || nessus,10674
2050 || SERVER-MSSQL version overflow attempt || bugtraq,5310 ||
cve,2002-0649 || nessus,10674 || url,technet.microsoft.com/en-us/security/bulletin/MS02-039
2051 || SERVER-WEBAPP cached_feed.cgi moreover shopping cart access ||
bugtraq,1762 || cve,2000-0906
2052 || SERVER-WEBAPP overflow.cgi access || bugtraq,6326 || cve,2002-1361 || nessus,11190 || url,www.cert.org/advisories/CA-2002-35.html
2053 || SERVER-WEBAPP Bugtraq process_bug.cgi access || bugtraq,3272 ||
cve,2002-0008
2054 || SERVER-WEBAPP Bugtraq enter_bug.cgi arbitrary command attempt ||
bugtraq,3272 || cve,2002-0008
2055 || SERVER-WEBAPP Bugtraq enter_bug.cgi access || bugtraq,3272 ||
cve,2002-0008
2056 || SERVER-WEBAPP TRACE attempt || bugtraq,9561 || cve,2003-1567 ||
cve,2004-2320 || cve,2010-0360 || nessus,11213
2057 || SERVER-WEBAPP helpout.exe access || bugtraq,6002 || cve,2002-1169
|| nessus,11162
2058 || SERVER-WEBAPP MsmMask.exe attempt || nessus,11163
2059 || SERVER-WEBAPP MsmMask.exe access || nessus,11163
2060 || SERVER-WEBAPP DB4Web access || nessus,11180
2061 || SERVER-APACHE Apache Tomcat null byte directory listing attempt
|| bugtraq,2518 || bugtraq,6721 || cve,2003-0042 || nessus,11438
2062 || SERVER-WEBAPP iPlanet .perf access || nessus,11220
2063 || SERVER-WEBAPP Demarc SQL injection attempt || bugtraq,4520 ||
cve,2002-0539
2065 || SERVER-WEBAPP Lotus Notes .csp script source download attempt
2066 || SERVER-WEBAPP Lotus Notes .pl script source download attempt ||
bugtraq,6841 || cve,2003-1408
2067 || SERVER-WEBAPP Lotus Notes .exe script source download attempt ||
bugtraq,6841 || cve,2003-1408
2068 || SERVER-WEBAPP BitKeeper arbitrary command attempt || bugtraq,6588
2069 || SERVER-WEBAPP chip.ini access || bugtraq,2755 || bugtraq,2775 ||
cve,2001-0749 || cve,2001-0771

2070 || SERVER-WEBAPP post32.exe arbitrary command attempt || bugtraq,1485
2071 || SERVER-WEBAPP post32.exe access || bugtraq,1485
2072 || SERVER-WEBAPP lyris.pl access || bugtraq,1584 || cve,2000-0758
2073 || SERVER-WEBAPP globals.pl access || bugtraq,2671 || cve,2001-0330
2074 || SERVER-WEBAPP Mambo uploadimage.php upload php file attempt ||
bugtraq,6572 || cve,2003-1204 || nessus,16315
2075 || SERVER-WEBAPP Mambo upload.php upload php file attempt ||
bugtraq,6572 || cve,2003-1204 || nessus,16315
2076 || SERVER-WEBAPP Mambo uploadimage.php access || bugtraq,6572 ||
cve,2003-1204 || nessus,16315
2077 || SERVER-WEBAPP Mambo upload.php access || bugtraq,6572 ||
cve,2003-1204 || nessus,16315
2078 || SERVER-WEBAPP phpBB privmsg.php access || bugtraq,6634 ||
cve,2003-1530
2079 || PROTOCOL-RPC portmap nlockmgr request UDP || bugtraq,1372 ||
cve,2000-0508 || nessus,10220
2080 || PROTOCOL-RPC portmap nlockmgr request TCP || bugtraq,1372 ||
cve,2000-0508 || nessus,10220
2081 || PROTOCOL-RPC portmap rpc.xfsmd request UDP || bugtraq,5072 ||
bugtraq,5075 || cve,2002-0359
2082 || PROTOCOL-RPC portmap rpc.xfsmd request TCP || bugtraq,5072 ||
bugtraq,5075 || cve,2002-0359
2083 || PROTOCOL-RPC rpc.xfsmd xfs_export attempt UDP || bugtraq,5072 ||
bugtraq,5075 || cve,2002-0359
2084 || PROTOCOL-RPC rpc.xfsmd xfs_export attempt TCP || bugtraq,5072 ||
bugtraq,5075 || cve,2002-0359
2085 || SERVER-WEBAPP parse_xml.cgi access || bugtraq,6954 ||
bugtraq,6955 || bugtraq,6956 || bugtraq,6958 || cve,2003-0050 ||
cve,2003-0051 || cve,2003-0052 || cve,2003-0053 || cve,2003-0423
2086 || SERVER-WEBAPP streaming server parse_xml.cgi access ||
bugtraq,6954 || bugtraq,6955 || bugtraq,6956 || bugtraq,6958 || cve,2003-0050 || cve,2003-0051 || cve,2003-0052 || cve,2003-0053 || cve,2003-0423
2087 || SERVER-MAIL From comment overflow attempt || bugtraq,6991 ||
cve,2002-1337 || url,www.kb.cert.org/vuls/id/398025
2088 || PROTOCOL-RPC ypupdated arbitrary command attempt UDP ||
bugtraq,1749 || bugtraq,28383 || cve,1999-0208
2089 || PROTOCOL-RPC ypupdated arbitrary command attempt TCP ||
bugtraq,1749 || cve,1999-0208
2090 || SERVER-IIS WEBDAV exploit attempt || bugtraq,7116 || bugtraq,7716
|| cve,2003-0109 || nessus,11413 || url,technet.microsoft.com/en-us/security/bulletin/ms03-007
2091 || SERVER-IIS WEBDAV nessus safe scan attempt || bugtraq,7116 ||
cve,2003-0109 || nessus,11412 || nessus,11413 ||
url,technet.microsoft.com/en-us/security/bulletin/ms03-007
2092 || PROTOCOL-RPC portmap proxy integer overflow attempt UDP ||
bugtraq,36564 || bugtraq,7123 || cve,2003-0028 || nessus,11420
2093 || PROTOCOL-RPC portmap proxy integer overflow attempt TCP ||
bugtraq,7123 || cve,2003-0028 || nessus,11420
2094 || PROTOCOL-RPC CMSD UDP CMSD_CREATE array buffer overflow attempt
|| bugtraq,36615 || bugtraq,5356 || cve,2002-0391 || cve,2009-3699 ||
nessus,11418
2095 || PROTOCOL-RPC CMSD TCP CMSD_CREATE array buffer overflow attempt
|| bugtraq,5356 || cve,2002-0391 || nessus,11418

2100 || MALWARE-BACKDOOR SubSeven 2.1 Gold server connection response || mcafee,10566 || nessus,10409
2101 || OS-WINDOWS SMB Trans Max Param/Count OS-WINDOWS attempt ||
bugtraq,5556 || cve,2002-0724 || nessus,11110 ||
url,technet.microsoft.com/en-us/security/bulletin/MS02-045 ||
url,www.corest.com/common/showdoc.php?idx=262
2103 || NETBIOS SMB Trans2 OPEN2 unicode maximum param count overflow
attempt || cve,2003-0201
2104 || INDICATOR-COMPROMISE rexec username too long response ||
bugtraq,7459 || cve,2003-1097
2105 || PROTOCOL-IMAP authenticate literal overflow attempt ||
bugtraq,21724 || cve,1999-0042 || cve,2006-6424 || nessus,10292
2106 || PROTOCOL-IMAP lsub overflow attempt || bugtraq,1110 ||
bugtraq,15006 || cve,2000-0284 || cve,2005-3155 || nessus,10374
2107 || PROTOCOL-IMAP create buffer overflow attempt || bugtraq,7446 ||
cve,2003-1470
2108 || PROTOCOL-POP CAPA overflow attempt
2109 || PROTOCOL-POP TOP overflow attempt
2110 || PROTOCOL-POP STAT overflow attempt
2111 || PROTOCOL-POP DELE overflow attempt
2112 || PROTOCOL-POP RSET overflow attempt
2113 || PROTOCOL-SERVICES rexec username overflow attempt
2114 || PROTOCOL-SERVICES rexec password overflow attempt
2115 || SERVER-WEBAPP album.pl access || bugtraq,7444 || cve,2003-1456 ||
nessus,11581
2116 || SERVER-WEBAPP chipcfg.cgi access || bugtraq,2767 || cve,2001-1341
|| url,archives.neohapsis.com/archives/bugtraq/2001-05/0233.html
2117 || SERVER-IIS Battleaxe Forum login.asp access || bugtraq,7416 ||
cve,2003-0215 || nessus,11548
2118 || PROTOCOL-IMAP list overflow attempt || bugtraq,1110 ||
bugtraq,15006 || cve,2000-0284 || cve,2005-3155 || nessus,10374
2119 || PROTOCOL-IMAP rename literal overflow attempt || bugtraq,1110 ||
cve,2000-0284 || nessus,10374
2120 || PROTOCOL-IMAP create literal buffer overflow attempt ||
bugtraq,7446 || cve,2003-1470
2121 || PROTOCOL-POP DELE negative argument attempt || bugtraq,6053 ||
bugtraq,7445 || cve,2002-1539 || nessus,11570
2122 || PROTOCOL-POP UIDL negative argument attempt || bugtraq,6053 ||
cve,2002-1539 || nessus,11570
2123 || INDICATOR-COMPROMISE Microsoft cmd.exe banner || nessus,11633
2124 || MALWARE-BACKDOOR Remote PC Access connection || nessus,11673
2125 || PROTOCOL-FTP CWD Root directory traversal attempt || bugtraq,7674
|| cve,2003-0392 || nessus,11677
2126 || OS-WINDOWS Microsoft Windows PPTP Start Control Request buffer
overflow attempt || bugtraq,5807 || cve,2002-1214 || nessus,11178 ||
url,technet.microsoft.com/en-us/security/bulletin/MS02-063
2127 || SERVER-WEBAPP ikonboard.cgi access || bugtraq,7361 ||
nessus,11605
2128 || SERVER-WEBAPP swsrv.cgi access || bugtraq,7510 || cve,2003-0217
|| nessus,11608
2129 || SERVER-IIS nsiislog.dll access || bugtraq,8035 || cve,2003-0227
|| cve,2003-0349 || nessus,11664 || url,technet.microsoft.com/en-us/security/bulletin/ms03-018

2130 || SERVER-IIS IISProtect siteadmin.asp access || bugtraq,7675 || cve,2003-0377 || nessus,11662
2131 || SERVER-IIS IISProtect access || nessus,11661
2132 || SERVER-IIS Synchrologic Email Accelerator userid list access
attempt || nessus,11657
2133 || SERVER-IIS MS BizTalk server access || bugtraq,7469 ||
bugtraq,7470 || cve,2003-0117 || cve,2003-0118 || nessus,11638 ||
url,technet.microsoft.com/en-us/security/bulletin/MS03-016
2134 || SERVER-IIS register.asp access || nessus,11621
2135 || SERVER-WEBAPP philboard.mdb access || nessus,11682
2136 || SERVER-WEBAPP philboard_admin.asp authentication bypass attempt
|| bugtraq,7739 || nessus,11675
2137 || SERVER-WEBAPP philboard_admin.asp access || bugtraq,7739 ||
nessus,11675
2138 || SERVER-WEBAPP logicworks.ini access || bugtraq,6996 || cve,2003-1383 || nessus,11639
2139 || SERVER-WEBAPP /*.shtml access || bugtraq,1517 || cve,2000-0683 ||
nessus,11604
2140 || SERVER-WEBAPP p-news.php access || nessus,11669
2141 || SERVER-WEBAPP shoutbox.php directory traversal attempt ||
nessus,11668
2142 || SERVER-WEBAPP shoutbox.php access || nessus,11668
2143 || SERVER-WEBAPP b2 cafelog gm-2-b2.php remote file include attempt
|| nessus,11667
2144 || SERVER-WEBAPP b2 cafelog gm-2-b2.php access || nessus,11667
2145 || SERVER-WEBAPP TextPortal admin.php default password admin attempt
|| bugtraq,7673 || nessus,11660
2146 || SERVER-WEBAPP TextPortal admin.php default password 12345 attempt
|| bugtraq,7673 || nessus,11660
2147 || SERVER-WEBAPP BLNews objects.inc.php4 remote file include attempt
|| bugtraq,7677 || cve,2003-0394 || nessus,11647
2148 || SERVER-WEBAPP BLNews objects.inc.php4 access || bugtraq,7677 ||
cve,2003-0394 || nessus,11647
2149 || SERVER-WEBAPP Turba status.php access || nessus,11646
2150 || SERVER-WEBAPP ttCMS header.php remote file include attempt ||
bugtraq,7542 || bugtraq,7543 || bugtraq,7625 || cve,2003-1458 ||
cve,2003-1459 || nessus,11636
2151 || SERVER-WEBAPP ttCMS header.php access || bugtraq,7542 ||
bugtraq,7543 || bugtraq,7625 || cve,2003-1458 || cve,2003-1459 ||
nessus,11636
2152 || SERVER-WEBAPP test.php access || nessus,11617
2153 || SERVER-WEBAPP autohtml.php directory traversal attempt ||
nessus,11630
2154 || SERVER-WEBAPP autohtml.php access || nessus,11630
2155 || SERVER-WEBAPP ttforum remote file include attempt || bugtraq,7542
|| bugtraq,7543 || cve,2003-1458 || cve,2003-1459 || nessus,11615
2156 || SERVER-WEBAPP mod_gzip_status access || nessus,11685
2157 || SERVER-IIS IISProtect globaladmin.asp access || nessus,11661
2158 || SERVER-OTHER BGP invalid length || bugtraq,6213 || cve,2002-1350
|| nessus,14011 || nessus,15043 || url,sf.net/tracker/index.php?func=detail&aid=744523&group_id=53066&atid=469575
2159 || SERVER-OTHER BGP invalid type 0 || bugtraq,6213 || cve,2002-1350
|| nessus,14011 || nessus,15043
2176 || OS-WINDOWS SMB startup folder access
2177 || OS-WINDOWS SMB startup folder unicode access


2178 || PROTOCOL-FTP USER format string attempt || bugtraq,7474 ||
bugtraq,7776 || bugtraq,9262 || bugtraq,9402 || bugtraq,9600 ||
bugtraq,9800 || cve,2004-0277 || nessus,10041 || nessus,11687
2179 || PROTOCOL-FTP PASS format string attempt || bugtraq,7474 ||
bugtraq,9262 || bugtraq,9800 || cve,2000-0699 || cve,2007-1195 ||
nessus,10490 || url,osvdb.org/show/osvdb/33813
2180 || PUA-P2P BitTorrent announce request
2181 || PUA-P2P BitTorrent transfer
2183 || SERVER-MAIL Sendmail Content-Transfer-Encoding overflow attempt
|| cve,2003-0161 || url,www.cert.org/advisories/CA-2003-12.html
2184 || PROTOCOL-RPC mountd TCP mount path overflow attempt ||
bugtraq,8179 || cve,2003-0252 || nessus,11800
2190 || NETBIOS DCERPC invalid bind attempt
2191 || NETBIOS SMB DCERPC invalid bind attempt
2194 || SERVER-WEBAPP CSMailto.cgi access || bugtraq,4579 || bugtraq,6265
|| cve,2002-0749 || nessus,11748
2195 || SERVER-WEBAPP alert.cgi access || bugtraq,4211 || bugtraq,4579 ||
cve,2002-0346 || nessus,11748
2196 || SERVER-WEBAPP catgy.cgi access || bugtraq,3714 || bugtraq,4579 ||
cve,2001-1212 || nessus,11748
2197 || SERVER-WEBAPP cvsview2.cgi access || bugtraq,4579 || bugtraq,5517
|| cve,2003-0153 || nessus,11748
2198 || SERVER-WEBAPP cvslog.cgi access || bugtraq,4579 || bugtraq,5517
|| cve,2003-0153 || nessus,11748
2199 || SERVER-WEBAPP multidiff.cgi access || bugtraq,4579 ||
bugtraq,5517 || cve,2003-0153 || nessus,11748
2200 || SERVER-WEBAPP dnewsweb.cgi access || bugtraq,1172 || bugtraq,4579
|| cve,2000-0423 || nessus,11748
2201 || SERVER-WEBAPP Matt Wright download.cgi access || bugtraq,4579 ||
cve,1999-1377 || nessus,11748
2202 || SERVER-WEBAPP Webmin Directory edit_action.cgi access ||
bugtraq,3698 || bugtraq,4579 || cve,2001-1196 || nessus,11748
2203 || SERVER-WEBAPP Leif M. Wright everythingform.cgi access ||
bugtraq,2101 || bugtraq,4579 || cve,2001-0023 || nessus,11748
2204 || SERVER-WEBAPP EasyBoard 2000 ezadmin.cgi access || bugtraq,4068
|| bugtraq,4579 || cve,2002-0263 || nessus,11748
2205 || SERVER-WEBAPP EasyBoard 2000 ezboard.cgi access || bugtraq,4068
|| bugtraq,4579 || cve,2002-0263 || nessus,11748
2206 || SERVER-WEBAPP EasyBoard 2000 ezman.cgi access || bugtraq,4068 ||
bugtraq,4579 || cve,2002-0263 || nessus,11748
2207 || SERVER-WEBAPP FileSeek fileseek.cgi access || bugtraq,4579 ||
bugtraq,6784 || cve,2002-0611 || nessus,11748
2208 || SERVER-WEBAPP Faq-O-Matic fom.cgi access || bugtraq,4579 ||
cve,2002-0230 || nessus,11748
2209 || SERVER-WEBAPP Infonautics getdoc.cgi access || bugtraq,4579 ||
cve,2000-0288 || nessus,11748
2210 || SERVER-WEBAPP Multiple Vendors global.cgi access || bugtraq,4579
|| cve,2000-0952 || nessus,11748
2211 || SERVER-WEBAPP Lars Ellingsen guestserver.cgi access ||
bugtraq,4579 || cve,2001-0180 || nessus,11748
2212 || SERVER-WEBAPP cgiCentral WebStore imageFolio.cgi access ||
bugtraq,4579 || bugtraq,6265 || cve,2002-1334 || nessus,11748

2213 || SERVER-WEBAPP Oatmeal Studios Mail File mailfile.cgi access || bugtraq,1807 || bugtraq,4579 || cve,2000-0977 || nessus,11748
2214 || SERVER-WEBAPP 3R Soft MailStudio 2000 mailview.cgi access ||
bugtraq,1335 || bugtraq,4579 || cve,2000-0526 || nessus,11748
2215 || SERVER-WEBAPP Alabanza Control Panel nsManager.cgi access ||
bugtraq,1710 || bugtraq,4579 || cve,2000-1023 || nessus,11748
2216 || SERVER-WEBAPP Ipswitch IMail readmail.cgi access || bugtraq,3427
|| bugtraq,4579 || cve,2001-1283 || nessus,11748
2217 || SERVER-WEBAPP Ipswitch IMail printmail.cgi access || bugtraq,3427
|| bugtraq,4579 || cve,2001-1283 || nessus,11748
2218 || SERVER-WEBAPP Oracle Cobalt RaQ service.cgi access ||
bugtraq,4211 || bugtraq,4579 || cve,2002-0346 || nessus,11748
2219 || SERVER-WEBAPP Trend Micro Interscan VirusWall setpasswd.cgi
access || bugtraq,2212 || bugtraq,4579 || cve,2001-0133 || nessus,11748
2220 || SERVER-WEBAPP Leif M. Wright simplestmail.cgi access ||
bugtraq,2106 || bugtraq,4579 || cve,2001-0022 || nessus,11748
2221 || SERVER-WEBAPP cgiCentral WebStore ws_mail.cgi access ||
bugtraq,2861 || bugtraq,4579 || cve,2001-1343 || nessus,11748
2222 || SERVER-WEBAPP Infinity CGI exploit scanner nph-exploitscanget.cgi
access || bugtraq,7910 || bugtraq,7911 || bugtraq,7913 || cve,2003-0434
|| nessus,11740
2223 || SERVER-WEBAPP CGIScript.net csNews.cgi access || bugtraq,4994 ||
cve,2002-0923 || nessus,11726
2224 || SERVER-WEBAPP Psunami Bulletin Board psunami.cgi access ||
bugtraq,6607 || nessus,11750
2225 || SERVER-WEBAPP Linksys BEFSR41 gozila.cgi access || bugtraq,6086
|| cve,2002-1236 || nessus,11773
2226 || SERVER-WEBAPP pmachine remote file include attempt ||
bugtraq,7919 || nessus,11739
2227 || SERVER-WEBAPP forum_details.php access || bugtraq,7933 ||
nessus,11760
2228 || SERVER-WEBAPP phpMyAdmin db_details_importdocsql.php access ||
bugtraq,7962 || bugtraq,7965 || nessus,11761
2229 || SERVER-WEBAPP viewtopic.php access || bugtraq,7979 || cve,2003-0486 || nessus,11767
2230 || SERVER-WEBAPP NetGear router default password login attempt
admin/password || nessus,11737
2231 || SERVER-WEBAPP register.dll access || bugtraq,3327 || cve,2001-0958 || nessus,11747
2232 || SERVER-WEBAPP ContentFilter.dll access || bugtraq,3327 ||
cve,2001-0958 || nessus,11747
2233 || SERVER-WEBAPP SFNofitication.dll access || bugtraq,3327 ||
cve,2001-0958 || nessus,11747
2234 || SERVER-WEBAPP TOP10.dll access || bugtraq,3327 || cve,2001-0958
|| nessus,11747
2235 || SERVER-WEBAPP SpamExcp.dll access || bugtraq,3327 || cve,2001-0958 || nessus,11747
2236 || SERVER-WEBAPP spamrule.dll access || bugtraq,3327 || cve,2001-0958 || nessus,11747
2237 || SERVER-WEBAPP cgiWebupdate.exe access || bugtraq,3216 ||
cve,2001-1150 || nessus,11722
2238 || SERVER-WEBAPP WebLogic ConsoleHelp view source attempt ||
bugtraq,1518 || cve,2000-0682 || nessus,11724

2239 || SERVER-WEBAPP redirect.exe access || bugtraq,1256 || cve,2000-0401 || nessus,11723


2240 || SERVER-WEBAPP changepw.exe access || bugtraq,1256 || cve,2000-0401 || nessus,11723
2241 || SERVER-WEBAPP cwmail.exe access || bugtraq,4093 || cve,2002-0273
|| nessus,11727
2242 || SERVER-WEBAPP ddicgi.exe access || bugtraq,1657 || cve,2000-0826
|| nessus,11728
2243 || SERVER-WEBAPP ndcgi.exe access || bugtraq,3583 || cve,2001-0922
|| nessus,11730
2244 || SERVER-WEBAPP VsSetCookie.exe access || bugtraq,3784 || cve,2002-0236 || nessus,11731
2245 || SERVER-WEBAPP Webnews.exe access || bugtraq,4124 || cve,2002-0290
|| nessus,11732
2246 || SERVER-WEBAPP webadmin.dll access || bugtraq,7438 || bugtraq,7439
|| bugtraq,8024 || cve,2003-0471 || nessus,11771
2247 || SERVER-IIS UploadScript11.asp access || bugtraq,3608 || cve,2001-0938 || nessus,11746
2248 || SERVER-IIS DirectoryListing.asp access || cve,2001-0938
2249 || SERVER-IIS /pcadmin/login.asp access || bugtraq,8103 ||
nessus,11785
2250 || PROTOCOL-POP USER format string attempt || bugtraq,10976 ||
bugtraq,7667 || cve,2003-0391 || nessus,11742
2252 || OS-WINDOWS SMB-DS DCERPC Remote Activation bind attempt ||
bugtraq,8234 || bugtraq,8458 || cve,2003-0528 || cve,2003-0605 ||
cve,2003-0715 || nessus,11798 || nessus,11835 ||
url,technet.microsoft.com/en-us/security/bulletin/MS03-039
2253 || SERVER-MAIL XEXCH50 overflow attempt || bugtraq,8838 || cve,2003-0714 || nessus,11889 || url,technet.microsoft.com/en-us/security/bulletin/MS03-046
2255 || PROTOCOL-RPC sadmind query with root credentials attempt TCP
2256 || PROTOCOL-RPC sadmind query with root credentials attempt UDP
2257 || OS-WINDOWS DCERPC Messenger Service buffer overflow attempt ||
bugtraq,8826 || cve,2003-0717 || nessus,11888 || nessus,11890 ||
url,technet.microsoft.com/en-us/security/bulletin/MS03-043
2258 || OS-WINDOWS SMB-DS DCERPC Messenger Service buffer overflow
attempt || bugtraq,8826 || cve,2003-0717 || nessus,11888 || nessus,11890
|| url,technet.microsoft.com/en-us/security/bulletin/MS03-043
2259 || SERVER-MAIL EXPN overflow attempt || bugtraq,6991 || bugtraq,7230
|| cve,2002-1337 || cve,2003-0161
2260 || SERVER-MAIL VRFY overflow attempt || bugtraq,6991 || bugtraq,7230
|| cve,2002-1337 || cve,2003-0161
2261 || SERVER-MAIL Sendmail SEND FROM prescan too many addresses
overflow || bugtraq,6991 || cve,2002-1337 || nessus,11316
2262 || SERVER-MAIL Sendmail SEND FROM prescan too long addresses
overflow || bugtraq,7230 || cve,2003-0161 || nessus,11499
2263 || SERVER-MAIL Sendmail SAML FROM prescan too many addresses
overflow || bugtraq,6991 || cve,2002-1337
2264 || SERVER-MAIL Sendmail SAML FROM prescan too long addresses
overflow || bugtraq,7230 || cve,2003-0161 || nessus,11499
2265 || SERVER-MAIL Sendmail SOML FROM prescan too many addresses
overflow || bugtraq,6991 || cve,2002-1337
2266 || SERVER-MAIL Sendmail SOML FROM prescan too long addresses
overflow || bugtraq,7230 || cve,2003-0161 || nessus,11499

2267 || SERVER-MAIL Sendmail MAIL FROM prescan too many addresses overflow || bugtraq,6991 || cve,2002-1337
2268 || SERVER-MAIL Sendmail MAIL FROM prescan too long addresses
overflow || bugtraq,7230 || cve,2003-0161 || nessus,11499
2269 || SERVER-MAIL Sendmail RCPT TO prescan too many addresses overflow
|| bugtraq,6991 || cve,2002-1337
2270 || SERVER-MAIL Sendmail RCPT TO prescan too long addresses overflow
|| bugtraq,7230 || cve,2003-0161 || cve,2003-0694 || nessus,11499
2271 || MALWARE-BACKDOOR FsSniffer connection attempt || nessus,11854
2272 || PROTOCOL-FTP LIST integer overflow attempt || bugtraq,8875 ||
cve,2003-0853 || cve,2003-0854 || nessus,11912
2273 || PROTOCOL-IMAP login brute force attempt
2274 || PROTOCOL-POP login brute force attempt
2275 || SERVER-MAIL AUTH LOGON brute force attempt
2276 || SERVER-WEBAPP oracle portal demo access || nessus,11918
2277 || SERVER-WEBAPP PeopleSoft PeopleBooks psdoccgi access ||
bugtraq,9037 || bugtraq,9038 || cve,2003-0626 || cve,2003-0627
2278 || SERVER-WEBAPP client negative Content-Length attempt ||
bugtraq,16354 || bugtraq,17879 || bugtraq,9098 || bugtraq,9476 ||
bugtraq,9576 || cve,2004-0095 || cve,2005-3653 || cve,2006-2162 ||
cve,2006-3655
2279 || SERVER-WEBAPP UpdateClasses.php access || bugtraq,9057
2280 || SERVER-WEBAPP Title.php access || bugtraq,9057
2281 || SERVER-WEBAPP Setup.php access || bugtraq,9057 || cve,2009-1151
2282 || SERVER-WEBAPP GlobalFunctions.php access || bugtraq,9057
2283 || SERVER-WEBAPP DatabaseFunctions.php access || bugtraq,9057
2284 || SERVER-WEBAPP rolis guestbook remote file include attempt ||
bugtraq,9057
2285 || SERVER-WEBAPP rolis guestbook access || bugtraq,9057
2286 || SERVER-WEBAPP friends.php access || bugtraq,9088
2287 || SERVER-WEBAPP Advanced Poll admin_comment.php access ||
bugtraq,8890 || cve,2003-1178 || cve,2003-1179 || cve,2003-1180 ||
cve,2003-1181 || nessus,11487
2288 || SERVER-WEBAPP Advanced Poll admin_edit.php access || bugtraq,8890
|| cve,2003-1178 || cve,2003-1179 || cve,2003-1180 || cve,2003-1181 ||
nessus,11487
2289 || SERVER-WEBAPP Advanced Poll admin_embed.php access ||
bugtraq,8890 || cve,2003-1178 || cve,2003-1179 || cve,2003-1180 ||
cve,2003-1181 || nessus,11487
2290 || SERVER-WEBAPP Advanced Poll admin_help.php access || bugtraq,8890
|| cve,2003-1178 || cve,2003-1179 || cve,2003-1180 || cve,2003-1181 ||
nessus,11487
2291 || SERVER-WEBAPP Advanced Poll admin_license.php access ||
bugtraq,8890 || cve,2003-1178 || cve,2003-1179 || cve,2003-1180 ||
cve,2003-1181 || nessus,11487
2292 || SERVER-WEBAPP Advanced Poll admin_logout.php access ||
bugtraq,8890 || cve,2003-1178 || cve,2003-1179 || cve,2003-1180 ||
cve,2003-1181 || nessus,11487
2293 || SERVER-WEBAPP Advanced Poll admin_password.php access ||
bugtraq,8890 || cve,2003-1178 || cve,2003-1179 || cve,2003-1180 ||
cve,2003-1181 || nessus,11487
2294 || SERVER-WEBAPP Advanced Poll admin_preview.php access ||
bugtraq,8890 || cve,2003-1178 || cve,2003-1179 || cve,2003-1180 ||
cve,2003-1181 || nessus,11487

2295 || SERVER-WEBAPP Advanced Poll admin_settings.php access || bugtraq,8890 || cve,2003-1178 || cve,2003-1179 || cve,2003-1180 || cve,2003-1181 || nessus,11487
2296 || SERVER-WEBAPP Advanced Poll admin_stats.php access ||
bugtraq,8890 || cve,2003-1178 || cve,2003-1179 || cve,2003-1180 ||
cve,2003-1181 || nessus,11487
2297 || SERVER-WEBAPP Advanced Poll admin_templates_misc.php access ||
bugtraq,8890 || cve,2003-1178 || cve,2003-1179 || cve,2003-1180 ||
cve,2003-1181 || nessus,11487
2298 || SERVER-WEBAPP Advanced Poll admin_templates.php access ||
bugtraq,8890 || cve,2003-1178 || cve,2003-1179 || cve,2003-1180 ||
cve,2003-1181 || nessus,11487
2299 || SERVER-WEBAPP Advanced Poll admin_tpl_misc_new.php access ||
bugtraq,8890 || cve,2003-1178 || cve,2003-1179 || cve,2003-1180 ||
cve,2003-1181 || nessus,11487
2300 || SERVER-WEBAPP Advanced Poll admin_tpl_new.php access ||
bugtraq,8890 || cve,2003-1178 || cve,2003-1179 || cve,2003-1180 ||
cve,2003-1181 || nessus,11487
2301 || SERVER-WEBAPP Advanced Poll booth.php access || bugtraq,8890 ||
cve,2003-1178 || cve,2003-1179 || cve,2003-1180 || cve,2003-1181 ||
nessus,11487
2302 || SERVER-WEBAPP Advanced Poll poll_ssi.php access || bugtraq,8890
|| cve,2003-1178 || cve,2003-1179 || cve,2003-1180 || cve,2003-1181 ||
nessus,11487
2303 || SERVER-WEBAPP Advanced Poll popup.php access || bugtraq,8890 ||
cve,2003-1178 || cve,2003-1179 || cve,2003-1180 || cve,2003-1181 ||
nessus,11487
2304 || SERVER-WEBAPP files.inc.php access || bugtraq,8910 || cve,2003-1153
2305 || SERVER-WEBAPP chatbox.php access || bugtraq,8930 || cve,2003-1191
2306 || SERVER-WEBAPP gallery remote file include attempt || bugtraq,8814
|| cve,2003-1227 || nessus,11876
2307 || SERVER-WEBAPP PayPal Storefront remote file include attempt ||
bugtraq,8791 || nessus,11873
2317 || INDICATOR-COMPROMISE CVS non-relative path error response ||
bugtraq,9178 || cve,2003-0977 || nessus,11947
2318 || SERVER-OTHER CVS non-relative path access attempt || bugtraq,9178
|| cve,2003-0977 || nessus,11947
2319 || SERVER-OTHER ebola PASS overflow attempt || bugtraq,9156
2320 || SERVER-OTHER ebola USER overflow attempt || bugtraq,9156
2321 || SERVER-IIS foxweb.exe access || nessus,11939
2322 || SERVER-IIS foxweb.dll access || nessus,11939
2323 || SERVER-WEBAPP iSoft-Solutions QuickStore shopping cart
quickstore.cgi access || bugtraq,9282 || nessus,11975
2324 || SERVER-IIS VP-ASP shopsearch.asp access || bugtraq,9133 ||
bugtraq,9134 || nessus,11942
2325 || SERVER-IIS VP-ASP ShopDisplayProducts.asp access || bugtraq,9133
|| bugtraq,9134 || nessus,11942
2326 || SERVER-IIS sgdynamo.exe access || bugtraq,4720 || cve,2002-0375
|| nessus,11955
2327 || SERVER-WEBAPP bsml.pl access || bugtraq,9311 || nessus,11973
2328 || SERVER-WEBAPP authentication_index.php access || cve,2004-0032 ||
nessus,11982

2329 || SERVER-MSSQL probe response overflow attempt || bugtraq,9407 || cve,2003-0903 || nessus,11990 || url,technet.microsoft.com/en-us/security/bulletin/MS04-003
2330 || PROTOCOL-IMAP auth overflow attempt || bugtraq,8861 || cve,2003-1177 || nessus,11910
2331 || SERVER-WEBAPP MatrikzGB privilege escalation attempt ||
bugtraq,8430
2332 || PROTOCOL-FTP MKD format string attempt || bugtraq,9262
2333 || PROTOCOL-FTP RENAME format string attempt || bugtraq,9262
2334 || PROTOCOL-FTP Yak! FTP server default account login attempt ||
bugtraq,9072
2335 || PROTOCOL-FTP RMD / attempt || bugtraq,9159
2337 || PROTOCOL-TFTP PUT filename overflow attempt || bugtraq,20131 ||
bugtraq,22923 || bugtraq,7819 || bugtraq,8505 || cve,2003-0380 ||
cve,2006-4948 || cve,2008-1611 || cve,2009-2957 || cve,2009-2958 ||
nessus,18264
2338 || PROTOCOL-FTP LIST buffer overflow attempt || bugtraq,10181 ||
bugtraq,14339 || bugtraq,33454 || bugtraq,58247 || bugtraq,6869 ||
bugtraq,7251 || bugtraq,7861 || bugtraq,8486 || bugtraq,9675 || cve,1999-0349 || cve,1999-1510 || cve,2000-0129 || cve,2004-1992 || cve,2005-2373
|| cve,2007-0019 || cve,2009-0351 || url,technet.microsoft.com/en-us/security/bulletin/MS99-003
2339 || PROTOCOL-TFTP NULL command attempt || bugtraq,7575
2340 || PROTOCOL-FTP SITE CHMOD overflow attempt || bugtraq,10181 ||
bugtraq,9483 || bugtraq,9675 || cve,1999-0838 || nessus,12037
2341 || SERVER-WEBAPP DCP-Portal remote file include editor script
attempt || bugtraq,6525
2342 || SERVER-WEBAPP DCP-Portal remote file include lib script attempt
|| bugtraq,6525
2343 || PROTOCOL-FTP STOR overflow attempt || bugtraq,8668 || cve,2000-0133 || url,osvdb.org/show/osvdb/94624
2344 || PROTOCOL-FTP XCWD overflow attempt || bugtraq,11542 ||
bugtraq,8704 || cve,2004-2728
2345 || SERVER-WEBAPP PhpGedView search.php access || bugtraq,9369 ||
cve,2004-0032
2346 || SERVER-WEBAPP myPHPNuke chatheader.php access || bugtraq,6544
2347 || SERVER-WEBAPP myPHPNuke partner.php access || bugtraq,6544
2353 || SERVER-WEBAPP IdeaBox cord.php file include || bugtraq,7488
2354 || SERVER-WEBAPP IdeaBox notification.php file include ||
bugtraq,7488
2355 || SERVER-WEBAPP Invision Board emailer.php file include ||
bugtraq,7204
2356 || SERVER-WEBAPP WebChat db_mysql.php file include || bugtraq,7000
|| cve,2007-0485
2357 || SERVER-WEBAPP WebChat english.php file include || bugtraq,7000 ||
cve,2007-0485
2358 || SERVER-WEBAPP Typo3 translations.php file include || bugtraq,6984
2359 || SERVER-WEBAPP Invision Board ipchat.php file include ||
bugtraq,6976 || cve,2003-1385
2360 || SERVER-WEBAPP myphpPagetool pt_config.inc file include ||
bugtraq,6744
2361 || SERVER-WEBAPP news.php file include || bugtraq,6674
2362 || SERVER-WEBAPP YaBB SE packages.php file include || bugtraq,6663
2363 || SERVER-WEBAPP Cyboards default_header.php access || bugtraq,6597

2364 || SERVER-WEBAPP Cyboards options_form.php access || bugtraq,6597


2365 || SERVER-WEBAPP newsPHP Language file include attempt ||
bugtraq,8488
2366 || SERVER-WEBAPP PhpGedView PGV authentication_index.php base
directory manipulation attempt || bugtraq,9368 || cve,2004-0030
2367 || SERVER-WEBAPP PhpGedView PGV functions.php base directory
manipulation attempt || bugtraq,9368 || cve,2004-0030
2368 || SERVER-WEBAPP PhpGedView PGV config_gedcom.php base directory
manipulation attempt || bugtraq,9368 || cve,2004-0030
2369 || SERVER-WEBAPP ISAPISkeleton.dll access || bugtraq,9516 ||
cve,2004-2128
2370 || SERVER-WEBAPP BugPort config.conf file access || bugtraq,9542 ||
cve,2004-2353
2371 || SERVER-WEBAPP Sample_showcode.html access || bugtraq,9555 ||
cve,2004-2170
2372 || SERVER-WEBAPP Photopost PHP Pro showphoto.php access ||
bugtraq,9557 || cve,2004-0239 || cve,2004-0250
2373 || PROTOCOL-FTP XMKD overflow attempt || bugtraq,7909 || cve,2000-0133 || cve,2001-1021
2374 || PROTOCOL-FTP NLST overflow attempt || bugtraq,7909 || cve,1999-1544 || cve,2009-3023 || url,technet.microsoft.com/en-us/security/bulletin/MS09-053 || url,www.kb.cert.org/vuls/id/276653
2375 || MALWARE-CNC DoomJuice/mydoom.a backdoor upload/execute ||
url,securityresponse.symantec.com/avcenter/venc/data/w32.hllw.doomjuice.html
2376 || SERVER-OTHER ISAKMP first payload certificate request length
overflow attempt || bugtraq,9582 || cve,2004-0040
2377 || SERVER-OTHER ISAKMP second payload certificate request length
overflow attempt || bugtraq,9582 || cve,2004-0040
2378 || SERVER-OTHER ISAKMP third payload certificate request length
overflow attempt || bugtraq,9582 || cve,2004-0040
2379 || SERVER-OTHER ISAKMP forth payload certificate request length
overflow attempt || bugtraq,9582 || cve,2004-0040
2380 || SERVER-OTHER ISAKMP fifth payload certificate request length
overflow attempt || bugtraq,9582 || cve,2004-0040
2381 || SERVER-WEBAPP Checkpoint Firewall-1 HTTP parsing format string
vulnerability attempt || bugtraq,9581 || cve,2004-0039 || nessus,12084
2382 || OS-WINDOWS SMB Session Setup NTLMSSP asn1 overflow attempt ||
bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 ||
nessus,12065 || url,technet.microsoft.com/en-us/security/bulletin/MS04-007
2383 || OS-WINDOWS SMB-DS Session Setup NTLMSSP asn1 overflow attempt ||
bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 ||
nessus,12065 || url,technet.microsoft.com/en-us/security/bulletin/MS04-007
2386 || SERVER-IIS NTLM ASN1 vulnerability scan attempt || bugtraq,9633
|| bugtraq,9635 || cve,2003-0818 || nessus,12052 || nessus,12055 ||
nessus,12065 || url,technet.microsoft.com/en-us/security/bulletin/MS04-007
2388 || SERVER-WEBAPP Apple QuickTime streaming server view_broadcast.cgi
access || bugtraq,8257 || cve,2003-0422
2389 || PROTOCOL-FTP RNTO overflow attempt || bugtraq,15457 ||
bugtraq,8315 || cve,2000-0133 || cve,2001-1021 || cve,2003-0466 ||
cve,2005-3683

2390 || PROTOCOL-FTP STOU overflow attempt || bugtraq,8315 || cve,2003-0466


2391 || PROTOCOL-FTP APPE overflow attempt || bugtraq,8315 ||
bugtraq,8542 || cve,2000-0133 || cve,2003-0466 || cve,2003-0772
2392 || PROTOCOL-FTP RETR overflow attempt || bugtraq,15457 ||
bugtraq,23168 || bugtraq,8315 || cve,2003-0466 || cve,2004-0287 ||
cve,2004-0298 || cve,2005-3683
2393 || SERVER-WEBAPP /_admin access || bugtraq,9537 || cve,2007-1156 ||
nessus,12032
2394 || SERVER-WEBAPP Compaq web-based management agent denial of service
attempt || bugtraq,8014
2395 || SERVER-WEBAPP InteractiveQuery.jsp access || bugtraq,8938 ||
cve,2003-0624
2396 || SERVER-WEBAPP CCBill whereami.cgi arbitrary command execution
attempt || bugtraq,8095 || url,secunia.com/advisories/9191/
2397 || SERVER-WEBAPP CCBill whereami.cgi access || bugtraq,8095 ||
url,secunia.com/advisories/9191/
2398 || SERVER-WEBAPP WAnewsletter newsletter.php file include attempt ||
bugtraq,6965
2399 || SERVER-WEBAPP WAnewsletter db_type.php access || bugtraq,6964
2400 || SERVER-WEBAPP edittag.pl access || bugtraq,6675 || cve,2003-1351
2401 || NETBIOS SMB Session Setup andx username overflow attempt ||
bugtraq,9752 || cve,2004-0193 ||
url,www.eeye.com/html/Research/Advisories/AD20040226.html
2402 || NETBIOS SMB-DS Session Setup andx username overflow attempt ||
bugtraq,9752 || cve,2004-0193 ||
url,www.eeye.com/html/Research/Advisories/AD20040226.html
2403 || NETBIOS SMB Session Setup unicode username overflow attempt ||
bugtraq,9752 || cve,2004-0193 ||
url,www.eeye.com/html/Research/Advisories/AD20040226.html
2404 || NETBIOS SMB-DS Session Setup unicode andx username overflow
attempt || bugtraq,9752 || cve,2004-0193 ||
url,www.eeye.com/html/Research/Advisories/AD20040226.html
2405 || SERVER-WEBAPP phptest.php access || bugtraq,9737 || cve,2004-2374
2406 || PROTOCOL-TELNET APC SmartSlot default admin account attempt ||
bugtraq,9681 || cve,2004-0311 || nessus,12066
2407 || SERVER-WEBAPP util.pl access || bugtraq,9748 || cve,2004-2379
2408 || SERVER-WEBAPP Invision Power Board search.pl access ||
bugtraq,9766 || cve,2004-0338
2409 || PROTOCOL-POP APOP USER overflow attempt || bugtraq,9794 ||
cve,2004-2375
2410 || SERVER-WEBAPP IGeneric Free Shopping Cart page.php access ||
bugtraq,9773
2411 || SERVER-WEBAPP RealNetworks RealSystem Server DESCRIBE buffer
overflow attempt || bugtraq,8476 || cve,2003-0725 || nessus,11642 ||
url,www.service.real.com/help/faq/security/rootexploit091103.html
2412 || INDICATOR-COMPROMISE successful cross site scripting forced
download attempt
2413 || SERVER-OTHER ISAKMP delete hash with empty hash attempt ||
bugtraq,9416 || bugtraq,9417 || cve,2004-0164
2414 || SERVER-OTHER ISAKMP initial contact notification without SPI
attempt || bugtraq,9416 || bugtraq,9417 || cve,2004-0164
2415 || SERVER-OTHER ISAKMP second payload initial contact notification
without SPI attempt || bugtraq,9416 || bugtraq,9417 || cve,2004-0164

2416 || PROTOCOL-FTP invalid MDTM command attempt || bugtraq,9751 ||


cve,2001-1021 || cve,2004-0330
2417 || PROTOCOL-FTP format string attempt || bugtraq,15352 ||
bugtraq,30993 || bugtraq,9800 || cve,2002-2074 || cve,2007-1195 ||
cve,2009-4769 || url,osvdb.org/show/osvdb/33813
2418 || POLICY-OTHER Microsoft Windows Terminal Server no encryption
session initiation attempt || cve,2001-0663 ||
url,technet.microsoft.com/en-us/security/bulletin/MS01-052
2419 || FILE-IDENTIFY RealNetworks Realplayer .ram playlist file download
request || url,en.wikipedia.org/wiki/.ram
2420 || FILE-IDENTIFY RealNetworks Realplayer .rmp playlist file download
request || url,en.wikipedia.org/wiki/.ram
2422 || FILE-IDENTIFY RealNetworks Realplayer .rt playlist file download
request || url,en.wikipedia.org/wiki/.ram
2423 || FILE-IDENTIFY RealNetworks Realplayer .rp playlist file download
request || url,en.wikipedia.org/wiki/.ram
2424 || PROTOCOL-NNTP sendsys overflow attempt || bugtraq,9382 ||
cve,2004-0045 || nessus,11984
2425 || PROTOCOL-NNTP senduuname overflow attempt || bugtraq,9382 ||
cve,2004-0045 || nessus,11984
2426 || PROTOCOL-NNTP version overflow attempt || bugtraq,9382 ||
cve,2004-0045 || nessus,11984
2427 || PROTOCOL-NNTP checkgroups overflow attempt || bugtraq,9382 ||
cve,2004-0045 || nessus,11984
2428 || PROTOCOL-NNTP ihave overflow attempt || bugtraq,9382 || cve,2004-0045 || nessus,11984
2429 || PROTOCOL-NNTP sendme overflow attempt || bugtraq,9382 ||
cve,2004-0045 || nessus,11984
2430 || PROTOCOL-NNTP newgroup overflow attempt || bugtraq,9382 ||
cve,2004-0045 || nessus,11984
2431 || PROTOCOL-NNTP rmgroup overflow attempt || bugtraq,9382 ||
cve,2004-0045 || nessus,11984
2432 || PROTOCOL-NNTP article post without path attempt
2433 || SERVER-WEBAPP MDaemon form2raw.cgi overflow attempt ||
bugtraq,9317 || cve,2003-1200 || url,secunia.com/advisories/10512/
2434 || SERVER-WEBAPP MDaemon form2raw.cgi access || bugtraq,9317 ||
cve,2003-1200 || url,secunia.com/advisories/10512/
2435 || FILE-IDENTIFY Microsoft emf file download request ||
bugtraq,10120 || bugtraq,28819 || bugtraq,9707 || cve,2003-0906 ||
cve,2007-5746 || url,technet.microsoft.com/en-us/security/bulletin/MS04-011 || url,technet.microsoft.com/en-us/security/bulletin/MS04-032 ||
url,technet.microsoft.com/en-us/security/bulletin/MS05-053 ||
url,technet.microsoft.com/en-us/security/bulletin/MS06-001
2436 || FILE-IDENTIFY Microsoft Windows Audio wmf file download request
|| url,en.wikipedia.org/wiki/.wmf
2437 || FILE-MULTIMEDIA RealNetworks RealPlayer arbitrary javascript
command attempt || bugtraq,8453 || bugtraq,9378 || cve,2003-0726
2438 || FILE-MULTIMEDIA RealNetworks RealPlayer playlist file URL
overflow attempt || bugtraq,13264 || bugtraq,9579 || cve,2004-0258 ||
cve,2005-0755
2439 || FILE-MULTIMEDIA RealNetworks RealPlayer playlist http URL
overflow attempt || bugtraq,13264 || bugtraq,9579 || cve,2004-0258 ||
cve,2005-0755

2440 || FILE-MULTIMEDIA RealNetworks RealPlayer playlist rtsp URL


overflow attempt || bugtraq,13264 || bugtraq,9579 || cve,2004-0258 ||
cve,2005-0755
2441 || SERVER-WEBAPP NetObserve authentication bypass attempt ||
bugtraq,9319
2446 || SERVER-OTHER ICQ SRV_MULTI/SRV_META_USER overflow attempt - ISS
Witty Worm || cve,2004-0362 ||
url,www.eeye.com/html/Research/Advisories/AD20040318.html
2447 || SERVER-WEBAPP ServletManager access || bugtraq,3697 || cve,2001-1195 || nessus,12122
2448 || SERVER-WEBAPP setinfo.hts access || bugtraq,9973 || cve,2004-1857
|| nessus,12120
2449 || PROTOCOL-FTP ALLO overflow attempt || bugtraq,9953 || cve,2004-1883 || nessus,14598
2450 || POLICY-SOCIAL Yahoo IM successful logon
2451 || POLICY-SOCIAL Yahoo IM voicechat
2452 || POLICY-SOCIAL Yahoo IM ping
2453 || POLICY-SOCIAL Yahoo IM conference invitation
2454 || POLICY-SOCIAL Yahoo IM conference logon success
2455 || POLICY-SOCIAL Yahoo IM conference message
2456 || POLICY-SOCIAL Yahoo Messenger File Transfer Receive Request
2457 || POLICY-SOCIAL Yahoo IM message
2458 || POLICY-SOCIAL Yahoo IM successful chat join
2459 || POLICY-SOCIAL Yahoo IM conference offer invitation
2460 || POLICY-SOCIAL Yahoo IM conference request
2461 || POLICY-SOCIAL Yahoo IM conference watch
2462 || SERVER-OTHER Ethereal IGMP IGAP account overflow attempt ||
bugtraq,9952 || cve,2004-0176 || cve,2004-0367
2463 || SERVER-OTHER Ethereal IGMP IGAP message overflow attempt ||
bugtraq,9952 || cve,2004-0176 || cve,2004-0367
2464 || SERVER-OTHER Ethereal EIGRP prefix length overflow attempt ||
bugtraq,9952 || cve,2004-0176 || cve,2004-0367
2474 || NETBIOS SMB-DS ADMIN$ share access
2484 || SERVER-WEBAPP source.jsp access || nessus,12119
2485 || BROWSER-PLUGINS Symantec Norton Internet Security 2004 ActiveX
clsid access || bugtraq,9916 || cve,2004-0363 ||
url,osvdb.org/show/osvdb/6249
2486 || SERVER-OTHER ISAKMP invalid identification payload attempt ||
bugtraq,10004 || cve,2004-0184
2487 || SERVER-MAIL WinZip MIME content-type buffer overflow ||
bugtraq,9758 || cve,2004-0333 || nessus,12621
2488 || SERVER-MAIL WinZip MIME content-disposition buffer overflow ||
bugtraq,9758 || cve,2004-0333 || nessus,12621
2489 || SERVER-OTHER esignal STREAMQUOTE buffer overflow attempt ||
bugtraq,9978 || cve,2004-1868
2490 || SERVER-OTHER esignal SNAPQUOTE buffer overflow attempt ||
bugtraq,9978 || cve,2004-1868
2508 || OS-WINDOWS DCERPC NCACN-IP-TCP lsass
DsRolerUpgradeDownlevelServer overflow attempt || bugtraq,10108 ||
cve,2003-0533 || nessus,12205 || url,technet.microsoft.com/en-us/security/bulletin/MS04-011
2511 || OS-WINDOWS DCERPC NCADG-IP-UDP lsass
DsRolerUpgradeDownlevelServer overflow attempt || bugtraq,10108 ||

cve,2003-0533 || nessus,12205 || url,technet.microsoft.com/en-us/security/bulletin/MS04-011


2523 || SERVER-OTHER BGP spoofed connection reset attempt ||
bugtraq,10183 || cve,2004-0230 ||
url,www.uniras.gov.uk/vuls/2004/236929/index.htm
2545 || SERVER-OTHER AFP FPLoginExt username buffer overflow attempt ||
bugtraq,10271 || cve,2004-0430 ||
url,www.atstake.com/research/advisories/2004/a050304-1.txt
2546 || PROTOCOL-FTP MDTM overflow attempt || bugtraq,9751 || cve,2001-1021 || cve,2004-0330 || nessus,12080
2547 || SERVER-OTHER HP Web JetAdmin remote file upload attempt ||
bugtraq,9971 || cve,2004-1856
2548 || SERVER-OTHER HP Web JetAdmin setinfo access || bugtraq,9972 ||
cve,2004-1857 || nessus,12120
2549 || SERVER-OTHER HP Web JetAdmin file write attempt || bugtraq,9973
2550 || FILE-OTHER Nullsoft Winamp XM file buffer overflow attempt ||
cve,2004-1896 || url,www.securityfocus.com/bid/10045
2551 || SERVER-OTHER Oracle Web Cache GET overflow attempt ||
bugtraq,9868 || cve,2004-0385 || nessus,12126
2552 || SERVER-OTHER Oracle Web Cache HEAD overflow attempt ||
bugtraq,9868 || cve,2004-0385 || nessus,12126
2553 || SERVER-OTHER Oracle Web Cache PUT overflow attempt ||
bugtraq,9868 || cve,2004-0385 || nessus,12126
2554 || SERVER-OTHER Oracle Web Cache POST overflow attempt ||
bugtraq,9868 || cve,2004-0385 || nessus,12126
2555 || SERVER-OTHER Oracle Web Cache TRACE overflow attempt ||
bugtraq,9868 || cve,2004-0385 || nessus,12126
2556 || SERVER-OTHER Oracle Web Cache DELETE overflow attempt ||
bugtraq,9868 || cve,2004-0385 || nessus,12126
2557 || SERVER-OTHER Oracle Web Cache LOCK overflow attempt ||
bugtraq,9868 || cve,2004-0385 || nessus,12126
2558 || SERVER-OTHER Oracle Web Cache MKCOL overflow attempt ||
bugtraq,9868 || cve,2004-0385 || nessus,12126
2559 || SERVER-OTHER Oracle Web Cache COPY overflow attempt ||
bugtraq,9868 || cve,2004-0385 || nessus,12126
2560 || SERVER-OTHER Oracle Web Cache MOVE overflow attempt ||
bugtraq,9868 || cve,2004-0385 || nessus,12126
2561 || SERVER-OTHER rsync backup-dir directory traversal attempt ||
bugtraq,10247 || cve,2004-0426 || nessus,12230
2562 || SERVER-WEBAPP McAfee ePO file upload attempt || bugtraq,10200 ||
cve,2004-0038
2563 || NETBIOS NS lookup response name overflow attempt || bugtraq,10333
|| cve,2004-0444 ||
url,www.eeye.com/html/Research/Advisories/AD20040512A.html
2564 || NETBIOS NS lookup short response attempt || bugtraq,10335 ||
cve,2004-0444 ||
url,www.eeye.com/html/Research/Advisories/AD20040512C.html
2565 || SERVER-WEBAPP modules.php access || bugtraq,9879 || cve,2004-1817
2566 || SERVER-WEBAPP PHPBB viewforum.php access || bugtraq,9865 ||
bugtraq,9866 || cve,2004-1809 || nessus,12093
2567 || SERVER-WEBAPP Emumail init.emu access || bugtraq,9861 ||
cve,2004-2334 || cve,2004-2385 || nessus,12095
2568 || SERVER-WEBAPP Emumail emumail.fcgi access || bugtraq,9861 ||
cve,2004-2334 || cve,2004-2385 || nessus,12095

2569 || SERVER-WEBAPP cPanel resetpass access || bugtraq,9848 ||


cve,2004-1769
2570 || SERVER-WEBAPP Invalid HTTP Version String || bugtraq,34240 ||
bugtraq,9809 || cve,2009-0478 || nessus,11593
2571 || SERVER-IIS SmarterTools SmarterMail frmGetAttachment.aspx access
|| bugtraq,9805 || cve,2004-2585
2572 || SERVER-IIS SmarterTools SmarterMail login.aspx buffer overflow
attempt || bugtraq,9805 || cve,2004-2585
2573 || SERVER-IIS SmarterTools SmarterMail frmCompose.asp access ||
bugtraq,9805 || cve,2004-2585
2574 || PROTOCOL-FTP RETR format string attempt || bugtraq,9800 ||
cve,2004-1883
2575 || SERVER-WEBAPP Opt-X header.php remote file include attempt ||
bugtraq,9732 || cve,2004-2368
2576 || SERVER-ORACLE dbms_repcat.generate_replication_support buffer
overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck93.html
2577 || FILE-OTHER local resource redirection attempt || cve,2004-0549 ||
url,www.kb.cert.org/vuls/id/713878
2578 || SERVER-OTHER kerberos principal name overflow UDP || cve,2003-0072 || nessus,11512 || url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt
2579 || SERVER-OTHER kerberos principal name overflow TCP || cve,2003-0072 || nessus,11512 || url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt
2580 || SERVER-WEBAPP server negative Content-Length attempt ||
bugtraq,10508 || cve,2004-0492 || url,www.guninski.com/modproxy1.html
2581 || SERVER-WEBAPP SAP Crystal Reports crystalimagehandler.aspx access
|| cve,2004-0204 ||
url,www.microsoft.com/security/bulletins/200406_crystal.mspx
2582 || OS-WINDOWS SAP Crystal Reports crystalImageHandler.asp directory
traversal attempt || bugtraq,10260 || cve,2004-0204 || nessus,12271 ||
url,technet.microsoft.com/en-us/security/bulletin/ms04-017
2583 || SERVER-OTHER CVS Max-dotdot integer overflow attempt ||
bugtraq,10499 || cve,2004-0417
2584 || SERVER-OTHER eMule buffer overflow attempt || bugtraq,10039 ||
cve,2004-1892 || nessus,12233
2585 || SERVER-WEBAPP nessus 2.x 404 probe || nessus,10386
2587 || PUA-P2P eDonkey server response || url,www.emule-project.net
2588 || SERVER-WEBAPP TUTOS path disclosure attempt || bugtraq,10129 ||
url,www.securiteam.com/unixfocus/5FP0J15CKE.html
2589 || OS-WINDOWS Microsoft Windows Content-Disposition CLSID command
attempt || bugtraq,9510 || cve,2004-0420 || url,technet.microsoft.com/en-us/security/bulletin/ms04-024
2597 || SERVER-WEBAPP Samba SWAT Authorization overflow attempt ||
bugtraq,10780 || cve,2004-0600
2598 || SERVER-WEBAPP Samba SWAT Authorization port 901 overflow attempt
|| bugtraq,10780 || cve,2004-0600
2599 || SERVER-ORACLE dbms_repcat.add_grouped_column buffer overflow
attempt
2601 || SERVER-ORACLE dbms_repcat.drop_master_repgroup buffer overflow
attempt
2603 || SERVER-ORACLE dbms_repcat.create_mview_repgroup buffer overflow
attempt || url,www.appsecinc.com/Policy/PolicyCheck633.html

2605 || SERVER-ORACLE dbms_repcat.compare_old_values buffer overflow


attempt || url,www.appsecinc.com/Policy/PolicyCheck91.html
2606 || SERVER-ORACLE dbms_repcat.comment_on_repobject buffer overflow
attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html
2608 || SERVER-ORACLE sysdbms_repcat_rgt.check_ddl_text buffer overflow
attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html
2609 || SERVER-ORACLE dbms_repcat.cancel_statistics buffer overflow
attempt
2611 || SERVER-ORACLE LINK metadata buffer overflow attempt ||
bugtraq,12296 || bugtraq,7453 || cve,2003-0222 || cve,2005-0297 ||
nessus,11563 || url,archives.neohapsis.com/archives/bugtraq/2003-04/0360.html
2612 || SERVER-ORACLE sys.dbms_repcat_auth.revoke_surrogate_repcat buffer
overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html
2614 || SERVER-ORACLE time_zone buffer overflow attempt || bugtraq,9587
|| cve,2003-1208 || nessus,12047 ||
url,www.nextgenss.com/advisories/ora_time_zone.txt
2615 || SERVER-ORACLE sys.dbms_repcat_auth.grant_surrogate_repcat buffer
overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html
2617 || SERVER-ORACLE sys.dbms_repcat.alter_mview_propagation buffer
overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html
2619 || SERVER-ORACLE dbms_repcat.alter_master_repobject buffer overflow
attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html
2621 || SERVER-ORACLE dbms_repcat_sna_utl.register_flavor_change buffer
overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html
2624 || SERVER-ORACLE dbms_repcat_admin.unregister_user_repgroup buffer
overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck94.html
2626 || SERVER-ORACLE dbms_repcat.send_old_values buffer overflow attempt
|| url,www.appsecinc.com/Policy/PolicyCheck91.html
2627 || SERVER-ORACLE dbms_repcat.repcat_import_check buffer overflow
attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html
2629 || SERVER-ORACLE dbms_repcat_admin.register_user_repgroup buffer
overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck94.html
2633 || SERVER-ORACLE sys.dbms_rectifier_diff.rectify buffer overflow
attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html
2637 || SERVER-ORACLE dbms_repcat.drop_master_repobject buffer overflow
attempt || url,www.appsecinc.com/Policy/PolicyCheck634.html
2639 || SERVER-ORACLE dbms_repcat.drop_mview_repgroup buffer overflow
attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html
2641 || SERVER-ORACLE dbms_repcat_instantiate.drop_site_instantiation
buffer overflow attempt
2643 || SERVER-ORACLE sys.dbms_repcat_fla.ensure_not_published buffer
overflow attempt || url,www.appsecinc.com/Policy/PolicyCheck96.html
2644 || SERVER-ORACLE from_tz buffer overflow attempt ||
url,www.nextgenss.com/advisories/ora_from_tz.txt
2645 || SERVER-ORACLE dbms_repcat_instantiate.instantiate_offline buffer
overflow attempt
2649 || SERVER-ORACLE Oracle 9i TNS Listener SERVICE_NAME Remote Buffer
Overflow attempt || cve,2002-0965
2650 || SERVER-ORACLE user name buffer overflow attempt || bugtraq,6849
|| cve,2003-0095 ||
url,otn.oracle.com/deploy/security/pdf/2003alert51.pdf ||
url,www.appsecinc.com/Policy/PolicyCheck62.html

2651 || SERVER-ORACLE NUMTODSINTERVAL/NUMTOYMINTERVAL buffer overflow


attempt || bugtraq,9587 || cve,2003-1208 ||
url,www.nextgenss.com/advisories/ora_numtodsinterval.txt ||
url,www.nextgenss.com/advisories/ora_numtoyminterval.txt
2652 || SERVER-ORACLE dbms_offline_og.begin_load buffer overflow attempt
|| url,www.appsecinc.com/Policy/PolicyCheck632.html ||
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2654 || SERVER-WEBAPP PHPNuke Forum viewtopic SQL insertion attempt ||
bugtraq,7193
2655 || SERVER-OTHER HP Web JetAdmin ExecuteFile admin access ||
bugtraq,10224
2656 || SERVER-WEBAPP SSLv2 Client_Hello Challenge Length overflow
attempt || bugtraq,11015 || cve,2004-0826
2657 || SERVER-WEBAPP SSLv2 Client_Hello with pad Challenge Length
overflow attempt
2663 || SERVER-WEBAPP Ipswitch WhatsUpGold instancename overflow attempt
|| bugtraq,11043 || cve,2004-0798
2664 || PROTOCOL-IMAP login format string attempt || bugtraq,10976 ||
cve,2004-0777
2665 || PROTOCOL-IMAP login literal format string attempt ||
bugtraq,10976 || cve,2007-0221 || url,technet.microsoft.com/en-us/security/bulletin/MS07-026
2666 || PROTOCOL-POP PASS format string attempt || bugtraq,10976 ||
cve,2004-0777
2667 || SERVER-IIS ping.asp access || nessus,10968
2668 || SERVER-WEBAPP processit access || nessus,10649
2669 || SERVER-WEBAPP ibillpm.pl access || bugtraq,3476 || cve,2001-0839
|| nessus,11083
2670 || SERVER-WEBAPP pgpmail.pl access || bugtraq,3605 || cve,2001-0937
|| nessus,11070
2671 || BROWSER-IE Microsoft Internet Explorer bitmap BitmapOffset
integer overflow attempt || bugtraq,9663 || cve,2004-0566 ||
url,technet.microsoft.com/en-us/security/bulletin/ms04-025
2672 || SERVER-WEBAPP sresult.exe access || bugtraq,10837 || cve,2004-2528 || nessus,14186
2673 || FILE-IMAGE libpng tRNS overflow attempt || bugtraq,10872 ||
cve,2004-0597
2674 || SERVER-ORACLE dbms_repcat.add_delete_resolution buffer overflow
attempt
2675 || SERVER-ORACLE dbms_repcat_rgt.instantiate_offline buffer overflow
attempt
2677 || SERVER-ORACLE dbms_repcat_rgt.instantiate_online buffer overflow
attempt
2678 || SERVER-ORACLE ctx_output.start_log buffer overflow attempt
2679 || SERVER-ORACLE sys.dbms_system.ksdwrt buffer overflow attempt
2680 || SERVER-ORACLE ctxsys.driddlr.subindexpopulate buffer overflow
attempt
2681 || SERVER-ORACLE mdsys.sdo_admin.sdo_code_size buffer overflow
attempt
2682 || SERVER-ORACLE mdsys.md2.validate_geom buffer overflow attempt
2683 || SERVER-ORACLE mdsys.md2.sdo_code_size buffer overflow attempt
2684 || SERVER-ORACLE sys.ltutil.pushdeferredtxns buffer overflow attempt
2685 || SERVER-ORACLE sys.dbms_repcat_rq.add_column buffer overflow
attempt

2686 || SERVER-ORACLE sys.dbms_rectifier_diff.differences buffer overflow


attempt || bugtraq,10871 || cve,2004-1362 || cve,2004-1363 || cve,2004-1364 || cve,2004-1365 || cve,2004-1366 || cve,2004-1368 || cve,2004-1369
|| cve,2004-1370 || cve,2004-1371 ||
url,www.appsecinc.com/Policy/PolicyCheck97.html
2687 || SERVER-ORACLE sys.dbms_internal_repcat.validate buffer overflow
attempt
2688 || SERVER-ORACLE sys.dbms_internal_repcat.enable_receiver_trace
buffer overflow attempt
2689 || SERVER-ORACLE sys.dbms_internal_repcat.disable_receiver_trace
buffer overflow attempt
2690 || SERVER-ORACLE sys.dbms_defer_repcat.enable_propagation_to_dblink
buffer overflow attempt
2691 || SERVER-ORACLE sys.dbms_defer_internal_sys.parallel_push_recovery
buffer overflow attempt
2692 || SERVER-ORACLE sys.dbms_aqadm_sys.verify_queue_types buffer
overflow attempt
2693 || SERVER-ORACLE sys.dbms_aqadm.verify_queue_types_no_queue buffer
overflow attempt
2694 || SERVER-ORACLE sys.dbms_aqadm.verify_queue_types_get_nrp buffer
overflow attempt
2695 || SERVER-ORACLE sys.dbms_aq_import_internal.aq_table_defn_update
buffer overflow attempt
2696 || SERVER-ORACLE sys.dbms_repcat_utl.is_master buffer overflow
attempt
2697 || SERVER-ORACLE alter file buffer overflow attempt
2698 || SERVER-ORACLE create file buffer overflow attempt
2699 || SERVER-ORACLE TO_CHAR buffer overflow attempt || bugtraq,10871 ||
cve,2004-1364
2701 || SERVER-WEBAPP Oracle iSQLPlus sid overflow attempt ||
bugtraq,10871 || cve,2004-1362 || cve,2004-1363 || cve,2004-1364 ||
cve,2004-1365 || cve,2004-1366 || cve,2004-1368 || cve,2004-1369 ||
cve,2004-1370 || cve,2004-1371 || url,www.nextgenss.com/advisories/ora-isqlplus.txt
2702 || SERVER-WEBAPP Oracle iSQLPlus username overflow attempt ||
bugtraq,10871 || cve,2004-1362 || cve,2004-1363 || cve,2004-1364 ||
cve,2004-1365 || cve,2004-1366 || cve,2004-1368 || cve,2004-1369 ||
cve,2004-1370 || cve,2004-1371 || url,www.nextgenss.com/advisories/ora-isqlplus.txt
2703 || SERVER-WEBAPP Oracle iSQLPlus login.uix username overflow attempt
|| bugtraq,10871 || cve,2004-1362 || cve,2004-1363 || cve,2004-1364 ||
cve,2004-1365 || cve,2004-1366 || cve,2004-1368 || cve,2004-1369 ||
cve,2004-1370 || cve,2004-1371 || url,www.nextgenss.com/advisories/ora-isqlplus.txt
2704 || SERVER-WEBAPP Oracle 10g iSQLPlus login.unix connectID overflow
attempt || bugtraq,10871 || cve,2004-1362 || cve,2004-1363 || cve,2004-1364 || cve,2004-1365 || cve,2004-1366 || cve,2004-1368 || cve,2004-1369
|| cve,2004-1370 || cve,2004-1371 ||
url,www.nextgenss.com/advisories/ora-isqlplus.txt
2705 || FILE-IMAGE Microsoft Multiple Products JPEG parser heap overflow
attempt || bugtraq,11173 || cve,2004-0200 ||
url,www.microsoft.com/security/bulletins/200409_jpeg.mspx

2707 || FILE-IMAGE JPEG parser multipacket heap overflow attempt ||


bugtraq,11173 || cve,2004-0200 || url,technet.microsoft.com/en-us/security/bulletin/MS04-028
2708 || SERVER-ORACLE dbms_offline_og.begin_flavor_change buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2709 || SERVER-ORACLE dbms_offline_og.begin_instantiation buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2711 || SERVER-ORACLE dbms_offline_og.end_flavor_change buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2712 || SERVER-ORACLE dbms_offline_og.end_instantiation buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2713 || SERVER-ORACLE dbms_offline_og.end_load buffer overflow attempt ||
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2714 || SERVER-ORACLE dbms_offline_og.resume_subset_of_masters buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2715 || SERVER-ORACLE dbms_offline_snapshot.begin_load buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2716 || SERVER-ORACLE dbms_offline_snapshot.end_load buffer overflow
attempt || url,www.appsecinc.com/Policy/PolicyCheck632.html ||
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2717 || SERVER-ORACLE dbms_rectifier_diff.differences buffer overflow
attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html ||
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2718 || SERVER-ORACLE dbms_rectifier_diff.rectify buffer overflow attempt
|| url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2719 || SERVER-ORACLE dbms_repcat.abort_flavor_definition buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2720 || SERVER-ORACLE dbms_repcat.add_column_group_to_flavor buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2721 || SERVER-ORACLE dbms_repcat.add_columns_to_flavor buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2722 || SERVER-ORACLE dbms_repcat.add_object_to_flavor buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2723 || SERVER-ORACLE dbms_repcat.add_priority_char buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2724 || SERVER-ORACLE dbms_repcat.add_priority_date buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2725 || SERVER-ORACLE dbms_repcat.add_priority_nchar buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html

2726 || SERVER-ORACLE dbms_repcat.add_priority_number buffer overflow


attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2727 || SERVER-ORACLE dbms_repcat.add_priority_nvarchar2 buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2728 || SERVER-ORACLE dbms_repcat.add_priority_raw buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2729 || SERVER-ORACLE dbms_repcat.add_priority_varchar2 buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2730 || SERVER-ORACLE dbms_repcat.add_site_priority_site buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2731 || SERVER-ORACLE dbms_repcat.add_unique_resolution buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2732 || SERVER-ORACLE dbms_repcat.add_update_resolution buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2733 || SERVER-ORACLE dbms_repcat.alter_master_propagation buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2734 || SERVER-ORACLE dbms_repcat.alter_mview_propagation buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2735 || SERVER-ORACLE dbms_repcat.alter_priority_char buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2736 || SERVER-ORACLE dbms_repcat.alter_priority_date buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2737 || SERVER-ORACLE dbms_repcat.alter_priority_nchar buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2738 || SERVER-ORACLE dbms_repcat.alter_priority_number buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2739 || SERVER-ORACLE dbms_repcat.alter_priority_nvarchar2 buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2740 || SERVER-ORACLE dbms_repcat.alter_priority_raw buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2741 || SERVER-ORACLE dbms_repcat.alter_priority buffer overflow attempt
|| url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2742 || SERVER-ORACLE dbms_repcat.alter_priority_varchar2 buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2743 || SERVER-ORACLE dbms_repcat.alter_site_priority_site buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html

2744 || SERVER-ORACLE dbms_repcat.alter_site_priority buffer overflow


attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2745 || SERVER-ORACLE dbms_repcat.alter_snapshot_propagation buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2746 || SERVER-ORACLE dbms_repcat_auth.revoke_surrogate_repcat buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2747 || SERVER-ORACLE dbms_repcat.begin_flavor_definition buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2748 || SERVER-ORACLE dbms_repcat.comment_on_column_group buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2749 || SERVER-ORACLE dbms_repcat.comment_on_delete_resolution buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2750 || SERVER-ORACLE dbms_repcat.comment_on_mview_repsites buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2751 || SERVER-ORACLE dbms_repcat.comment_on_priority_group buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2752 || SERVER-ORACLE dbms_repcat.comment_on_repgroup buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2753 || SERVER-ORACLE dbms_repcat.comment_on_repsites buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2754 || SERVER-ORACLE dbms_repcat.comment_on_site_priority buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2755 || SERVER-ORACLE dbms_repcat.comment_on_unique_resolution buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2756 || SERVER-ORACLE dbms_repcat.comment_on_update_resolution buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2757 || SERVER-ORACLE dbms_repcat.create_master_repgroup buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2758 || SERVER-ORACLE dbms_repcat.create_master_repobject buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2759 || SERVER-ORACLE dbms_repcat.create_snapshot_repgroup buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2760 || SERVER-ORACLE dbms_repcat.define_column_group buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2761 || SERVER-ORACLE dbms_repcat.define_priority_group buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html

2762 || SERVER-ORACLE dbms_repcat.define_site_priority buffer overflow


attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2763 || SERVER-ORACLE dbms_repcat.do_deferred_repcat_admin buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2764 || SERVER-ORACLE dbms_repcat.drop_column_group_from_flavor buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2765 || SERVER-ORACLE dbms_repcat.drop_column_group buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2766 || SERVER-ORACLE dbms_repcat.drop_columns_from_flavor buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2767 || SERVER-ORACLE dbms_repcat.drop_delete_resolution buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2768 || SERVER-ORACLE dbms_repcat.drop_grouped_column buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2769 || SERVER-ORACLE dbms_repcat.drop_mview_repobject buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2770 || SERVER-ORACLE dbms_repcat.drop_object_from_flavor buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2771 || SERVER-ORACLE dbms_repcat.drop_priority_char buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2772 || SERVER-ORACLE dbms_repcat.drop_priority_date buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2773 || SERVER-ORACLE dbms_repcat.drop_priority_nchar buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2774 || SERVER-ORACLE dbms_repcat.drop_priority_number buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2775 || SERVER-ORACLE dbms_repcat.drop_priority_nvarchar2 buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2776 || SERVER-ORACLE dbms_repcat.drop_priority_raw buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2777 || SERVER-ORACLE dbms_repcat.drop_priority buffer overflow attempt
|| url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2778 || SERVER-ORACLE dbms_repcat.drop_priority_varchar2 buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2779 || SERVER-ORACLE dbms_repcat.drop_site_priority_site buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html

2780 || SERVER-ORACLE dbms_repcat.drop_site_priority buffer overflow


attempt || url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html
2781 || SERVER-ORACLE dbms_repcat.drop_snapshot_repgroup buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html
2782 || SERVER-ORACLE dbms_repcat.drop_snapshot_repobject buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html
2783 || SERVER-ORACLE dbms_repcat.drop_unique_resolution buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html
2784 || SERVER-ORACLE dbms_repcat.drop_update_resolution buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html
2785 || SERVER-ORACLE dbms_repcat.execute_ddl buffer overflow attempt ||
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2786 || SERVER-ORACLE dbms_repcat.generate_replication_package buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html
2787 || SERVER-ORACLE dbms_repcat_instantiate.instantiate_online buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/20040001/25.html
2788 || SERVER-ORACLE dbms_repcat.make_column_group buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2789 || SERVER-ORACLE dbms_repcat.obsolete_flavor_definition buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2790 || SERVER-ORACLE dbms_repcat.publish_flavor_definition buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2791 || SERVER-ORACLE dbms_repcat.purge_flavor_definition buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2792 || SERVER-ORACLE dbms_repcat.purge_master_log buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2793 || SERVER-ORACLE dbms_repcat.purge_statistics buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2794 || SERVER-ORACLE dbms_repcat.refresh_mview_repgroup buffer overflow
attempt || url,www.appsecinc.com/Policy/PolicyCheck90.html ||
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2795 || SERVER-ORACLE dbms_repcat.refresh_snapshot_repgroup buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2796 || SERVER-ORACLE dbms_repcat.register_mview_repgroup buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2797 || SERVER-ORACLE dbms_repcat.register_snapshot_repgroup buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html

2798 || SERVER-ORACLE dbms_repcat.register_statistics buffer overflow


attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2799 || SERVER-ORACLE dbms_repcat.relocate_masterdef buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2800 || SERVER-ORACLE dbms_repcat.rename_shadow_column_group buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2801 || SERVER-ORACLE dbms_repcat.resume_master_activity buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2802 || SERVER-ORACLE dbms_repcat_rgt.check_ddl_text buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2803 || SERVER-ORACLE dbms_repcat_rgt.drop_site_instantiation buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2804 || SERVER-ORACLE dbms_repcat.send_and_compare_old_values buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2805 || SERVER-ORACLE dbms_repcat.set_columns buffer overflow attempt ||
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2806 || SERVER-ORACLE dbms_repcat.set_local_flavor buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2807 || SERVER-ORACLE dbms_repcat.specify_new_masters buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2808 || SERVER-ORACLE dbms_repcat.suspend_master_activity buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2809 || SERVER-ORACLE dbms_repcat.unregister_mview_repgroup buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2810 || SERVER-ORACLE dbms_repcat.unregister_snapshot_repgroup buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2811 || SERVER-ORACLE dbms_repcat.validate_flavor_definition buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2812 || SERVER-ORACLE dbms_repcat.validate_for_local_flavor buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2813 || SERVER-ORACLE sys.dbms_repcat_fla.abort_flavor_definition buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2814 || SERVER-ORACLE sys.dbms_repcat_fla.add_object_to_flavor buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2815 || SERVER-ORACLE sys.dbms_repcat_fla.begin_flavor_definition buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html

2816 || SERVER-ORACLE sys.dbms_repcat_fla.drop_object_from_flavor buffer


overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2817 || SERVER-ORACLE sys.dbms_repcat_fla_mas.add_column_group_to_flavor
buffer overflow attempt ||
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2818 || SERVER-ORACLE sys.dbms_repcat_fla_mas.add_columns_to_flavor
buffer overflow attempt ||
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2819 || SERVER-ORACLE
sys.dbms_repcat_fla_mas.drop_column_group_from_flavor buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2820 || SERVER-ORACLE sys.dbms_repcat_fla_mas.drop_columns_from_flavor
buffer overflow attempt ||
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2821 || SERVER-ORACLE sys.dbms_repcat_fla_mas.obsolete_flavor_definition
buffer overflow attempt ||
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2822 || SERVER-ORACLE sys.dbms_repcat_fla_mas.publish_flavor_definition
buffer overflow attempt ||
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2823 || SERVER-ORACLE sys.dbms_repcat_fla_mas.purge_flavor_definition
buffer overflow attempt ||
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2824 || SERVER-ORACLE sys.dbms_repcat_fla.set_local_flavor buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2825 || SERVER-ORACLE sys.dbms_repcat_fla.validate_flavor_definition
buffer overflow attempt ||
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2826 || SERVER-ORACLE sys.dbms_repcat_fla.validate_for_local_flavor
buffer overflow attempt ||
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2827 || SERVER-ORACLE sys.dbms_repcat_mas.alter_master_repobject buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2828 || SERVER-ORACLE sys.dbms_repcat_mas.comment_on_repgroup buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2829 || SERVER-ORACLE sys.dbms_repcat_mas.comment_on_repobject buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2830 || SERVER-ORACLE sys.dbms_repcat_mas.create_master_repgroup buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2831 || SERVER-ORACLE sys.dbms_repcat_mas.create_master_repobject buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2832 || SERVER-ORACLE sys.dbms_repcat_mas.do_deferred_repcat_admin buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html

2833 || SERVER-ORACLE sys.dbms_repcat_mas.drop_master_repgroup buffer


overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2834 || SERVER-ORACLE sys.dbms_repcat_mas.generate_replication_package
buffer overflow attempt ||
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2835 || SERVER-ORACLE sys.dbms_repcat_mas.purge_master_log buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2836 || SERVER-ORACLE sys.dbms_repcat_mas.relocate_masterdef buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2837 || SERVER-ORACLE sys.dbms_repcat_mas.rename_shadow_column_group
buffer overflow attempt ||
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2838 || SERVER-ORACLE sys.dbms_repcat_mas.resume_master_activity buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2839 || SERVER-ORACLE sys.dbms_repcat_mas.suspend_master_activity buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2840 || SERVER-ORACLE sys.dbms_repcat_sna_utl.alter_snapshot_propagation
buffer overflow attempt ||
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2841 || SERVER-ORACLE sys.dbms_repcat_sna_utl.create_snapshot_repgroup
buffer overflow attempt ||
url,www.appsecinc.com/Policy/PolicyCheck97.html ||
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2842 || SERVER-ORACLE sys.dbms_repcat_sna_utl.drop_snapshot_repgroup
buffer overflow attempt ||
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2843 || SERVER-ORACLE sys.dbms_repcat_sna_utl.drop_snapshot_repobject
buffer overflow attempt ||
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2844 || SERVER-ORACLE sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup
buffer overflow attempt ||
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2845 || SERVER-ORACLE sys.dbms_repcat_sna_utl.register_snapshot_repgroup
buffer overflow attempt ||
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2846 || SERVER-ORACLE sys.dbms_repcat_sna_utl.repcat_import_check buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2847 || SERVER-ORACLE
sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2848 || SERVER-ORACLE sys.dbms_repcat_utl4.drop_master_repobject buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2849 || SERVER-ORACLE sys.dbms_repcat_utl.drop_an_object buffer overflow
attempt || url,www.appsecinc.com/Policy/PolicyCheck97.html ||
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html

2850 || SERVER-ORACLE dbms_repcat.create_mview_repobject buffer overflow


attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2851 || SERVER-ORACLE dbms_repcat.create_snapshot_repobject buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2852 || SERVER-ORACLE dbms_repcat.generate_mview_support buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2853 || SERVER-ORACLE dbms_repcat.generate_replication_trigger buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2854 || SERVER-ORACLE dbms_repcat.generate_snapshot_support buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2855 || SERVER-ORACLE dbms_repcat.remove_master_databases buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2856 || SERVER-ORACLE dbms_repcat.switch_mview_master buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2857 || SERVER-ORACLE dbms_repcat.switch_snapshot_master buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2858 || SERVER-ORACLE sys.dbms_repcat_conf.add_delete_resolution buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2859 || SERVER-ORACLE sys.dbms_repcat_conf.add_priority_char buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2860 || SERVER-ORACLE sys.dbms_repcat_conf.add_priority_date buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2861 || SERVER-ORACLE sys.dbms_repcat_conf.add_priority_nchar buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2862 || SERVER-ORACLE sys.dbms_repcat_conf.add_priority_number buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2863 || SERVER-ORACLE sys.dbms_repcat_conf.add_priority_nvarchar2 buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2864 || SERVER-ORACLE sys.dbms_repcat_conf.add_priority_raw buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2865 || SERVER-ORACLE sys.dbms_repcat_conf.add_priority_varchar2 buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2866 || SERVER-ORACLE sys.dbms_repcat_conf.add_site_priority_site buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2867 || SERVER-ORACLE sys.dbms_repcat_conf.add_unique_resolution buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html

2868 || SERVER-ORACLE sys.dbms_repcat_conf.add_update_resolution buffer


overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2869 || SERVER-ORACLE sys.dbms_repcat_conf.alter_priority_char buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2870 || SERVER-ORACLE sys.dbms_repcat_conf.alter_priority_date buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2871 || SERVER-ORACLE sys.dbms_repcat_conf.alter_priority_nchar buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2872 || SERVER-ORACLE sys.dbms_repcat_conf.alter_priority_number buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2873 || SERVER-ORACLE sys.dbms_repcat_conf.alter_priority_nvarchar2
buffer overflow attempt ||
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2874 || SERVER-ORACLE sys.dbms_repcat_conf.alter_priority_raw buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2875 || SERVER-ORACLE sys.dbms_repcat_conf.alter_priority buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2876 || SERVER-ORACLE sys.dbms_repcat_conf.alter_priority_varchar2 buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2877 || SERVER-ORACLE sys.dbms_repcat_conf.alter_site_priority_site
buffer overflow attempt ||
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2878 || SERVER-ORACLE sys.dbms_repcat_conf.alter_site_priority buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2879 || SERVER-ORACLE sys.dbms_repcat_conf.cancel_statistics buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2880 || SERVER-ORACLE sys.dbms_repcat_conf.comment_on_delete_resolution
buffer overflow attempt ||
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2881 || SERVER-ORACLE sys.dbms_repcat_conf.comment_on_priority_group
buffer overflow attempt ||
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2882 || SERVER-ORACLE sys.dbms_repcat_conf.comment_on_site_priority
buffer overflow attempt ||
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2883 || SERVER-ORACLE sys.dbms_repcat_conf.comment_on_unique_resolution
buffer overflow attempt ||
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2884 || SERVER-ORACLE sys.dbms_repcat_conf.comment_on_update_resolution
buffer overflow attempt ||
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2885 || SERVER-ORACLE sys.dbms_repcat_conf.define_priority_group buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html

2886 || SERVER-ORACLE sys.dbms_repcat_conf.define_site_priority buffer


overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2887 || SERVER-ORACLE sys.dbms_repcat_conf.drop_delete_resolution buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2888 || SERVER-ORACLE sys.dbms_repcat_conf.drop_priority_char buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2889 || SERVER-ORACLE sys.dbms_repcat_conf.drop_priority_date buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2890 || SERVER-ORACLE sys.dbms_repcat_conf.drop_priority_nchar buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2891 || SERVER-ORACLE sys.dbms_repcat_conf.drop_priority_number buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2892 || SERVER-ORACLE sys.dbms_repcat_conf.drop_priority_nvarchar2 buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2893 || SERVER-ORACLE sys.dbms_repcat_conf.drop_priority_raw buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2894 || SERVER-ORACLE sys.dbms_repcat_conf.drop_priority buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2895 || SERVER-ORACLE sys.dbms_repcat_conf.drop_priority_varchar2 buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2896 || SERVER-ORACLE sys.dbms_repcat_conf.drop_site_priority_site buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2897 || SERVER-ORACLE sys.dbms_repcat_conf.drop_site_priority buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2898 || SERVER-ORACLE sys.dbms_repcat_conf.drop_unique_resolution buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2899 || SERVER-ORACLE sys.dbms_repcat_conf.drop_update_resolution buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2900 || SERVER-ORACLE sys.dbms_repcat_conf.purge_statistics buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2901 || SERVER-ORACLE sys.dbms_repcat_conf.register_statistics buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2902 || SERVER-ORACLE sys.dbms_repcat_sna.alter_snapshot_propagation
buffer overflow attempt ||
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2903 || SERVER-ORACLE sys.dbms_repcat_sna.create_snapshot_repgroup buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html

2904 || SERVER-ORACLE sys.dbms_repcat_sna.create_snapshot_repobject


buffer overflow attempt ||
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2905 || SERVER-ORACLE sys.dbms_repcat_sna.create_snapshot_repschema
buffer overflow attempt ||
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2906 || SERVER-ORACLE sys.dbms_repcat_sna.drop_snapshot_repgroup buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2907 || SERVER-ORACLE sys.dbms_repcat_sna.drop_snapshot_repobject buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2908 || SERVER-ORACLE sys.dbms_repcat_sna.drop_snapshot_repschema buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2909 || SERVER-ORACLE sys.dbms_repcat_sna.generate_snapshot_support
buffer overflow attempt ||
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2910 || SERVER-ORACLE sys.dbms_repcat_sna.refresh_snapshot_repgroup
buffer overflow attempt ||
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2911 || SERVER-ORACLE sys.dbms_repcat_sna.refresh_snapshot_repschema
buffer overflow attempt ||
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2912 || SERVER-ORACLE sys.dbms_repcat_sna.register_snapshot_repgroup
buffer overflow attempt ||
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2913 || SERVER-ORACLE sys.dbms_repcat_sna.repcat_import_check buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2914 || SERVER-ORACLE sys.dbms_repcat_sna.set_local_flavor buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2915 || SERVER-ORACLE sys.dbms_repcat_sna.switch_snapshot_master buffer
overflow attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2916 || SERVER-ORACLE sys.dbms_repcat_sna.unregister_snapshot_repgroup
buffer overflow attempt ||
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2917 || SERVER-ORACLE sys.dbms_repcat_sna_utl.switch_snapshot_master
buffer overflow attempt ||
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2918 || SERVER-ORACLE sys.dbms_repcat_sna.validate_for_local_flavor
buffer overflow attempt ||
url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2919 || SERVER-ORACLE
sys.dbms_repcat_untrusted.register_snapshot_repgroup buffer overflow
attempt || url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html
2921 || PROTOCOL-DNS UDP inverse query || bugtraq,2302 || cve,2001-0010
|| nessus,10605
2922 || PROTOCOL-DNS TCP inverse query || bugtraq,2302 || cve,2001-0010
|| nessus,10605
2923 || NETBIOS SMB repeated logon failure

2924 || NETBIOS SMB-DS repeated logon failure


2926 || SERVER-WEBAPP PhpGedView PGV base directory manipulation ||
bugtraq,9368 || cve,2004-0030
2927 || OS-WINDOWS Microsoft Windows XPAT pattern overflow attempt ||
cve,2004-0574 || url,technet.microsoft.com/en-us/security/bulletin/MS04-036
2936 || OS-WINDOWS DCERPC NCACN-IP-TCP nddeapi NDdeSetTrustedShareW
overflow attempt || bugtraq,11372 || cve,2004-0206 ||
url,technet.microsoft.com/en-us/security/bulletin/ms04-031
2942 || NETBIOS DCERPC NCACN-IP-TCP winreg InitiateSystemShutdown attempt
|| url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp
3000 || OS-WINDOWS SMB Session Setup NTLMSSP unicode asn1 overflow
attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052
|| nessus,12065 || url,technet.microsoft.com/en-us/security/bulletin/MS04-007
3001 || OS-WINDOWS SMB Session Setup NTLMSSP andx asn1 overflow attempt
|| bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052 ||
nessus,12065 || url,technet.microsoft.com/en-us/security/bulletin/MS04-007
3002 || OS-WINDOWS SMB Session Setup NTLMSSP unicode andx asn1 overflow
attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052
|| nessus,12065 || url,technet.microsoft.com/en-us/security/bulletin/MS04-007
3003 || OS-WINDOWS SMB-DS Session Setup NTLMSSP unicode asn1 overflow
attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052
|| nessus,12065 || url,technet.microsoft.com/en-us/security/bulletin/MS04-007
3004 || OS-WINDOWS SMB-DS Session Setup NTLMSSP andx asn1 overflow
attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 || nessus,12052
|| nessus,12065 || url,technet.microsoft.com/en-us/security/bulletin/MS04-007
3005 || OS-WINDOWS SMB-DS Session Setup NTLMSSP unicode andx asn1
overflow attempt || bugtraq,9633 || bugtraq,9635 || cve,2003-0818 ||
nessus,12052 || nessus,12065 || url,technet.microsoft.com/en-us/security/bulletin/MS04-007
3006 || SERVER-OTHER Volition Freespace 2 buffer overflow attempt ||
bugtraq,9785
3007 || PROTOCOL-IMAP command overflow attempt || bugtraq,11675 ||
bugtraq,11775 || bugtraq,15006 || bugtraq,15753 || cve,2004-1211 ||
cve,2005-0707 || cve,2005-1520 || cve,2005-2923 || cve,2005-3155 ||
nessus,15771
3008 || PROTOCOL-IMAP delete literal overflow attempt || bugtraq,11675 ||
cve,2005-1520 || nessus,15771
3009 || MALWARE-BACKDOOR NetBus Pro 2.0 connection request
3010 || MALWARE-CNC RUX the Tick get windows directory
3011 || MALWARE-CNC RUX the Tick get system directory
3012 || MALWARE-CNC RUX the Tick upload/execute arbitrary file
3013 || MALWARE-CNC Asylum 0.1 connection request
3014 || MALWARE-CNC Asylum 0.1 connection
3015 || MALWARE-CNC Insane Network 4.0 connection
3016 || MALWARE-CNC Insane Network 4.0 connection port 63536
3017 || OS-WINDOWS Microsoft Windows WINS overflow attempt ||
bugtraq,11763 || cve,2004-0567 || cve,2004-1080 ||

url,technet.microsoft.com/en-us/security/bulletin/MS04-045 ||
url,www.immunitysec.com/downloads/instantanea.pdf
3018 || NETBIOS SMB NT Trans NT CREATE oversized Security Descriptor
attempt || cve,2004-1154
3019 || NETBIOS SMB NT Trans NT CREATE andx oversized Security Descriptor
attempt || cve,2004-1154
3020 || NETBIOS SMB NT Trans NT CREATE unicode oversized Security
Descriptor attempt || cve,2004-1154
3021 || NETBIOS SMB NT Trans NT CREATE unicode andx oversized Security
Descriptor attempt || cve,2004-1154
3022 || NETBIOS SMB-DS NT Trans NT CREATE oversized Security Descriptor
attempt || cve,2004-1154
3023 || NETBIOS SMB-DS NT Trans NT CREATE andx oversized Security
Descriptor attempt || cve,2004-1154
3024 || NETBIOS SMB-DS NT Trans NT CREATE unicode oversized Security
Descriptor attempt || cve,2004-1154
3025 || NETBIOS SMB-DS NT Trans NT CREATE unicode andx oversized Security
Descriptor attempt || cve,2004-1154
3026 || NETBIOS SMB NT Trans NT CREATE SACL overflow attempt || cve,2004-1154
3027 || NETBIOS SMB NT Trans NT CREATE andx SACL overflow attempt ||
cve,2004-1154
3028 || NETBIOS SMB NT Trans NT CREATE unicode SACL overflow attempt ||
cve,2004-1154
3029 || NETBIOS SMB NT Trans NT CREATE unicode andx SACL overflow attempt
|| cve,2004-1154
3030 || NETBIOS SMB-DS NT Trans NT CREATE SACL overflow attempt ||
cve,2004-1154
3031 || NETBIOS SMB-DS NT Trans NT CREATE andx SACL overflow attempt ||
cve,2004-1154
3032 || NETBIOS SMB-DS NT Trans NT CREATE unicode SACL overflow attempt
|| cve,2004-1154
3033 || NETBIOS SMB-DS NT Trans NT CREATE unicode andx SACL overflow
attempt || cve,2004-1154
3034 || NETBIOS SMB NT Trans NT CREATE DACL overflow attempt || cve,2004-1154
3035 || NETBIOS SMB NT Trans NT CREATE andx DACL overflow attempt ||
cve,2004-1154
3036 || NETBIOS SMB NT Trans NT CREATE unicode DACL overflow attempt ||
cve,2004-1154
3037 || NETBIOS SMB NT Trans NT CREATE unicode andx DACL overflow attempt
|| cve,2004-1154
3038 || NETBIOS SMB-DS NT Trans NT CREATE DACL overflow attempt ||
cve,2004-1154
3039 || NETBIOS SMB-DS NT Trans NT CREATE andx DACL overflow attempt ||
cve,2004-1154
3040 || NETBIOS SMB-DS NT Trans NT CREATE unicode DACL overflow attempt
|| cve,2004-1154
3041 || NETBIOS SMB-DS NT Trans NT CREATE unicode andx DACL overflow
attempt || cve,2004-1154
3042 || NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt
3043 || NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos
attempt

3044 || NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos
attempt
3045 || NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size
dos attempt
3046 || NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos
attempt
3047 || NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos
attempt
3048 || NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size
dos attempt
3049 || NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace
size dos attempt
3050 || NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt
3051 || NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos
attempt
3052 || NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos
attempt
3053 || NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size
dos attempt
3054 || NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos
attempt
3055 || NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos
attempt
3056 || NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size
dos attempt
3057 || NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace
size dos attempt
3058 || PROTOCOL-IMAP copy literal overflow attempt || bugtraq,1110 ||
cve,2000-0284 || nessus,10374
3061 || APP-DETECT distccd remote command execution attempt ||
url,distcc.samba.org/security.html
3062 || SERVER-WEBAPP NetScreen SA 5000 delhomepage.cgi access ||
bugtraq,9791 || cve,2004-0347
3063 || MALWARE-BACKDOOR Vampire 1.2 connection request
3064 || MALWARE-BACKDOOR Vampire 1.2 connection confirmation
3065 || PROTOCOL-IMAP append literal overflow attempt || bugtraq,11775 ||
cve,2004-1211 || nessus,15867
3066 || PROTOCOL-IMAP append overflow attempt || bugtraq,11775 ||
bugtraq,21729 || cve,2004-1211 || cve,2006-6425 || nessus,15867
3067 || PROTOCOL-IMAP examine literal overflow attempt || bugtraq,11775
|| cve,2004-1211 || nessus,15867
3069 || PROTOCOL-IMAP fetch literal overflow attempt || bugtraq,11775 ||
cve,2004-1211 || nessus,15867
3070 || PROTOCOL-IMAP fetch overflow attempt || bugtraq,11775 ||
cve,2004-1211 || nessus,15867
3071 || PROTOCOL-IMAP status literal overflow attempt || bugtraq,11775 ||
bugtraq,15491 || cve,2004-1211 || nessus,15867
3072 || PROTOCOL-IMAP status overflow attempt || bugtraq,11775 ||
bugtraq,13727 || bugtraq,14243 || bugtraq,15491 || cve,2004-1211 ||
cve,2005-1256 || cve,2005-2278 || cve,2005-3314 || nessus,15867
3073 || PROTOCOL-IMAP SUBSCRIBE literal overflow attempt || bugtraq,11775
|| bugtraq,15488 || bugtraq,23050 || bugtraq,26219 || cve,2004-1211 ||
cve,2005-3189 || cve,2007-3510 || nessus,15867

3074 || PROTOCOL-IMAP SUBSCRIBE overflow attempt || bugtraq,11775 ||


bugtraq,15488 || bugtraq,23050 || bugtraq,26219 || cve,2004-1211 ||
cve,2005-3189 || cve,2007-1579 || cve,2007-3510 || nessus,15867
3075 || PROTOCOL-IMAP unsubscribe literal overflow attempt ||
bugtraq,11775 || cve,2004-1211 || nessus,15867
3076 || PROTOCOL-IMAP UNSUBSCRIBE overflow attempt || bugtraq,11775 ||
bugtraq,15488 || cve,2004-1211 || cve,2005-3189 || nessus,15867
3077 || PROTOCOL-FTP RNFR overflow attempt || bugtraq,14339
3078 || PROTOCOL-NNTP Microsoft Windows SEARCH pattern overflow attempt
|| cve,2004-0574 || url,technet.microsoft.com/en-us/security/bulletin/MS04-036
3079 || BROWSER-IE Microsoft Internet Explorer ANI file parsing buffer
overflow attempt || cve,2004-1049 || cve,2007-0038 || cve,2007-1765 ||
url,technet.microsoft.com/en-us/security/bulletin/MS05-002 ||
url,technet.microsoft.com/en-us/security/bulletin/MS07-017
3080 || SERVER-OTHER Unreal Tournament secure overflow attempt ||
bugtraq,10570 || cve,2004-0608
3081 || MALWARE-BACKDOOR Y3KRAT 1.5 Connect
3082 || MALWARE-BACKDOOR Y3KRAT 1.5 Connect Client Response
3083 || MALWARE-BACKDOOR Y3KRAT 1.5 Connection confirmation
3084 || SERVER-OTHER Veritas backup overflow attempt || bugtraq,11974 ||
cve,2004-1172
3085 || SERVER-OTHER AOL Instant Messenger goaway message buffer overflow
attempt || bugtraq,10889 || cve,2004-0636 ||
url,osvdb.org/show/osvdb/8398
3086 || SERVER-WEBAPP 3Com 3CRADSL72 ADSL 11g Wireless Router app_sta.stm
access attempt || bugtraq,11408 || cve,2004-1596
3087 || SERVER-IIS w3who.dll buffer overflow attempt || bugtraq,11820 ||
cve,2004-1134
3088 || FILE-MULTIMEDIA Nullsoft Winamp cda file name overflow attempt ||
bugtraq,11730 || cve,2004-1119 || nessus,15817
3089 || SERVER-OTHER squid WCCP I_SEE_YOU message overflow attempt ||
bugtraq,12275 || cve,2005-0095
3114 || OS-WINDOWS DCERPC NCACN-IP-TCP llsrpc LlsrConnect overflow
attempt || bugtraq,12481 || cve,2005-0050 ||
url,technet.microsoft.com/en-us/security/bulletin/ms05-010
3130 || PUA-OTHER Microsoft MSN Messenger png overflow || bugtraq,10872
|| cve,2004-0957 || url,technet.microsoft.com/en-us/security/bulletin/MS05-009
3131 || SERVER-WEBAPP mailman directory traversal attempt || cve,2005-0202
3132 || FILE-IMAGE Microsoft and libpng multiple products PNG large image
width overflow attempt || bugtraq,11523 || cve,2004-0990 || cve,2004-1244
|| cve,2007-5503 || url,sourceforge.net/p/pngmng/mailman/message/33173462/ || url,technet.microsoft.com/en-us/security/bulletin/MS05-009
3133 || FILE-IMAGE Microsoft Multiple Products PNG large image height
download attempt || bugtraq,11481 || bugtraq,11523 || cve,2004-0599 ||
cve,2004-0990 || cve,2004-1244 || cve,2007-5503 ||
url,technet.microsoft.com/en-us/security/bulletin/MS05-009
3134 || FILE-IMAGE Microsoft PNG large colour depth download attempt ||
bugtraq,11523 || cve,2004-0990 || cve,2004-1244 ||
url,technet.microsoft.com/en-us/security/bulletin/MS05-009
3135 || NETBIOS SMB Trans2 QUERY_FILE_INFO attempt

3136 || NETBIOS SMB Trans2 QUERY_FILE_INFO andx attempt


3137 || NETBIOS SMB-DS Trans2 QUERY_FILE_INFO attempt
3138 || NETBIOS SMB-DS Trans2 QUERY_FILE_INFO andx attempt
3139 || NETBIOS SMB Trans2 FIND_FIRST2 attempt
3140 || NETBIOS SMB Trans2 FIND_FIRST2 andx attempt
3141 || NETBIOS SMB-DS Trans2 FIND_FIRST2 attempt
3142 || NETBIOS SMB-DS Trans2 FIND_FIRST2 andx attempt
3143 || OS-WINDOWS SMB Trans2 FIND_FIRST2 command response overflow
attempt || bugtraq,12484 || cve,2005-0045 ||
url,technet.microsoft.com/en-us/security/bulletin/MS05-011
3144 || OS-WINDOWS SMB Trans2 FIND_FIRST2 response andx overflow attempt || bugtraq,12484 || cve,2005-0045 || url,technet.microsoft.com/en-us/security/bulletin/MS05-011
3145 || OS-WINDOWS SMB-DS Trans2 FIND_FIRST2 response overflow attempt || bugtraq,12484 || cve,2005-0045 || url,technet.microsoft.com/en-us/security/bulletin/MS05-011
3146 || OS-WINDOWS SMB-DS Trans2 FIND_FIRST2 response andx overflow
attempt || bugtraq,12484 || cve,2005-0045 ||
url,technet.microsoft.com/en-us/security/bulletin/MS05-011
3147 || PROTOCOL-TELNET login buffer overflow attempt || bugtraq,3681 ||
cve,2001-0797 || nessus,10827
3148 || OS-WINDOWS Microsoft Windows HTML Help hhctrl.ocx clsid access attempt || bugtraq,11467 || bugtraq,4857 || bugtraq,5874 || cve,2002-0693 || cve,2002-0823 || cve,2004-1043 || url,technet.microsoft.com/en-us/security/bulletin/MS02-055 || url,technet.microsoft.com/en-us/security/bulletin/MS05-001 || url,www.ngssoftware.com/advisories/mswinhlp.txt
3149 || BROWSER-IE Microsoft Internet Explorer 5/6 object type overflow attempt || cve,2003-0344 || url,technet.microsoft.com/en-us/security/bulletin/MS03-020
3150 || SERVER-IIS SQLXML content type overflow || bugtraq,5004 || cve,2002-0186 || nessus,11304 || url,technet.microsoft.com/en-us/security/bulletin/MS02-030 || url,www.westpoint.ltd.uk/advisories/wp02-0007.txt
3151 || PROTOCOL-FINGER / execution attempt || cve,1999-0612 || cve,2000-0915
3152 || SQL sa brute force failed login attempt || bugtraq,4797 ||
cve,2000-1209 || nessus,10673
3153 || PROTOCOL-DNS TCP inverse query overflow || bugtraq,134 ||
cve,1999-0009
3154 || PROTOCOL-DNS UDP inverse query overflow || bugtraq,134 ||
cve,1999-0009
3155 || MALWARE-BACKDOOR BackOrifice 2000 Inbound Traffic
3158 || OS-WINDOWS DCERPC NCACN-IP-TCP ISystemActivator
CoGetInstanceFromFile attempt || cve,2003-0715 ||
url,technet.microsoft.com/en-us/security/bulletin/ms03-039
3159 || OS-WINDOWS DCERPC NCADG-IP-UDP ISystemActivator
CoGetInstanceFromFile attempt || cve,2003-0715 ||
url,technet.microsoft.com/en-us/security/bulletin/ms03-039
3171 || OS-WINDOWS DCERPC NCADG-IP-UDP msqueue function 4 overflow attempt || cve,2005-0059 || url,technet.microsoft.com/en-us/security/bulletin/MS05-017
3192 || OS-WINDOWS Microsoft Windows Media Player directory traversal via Content-Disposition attempt || bugtraq,7517 || cve,2003-0228 || nessus,11595 || url,technet.microsoft.com/en-us/security/bulletin/MS03-017
3193 || SERVER-IIS .cmd executable file parsing attack || bugtraq,1912 ||
cve,2000-0886
3194 || SERVER-IIS .bat executable file parsing attack || bugtraq,1912 ||
cve,2000-0886
3195 || OS-WINDOWS name query overflow attempt TCP || bugtraq,9624 || cve,2003-0825 || nessus,15912 || url,technet.microsoft.com/en-us/security/bulletin/ms04-006
3196 || OS-WINDOWS name query overflow attempt UDP || bugtraq,9624 || cve,2003-0825 || nessus,15912 || url,technet.microsoft.com/en-us/security/bulletin/ms04-006
3199 || OS-WINDOWS Microsoft Windows WINS name query overflow attempt TCP
|| bugtraq,9624 || cve,2003-0825 || nessus,15912 ||
url,technet.microsoft.com/en-us/security/bulletin/MS04-006
3200 || OS-WINDOWS Microsoft Windows WINS name query overflow attempt UDP
|| bugtraq,9624 || cve,2003-0825 || nessus,15912 ||
url,technet.microsoft.com/en-us/security/bulletin/MS04-006
3201 || SERVER-IIS httpodbc.dll access - nimda || bugtraq,2708 ||
cve,2001-0333
3218 || OS-WINDOWS DCERPC NCACN-IP-TCP winreg OpenKey overflow attempt || bugtraq,1331 || cve,2000-0377 || url,technet.microsoft.com/en-us/security/bulletin/ms00-040
3234 || OS-WINDOWS Messenger message little endian overflow attempt ||
bugtraq,8826 || cve,2003-0717
3235 || OS-WINDOWS Messenger message overflow attempt || bugtraq,8826 ||
cve,2003-0717
3238 || OS-WINDOWS DCERPC NCACN-IP-TCP irot IrotIsRunning/Revoke overflow attempt || bugtraq,6005 || cve,2002-1561 || url,technet.microsoft.com/en-us/security/bulletin/ms03-010
3239 || OS-WINDOWS DCERPC NCADG-IP-UDP irot IrotIsRunning/Revoke overflow attempt || bugtraq,6005 || cve,2002-1561 || url,technet.microsoft.com/en-us/security/bulletin/ms03-010
3273 || SQL sa brute force failed login unicode attempt || bugtraq,4797
|| cve,2000-1209 || nessus,10673
3274 || PROTOCOL-TELNET login buffer non-evasive overflow attempt ||
bugtraq,3681 || cve,2001-0797 || nessus,10827
3397 || OS-WINDOWS DCERPC NCACN-IP-TCP ISystemActivator RemoteCreateInstance attempt || bugtraq,8205 || cve,2003-0352 || cve,2003-0715 || url,technet.microsoft.com/en-us/security/bulletin/MS03-026 || url,technet.microsoft.com/en-us/security/bulletin/MS03-039
3398 || OS-WINDOWS DCERPC NCADG-IP-UDP ISystemActivator RemoteCreateInstance attempt || bugtraq,8205 || cve,2003-0352 || cve,2003-0715 || url,technet.microsoft.com/en-us/security/bulletin/MS03-026 || url,technet.microsoft.com/en-us/security/bulletin/MS03-039
3409 || OS-WINDOWS DCERPC NCACN-IP-TCP IActivation remoteactivation overflow attempt || bugtraq,8205 || cve,2003-0352 || cve,2003-0528 || cve,2003-0715 || url,technet.microsoft.com/en-us/security/bulletin/MS03-026 || url,technet.microsoft.com/en-us/security/bulletin/MS03-039
3441 || PROTOCOL-FTP PORT bounce attempt || bugtraq,126 || cve,1999-0017
|| nessus,10081
3442 || OS-WINDOWS Microsoft Windows TCP print service overflow attempt || bugtraq,1082 || cve,2000-0232 || url,technet.microsoft.com/en-us/security/bulletin/MS00-021

3453 || SERVER-OTHER Arkeia client backup system info probe || bugtraq,12594 || cve,2005-0491
3454 || SERVER-OTHER Arkeia client backup generic info probe ||
bugtraq,12594 || cve,2005-0491
3455 || SERVER-OTHER Bontago Game Server Nickname buffer overflow ||
bugtraq,12603 || cve,2005-0501 ||
url,aluigi.altervista.org/adv/bontagobof-adv.txt
3456 || SERVER-MYSQL 4.0 root login attempt
3457 || SERVER-OTHER Arkeia backup client type 77 overflow attempt ||
bugtraq,12594 || cve,2005-0491 || nessus,17158
3458 || SERVER-OTHER Arkeia backup client type 84 overflow attempt ||
bugtraq,12594 || cve,2005-0491
3459 || PUA-P2P Manolito Search Query || url,openlito.sourceforge.net ||
url,www.blubster.com
3460 || PROTOCOL-FTP REST with numeric argument || bugtraq,7825
3461 || SERVER-MAIL Content-Type overflow attempt || bugtraq,44732 || bugtraq,7419 || cve,2003-0113 || url,technet.microsoft.com/en-us/security/bulletin/MS03-015
3462 || BROWSER-IE Microsoft Internet Explorer Content-Encoding overflow attempt || bugtraq,7419 || cve,2003-0113 || url,technet.microsoft.com/en-us/security/bulletin/MS03-015
3463 || SERVER-WEBAPP awstats access || bugtraq,12572 || nessus,16456
3464 || SERVER-WEBAPP awstats.pl command execution attempt ||
bugtraq,12572 || nessus,16456
16368 || MALWARE-CNC Win.Trojan.Hydraq variant outbound connection || url,www.virustotal.com/analisis/9051f618a5a8253a003167e65ce1311fa91a8b70d438a384be48b02e73ba855c-1263878624
19964 || MALWARE-CNC Win.Trojan.Sality variant outbound connection ||
url,www.virustotal.com/file-scan/report.html?
id=982e0324c905311b88d59547f55c1dbba9b0568333827a699bb2f32adc6691001250921064
20080 || MALWARE-CNC Win.Trojan.Derusbi.A variant outbound connection ||
url,www.virustotal.com/file-scan/report.html?
id=6fecd042c3c0b54e7354cd8dfb1975c626acd8df55f88c4149462e15e77918b01314630371 || url,www.virustotal.com/file-scan/report.html?
id=705404d6bbf6dae254e2d3bc44eca239976be7f0dc4d49fe93b0fb1d1c2704fe1314630371
20221 || MALWARE-CNC Win.Trojan.Injector variant outbound connection ||
url,www.virustotal.com/file-scan/report.html?
id=2afb098dfea7d2acd73da520fe26d09acee1449c79d2c8753f3008a2a8f648b21303397086
21230 || MALWARE-CNC Win.Trojan.Betad variant outbound connection ||
url,www.virustotal.com/file-scan/report.html?
id=46a87d0818ffd828df5c8fca63b1628f068e50cf3d20ec0e4e009e1dd547b9e91324042194
21246 || BLACKLIST User-Agent known malicious user-agent string DataCha0s
|| url,www.internetofficer.com/web-robot/datacha0s/
21255 || BLACKLIST known malicious FTP login banner - 0wns j0 ||
url,seclists.org/fulldisclosure/2004/Sep/895 || url,www.cyberta.org/releases/malware-analysis/public/SOURCES/CLUSTERS-NEW/behaviorsummary.html
21256 || BLACKLIST known malicious FTP quit banner - Goodbye happy r00ting || url,taosecurity.blogspot.com/2006/01/nepenthes-discoveries-earlier-today-i.html

21257 || BLACKLIST URI - known scanner tool muieblackcat || url,serverfault.com/questions/309309/what-is-muieblackcat
21266 || BLACKLIST User-Agent known malicious user-agent string Morfeus
Scanner
21267 || POLICY-OTHER TRENDnet IP Camera anonymous access attempt || url,console-cowboys.blogspot.com/2012/01/trendnet-cameras-i-always-feel-like.html || url,www.trendnet.com/press/view.asp?id=1958 || url,www.wired.com/threatlevel/2012/02/home-cameras-exposed/
21327 || BLACKLIST User-Agent ASafaWeb Scan || url,asafaweb.com
21375 || SERVER-WEBAPP Remote Execution Backdoor Attempt Against Horde || cve,2012-0209 || url,dev.horde.org/h/jonah/stories/view.php?channel_id=1&id=155 || url,eromang.zataz.com/2012/02/15/cve-2012-0209-horde-backdoor-analysis/ || url,pastebin.com/U3ADiWrP
21417 || FILE-PDF hostile PDF associated with Laik exploit kit
21438 || EXPLOIT-KIT Blackhole exploit kit JavaScript carat string splitting with hostile applet || cve,2006-0003 || cve,2007-5659 || cve,2008-0655 || cve,2008-2992 || cve,2009-0927 || cve,2010-1885 || cve,2011-0559 || cve,2011-2110 || cve,2011-3544 || cve,2012-0188 || cve,2012-0507 || cve,2012-1723 || cve,2012-1889 || cve,2012-4681 || url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx
21442 || MALWARE-CNC URI request for known malicious URI - base64 encoded
|| url,www.damballa.com/tdl4/
21444 || MALWARE-CNC Win.Trojan.TDSS variant outbound connection ||
url,about-threats.trendmicro.com/Malware.aspx?language=apac&name=TDSS ||
url,www.virustotal.com/file/75e8b49e1d316f28363cccb697cfd2ebca3122dba3dba
321dba6391b49fc757e/analysis/
21475 || BLACKLIST User-Agent known malicious user-agent string coreproject
21492 || EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - prototype catch || cve,2006-0003 || cve,2007-5659 || cve,2008-0655 || cve,2008-2992 || cve,2009-0927 || cve,2010-1885 || cve,2011-0559 || cve,2011-2110 || cve,2011-3544 || cve,2012-0188 || cve,2012-0507 || cve,2012-1723 || cve,2012-1889 || cve,2012-4681 || url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx
21562 || MALWARE-CNC Win.Trojan.Bredolab variant outbound connection ||
url,www.virustotal.com/file/9384733182a6cbe5236b9b253d1f070570b7f6b6ff31a
a86be253421f4c5c645/analysis/
21646 || EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - prototype catch || cve,2006-0003 || cve,2007-5659 || cve,2008-0655 || cve,2008-2992 || cve,2009-0927 || cve,2010-1885 || cve,2011-0559 || cve,2011-2110 || cve,2011-3544 || cve,2012-0188 || cve,2012-0507 || cve,2012-1723 || cve,2012-1889 || cve,2012-4681 || url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx
21818 || SERVER-WEBAPP System variable directory traversal attempt - %ALLUSERSPROFILE%
21819 || SERVER-WEBAPP System variable directory traversal attempt - %PROGRAMDATA%
21820 || SERVER-WEBAPP System variable directory traversal attempt - %APPDATA%
21821 || SERVER-WEBAPP System variable directory traversal attempt - %COMMONPROGRAMFILES%
21822 || SERVER-WEBAPP System variable directory traversal attempt - %COMMONPROGRAMFILES - x86%
21823 || SERVER-WEBAPP System variable directory traversal attempt - %COMSPEC%
21824 || SERVER-WEBAPP System variable directory traversal attempt - %HOMEDRIVE%
21825 || SERVER-WEBAPP System variable directory traversal attempt - %HOMEPATH%
21826 || SERVER-WEBAPP System variable directory traversal attempt - %LOCALAPPDATA%
21827 || SERVER-WEBAPP System variable directory traversal attempt - %PROGRAMFILES%
21828 || SERVER-WEBAPP System variable directory traversal attempt - %PROGRAMFILES - X86%
21829 || SERVER-WEBAPP System variable directory traversal attempt - %SystemDrive%
21830 || SERVER-WEBAPP System variable directory traversal attempt - %SystemRoot%
21831 || SERVER-WEBAPP System variable directory traversal attempt - %TEMP%
21832 || SERVER-WEBAPP System variable directory traversal attempt - %TMP%
21833 || SERVER-WEBAPP System variable directory traversal attempt - %USERDATA%
21834 || SERVER-WEBAPP System variable directory traversal attempt - %USERNAME%
21835 || SERVER-WEBAPP System variable directory traversal attempt - %USERPROFILE%
21836 || SERVER-WEBAPP System variable directory traversal attempt - %WINDIR%
21837 || SERVER-WEBAPP System variable directory traversal attempt - %PUBLIC%
21838 || SERVER-WEBAPP System variable directory traversal attempt - %PSModulePath%
21839 || SERVER-WEBAPP System variable in URI attempt - %COMPUTERNAME%
21840 || SERVER-WEBAPP System variable in URI attempt - %LOGONSERVER%
21841 || SERVER-WEBAPP System variable in URI attempt - %PATH%
21842 || SERVER-WEBAPP System variable in URI attempt - %PATHEXT%
21843 || SERVER-WEBAPP System variable in URI attempt - %PROMPT%
21844 || SERVER-WEBAPP System variable in URI attempt - %USERDOMAIN%
21845 || MALWARE-OTHER TDS Sutra - redirect received ||
url,wepawet.iseclab.org/view.php?
hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js ||
url,www.nartv.org/tag/tds/ || url,xylibox.blogspot.com/2011/12/sutra-tdsv34.html
21846 || MALWARE-CNC TDS Sutra - request in.cgi ||
url,wepawet.iseclab.org/view.php?
hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js ||
url,www.nartv.org/tag/tds/ || url,xylibox.blogspot.com/2011/12/sutra-tdsv34.html
21848 || MALWARE-OTHER TDS Sutra - page redirecting to a SutraTDS || url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js || url,www.nartv.org/tag/tds/ || url,xylibox.blogspot.com/2011/12/sutra-tdsv34.html
21849 || MALWARE-OTHER TDS Sutra - HTTP header redirecting to a SutraTDS
|| url,wepawet.iseclab.org/view.php?
hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js ||
url,www.nartv.org/tag/tds/ || url,xylibox.blogspot.com/2011/12/sutra-tdsv34.html
21850 || MALWARE-OTHER TDS Sutra - request hi.cgi ||
url,wepawet.iseclab.org/view.php?
hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js ||
url,www.nartv.org/tag/tds/ || url,xylibox.blogspot.com/2011/12/sutra-tdsv34.html
21851 || MALWARE-OTHER TDS Sutra - redirect received ||
url,wepawet.iseclab.org/view.php?
hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js ||
url,www.nartv.org/tag/tds/ || url,xylibox.blogspot.com/2011/12/sutra-tdsv34.html
22061 || MALWARE-OTHER Alureon - Malicious IFRAME load attempt
22063 || SERVER-WEBAPP PHP-CGI remote file include attempt || cve,2012-1823 || cve,2012-2311 || cve,2012-2335 || cve,2012-2336
22957 || BLACKLIST DNS request for known malware domain murik.portalprotection.net.ru - Mal/Rimecud-R || url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~Rimecud-R/detailed-analysis.aspx
22958 || BLACKLIST DNS request for known malware domain slade.safehousenumber.com - Mal/Rimecud-R || url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~Rimecud-R/detailed-analysis.aspx
22959 || BLACKLIST DNS request for known malware domain world.rickstudio.ru - Mal/Rimecud-R || url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~Rimecud-R/detailed-analysis.aspx
22960 || BLACKLIST DNS request for known malware domain
portal.roomshowerbord.com - Mal/EncPk-ADU ||
url,www.threatexpert.com/report.aspx?md5=d3d6f87d8f8e3dd5c2793d5a1d3ca7ca
23179 || INDICATOR-COMPROMISE script before DOCTYPE possible malicious
redirect attempt
23481 || INDICATOR-OBFUSCATION hex escaped characters in setTimeout call
23482 || INDICATOR-OBFUSCATION hex escaped characters in addEventListener
call
23492 || MALWARE-CNC Win.Trojan.ZeroAccess outbound communication ||
url,www.virustotal.com/file/50cdd9f6c5629630c8d8a3a4fe7d929d3c6463b2f9407
d9a90703047e7db7ff9/analysis/
23621 || INDICATOR-OBFUSCATION known packer routine with secondary
obfuscation || url,dean.edwards.name/packer/
23636 || INDICATOR-OBFUSCATION JavaScript built-in function parseInt
appears obfuscated - likely packer or encoder ||
url,labs.snort.org/docs/23636.txt
24015 || MALWARE-CNC Win.Trojan.Magania variant outbound connection || url,www.seculert.com/blog/2013/06/adversary-arsenal-exposed-part-i-pinkstats.html || url,www.virustotal.com/file/6a813f96bb65367a8b5c5ba2937c773785a0a0299032a6c77b9b0862be8bdb71/analysis/

24017 || MALWARE-OTHER Possible malicious redirect - rebots.php || url,blog.sucuri.net/2012/08/rebots-php-javascript-malware-being-actively-injected.html || url,labs.sucuri.net/db/malware/mwjs-include-rebots
24031 || BLACKLIST DNS request for known malware domain api.wipmania.com - Troj.Dorkbot-AO || url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Dorkbot-AO/detailed-analysis.aspx
24032 || BLACKLIST DNS request for known malware domain lolcantpwnme.net - W32.DorkBot-S || url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~DorkBot-S/detailed-analysis.aspx
24033 || BLACKLIST DNS request for known malware domain rewt.ru - W32.DorkBot-S || url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~DorkBot-S/detailed-analysis.aspx
24034 || BLACKLIST DNS request for known malware domain jebena.ananikolic.su - Malware.HPsus/Palevo-B || url,www.sophos.com/en-us/threat-center/threat-analyses/suspicious-behavior-and-files/HPsus~Palevo-B/detailed-analysis.aspx
24225 || MALWARE-OTHER malicious redirection attempt || url,blog.sucuri.net/2012/09/compromised-websites-hosting-calls-to-java-exploit.html
24251 || OS-MOBILE Android/Fakelash.A!tr.spy trojan command and control channel traffic || url,blog.fortiguard.com/android-malware-distributed-by-malicious-sms-in-france/
24253 || INDICATOR-COMPROMISE IP only webpage redirect attempt
24254 || INDICATOR-COMPROMISE IP only webpage redirect attempt
24265 || MALWARE-OTHER Malicious UA detected on non-standard port ||
url,anubis.iseclab.org/?
action=result&task_id=1691c3b8835221fa4692960681f39c736&format=html
24598 || POLICY-SPAM 1.usa.gov URL in email, possible spam redirect ||
url,www.symantec.com/connect/blogs/spam-gov-urls
24885 || MALWARE-CNC Potential Banking Trojan Config File Download ||
url,www.virustotal.com/file/2418469245edf860633f791b972e1a8a11e5744c6deb0
cc1a55531cba3d0bd7f/analysis/
24886 || MALWARE-CNC Win.Trojan.Dorkbot variant outbound connection ||
url,www.virustotal.com/file/c425af6875dff2c0627421086f66b7e058f51d2293947
8529702d193837c6cfe/analysis/
25050 || MALWARE-CNC Win.Trojan.Zeus variant outbound connection
25054 || MALWARE-CNC ZeroAccess Clickserver callback
25119 || BLACKLIST User-Agent known malicious user agent - NewBrandTest
||
url,www.virustotal.com/file/02b18d0aa415e299515891b56424751e846ca917d3bb5
5b82f07cfb97f62c4e1/analysis/
25224 || MALWARE-CNC Win.Trojan.ZeroAccess URI and Referer
25256 || MALWARE-CNC Win.Worm.Gamarue variant outbound connection
25257 || MALWARE-CNC Win.Trojan.Skintrim variant outbound connection ||
url,www.virustotal.com/file/80e67695fa394f56fd6ddae74b72e9050f651244aad52
ad48ebe6304edff95e2/analysis/1357239259/
25258 || MALWARE-CNC Win.Trojan.Rombrast variant outbound connection ||
url,www.virustotal.com/file/af1ffe831112cbb34866fe1a65ed18613578039b002ca
221757b791a5006894d/analysis/
25259 || MALWARE-CNC Win.Trojan.BancosBanload variant outbound connection
||
url,www.virustotal.com/file/098fa9dbc519669a50fc6f3cdc8d9e4b05a6f0c32d154
f515e403b54d72efff6/analysis/1357138873/

25269 || MALWARE-CNC Win.Trojan.Buterat variant outbound connection || url,www.virustotal.com/file/90fb793d1fd7245b841ca4b195e3944a991d97d854090729062d700fe74553e5/analysis/
25271 || MALWARE-CNC Win.Trojan.Buzus variant outbound connection
25277 || MALWARE-OTHER Request for a non-legit postal receipt ||
url,urlquery.net/search.php?q=.php%3Fphp%3Dreceipt&type=string
25471 || MALWARE-CNC Pushdo Spiral Traffic || url,updates.atomicorp.com/channels/rules/delayed/modsec/10_asl_antimalware.conf
25503 || MALWARE-CNC Necurs Rootkit sba.cgi ||
url,www.virustotal.com/file/b1e6f0cad0ae5c60e9e4fa18fd3b4a045d6db172c10a1
c8e054e22d1aff4c673/analysis/
25504 || MALWARE-CNC Necurs Rootkit op.cgi ||
url,www.virustotal.com/file/b1e6f0cad0ae5c60e9e4fa18fd3b4a045d6db172c10a1
c8e054e22d1aff4c673/analysis/
25511 || MALWARE-CNC Win.Trojan.Symmi variant outbound connection ||
url,www.virustotal.com/file/f4c44b5331c30b62beacae5d343d591584715c2d9d6d6
5848216b61efd916ec1/analysis/
25518 || OS-MOBILE Apple iPod User-Agent detected
25519 || OS-MOBILE Apple iPad User-Agent detected
25520 || OS-MOBILE Apple iPhone User-Agent detected
25521 || OS-MOBILE Android User-Agent detected
25522 || OS-MOBILE Nokia User-Agent detected
25523 || OS-MOBILE Samsung User-Agent detected
25524 || OS-MOBILE Kindle User-Agent detected
25525 || OS-OTHER Nintendo User-Agent detected
25577 || MALWARE-CNC Win.Rootkit.Necurs possible URI with encrypted POST
||
url,www.virustotal.com/file/98fb9778208cb74c11a71afd065ae64e562ded1ae477a
d42e392fe3711170319/analysis/
25578 || MALWARE-OTHER Fake postal receipt HTTP Response phishing attack || url,www.urlquery.net/search.php?q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50
25579 || MALWARE-OTHER Fake bookinginfo HTTP Response phishing attack || url,www.urlquery.net/search.php?q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50
25580 || MALWARE-OTHER Fake bookingdetails HTTP Response phishing attack || url,www.urlquery.net/search.php?q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50
25627 || MALWARE-CNC Win.Trojan.Reventon variant outbound communication
||
url,www.virustotal.com/file/25c690dac0d17f9ba304e5e68c1da2381685b1aa0aa3c
d503589bbc59daf81eb/analysis/
25652 || MALWARE-CNC Win.Trojan.Kryptic variant outbound connection ||
url,www.virustotal.com/file/3ff78086c2e0fb839beeea7e4a209850c00f338005872
e845155341cc30a5db5/analysis/
25660 || MALWARE-CNC Win.Trojan.Medfos variant outbound connection ||
url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?
Name=Trojan:JS/Medfos.B
25675 || MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection ||
url,www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c
9c5a98170644374f64f/analysis/

25765 || MALWARE-CNC Trojan Agent YEH variant outbound connection || url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-YEH/detailed-analysis.aspx
25766 || MALWARE-CNC Win.Trojan.Bancos variant outbound connection ||
url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?
Name=Win32%2fBancos
25807 || MALWARE-CNC Win.Trojan.Urausy Botnet variant outbound
communication || url,www.botnets.fr/index.php/Urausy
25829 || MALWARE-CNC Trojan Banker FTC variant outbound connection || url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Banker-FTC/detailed-analysis.aspx
25854 || MALWARE-CNC Win.Trojan.Zeus variant outbound connection - MSIE7
No Referer No Cookie || url,en.wikipedia.org/wiki/Zeus_(Trojan_horse)
25946 || BLACKLIST DNS request for known malware domain 24131192124.com - Win.Trojan.Chebri.C || url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3AWin32%2FChebri.C
25947 || APP-DETECT Ammyy remote access tool || url,www.ammyy.com
25948 || EXPLOIT-KIT redirection to driveby download
25949 || MALWARE-CNC GzWaaa outbound data connection ||
url,www.virustotal.com/en/file/04edf40eaf652dfab4e8dc2ca21fbf2e99d3617469
95767071789cc3fa24d2cc/analysis/1361822708/
26020 || EXPLOIT-KIT Sibhost exploit kit ||
url,www.malwaresigs.com/2013/02/26/sport-cd-am-sibhost
26023 || MALWARE-CNC Win.Trojan.Zbot variant in.php outbound connection
|| url,zeustracker.abuse.ch/monitor.php?ipaddress=195.22.26.231
26024 || MALWARE-CNC Win.Trojan.Wecod variant outbound connection ||
url,www.virustotal.com/en/file/22e0300501e6bbb7f46c2fb5aed12e4c0d23385cc6
319d430cd4faed5241f362/analysis/
26075 || MALWARE-CNC Bancos variant outbound connection SQL query POST
data ||
url,www.virustotal.com/en/file/88efcb549a52e3fb6359a3888e72726aac00c730ed
cd5280e0248d11306a645d/analysis/
26106 || MALWARE-CNC Win.Trojan.Zeus variant outbound connection
26203 || MALWARE-CNC Win.Trojan.Gupd variant outbound connection ||
url,www.virustotal.com/en/file/0DD9018A9AF609382FABDA8E4EC86033DA83E42FEC
25499C329DBDCBB00F2AF0/analysis/
26211 || MALWARE-CNC Win.Trojan.Eldorado variant outbound connection ||
url,www.virustotal.com/en/file/46b01e093493ff14a4f1a43905d4943f5559fb518c
04edde46084d9672d0f20f/analysis/1363359002/
26212 || MALWARE-CNC Win.Trojan.Proxyier variant outbound connection
26261 || MALWARE-OTHER Fake postal receipt HTTP Response phishing attack || url,www.urlquery.net/search.php?q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50
26264 || MALWARE-CNC Dapato banking Trojan variant outbound connection ||
url,www.virustotal.com/en/file/ebcff32473d032041bd69e9599fbff4ad295128003
f76d1f452ba7cb6e2d20d4/analysis/1364314446/
26265 || BLACKLIST DNS request for known malware domain mercury.yori.pl - Kazy Trojan || url,www.virustotal.com/en/file/3b10dea660714efe9d89b8473196be64445741a2b9d36f9ddf5e45e744a9e320/analysis/
26286 || APP-DETECT Absolute Software Computrace outbound connection - search.dnssearch.org || url,absolute.com/support/consumer/technology_computrace || url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf
26287 || APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com || url,absolute.com/support/consumer/technology_computrace || url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf
26288 || MALWARE-CNC Brontok Worm variant outbound connection || url,www.securelist.com/en/descriptions/10286064/Email-Worm.Win32.Brontok.rf?print_mode=1
26289 || MALWARE-CNC Daws Trojan Outbound Plaintext over SSL Port ||
url,www.virustotal.com/file/f810c56734a686fdf46eb3ff895db6f3dd0cebb45c1e7
4bcc1c43f8050242d53/analysis/1359999907/
26319 || MALWARE-CNC file path used as User-Agent - potential Trojan ||
url,www.virustotal.com/en/file/5dd932e083cf9d910bc43bb998983f5ec35691c1b8
4708a355f7c46b358fa375/analysis/
26325 || MALWARE-CNC Win.Trojan.Scar variant outbound connection ||
url,www.virustotal.com/en/file/171a0b12197c1b1b525e2db1a62adb6f6c3f42ccb5
704c8174944ee8b901abec/analysis/
26327 || MALWARE-CNC OSX.Trojan.Flashfake variant outbound connection ||
url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATI
ON/23000%2FPD23747/en_US/Threat_Advisory_OSX_Flashfake.pdf
26335 || MALWARE-CNC FBI Ransom Trojan variant outbound connection
26370 || MALWARE-CNC Win.Trojan.Bancos variant outbound connection - ksa.txt || url,www.virustotal.com/en/file/d8870137f7f761055a2ac83b03eb3f8fe26015fa0ba99f41551ca59374c6a3ec/analysis/1365436849/
26371 || MALWARE-CNC Win.Trojan.Bancos variant outbound connection - op
POST ||
url,www.virustotal.com/en/file/d8870137f7f761055a2ac83b03eb3f8fe26015fa0b
a99f41551ca59374c6a3ec/analysis/1365436849/
26380 || MALWARE-OTHER UTF-8 BOM in zip file attachment detected || url,blogs.mcafee.com/mcafee-labs/phishing-threat-uses-utf-8-bom-in-zip-signature-to-evade-detection
26381 || MALWARE-OTHER UTF-8 BOM in zip file attachment detected || url,blogs.mcafee.com/mcafee-labs/phishing-threat-uses-utf-8-bom-in-zip-signature-to-evade-detection
26382 || MALWARE-OTHER UTF-8 BOM in zip file attachment detected || url,blogs.mcafee.com/mcafee-labs/phishing-threat-uses-utf-8-bom-in-zip-signature-to-evade-detection
26395 || APP-DETECT Ufasoft bitcoin miner possible data upload ||
url,ufasoft.com/open/bitcoin/
26396 || BLACKLIST DNS request for known malware domain
suppp.cantvenlinea.biz - Bitcoin Miner upload
26398 || MALWARE-CNC Win.Trojan.Gamarue variant outbound connection ||
url,www.virustotal.com/en/file/b34f23afc2f6ca093b2923f0aa12d942a5960cf484
75272df5b60edf556e4299/analysis/
26399 || BLACKLIST DNS request for known malware domain f.eastmoon.pl - Win.Trojan.Dorkbot
26400 || BLACKLIST DNS request for known malware domain s.richlab.pl - Win.Trojan.Dorkbot
26401 || BLACKLIST DNS request for known malware domain gigasbh.org - Win.Trojan.Dorkbot
26402 || BLACKLIST DNS request for known malware domain xixbh.com - Win.Trojan.Dorkbot
26403 || BLACKLIST DNS request for known malware domain h.opennews.su - Win.Trojan.Dorkbot
26404 || BLACKLIST DNS request for known malware domain o.dailyradio.su - Win.Trojan.Dorkbot
26405 || BLACKLIST DNS request for known malware domain xixbh.net - Win.Trojan.Dorkbot
26406 || BLACKLIST DNS request for known malware domain photobeat.su - Win.Trojan.Dorkbot
26407 || BLACKLIST DNS request for known malware domain uranus.kei.su - Win.Trojan.Dorkbot
26408 || BLACKLIST DNS request for known malware domain gigasphere.su - Win.Trojan.Dorkbot
26409 || BLACKLIST DNS request for known malware domain ext.myshopers.com - Win.Trojan.Dorkbot
26410 || INDICATOR-COMPROMISE IP address check to j.maxmind.com detected
26411 || MALWARE-OTHER Win.Worm.Dorkbot folder snkb0ptz creation attempt
SMB
26412 || MALWARE-OTHER Win.Worm.Dorkbot executable snkb0ptz.exe creation
attempt SMB
26413 || MALWARE-OTHER Win.Worm.Dorkbot Desktop.ini snkb0ptz.exe creation
attempt SMB
26467 || MALWARE-CNC Win.Trojan.Magic variant inbound connection ||
url,www.seculert.com/blog/2013/04/magic-persistent-threat.html
26468 || SERVER-ORACLE Oracle WebCenter FatWire Satellite Server header
injection on blobheadername2 attempt || cve,2013-1509 ||
url,www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html
26469 || SERVER-ORACLE Oracle WebCenter FatWire Satellite Server header
injection on blobheadername2 attempt || cve,2013-1509 ||
url,www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html
26470 || MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP
Response - potential malware download ||
url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef66658
1ef1385c628233614b22c0/analysis/
26480 || MALWARE-CNC Win.Trojan.Zbot fake PNG config file download
without User-Agent
26482 || MALWARE-CNC Unknown Thinner Encrypted POST botnet C&C ||
url,support.clean-mx.de/clean-mx/viruses.php?sort=firstseen
%20desc&review=95.57.120.111
26483 || SERVER-WEBAPP JavaScript tag in User-Agent field possible XSS attempt || url,blog.spiderlabs.com/2012/11/honeypot-alert-referer-field-xss-attacks.html
26522 || BLACKLIST User-Agent known malicious user agent NOKIAN95/WEB || url,blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication/
26526 || EXPLOIT-KIT Portable Executable downloaded with bad DOS stub || cve,2013-2423 || url,www.invincea.com/2013/04/k-i-a-java-cve-2013-2423-via-new-and-improved-cool-ek/
26528 || INDICATOR-COMPROMISE Unix.Backdoor.Cdorked redirect attempt || url,blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html || url,virustotal.com/en/file/7b3cd8c1bd0249df458084f28d91648ad14e1baf455fdd53b174481d540070c6/analysis/

26533 || MALWARE-CNC Unknown malware - Incorrect headers - Referer HTTP/1.0
26553 || PUA-ADWARE Win.Adware.BProtector browser hijacker dll list
download attempt
26554 || BLACKLIST DNS request for known malware domain
d1js21szq85hyn.cloudfront.net - Win.Adware.BProtector
26555 || BLACKLIST DNS request for known malware domain
xxxxxxxxxxxxxxx.kei.su - Win.Trojan.Dorkbot
26556 || BLACKLIST DNS request for known malware domain f.dailyradio.su - Win.Trojan.Dorkbot
26558 || BLACKLIST User-Agent known Malicious user agent Brutus AET ||
url,sectools.org/tool/brutus
26560 || MALWARE-CNC Win.Trojan.Bancos variant outbound connection - getcomando POST data || url,www.virustotal.com/en/file/a8f162a9c7347e485db374664227884b16112e2983923d0888c8b80661f25e44/analysis/1367267173/
26561 || MALWARE-CNC Win.Trojan.Zeus variant outbound connection
26562 || EXPLOIT-KIT Nuclear exploit kit Spoofed Host Header .comrequests
26563 || MALWARE-CNC Harakit botnet traffic ||
url,www.symantec.com/security_response/attacksignatures/detail.jsp?
asid=23239 ||
url,www.virustotal.com/en/file/3df72fe102fddc74de2da518ea16948bd2c8c0e910
c28c4358367e10723ba21f/analysis/
26576 || MALWARE-CNC Potential hostile executable served from compromised or malicious WordPress site || url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-sirefef-malware
26577 || BLACKLIST User-Agent known malicious user agent Opera 10 || url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-sirefef-malware || url,dev.opera.com/articles/view/opera-ua-string-changes
26578 || MALWARE-CNC Win.Trojan.Kazy/FakeAV Checkin with IE6 User-Agent
||
url,www.virustotal.com/en/file/b288d6eadc9d4bca710f73e850a0901cf5fe62c775
350c9a30ebaf9a05097a0f/analysis/1367713929/
26579 || MALWARE-CNC Win.Trojan.Kazy/FakeAV Checkin with IE6 User-Agent
||
url,www.virustotal.com/en/file/b288d6eadc9d4bca710f73e850a0901cf5fe62c775
350c9a30ebaf9a05097a0f/analysis/1367713929/
26580 || BLACKLIST DNS request for known malware domain www.elitemarketingworld.net - Cosmu Trojan || url,camas.comodo.com/cgi-bin/submit?file=19e389aa2bce187e2fcd1aaa8b0f617cee2907b27b45dd0d5090d50d308a91bc
26581 || BLACKLIST DNS request for known malware domain www.rsakillerforever.name - Cosmu Trojan || url,camas.comodo.com/cgi-bin/submit?file=19e389aa2bce187e2fcd1aaa8b0f617cee2907b27b45dd0d5090d50d308a91bc
26582 || BLACKLIST DNS request for known malware domain www.allamericanservices.name - Cosmu Trojan || url,camas.comodo.com/cgi-bin/submit?file=19e389aa2bce187e2fcd1aaa8b0f617cee2907b27b45dd0d5090d50d308a91bc
26583 || BLACKLIST DNS request for known malware domain msnsolution.nicaze.net - Genome Trojan || url,camas.comodo.com/cgi-bin/submit?file=f48652bff483682938b8c281d32f8f3df424018270900956d30658e1dcec4b44 || url,www.virustotal.com/en/file/f48652bff483682938b8c281d32f8f3df424018270900956d30658e1dcec4b44/analysis/1367863560/
26585 || INDICATOR-COMPROMISE config.inc.php in iframe || url,blog.sucuri.net/2013/05/auto-generated-iframes-to-blackhole-exploit-kit-following-the-cookie-trail.html
26589 || BLACKLIST DNS request for known malware domain
theimageparlour.net - Vobfus worm ||
url,www.virustotal.com/en/file/cbee43ecc75d6f29061416add74a78ce5e36c67b85
e186d66338399305e594d4/analysis/
26612 || BLACKLIST DNS request for known malware domain
ppcfeedadvertising.com
26613 || MALWARE-CNC Medfos Trojan variant outbound connection ||
url,www.virustotal.com/en/file/5bad5a2e4497f866291813aed264b5dc3c9fad4e56
796306842c7b50b553ae11/analysis/
26614 || BLACKLIST DNS request for known malware domain ppcfeedclick.com
26654 || BLACKLIST DNS request for known malware domain www2.x3x4.su backdoor trojan ||
url,www.virustotal.com/en/file/a6cad9e09f5049f432491037946acf3376d3d957b9
7f49ecb22f86531fb0b7de/analysis/
26655 || MALWARE-BACKDOOR Win.Backdoor.PCRat data upload ||
url,www.virustotal.com/en/file/669DF9DED24D56997D7B1EA6249BB704226DADA092
30DC285AE66CA0C9B7247B/analysis/
26656 || MALWARE-CNC Win.Trojan.Travnet Botnet data upload ||
url,www.virustotal.com/en/file/F7E9A1A4FC4766ABD799B517AD70CD5FA234C8ACC1
0D96CA51ECF9CF227B94E8/analysis/
26657 || MALWARE-CNC Win.Trojan.Shiz variant outbound connection ||
url,camas.comodo.com/cgi-bin/submit?
file=58963fd6a567513990ec6be52dc036bc5b728bb6528fca61227b22681ac838e6 ||
url,www.virustotal.com/en/file/58963fd6a567513990ec6be52dc036bc5b728bb652
8fca61227b22681ac838e6/analysis/1368563326/
26658 || BROWSER-WEBKIT Possible Google Chrome Plugin install from non-trusted source || url,blogs.technet.com/b/mmpc/archive/2013/05/10/browser-extension-hijacks-facebook-profiles.aspx
26659 || BROWSER-FIREFOX Possible Mozilla Firefox Plugin install from non-Mozilla source || url,research.zscaler.com/2012/09/how-to-install-silently-malicious.html
26660 || MALWARE-OTHER Fake delivery information phishing attack
26695 || MALWARE-CNC Win.Trojan.Namihno variant outbound request
26696 || MALWARE-CNC Cbeplay Ransomware variant outbound connection Abnormal HTTP Headers || url,malware.dontneedcoffee.com/2013/02/cbeplayp-now-target-australia-and-moved.html
26697 || MALWARE-CNC Cbeplay Ransomware variant outbound connection POST Body || url,malware.dontneedcoffee.com/2013/02/cbeplayp-now-target-australia-and-moved.html
26698 || MALWARE-OTHER Compromised Website response - leads to Exploit
Kit || url,www.jsunpack.jeek.org/?
report=c94ca7cda909cf93ae95db22a27bb5d711c2ae8f
26712 || MALWARE-CNC Kazy Trojan check-in || url,camas.comodo.com/cgi-bin/submit?file=6d823488b26533f5151c3bab93c2a8ba832c9320e612d58d1134740abe3ca157
26713 || MALWARE-CNC Win.Trojan.BlackRev rev 1 outbound traffic || url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi
26714 || MALWARE-CNC Win.Trojan.BlackRev rev 2 outbound traffic || url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi
26715 || MALWARE-CNC Win.Trojan.BlackRev rev 3 outbound traffic || url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi
26718 || BLACKLIST DNS request for known malware domain - Backdoor Rbot
||
url,www.virustotal.com/en/file/bee6e4bb1aba3934388948b48c59068fac3bf467ea
9bde8d043ee6481a4d8431/analysis/1369236935/
26719 || MALWARE-CNC Win.Trojan.Kbot variant outbound connection ||
url,blog.avast.com/2013/05/22/grum-lives/
26720 || MALWARE-CNC Win.Trojan.Kbot variant outbound connection ||
url,blog.avast.com/2013/05/22/grum-lives/
26722 || MALWARE-CNC Bancos fake JPG encrypted config file download
26723 || MALWARE-CNC Trojan Downloader7 ||
url,www.drwebhk.com/en/virus_techinfo/Trojan.DownLoader7.25647.html
26725 || MALWARE-CNC Win.Trojan.BlackRev cnc http command || url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi
26726 || MALWARE-CNC Win.Trojan.BlackRev cnc stop command || url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi
26727 || MALWARE-CNC Win.Trojan.BlackRev cnc die command || url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi
26728 || MALWARE-CNC Win.Trojan.BlackRev cnc sleep command || url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi
26729 || MALWARE-CNC Win.Trojan.BlackRev cnc simple command || url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi
26730 || MALWARE-CNC Win.Trojan.BlackRev cnc loginpost command || url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi
26731 || MALWARE-CNC Win.Trojan.BlackRev cnc datapost command || url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi
26732 || MALWARE-CNC Win.Trojan.BlackRev cnc syn command || url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi
26733 || MALWARE-CNC Win.Trojan.BlackRev cnc udp command || url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi
26734 || MALWARE-CNC Win.Trojan.BlackRev cnc udpdata command || url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi
26735 || MALWARE-CNC Win.Trojan.BlackRev cnc data command || url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi
26736 || MALWARE-CNC Win.Trojan.BlackRev cnc icmp command || url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi

26737 || MALWARE-CNC Win.Trojan.BlackRev cnc tcpdata command || url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi
26738 || MALWARE-CNC Win.Trojan.BlackRev cnc dataget command || url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi
26739 || MALWARE-CNC Win.Trojan.BlackRev cnc connect command || url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi
26740 || MALWARE-CNC Win.Trojan.BlackRev cnc dns command || url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi
26741 || MALWARE-CNC Win.Trojan.BlackRev cnc exec command || url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi
26742 || MALWARE-CNC Win.Trojan.BlackRev cnc resolve command || url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi
26743 || MALWARE-CNC Win.Trojan.BlackRev cnc antiddos command || url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi
26744 || MALWARE-CNC Win.Trojan.BlackRev cnc range command || url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi
26745 || MALWARE-CNC Win.Trojan.BlackRev cnc ftp command || url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi
26746 || MALWARE-CNC Win.Trojan.BlackRev cnc download command || url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi
26747 || MALWARE-CNC Win.Trojan.BlackRev cnc fastddos command || url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi
26748 || MALWARE-CNC Win.Trojan.BlackRev cnc slowhttp command || url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi
26749 || MALWARE-CNC Win.Trojan.BlackRev cnc allhttp command || url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi
26750 || MALWARE-CNC Win.Trojan.BlackRev cnc full command || url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi
26774 || MALWARE-CNC Win.Worm.Luder variant outbound connection ||
url,www.virustotal.com/en/file/6077fd6cbb44c78a16d66fedb10492c7776127dc76
ee071b051970971212bae8/analysis/
26775 || MALWARE-CNC Win.Trojan.Blocker variant outbound connection HTTP
Header Structure ||
url,www.virustotal.com/en/file/c157a06965bf9edc101350c6122d108ccb1d99600c
bb6967ef41dfed255f2009/analysis/
26776 || MALWARE-CNC Win.Trojan.Blocker variant outbound connection POST
||
url,www.virustotal.com/en/file/c157a06965bf9edc101350c6122d108ccb1d99600c
bb6967ef41dfed255f2009/analysis/

26779 || MALWARE-CNC Win.Trojan.Cridex encrypted POST check-in || url,www.virustotal.com/en/file/843ffd922b9bd902d736ddb664b578cde6e3033fa5a14b862b09045c36aa7524/analysis/1369942427/
26780 || MALWARE-CNC cridex HTTP Response - default0.js ||
url,www.virustotal.com/en/file/843ffd922b9bd902d736ddb664b578cde6e3033fa5
a14b862b09045c36aa7524/analysis/1369942427/
26781 || BLACKLIST DNS request for known malware domain vseforyou.ru Cridex Trojan ||
url,www.virustotal.com/en/file/843ffd922b9bd902d736ddb664b578cde6e3033fa5
a14b862b09045c36aa7524/analysis/1369942427/
26782 || BLACKLIST DNS request for known malware domain commorgan.ru Cridex Trojan ||
url,www.virustotal.com/en/file/843ffd922b9bd902d736ddb664b578cde6e3033fa5
a14b862b09045c36aa7524/analysis/1369942427/
26811 || MALWARE-CNC XP Fake Antivirus Payment Page Request ||
url,camas.comodo.com/cgi-bin/submit?
file=cf3eff5320b0c8d41490e412e89b97559bf34fcde8f9934e5fb7c76467a679d8
26812 || MALWARE-CNC XP Fake Antivirus Check-in ||
url,camas.comodo.com/cgi-bin/submit?
file=cf3eff5320b0c8d41490e412e89b97559bf34fcde8f9934e5fb7c76467a679d8
26814 || EXPLOIT-KIT Blackholev2 exploit kit Initial Gate from Linked-In
Mailing Campaign
26834 || EXPLOIT-KIT Sweet Orange exploit kit landing page in.php base64
uri || cve,2010-0188 || cve,2012-0422 || cve,2012-0431 || cve,2012-0607
|| cve,2012-1723 || cve,2012-4681 || cve,2012-5076 || cve,2013-2423
26835 || MALWARE-CNC RDN Banker POST variant outbound connection ||
url,www.virustotal.com/en/file/1a23f27b046af92b7dd2c4a8f8349c9fd9582ad91b
5a61556470c58b15af3b26/analysis/1369251144/
26836 || MALWARE-CNC RDN Banker Strange Google Traffic ||
url,www.virustotal.com/en/file/1a23f27b046af92b7dd2c4a8f8349c9fd9582ad91b
5a61556470c58b15af3b26/analysis/1369251144/
26837 || MALWARE-CNC BitBot Idle C2 response ||
url,blogs.mcafee.com/mcafee-labs/delving-deeply-into-a-bitcoin-botnet
26838 || EXPLOIT-KIT Blackholev2 exploit kit Initial Gate from NatPay
Mailing Campaign
26839 || MALWARE-CNC Win.Trojan.Zeus P2P-proxy C2 Write command ||
url,www.cert.pl/PDF/2013-06-p2p-rap_en.pdf
26842 || MALWARE-BACKDOOR Win.Backdoor.Boda Malware Checkin
26910 || MALWARE-CNC ZeroAccess Encrypted 128-byte POST No Accept Headers
26911 || MALWARE-CNC Win.Trojan.Rombrast Trojan outbound communication ||
url,www.virustotal.com/en/file/deac0b06fb36e38520b002489dae6fff3d346e72d3
31c3889e9d2764fe2bcf14/analysis/
26912 || MALWARE-CNC Win.Trojan.Rombrast Trojan outbound communication ||
url,www.virustotal.com/en/file/deac0b06fb36e38520b002489dae6fff3d346e72d3
31c3889e9d2764fe2bcf14/analysis/
26913 || BLACKLIST DNS request for known malware domain
www.silobiancer.com - Win.Trojan.Rombrast Trojan ||
url,www.virustotal.com/en/file/deac0b06fb36e38520b002489dae6fff3d346e72d3
31c3889e9d2764fe2bcf14/analysis/
26914 || BLACKLIST DNS request for known malware domain goliyonzo.pw BackDoor Comet || url,mwanalysis.org/?
page=report&analysisid=2156196&password=gtrcgbtwhh ||
url,www.virustotal.com/en/file/b2e7148311c223519042ba38e1ef8a48061645d5bd
cadf9763386ad92fcc2654/analysis/

26915 || BLACKLIST DNS request for known malware domain zalil.ru - Kazy
Trojan || url,mwanalysis.org/?
page=report&analysisid=2156195&password=ykndnbluja ||
url,www.virustotal.com/en/file/22ecaeec7bf54ac3bb8deecd092447c8d62e8e4a92
8dcaada0348b08db2d1f94/analysis/
26916 || BLACKLIST DNS request for known malware domain soywey.sin-ip.es
- Palevo Botnet ||
url,www.virustotal.com/en/file/218bf5badb5658d06b14d376c92834622b6a171dde
9fa8dded755d9fd54c4dae/analysis/
26917 || BLACKLIST DNS request for known malware domain
bigmack.opendns.be - Palevo Botnet ||
url,www.mywot.com/en/scorecard/bigmack.opendns.be?page=3
26918 || BLACKLIST DNS request for known malware domain
trafficconverter.biz - ChronoPay ||
url,krebsonsecurity.com/2011/03/chronopays-scareware-diaries/#more-8331
26919 || BLACKLIST DNS request for known malware domain
kjwre9fqwieluoi.info - W32.Sality ||
url,www.threatexpert.com/report.aspx?md5=7abf56a5fbced892d2bdbe1fcbff233a
26920 || BLACKLIST DNS request for known malware domain
kukutrustnet777.info - W32.Sality ||
url,www.threatexpert.com/report.aspx?md5=7abf56a5fbced892d2bdbe1fcbff233a
26923 || MALWARE-CNC Win.Trojan.Zeus variant outbound connection
26924 || MALWARE-CNC Potential Gozi Trojan HTTP Header Structure
26925 || SQL generic convert injection attempt - GET parameter ||
url,www.securiteam.com/securityreviews/5DP0N1P76E.html
26947 || EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit inbound java
exploit download || cve,2013-2423 ||
url,www.basemont.com/new_exploit_kit_june_2013
26948 || EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit inbound java
exploit download || cve,2013-1493 ||
url,www.basemont.com/new_exploit_kit_june_2013
26949 || EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit landing page
|| url,www.basemont.com/new_exploit_kit_june_2013
26950 || EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit Zeroaccess
download attempt || cve,2013-1493 || cve,2013-2423 ||
url,www.basemont.com/new_exploit_kit_june_2013 ||
url,www.malwaresigs.com/2013/06/14/dotcachef/
26951 || EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit Malvertising Campaign URI request || url,research.zscaler.com/2013/06/openxadvertisingcom-mass-malvertising.html
26965 || MALWARE-CNC Win.Trojan.Win32 Facebook Secure Cryptor C2 ||
url,blog.avast.com/2013/06/18/your-facebook-connection-is-now-secured
26966 || MALWARE-CNC Win32/Autorun.JN variant outbound connection ||
url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?
Name=Worm%3AWin32%2FAutorun.JN ||
url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29e
a3d7424dd9f400af2c0f06/analysis/
26968 || MALWARE-CNC Win.Trojan.Gozi Data Theft POST Data ||
url,www.virustotal.com/en/file/b78c5c53d3b54acbca2b344a779528f0408258b6ac
12899c860d99bf563e883a/analysis/
26969 || MALWARE-CNC Win.Trojan.Gozi Trojan Data Theft POST URL ||
url,www.virustotal.com/en/file/b78c5c53d3b54acbca2b344a779528f0408258b6ac
12899c860d99bf563e883a/analysis/

26970 || MALWARE-CNC Win.Trojan.Pirminay variant outbound connection || url,www.virustotal.com/en/file/97f97c2126ed6ffc447a5f8c72d504679129a38f8a62e4678321f9a8057c3307/analysis/
26971 || BLACKLIST DNS request for known malware domain fasternation.net
- Win.Trojan.Pirminay ||
url,www.virustotal.com/en/file/97f97c2126ed6ffc447a5f8c72d504679129a38f8a
62e4678321f9a8057c3307/analysis/
26984 || MALWARE-CNC Win.Trojan.Injector Info Stealer Trojan variant
outbound connection ||
url,www.virustotal.com/en/file/4BAF26D033E17F0171AB27291649EEAE19EE33BD02
46F17BC921E3ADB7F36F42/analysis/
26985 || EXPLOIT-KIT Rawin exploit kit outbound java retrieval
27017 || MALWARE-CNC Win.Trojan.Dapato variant inbound response
connection ||
url,www.virustotal.com/en/file/111ffe389dc8fa802b8aff3b4e02a2f59d1b649276
3f9dc5a20a84f4da46932a/analysis/
27039 || MALWARE-CNC Win.Trojan.OnlineGameHack variant outbound
connection ||
url,image.ahnlab.com/global/upload/download/asecreport/ASEC_Report_Vol.39
_Eng.pdf
27040 || EXPLOIT-KIT Styx exploit kit plugin detection connection jorg ||
cve,2007-5659 || cve,2008-0655 || cve,2011-3544 || cve,2012-0507 ||
cve,2012-1723 || cve,2012-4681 || cve,2012-4969 || cve,2013-0422 ||
cve,2013-2423
27041 || EXPLOIT-KIT Styx exploit kit plugin detection connection jlnp ||
cve,2007-5659 || cve,2008-0655 || cve,2011-3544 || cve,2012-0507 ||
cve,2012-1723 || cve,2012-4681 || cve,2012-4969 || cve,2013-0422 ||
cve,2013-2423
27042 || EXPLOIT-KIT Styx exploit kit plugin detection connection jovf ||
cve,2007-5659 || cve,2008-0655 || cve,2011-3544 || cve,2012-0507 ||
cve,2012-1723 || cve,2012-4681 || cve,2012-4969 || cve,2013-0422 ||
cve,2013-2423
27043 || BLACKLIST DNS request for known malware domain memo-stat.com Htbot ||
url,malwr.com/analysis/MTNlMDg4ZTQwZjU2NDUxM2EwZDNlYzllNjZkMjRkNDI/ ||
url,www.virustotal.com/en/file/36802c72d1d5addc87d16688dcb37b680fd48f832f
a7b93c15cf4f426aa3f0a7/analysis/
27044 || BLACKLIST User-Agent known malicious user-agent string pb Htbot ||
url,malwr.com/analysis/MTNlMDg4ZTQwZjU2NDUxM2EwZDNlYzllNjZkMjRkNDI/ ||
url,www.virustotal.com/en/file/36802c72d1d5addc87d16688dcb37b680fd48f832f
a7b93c15cf4f426aa3f0a7/analysis/
27045 || MALWARE-CNC Win.Trojan.Blocker Download ||
url,www.virustotal.com/en/file/6d4d93f68aaf783a2526d920fa3c070d061fd56853
669a72a10b2c2232008582/analysis/1372086855/
27047 || INDICATOR-COMPROMISE Unknown ?1 redirect
27085 || EXPLOIT-KIT Unknown Malvertising exploit kit Hostile Jar
pipe.class
27086 || EXPLOIT-KIT Unknown Malvertising exploit kit stage-1 redirect
27113 || EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit Zeroaccess
download attempt || cve,2013-1493 || cve,2013-2423 ||
url,www.basemont.com/new_exploit_kit_june_2013 ||
url,www.malwaresigs.com/2013/06/14/dotcachef/

27144 || EXPLOIT-KIT Private exploit kit outbound traffic || cve,2006-0003 || cve,2010-0188 || cve,2011-3544 || cve,2013-1347 || cve,2013-1493 || cve,2013-2423 || url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html || url,malware.dontneedcoffee.com/2013/07/pepnew-bep.html || url,www.malwaresigs.com/2013/07/03/another-unknown-ek
27146 || BLACKLIST DNS request for known malware domain scari-elegante.ro
- Yakes Trojan ||
url,www.virustotal.com/en/file/980c4ed3dd130c9313a35434e0b102a6b8b038c987
35814834334ccc03e4da3c/analysis/
27155 || BLACKLIST DNS request for known malware domain
myharlemshake.info - MSIL Trojan || url,mwanalysis.org/?
page=report&analysisid=2178740&password=nxbjmzykzt ||
url,www.virustotal.com/en/file/16534fea6ec534249b0a14a497f82f5c7b4b8f2b00
5e965c24816365ce062318/analysis/
27180 || BLACKLIST DNS request for known malware domain twinkcam.net - W32/Kryptik || url,threatpost.com/nsa-whistleblower-article-redirects-to-malware || url,www.virustotal.com/en/file/5d7b09613c03cb3b54b9ab7a886558bba38861a899638f4318c09eaa56401821/analysis/1373466967/
27181 || BLACKLIST DNS request for known malware domain cinnamyn.com - W32/Kryptik || url,threatpost.com/nsa-whistleblower-article-redirects-to-malware || url,www.virustotal.com/en/file/5d7b09613c03cb3b54b9ab7a886558bba38861a899638f4318c09eaa56401821/analysis/1373466967/
27199 || MALWARE-CNC Win.Trojan.Meredrop variant outbound connection GET
Request ||
url,www.virustotal.com/en/file/dfb0050cb7fd6c879027cbecda703613b8d9fb2b2a
5682478dbcd0518172302c/analysis/1373576492/
27200 || MALWARE-CNC Win.Trojan.Meredrop variant outbound connection POST
Request ||
url,www.virustotal.com/en/file/dfb0050cb7fd6c879027cbecda703613b8d9fb2b2a
5682478dbcd0518172302c/analysis/1373576492/
27201 || MALWARE-CNC Win.Trojan.Neurevt variant outbound communication
27203 || INDICATOR-COMPROMISE Apache auto_prepend_file a.control.bin C2 traffic || url,blog.sucuri.net/2013/06/apache-php-injection-to-javascript-files.html
27204 || MALWARE-CNC Potential Bancos Brazilian Banking Trojan Browser
Proxy Autoconfig File
27246 || MALWARE-OTHER Mac OSX FBI ransomware || url,blog.malwarebytes.org/intelligence/2013/07/fbi-ransomware-now-targeting-apples-mac-os-x-users/
27247 || BLACKLIST DNS request for known malware domain restless.su Gamarue Trojan ||
url,www.virustotal.com/en/file/03103b40b95070e4d14803e949dc754ca02bcea25e
8b3a4194f7d248f15ca515/analysis/
27248 || MALWARE-CNC Win.Trojan.Gamarue - Mozi1la User-Agent ||
url,www.virustotal.com/en/file/03103b40b95070e4d14803e949dc754ca02bcea25e
8b3a4194f7d248f15ca515/analysis/
27252 || MALWARE-CNC Win.Trojan.ZeroAccess 111-byte URL variant outbound
connection
27253 || MALWARE-CNC Win.Trojan.Cridex Encrypted POST w/ URL Pattern ||
url,www.virustotal.com/en/file/cd0cdc216e456b34dc2e4c6db6bacbbba20122489e
6751621f921ca53cc7e421/analysis/

27254 || MALWARE-CNC Yakes Trojan HTTP Header Structure || url,www.virustotal.com/en/file/980c4ed3dd130c9313a35434e0b102a6b8b038c98735814834334ccc03e4da3c/analysis/
27255 || INDICATOR-COMPROMISE All Numbers .EXE file name from abnormally
ordered HTTP headers - Potential Yakes Trojan Download ||
url,www.virustotal.com/en/file/980c4ed3dd130c9313a35434e0b102a6b8b038c987
35814834334ccc03e4da3c/analysis/
27256 || MALWARE-CNC Win.Trojan.Kryptik Drive-by Download Malware ||
url,threatpost.com/nsa-whistleblower-article-redirects-to-malware ||
url,www.virustotal.com/en/file/5d7b09613c03cb3b54b9ab7a886558bba38861a899
638f4318c09eaa56401821/analysis/1373466967/
27257 || MALWARE-CNC Win.Trojan.Kryptic 7-byte URI Invalid Firefox
Headers - no Accept-Language ||
url,www.virustotal.com/en/file/8c1ff08a25b93da66921c75d0d21a9c08c5d3d36b9
5f9eaf113ecd84fa452944/analysis/1374505566/
27533 || MALWARE-CNC Potential Win.Trojan.Kraziomel Download - 000.jpg ||
url,www.virustotal.com/en/file/33525f8cf5ca951095d4af7376e026821b81557526
d4846916805387fb9c5bb2/analysis/
27534 || BLACKLIST DNS request for known malware domain claimcrazy.us Win.Kraziomel Trojan ||
url,www.virustotal.com/en/file/33525f8cf5ca951095d4af7376e026821b81557526
d4846916805387fb9c5bb2/analysis/
27535 || BLACKLIST DNS request for known malware domain mainenbha.com Win.Kraziomel Trojan ||
url,www.virustotal.com/en/file/33525f8cf5ca951095d4af7376e026821b81557526
d4846916805387fb9c5bb2/analysis/
27537 || BLACKLIST DNS request for known malware domain ohtheigh.cc - Foreign-R Trojan || url,secure2.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Foreign-R/detailed-analysis.aspx || url,www.virustotal.com/en/file/787cf06f029d8f79ed375aef13d18301541d73a56b4415da433833b8dae27b63/analysis/1374765802/
27538 || MALWARE-OTHER self-signed SSL certificate with default MyCompany Ltd organization name || url,en.wikipedia.org/wiki/Self-signed_certificate || url,security.ncsa.illinois.edu/research/gridhowtos/usefulopenssl.html
27565 || MALWARE-OTHER HideMeBetter spam injection variant ||
url,blog.sucuri.net/2013/07/hidemebetter-spam-injection-variant.html
27567 || MALWARE-CNC Win.Trojan.Rovnix malicious download request || url,blog.didierstevens.com/2013/08/04/quickpost-rovnix-pcap || url,blogs.technet.com/b/mmpc/archive/2013/07/25/the-evolution-of-ronvix-private-tcp-ip-stacks.aspx
27596 || MALWARE-CNC Win.Trojan.Redyms variant outbound connection ||
url,www.virustotal.com/en/file/1c61afd792257cbc72dc3221deb3d0093f0fc1abf2
c3f2816e041e37769137a4/analysis/1375189147/
27599 || MALWARE-CNC Fort Disco Registration variant outbound connection
|| url,www.net-security.org/secworld.php?id=15370
27625 || BLACKLIST DNS request for known malware domain documents.myPicture.info || url,fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html
27626 || BLACKLIST DNS request for known malware domain ftp.documents.myPicture.info || url,fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html
27627 || BLACKLIST DNS request for known malware domain info.xxuz.com || url,fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html
27628 || BLACKLIST DNS request for known malware domain www.documents.myPicture.info || url,fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html
27629 || MALWARE-CNC Win.Backdoor.Aumlib variant outbound connection || url,fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html
27630 || MALWARE-CNC Win.Backdoor.Aumlib variant outbound connection || url,fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html
27631 || MALWARE-CNC Win.Backdoor.Aumlib variant outbound connection || url,fireeye.com/blog/technical/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html
27632 || BLACKLIST DNS request for known malware domain hidatabase.cn Worm.Silly ||
url,www.virustotal.com/en/file/0ddd3488b618b17437413a9d579aa111f0a2ba3022
62d0a9b0d2832718a93524/analysis/
27633 || MALWARE-CNC Worm.Silly variant outbound connection ||
url,www.virustotal.com/en/file/0ddd3488b618b17437413a9d579aa111f0a2ba3022
62d0a9b0d2832718a93524/analysis/
27648 || MALWARE-CNC Win.Trojan.SpyBanker.ZSL variant outbound connection
||
url,www.virustotal.com/en/file/709fa674b301e9123fc2c01e817da21cb29cdfb5a4
2634a793e27c9533d335b1/analysis/1375811416/
27649 || MALWARE-CNC Brazilian Banking Trojan data theft
27680 || MALWARE-CNC Win.Trojan.ZeroAccess variant outbound connection
27707 || BLACKLIST DNS request for known malware domain www.wolfvr.com ||
url,www.virustotal.com/en/file/f53a483befed8d1494827a3f2444cfe638d3f7e595
d72b722eab92d1aca9ede3/analysis/1376847283/
27708 || MALWARE-CNC Win.Ransomware.Urausy outbound connection ||
url,www.virustotal.com/en/file/f53a483befed8d1494827a3f2444cfe638d3f7e595
d72b722eab92d1aca9ede3/analysis/1376847283/
27726 || MALWARE-CNC Orbit Downloader denial of service update || url,www.welivesecurity.com/2013/08/21/orbital-decay-the-dark-side-of-a-popular-file-downloading-tool
27727 || MALWARE-CNC Orbit Downloader denial of service update || url,www.welivesecurity.com/2013/08/21/orbital-decay-the-dark-side-of-a-popular-file-downloading-tool
27728 || MALWARE-CNC Orbit Downloader denial of service update || url,www.welivesecurity.com/2013/08/21/orbital-decay-the-dark-side-of-a-popular-file-downloading-tool
27774 || MALWARE-CNC RDN Banker Data Exfiltration
27775 || MALWARE-CNC Win.Trojan.Fareit variant outbound connection
27801 || BLACKLIST DNS request for known malware domain sectempus.biz Win.Trojan.PRISM ||
url,www.virustotal.com/en/file/417cb84f48d20120b92530c489e9c3ee9a9deab53f
ddc0dc153f1034d3c52c58/analysis/1377785686/
27802 || MALWARE-CNC Win.Trojan.PRISM variant outbound connection ||
url,www.virustotal.com/en/file/417cb84f48d20120b92530c489e9c3ee9a9deab53f
ddc0dc153f1034d3c52c58/analysis/1377785686/

27803 || MALWARE-CNC Win.Trojan.PRISM variant outbound connection || url,www.virustotal.com/en/file/417cb84f48d20120b92530c489e9c3ee9a9deab53fddc0dc153f1034d3c52c58/analysis/1377785686/
27804 || MALWARE-CNC Win.Trojan.PRISM variant outbound connection ||
url,www.virustotal.com/en/file/417cb84f48d20120b92530c489e9c3ee9a9deab53f
ddc0dc153f1034d3c52c58/analysis/1377785686/
27805 || MALWARE-CNC Win.Trojan.Bisonha variant outbound connection || url,bl0g.cedricpernet.net/post/2013/08/29/APT-More-on-G20-Summit-Espionage-Operation || url,www.virustotal.com/en/file/f0d8834fb0e2d3c6e7c1fde7c6bcf9171e5deca119338e4fac21568e0bb70ab7/analysis/
27865 || EXPLOIT-KIT Blackholev2/Darkleech exploit kit landing page
request || cve,2012-1889 || cve,2012-4681
27866 || EXPLOIT-KIT Blackholev2/Darkleech exploit kit landing page
27899 || PROTOCOL-VOIP Possible SIP OPTIONS service information gathering attempt || url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html
27900 || PROTOCOL-VOIP Excessive number of SIP 4xx responses potential
user or password guessing attempt ||
url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html
27901 || PROTOCOL-VOIP Ghost call attack attempt ||
url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html
27902 || PROTOCOL-VOIP Possible SIP OPTIONS service information gathering attempt || url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html
27903 || PROTOCOL-VOIP Ghost call attack attempt ||
url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html
27904 || PROTOCOL-VOIP Excessive number of SIP 4xx responses potential
user or password guessing attempt ||
url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html
27907 || EXPLOIT-KIT Blackholev2/Cool exploit kit payload download
attempt
27913 || PUA-ADWARE Vittalia adware - get ads ||
url,www.virustotal.com/en/file/9cdb2b3095cfb94cf8f6204d0f073674dd808b0f74
2a16216c2f06cf3b5afd50/analysis/1378700802/
27914 || PUA-ADWARE Vittalia adware - post install ||
url,www.virustotal.com/en/file/9cdb2b3095cfb94cf8f6204d0f073674dd808b0f74
2a16216c2f06cf3b5afd50/analysis/1378700802/
27915 || PUA-ADWARE Vittalia adware outbound connection - pre install ||
url,www.virustotal.com/en/file/9cdb2b3095cfb94cf8f6204d0f073674dd808b0f74
2a16216c2f06cf3b5afd50/analysis/1378700802/
27916 || PUA-TOOLBARS Vittalia adware outbound connection - Eazel toolbar
install ||
url,www.virustotal.com/en/file/9cdb2b3095cfb94cf8f6204d0f073674dd808b0f74
2a16216c2f06cf3b5afd50/analysis/1378700802/
27917 || PUA-TOOLBARS Vittalia adware outbound connection - offers ||
url,www.virustotal.com/en/file/9cdb2b3095cfb94cf8f6204d0f073674dd808b0f74
2a16216c2f06cf3b5afd50/analysis/1378700802/
27918 || MALWARE-CNC Win.Trojan.Zeus variant outbound connection ||
url,www.virustotal.com/en/file/8825abfca1a6d843ce5670858886cb63bb1317ddbb
92f91ffd46cfdcaba9ac00/analysis/
27919 || MALWARE-CNC Win.Trojan.Zeus encrypted POST Data exfiltration ||
url,www.virustotal.com/en/file/8825abfca1a6d843ce5670858886cb63bb1317ddbb
92f91ffd46cfdcaba9ac00/analysis/

27964 || MALWARE-CNC Win.Trojan.Gh0st variant outbound connection || url,virustotal.com/en/file/a4fd37b8b9eabd0bfda7293acbb1b6c9f97f8cc3042f3f78ad2b11816e1f9a59/analysis/1425053730/
27965 || MALWARE-CNC Win.Trojan.Eupuds variant connection ||
url,www.virustotal.com/en/file/09f4611c05dcff55d4471b90d41b0fd3e6d3289f71
321301751008dab75ded4d/analysis/
27966 || MALWARE-CNC Win.Backdoor.Chopper web shell connection || url,informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html || url,www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html || url,www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html || url,www.virustotal.com/en/file/BE24561427D754C0C150272CAB5017D5A2DA64D41BEC74416B8AE363FB07FD77/analysis/
27967 || MALWARE-CNC Win.Backdoor.Chopper web shell connection || url,informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html || url,www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html || url,www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html || url,www.virustotal.com/en/file/BE24561427D754C0C150272CAB5017D5A2DA64D41BEC74416B8AE363FB07FD77/analysis/
27968 || MALWARE-CNC Win.Backdoor.Chopper web shell connection || url,informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html || url,www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html || url,www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html || url,www.virustotal.com/en/file/BE24561427D754C0C150272CAB5017D5A2DA64D41BEC74416B8AE363FB07FD77/analysis/
28005 || MALWARE-CNC Win.Trojan.Kuluoz outbound command ||
url,www.virustotal.com/en/file/2d134b69c41fadc5d3a28c90e452323f1c54dd1aa2
0ac5f5e897feac8d86755a/analysis/
28006 || MALWARE-OTHER Win.Trojan.Kuluoz outbound download request ||
url,malwaremustdie.blogspot.com/2013/09/302-redirector-new-cushion-attempt-to.html
28007 || MALWARE-CNC BLYPT installer startupkey outbound traffic ||
url,blog.trendmicro.com/trendlabs-security-intelligence/blypt-a-new-backdoor-family-installed-via-java-exploit
28008 || MALWARE-CNC BLYPT installer reuse outbound traffic ||
url,blog.trendmicro.com/trendlabs-security-intelligence/blypt-a-new-backdoor-family-installed-via-java-exploit
28009 || MALWARE-CNC BLYPT installer configkey outbound traffic ||
url,blog.trendmicro.com/trendlabs-security-intelligence/blypt-a-new-backdoor-family-installed-via-java-exploit
28010 || MALWARE-CNC BLYPT installer tserror outbound traffic ||
url,blog.trendmicro.com/trendlabs-security-intelligence/blypt-a-new-backdoor-family-installed-via-java-exploit
28011 || MALWARE-CNC BLYPT installer createproc outbound traffic ||
url,blog.trendmicro.com/trendlabs-security-intelligence/blypt-a-new-backdoor-family-installed-via-java-exploit

28012 || MALWARE-CNC Win.Trojan.Bancos variant outbound connection ||


url,www.virustotal.com/en/file/d8870137f7f761055a2ac83b03eb3f8fe26015fa0b
a99f41551ca59374c6a3ec/analysis/1365436849/
28026 || EXPLOIT-KIT Blackholev2 exploit kit landing page
28028 || EXPLOIT-KIT Blackholev2/Cool exploit kit exploit download
attempt
28033 || MALWARE-CNC Win.Ransomware.Urausy variant outbound connection ||
url,www.virustotal.com/en/file/e74e0b2f3efbe8edadeaeef501fe268e2ff7c8a8bc
8550de7924f77f2a612941/analysis/1378636986/
28034 || BLACKLIST DNS request for known malware domain
heftyzonealarm.info - Win.Ransomware.Urausy ||
url,www.virustotal.com/en/file/e74e0b2f3efbe8edadeaeef501fe268e2ff7c8a8bc
8550de7924f77f2a612941/analysis/1378636986/
28035 || BLACKLIST DNS request for known malware domain
blackicemaccom.biz - Win.Ransomware.Urausy ||
url,www.virustotal.com/en/file/e74e0b2f3efbe8edadeaeef501fe268e2ff7c8a8bc
8550de7924f77f2a612941/analysis/1378636986/
28036 || BLACKLIST DNS request for known malware domain lealemon.xxuz.com
- Win.Ransomware.Urausy ||
url,www.virustotal.com/en/file/e74e0b2f3efbe8edadeaeef501fe268e2ff7c8a8bc
8550de7924f77f2a612941/analysis/1378636986/
28042 || MALWARE-CNC Win.Trojan.Caphaw variant outbound connection ||
url,research.zscaler.com/2013/09/a-new-wave-of-win32caphaw-attacks.html
28044 || MALWARE-CNC Win.Trojan.CryptoLocker variant connection ||
url,www.virustotal.com/en/file/d4b16269c9849c33a7bb2fdc782173a00e99db12a5
85689618dde3f4c6fcb101/analysis
28079 || MALWARE-CNC Win.Trojan.Napolar variant outbound connection ||
url,www.virustotal.com/en/file/463d39dcbf19b5c4c9e314e5ce77bf8a51848b8c7d
64e4f0a6656b9d28941e2e/analysis/
28080 || MALWARE-CNC Win.Trojan.Napolar data theft ||
url,www.virustotal.com/en/file/12781be5908ecc3dbf4a459e4cbc7bedb654b50236
f7a961e85f3af5e2275ddf/analysis/
28105 || MALWARE-CNC Win.Trojan.Banload variant outbound connection ||
url,www.nyxbone.com/malware/banload.html
28106 || MALWARE-CNC Win.Trojan.Banload information upload ||
url,www.nyxbone.com/malware/banload.html
28107 || MALWARE-CNC Win.Trojan.Banload download ||
url,www.nyxbone.com/malware/banload.html
28114 || MALWARE-CNC Win.Trojan.Fareit variant outbound connection /default.htm GET Encrypted Payload ||
url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb
22be776bac6930b00fae49/analysis/
28115 || MALWARE-CNC Win.Trojan.Fareit variant outbound connection /file.htm GET Encrypted Payload ||
url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb
22be776bac6930b00fae49/analysis/
28116 || MALWARE-CNC Win.Trojan.Fareit variant outbound connection /home.htm GET Encrypted Payload ||
url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb
22be776bac6930b00fae49/analysis/
28117 || MALWARE-CNC Win.Trojan.Fareit variant outbound connection /install.htm GET Encrypted Payload ||
url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb
22be776bac6930b00fae49/analysis/

28118 || MALWARE-CNC Win.Trojan.Fareit variant outbound connection /login.htm GET Encrypted Payload ||
url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb
22be776bac6930b00fae49/analysis/
28119 || MALWARE-CNC Win.Trojan.Fareit variant outbound connection /search.htm GET Encrypted Payload ||
url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb
22be776bac6930b00fae49/analysis/
28120 || MALWARE-CNC Win.Trojan.Fareit variant outbound connection /start.htm GET Encrypted Payload ||
url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb
22be776bac6930b00fae49/analysis/
28121 || MALWARE-CNC Win.Trojan.Fareit variant outbound connection /welcome.htm GET Encrypted Payload ||
url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb
22be776bac6930b00fae49/analysis/
28122 || MALWARE-CNC Win.Trojan.Fareit variant outbound connection /index.htm GET Encrypted Payload ||
url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb
22be776bac6930b00fae49/analysis/
28123 || MALWARE-CNC Win.Trojan.Fareit variant outbound connection /setup.htm GET Encrypted Payload ||
url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb
22be776bac6930b00fae49/analysis/
28147 || MALWARE-CNC Win.Trojan.Conficker variant connection ||
url,www.virustotal.com/en/file/57212e057db0d45d94d08cd47dec85f0d85a20a7f4
d3824559c81a50999cc2a5/analysis/
28148 || MALWARE-CNC Win.Trojan.Mevade variant outbound connection ||
url,www.virustotal.com/en/file/526fe8eee74dc51a23e458115179dcda4027277b69
6b6a06889ed52751b39f54/analysis/
28152 || BLACKLIST DNS request for known malware domain
kievandmoskaustt.in ||
url,www.virustotal.com/en/file/5a9cd53f13825e17107d6b9f81ebe4013f3abf2342
9d9735c7258d43c101b71f/analysis/
28153 || MALWARE-CNC Win.Trojan.Foreign variant outbound connection /html2/ ||
url,www.virustotal.com/en/file/5a9cd53f13825e17107d6b9f81ebe4013f3abf2342
9d9735c7258d43c101b71f/analysis/
28154 || MALWARE-CNC Win.Trojan.Foreign variant outbound connection MSIE 7.1 ||
url,www.virustotal.com/en/file/5a9cd53f13825e17107d6b9f81ebe4013f3abf2342
9d9735c7258d43c101b71f/analysis/
28155 || MALWARE-CNC Win.Trojan.Foreign variant outbound connection MSIE 7.2 ||
url,www.virustotal.com/en/file/5a9cd53f13825e17107d6b9f81ebe4013f3abf2342
9d9735c7258d43c101b71f/analysis/
28156 || PUA-ADWARE Linkury outbound time check ||
url,www.virustotal.com/en/file/a2c4e162624ddb169542e12e148a3be6bfe79a1fed
4adfb28ad1a308a0d1bade/analysis/1380219003/
28192 || MALWARE-CNC Win.Trojan.Kuluoz Potential Phishing URL ||
url,urlquery.net/report.php?id=5117077 ||
url,www.soleranetworks.com/blogs/kuluoz-spam-uses-a-lot-of-stolen-webservers/

28193 || BLACKLIST DNS request for known malware domain- Win.Vobfus worm
variant ||
url,www.virustotal.com/en/file/451318847bae50e855299a1878d9cbd74e7467bfff
8df396e886732254fc3ade/analysis/1380827494/
28215 || SERVER-WEBAPP vBulletin upgrade.php exploit attempt ||
url,www.net-security.org/secworld.php?id=15743
28233 || EXPLOIT-KIT Blackholev2/Cool exploit kit payload download
attempt
28242 || MALWARE-CNC Win.Trojan.KanKan variant connection ||
url,www.virustotal.com/en/file/db31bdf400dd0d28487a0d298bc383a4a291256613
0ea512b25639b3f95e94c4/analysis/
28255 || MALWARE-CNC Win.Trojan.Kuluoz Potential phishing URL ||
url,urlquery.net/search.php?q=get.php%3Finvite%3D&type=string&start=2013-10-01&end=2013-10-16&max=50 ||
url,www.virustotal.com/en/file/93a40a83977ca24df6e12d7d6f19a9b9d92cb3ea31
74ea9d4398ad2048205c42/analysis/
28285 || MALWARE-CNC Win.Trojan.hdog connectivity check-in version 2 ||
url,www.virustotal.com/en/file/ca1bc54e33064eb08163a17a56dcb1d0d811fc694c
05af1d9ea768ef992cb489/analysis/1381870348/ ||
url,www.virustotal.com/en/file/d4b16269c9849c33a7bb2fdc782173a00e99db12a5
85689618dde3f4c6fcb101/analysis/
28291 || EXPLOIT-KIT Blackholev2/Cool exploit kit exploit download
attempt
28293 || BLACKLIST DNS request www.xiaopijia.com - Backdoor.Yaddos ||
url,www.virustotal.com/en/file/08e49d4b699ac39193ae6bb952d8ef8a79e9958916
683db4a8fa0e9c6ee512d7/analysis/
28294 || BLACKLIST DNS request www.akwm139.com - Backdoor.Yaddos ||
url,www.virustotal.com/en/file/08e49d4b699ac39193ae6bb952d8ef8a79e9958916
683db4a8fa0e9c6ee512d7/analysis/
28295 || BLACKLIST DNS request www.1860tour.com - Backdoor.Yaddos ||
url,www.virustotal.com/en/file/08e49d4b699ac39193ae6bb952d8ef8a79e9958916
683db4a8fa0e9c6ee512d7/analysis/
28296 || BLACKLIST DNS request ghjgf.info - Backdoor.Yaddos ||
url,www.virustotal.com/en/file/08e49d4b699ac39193ae6bb952d8ef8a79e9958916
683db4a8fa0e9c6ee512d7/analysis/
28297 || BLACKLIST DNS request for known malware domain handjobheats.com
- Win.Trojan.Injector ||
url,www.virustotal.com/en/file/4BAF26D033E17F0171AB27291649EEAE19EE33BD02
46F17BC921E3ADB7F36F42/analysis/
28300 || MALWARE-CNC Win.Trojan.Agent variant connection ||
url,www.virustotal.com/en/file/e21a7333f5e6fe6de87b0b4ef928202724680d46ee
3524983ec6962b4061813c/analysis/1381409595/
28323 || MALWARE-CNC Win.Backdoor.Chopper web shell connection ||
url,informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html || url,www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html ||
url,www.fireeye.com/blog/technical/botnet-activities-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html
||
url,www.virustotal.com/en/file/BE24561427D754C0C150272CAB5017D5A2DA64D41B
EC74416B8AE363FB07FD77/analysis/
28324 || PUA-ADWARE FakeAV runtime detection

28344 || INDICATOR-OBFUSCATION large number of calls to chr function possible sql injection obfuscation || url,isc.sans.org/diary.html?
storyid=3823
28345 || INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in
IFRAMEr Tool attack
28346 || INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr
Tool attack
28404 || BLACKLIST DNS request for known malware domain goobzo.com - Kazy
Trojan ||
url,www.virustotal.com/en/file/a064a1d3d8b9d8ab649686b7fb01e0631e56941238
8084f5c391722c98660763/analysis/
28405 || MALWARE-CNC Win.Trojan.Kazy variant outbound connection ||
url,www.virustotal.com/en/file/a064a1d3d8b9d8ab649686b7fb01e0631e56941238
8084f5c391722c98660763/analysis/
28406 || MALWARE-CNC Win.Trojan.Kazy variant outbound connection ||
url,www.virustotal.com/en/file/a064a1d3d8b9d8ab649686b7fb01e0631e56941238
8084f5c391722c98660763/analysis/
28420 || INDICATOR-OBFUSCATION Javascript obfuscation - createElement seen in IFRAMEr Tool attack
28421 || INDICATOR-OBFUSCATION Javascript obfuscation - fromCharCode seen in IFRAMEr Tool attack
28428 || EXPLOIT-KIT Glazunov exploit kit landing page || cve,2013-2471
|| url,nakedsecurity.sophos.com/2013/07/02/the-four-seasons-of-glazunov-digging-further-into-sibhost-and-flimkit/
28429 || EXPLOIT-KIT Glazunov exploit kit outbound jnlp download attempt
|| cve,2013-2471 || url,nakedsecurity.sophos.com/2013/07/02/the-four-seasons-of-glazunov-digging-further-into-sibhost-and-flimkit/
28430 || EXPLOIT-KIT Glazunov exploit kit zip file download || cve,2013-2471 || url,nakedsecurity.sophos.com/2013/07/02/the-four-seasons-of-glazunov-digging-further-into-sibhost-and-flimkit/
28445 || BLACKLIST DNS request for known malware domain
mssql.maurosouza9899.kinghost.net - Win.Symmi Trojan ||
url,www.virustotal.com/en/file/47c71ff0eb61b371e967b93b6909bb05f2aab973e3
214ea2d5ed246884dd045e/analysis/
28446 || MALWARE-CNC Win.Trojan.Symmi variant SQL check-in ||
url,www.virustotal.com/en/file/47c71ff0eb61b371e967b93b6909bb05f2aab973e3
214ea2d5ed246884dd045e/analysis/
28450 || EXPLOIT-KIT Sakura exploit kit exploit payload retrieve attempt
28493 || MALWARE-CNC DeputyDog diskless method outbound connection ||
cve,2013-3918 || url,technet.microsoft.com/en-us/security/bulletin/MS13-090
28538 || MALWARE-CNC Win.Trojan.Asprox/Kuluoz variant connection ||
url,stopmalvertising.com/malware-reports/analysis-of-asprox-and-its-new-encryption-scheme.html ||
url,www.virustotal.com/en/file/929b62b673db55f443a36fa2de184a2be03788bbe7
14fc586b82a19444727a54/analysis/
28539 || BLACKLIST DNS request for known malware domain lovesyr.sytes.net
- Win.Worm Dunhihi ||
url,www.virustotal.com/en/file/c3c4abd4ccf24da96abc0b4045219a89c86662bad9
201913c5317f6e3e7841d9/analysis/
28540 || BLACKLIST DNS request for known malware domain dkxszh.org ||
url,www.virustotal.com/en/file/0b216c2a7e2ac3284fac877054b135947823c91a71
2bb1c3e289168c973a6ce0/analysis/

28541 || MALWARE-CNC Win.Trojan.ZeroAccess Download Headers ||


url,www.virustotal.com/en/analisis//file/eeaeb1506d805271b5147ce911df9c26
4d63e4d229de4464ef879a83fb225a40/analysis/
28542 || MALWARE-CNC Win.Trojan.Conficker variant outbound connection ||
url,www.sans.org/security-resources/malwarefaq/conficker-worm.php
28543 || MALWARE-CNC Win.Trojan.Conficker variant outbound connection ||
url,www.sans.org/security-resources/malwarefaq/conficker-worm.php
28552 || INDICATOR-SCAN inbound probing for IPTUX messenger port ||
url,github.com/iptux-src/iptux
28553 || MALWARE-CNC Win.Trojan.Fareit variant outbound connection /main.htm GET Encrypted Payload ||
url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb
22be776bac6930b00fae49/analysis/
28554 || MALWARE-CNC Win.Trojan.Fareit variant outbound connection /online.htm GET Encrypted Payload ||
url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb
22be776bac6930b00fae49/analysis/
28555 || MALWARE-OTHER SQL Slammer worm propagation attempt inbound ||
bugtraq,5310 || bugtraq,5311 || cve,2002-0649
28556 || PROTOCOL-DNS DNS query amplification attempt || url,www.us-cert.gov/ncas/alerts/TA13-088A
28557 || PROTOCOL-DNS Malformed DNS query with HTTP content ||
url,www.ietf.org/rfc/rfc2616.txt
28800 || MALWARE-CNC Win.Trojan.Zeus outbound connection ||
url,www.virustotal.com/en/file/d4b16269c9849c33a7bb2fdc782173a00e99db12a5
85689618dde3f4c6fcb101/analysis/
28802 || MALWARE-CNC Win.Trojan.Bancos outbound connection ||
url,www.virustotal.com/en/file/26c60976776d212aefc9863efde914059dd2847291
084c158ce51655fc1e48d0/analysis/1382620137/
28803 || MALWARE-CNC Win.Trojan.Injector inbound connection ||
url,www.virustotal.com/en/file/253b2cb7f6eacaaaca5053f73445defce5df2cd4a5
564ebc0721e0323a6c3557/analysis/1383139183/
28804 || MALWARE-CNC Win.Trojan.Injector outbound connection ||
url,www.virustotal.com/en/file/253b2cb7f6eacaaaca5053f73445defce5df2cd4a5
564ebc0721e0323a6c3557/analysis/1383139183/
28805 || MALWARE-CNC Win.Trojan.Palevo outbound connection ||
url,palevotracker.abuse.ch/?ipaddress=209.222.14.3 ||
url,palevotracker.abuse.ch/?ipaddress=31.170.179.179
28806 || INDICATOR-COMPROMISE potential malware download - single
digit .exe file download || url,urlquery.net/search.php?q=%5C%2F%5Ba-zA-Z
%5D%5C.%5BEe%5D%5BXx%5D%5BEe%5D%24&type=regexp&start=2013-09-07&end=2013-12-06&max=400
28807 || MALWARE-CNC Win.Trojan.Injector variant outbound communication
|| url,urlquery.net/search.php?q=%5C%2Fload%5C.exe
%24&type=regexp&start=2013-08-24&end=2013-11-22&max=400 ||
url,www.virustotal.com/en/file/032572ea1f34a060ecac98a8e2899dc0f2a41dff19
9e879050481ddd3818b4d0/analysis/
28809 || MALWARE-CNC Win.Trojan.Dofoil inbound connection attempt ||
url,www.virustotal.com/en/file/2325492f457a8b7d3df48a570210f65f3a094fe892
5278451713768d938bec86/analysis/
28810 || MALWARE-CNC Win.Trojan.Zeus variant outbound connection - MSIE7
No Referer No Cookie || url,en.wikipedia.org/wiki/Zeus_(Trojan_horse)
28814 || MALWARE-CNC Win.Trojan.Gozi/Neverquest variant outbound
connection ||

url,www.virustotal.com/en/file/b78c5c53d3b54acbca2b344a779528f0408258b6ac
12899c860d99bf563e883a/analysis/
28815 || MALWARE-CNC Win.Trojan.Gozi/Neverquest variant outbound
connection ||
url,www.virustotal.com/en/file/b78c5c53d3b54acbca2b344a779528f0408258b6ac
12899c860d99bf563e883a/analysis/
28852 || BLACKLIST User-Agent known malicious user-agent string Zollard
||
url,www.virustotal.com/en/file/d757aa51974806e5402fb8a5c930518bf9ba0b2fd6
2f74e0f4c33d85bce08ada/analysis/
28859 || BLACKLIST User-Agent known malicious user-agent z00sAgent - Win.Trojan.Zbot ||
url,www.virustotal.com/en/file/0220b1071c8a0093e673d836ae436cb468b8cd1bd5
873dad08351309e13af9e5/analysis/1383673331/
28913 || MALWARE-BACKDOOR Zollard variant outbound connection attempt ||
url,www.deependresearch.org/2013/12/hey-zollard-leave-my-internet-of-things.html
28918 || MALWARE-CNC Win.Trojan.Symmi variant network connectivity check
||
url,www.virustotal.com/en/file/47c71ff0eb61b371e967b93b6909bb05f2aab973e3
214ea2d5ed246884dd045e/analysis/
28919 || MALWARE-CNC Win.Trojan.Symmi variant network connectivity check
||
url,www.virustotal.com/en/file/084455c1de5d9440eb95edd2e6868aab1ce3dd674c
2e3ba481254edc65b30b89/analysis/
28930 || MALWARE-CNC Win.Trojan.Fakeav variant outbound data connection
28938 || BLACKLIST DNS request for known malware domain
appropriations.co.cc
28939 || BLACKLIST DNS request for known malware domain
havingbeothers.co.cc
28940 || MALWARE-CNC Win.Trojan.Rovnix malicious download ||
url,isc.sans.edu/forums/diary/Suspected+Active+Rovnix+Botnet+Controller/1
7180 || url,www.welivesecurity.com/2012/02/22/rovnix-reloaded-new-step-of-evolution/
28945 || INDICATOR-COMPROMISE exe.exe download ||
url,urlquery.net/search.php?q=%5C%2F%5BEe%5D%5BXx%5D%5BEe%5D%5C.%5BEe%5D
%5BXx%5D%5BEe%5D%24&type=regexp&start=2013-11-21&end=2013-12-06&max=400
28950 || BLACKLIST DNS reverse lookup response to malicious domain
.dataclub.biz - Win.Trojan.Bunitu.G
28951 || BLACKLIST DNS reverse lookup response to malicious domain
hosted-by.leaseweb.com - Win.Trojan.Bunitu.G
28952 || BLACKLIST DNS request to suspicious domain ns0.pollosm.me.uk - Win.Trojan.Bunitu.G
28953 || BLACKLIST DNS request to suspicious domain ns1.pollosm.me.uk - Win.Trojan.Bunitu.G
28959 || BLACKLIST DNS request for known malware domain fenhelua.com ||
url,www.sophos.com/ja-jp/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-AFDE/detailed-analysis.aspx
28960 || MALWARE-CNC Win.Trojan.Alurewo outbound connection ||
url,www.sophos.com/ja-jp/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-AFDE/detailed-analysis.aspx ||
url,www.virustotal.com/en/file/9171bd76d3fa26a78225cb7c9d5112635fa84e8bdf
3388577f22da9178871161/analysis/

28976 || MALWARE-CNC Win.Trojan.Agent.DF - Data Exfiltration ||


url,www.virustotal.com/en/file/b9587fc86f1459ccf7b096b6bf68b4fcc165946a86
f3ed9ce84c61907aa99dae/analysis/1386599712/
28977 || MALWARE-CNC Win.Trojan.Agent.DF - User-Agent Missing Bracket ||
url,www.virustotal.com/en/file/b9587fc86f1459ccf7b096b6bf68b4fcc165946a86
f3ed9ce84c61907aa99dae/analysis/1386599712/
28980 || BLACKLIST DNS request for known malware domain teamimmsky.de ||
url,www.virustotal.com/en/file/5b1d04b7504a3ac1befe4408fd4f9cd877b92661db
47a75f197924cb660551d3/analysis/1387178129/
28981 || BLACKLIST DNS request for known malware domain wifi-usbx.me ||
url,www.virustotal.com/en/file/902760be507dbaa5e6b26e1183d10710617b534416
01624e4f36d079f71b2a0a/analysis/1387181593/
28982 || MALWARE-CNC Win.Worm.Steckt IRCbot requesting URL through IRC ||
url,www.virustotal.com/en/file/411e93206a7750c8df25730349bf9756ddba52c1bc
780eaac4bba2b3872bc037/analysis/
28983 || MALWARE-CNC Win.Trojan.Steckt IRCbot executable download ||
url,www.virustotal.com/en/file/411e93206a7750c8df25730349bf9756ddba52c1bc
780eaac4bba2b3872bc037/analysis/
28984 || MALWARE-CNC Win.Worm.Steckt IRCbot executable download ||
url,www.virustotal.com/en/file/411e93206a7750c8df25730349bf9756ddba52c1bc
780eaac4bba2b3872bc037/analysis/
28985 || MALWARE-CNC Win.Worm.Steckt IRCbot executable download ||
url,www.virustotal.com/en/file/411e93206a7750c8df25730349bf9756ddba52c1bc
780eaac4bba2b3872bc037/analysis/
28986 || MALWARE-CNC Win.Worm.Neeris IRCbot variant outbound connection
||
url,www.virustotal.com/en/file/0a8f320fc7535f164bbd9d0e462fd459c55ff448cf
5e84dc2115f2f4aa800e6b/analysis/1387176826/
28987 || MALWARE-CNC Win.Worm.Steckt IRCbot variant outbound connection
||
url,www.virustotal.com/en/file/480eb4aa76a55ad7b0db128138113615ca834f9e6c
62f798f54c8ac0759657fe/analysis/1387177714/ ||
url,www.virustotal.com/en/file/5b1d04b7504a3ac1befe4408fd4f9cd877b92661db
47a75f197924cb660551d3/analysis/1387178129/
28988 || MALWARE-CNC Win.Worm.Steckt IRCbot variant outbound connection
||
url,www.virustotal.com/en/file/480eb4aa76a55ad7b0db128138113615ca834f9e6c
62f798f54c8ac0759657fe/analysis/1387177714/ ||
url,www.virustotal.com/en/file/5b1d04b7504a3ac1befe4408fd4f9cd877b92661db
47a75f197924cb660551d3/analysis/1387178129/
29030 || BLACKLIST DNS request for known malware domain
lucas.digitaldesk.biz - Win.Banload ||
url,www.virustotal.com/en/file/30032d2b7fd928392837eeb814cf1e2add0d80b0e1
7b8dbfec2e2c3be9164cf6/analysis/
29031 || MALWARE-CNC Win.Trojan.Banload variant inbound communication
attempt ||
url,www.virustotal.com/en/file/30032d2b7fd928392837eeb814cf1e2add0d80b0e1
7b8dbfec2e2c3be9164cf6/analysis/
29126 || BLACKLIST DNS request for known malware domain jiang-zem.in - Win.Trojan.Zeus
29127 || MALWARE-CNC Win.Trojan.Zeus variant outbound connection
29167 || EXPLOIT-KIT CritX exploit kit payload download attempt

29174 || BLACKLIST User-Agent known malicious user-agent string fortis ||


url,www.virustotal.com/en/file/92614908e7842e0dfa72ecfee868b06017b5cc445f
201874776583f754b137a3/analysis/
29216 || MALWARE-CNC Win.Trojan.Androm variant outbound connection ||
url,www.virustotal.com/en/file/0baf3197bdb2c665fea0a84db91d3f65171cf6cf9a
732fd394ff9f707ddaf682/analysis/
29217 || BLACKLIST DNS request for known malware domain
722forbidden1.sytes.net - Win.Trojan.MSIL variant outbound connection ||
url,file-analyzer.net/analysis/1076/5370/0/html ||
url,www.virustotal.com/en/file/e2aa97c947cdf38e76749e863f73e31c94da76d84b
a8b3a8a4342c253b2b934b/analysis/
29220 || MALWARE-CNC Win.Trojan.Strictor variant outbound connection ||
url,www.virustotal.com/en/file/0fe413704c85751b060546ebfd428d57726d8fd002
ca95ec8deb76f5f37ed9c4/analysis/1389125202/
29259 || MALWARE-CNC Win.Trojan.Graftor variant outbound connection ||
url,www.virustotal.com/en/file/a46c3fee842f1ded35b6a4e003c0e6ea62ee66d354
d4b826b4c3e5aa9310b3ba/analysis/
29260 || MALWARE-CNC Win.Trojan.Graftor variant outbound connection ||
url,www.virustotal.com/en/file/a46c3fee842f1ded35b6a4e003c0e6ea62ee66d354
d4b826b4c3e5aa9310b3ba/analysis/
29261 || MALWARE-CNC Win.Trojan.Dropper variant outbound connection ||
url,file-analyzer.net/analysis/1087/5386/0/html ||
url,www.virustotal.com/en/file/913cc54750e8bb6b88d5ccbfc988e0107f80ad14ba
4d052a3f3db11ccfd8ce4a/analysis/
29262 || BLACKLIST DNS request for known malware domain bog5151.zapto.org
- Win.Trojan.Dunihi ||
url,www.virustotal.com/en/file/fc274838271cc9e28d8c3c9c925f38c07da14c13f3
df56f41450f514904ae876/analysis/
29263 || BLACKLIST DNS request for known malware domain kara.no-ip.info - Win.Trojan.Dunihi ||
url,www.virustotal.com/en/file/e3cbce74e7fa73b931283b0187f237d0acb4ea3e1f
5ce2be4af83493a6bef460/analysis/
29300 || MALWARE-CNC Win.Trojan.Graftor variant inbound connection ||
url,www.virustotal.com/en/file/b20fcfe7d851dfe1f835e60072e53b0a3c54e14d0f
c94814ce841be4740f295c/analysis
29349 || MALWARE-CNC Win.Trojan.Zusy variant outbound connection ||
url,www.virustotal.com/en/file/6fdd7c0630ea89a58cdc1f3fb74bf5a99732bd5649
a39411868bf71e90cfdc84/analysis/1389362066/
29378 || MALWARE-CNC Win.Trojan.Dropper inbound encrypted traffic ||
url,www.virustotal.com/en/file/20b49af8b750a1899117827476402ccaf7095fb5b7
aad2e96c8109290da453cb/analysis/ ||
url,www.virustotal.com/en/file/559e8dbe388c8c103996b208eb5532e295da717f84
b4a7ddf5c9885de8115606/analysis/
29379 || MALWARE-CNC Win.Trojan.Dropper outbound encrypted traffic potential exfiltration ||
url,www.virustotal.com/en/file/20b49af8b750a1899117827476402ccaf7095fb5b7
aad2e96c8109290da453cb/analysis/ ||
url,www.virustotal.com/en/file/559e8dbe388c8c103996b208eb5532e295da717f84
b4a7ddf5c9885de8115606/analysis/
29380 || MALWARE-CNC Win.Trojan.Dropper outbound encrypted traffic ||
url,www.virustotal.com/en/file/20b49af8b750a1899117827476402ccaf7095fb5b7
aad2e96c8109290da453cb/analysis/ ||
url,www.virustotal.com/en/file/559e8dbe388c8c103996b208eb5532e295da717f84
b4a7ddf5c9885de8115606/analysis/

29395 || MALWARE-CNC Win.Trojan.Zeus variant outbound connection ||


url,www.virustotal.com/en/file/ef4e0ccc49decb41f213a20f61d92374c3b9749710
5d7c20e7284f65055d2ccb/analysis/
29396 || POLICY-SPAM Potential phishing attack - .zip receipt filename
download with .exe name within .zip the same
29397 || POLICY-SPAM Potential phishing attack - .zip shipping filename
download with .exe name within .zip the same
29398 || POLICY-SPAM Potential phishing attack - .zip voicemail filename
download with .exe name within .zip the same
29399 || POLICY-SPAM Potential phishing attack - .zip statement filename
download with .exe name within .zip the same
29454 || PROTOCOL-ICMP Unusual L3retriever Ping detected ||
url,krebsonsecurity.com/2014/01/a-closer-look-at-the-target-malware-part-ii/ || url,krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/
29455 || PROTOCOL-ICMP Unusual Microsoft Windows Ping detected ||
url,krebsonsecurity.com/2014/01/a-closer-look-at-the-target-malware-part-ii/ || url,krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/
29456 || PROTOCOL-ICMP Unusual PING detected ||
url,krebsonsecurity.com/2014/01/a-closer-look-at-the-target-malware-part-ii/ || url,krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/
29457 || PROTOCOL-ICMP Unusual Microsoft Windows 7 Ping detected ||
url,krebsonsecurity.com/2014/01/a-closer-look-at-the-target-malware-part-ii/ || url,krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/
29459 || MALWARE-CNC Win.Trojan.Fexel variant outbound connection ||
url,www.virustotal.com/en/file/b33ffbec01b43301edd9db42a59dcd33dd45f63873
3e2f92f0cb5bfe86714734/analysis/
29567 || BLACKLIST DNS request for known malware domain antiq.scifi.ro - Linux.Backdoor.Shellbot ||
url,www.virustotal.com/en/file/8eb6c4a844cbfe98db78aef08a634c460c7c9f7d57
6b62444114306effb4023d/analysis/1390763713/ ||
url,www.virustotal.com/en/file/daffe8b88d7fd99e5a5000b697aeca46aa7c305a64
08d952018b9d1f5f5c6fdb/analysis/1390763695/
29568 || BLACKLIST DNS request for known malware domain funny.evils.in - Linux.Backdoor.Shellbot ||
url,www.virustotal.com/en/file/8eb6c4a844cbfe98db78aef08a634c460c7c9f7d57
6b62444114306effb4023d/analysis/1390763713/ ||
url,www.virustotal.com/en/file/daffe8b88d7fd99e5a5000b697aeca46aa7c305a64
08d952018b9d1f5f5c6fdb/analysis/1390763695/
29569 || MALWARE-CNC Linux.Backdoor.Shellbot outbound connection ||
url,www.virustotal.com/en/file/8eb6c4a844cbfe98db78aef08a634c460c7c9f7d57
6b62444114306effb4023d/analysis/1390763713/
29664 || MALWARE-CNC Win.Trojan.DomaIQ variant outbound connection ||
url,file-analyzer.net/analysis/1546/6325/0/html#network ||
url,www.virustotal.com/en/file/59795540fc058979c6be02351507330fce8a8d3c6f
10cbcd4ee21ab0144b9a7f/analysis/1390421409/
29665 || MALWARE-CNC Win.Trojan.Graftor variant outbound connection ||
url,www.virustotal.com/en/file/9ce3d15cbb5bc8cd42570f44ab4eb8f6332c5d0f28
291d295883bf2923c01d4b/analysis/

29666 || MALWARE-CNC Win.Trojan.Linkup outbound connection ||


url,blog.emsisoft.com/2014/02/03/malware-analysis-ransomware-linkup-blocks-dns-and-mines-bitcoins/
29760 || BLACKLIST User-Agent known malicious user-agent string MSIE 4.01
- Win.Trojan.Careto ||
url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3
d9265f606076c7ee72e8f8/analysis/
29761 || BLACKLIST DNS request for known malware domain appleupdt.com - Win.Trojan.Careto ||
url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3
d9265f606076c7ee72e8f8/analysis/
29762 || BLACKLIST DNS request for known malware domain carrus.gotdns.com
- Win.Trojan.Careto ||
url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3
d9265f606076c7ee72e8f8/analysis/
29763 || BLACKLIST DNS request for known malware domain
cherry1962.dyndns.org - Win.Trojan.Careto ||
url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3
d9265f606076c7ee72e8f8/analysis/
29764 || BLACKLIST DNS request for known malware domain
ctronlinenews.dyndns.tv - Win.Trojan.Careto ||
url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3
d9265f606076c7ee72e8f8/analysis/
29765 || BLACKLIST DNS request for known malware domain dfup.selfip.org - Win.Trojan.Careto ||
url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3
d9265f606076c7ee72e8f8/analysis/
29766 || BLACKLIST DNS request for known malware domain fast8.homeftp.org
- Win.Trojan.Careto ||
url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3
d9265f606076c7ee72e8f8/analysis/
29767 || BLACKLIST DNS request for known malware domain gx5639.dyndns.tv
- Win.Trojan.Careto ||
url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3
d9265f606076c7ee72e8f8/analysis/
29768 || BLACKLIST DNS request for known malware domain
helpcenter1it6238.cz.cc - Win.Trojan.Careto ||
url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3
d9265f606076c7ee72e8f8/analysis/
29769 || BLACKLIST DNS request for known malware domain
helpcenter2br6932.cc - Win.Trojan.Careto ||
url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3
d9265f606076c7ee72e8f8/analysis/
29770 || BLACKLIST DNS request for known malware domain linkconf.net - Win.Trojan.Careto ||
url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3
d9265f606076c7ee72e8f8/analysis/
29771 || BLACKLIST DNS request for known malware domain
mango66.dyndns.org - Win.Trojan.Careto ||
url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3
d9265f606076c7ee72e8f8/analysis/
29772 || BLACKLIST DNS request for known malware domain msupdt.com - Win.Trojan.Careto ||

url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3
d9265f606076c7ee72e8f8/analysis/
29773 || BLACKLIST DNS request for known malware domain nav1002.ath.cx - Win.Trojan.Careto ||
url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3
d9265f606076c7ee72e8f8/analysis/
29774 || BLACKLIST DNS request for known malware domain
nthost.shacknet.nu - Win.Trojan.Careto ||
url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3
d9265f606076c7ee72e8f8/analysis/
29775 || BLACKLIST DNS request for known malware domain oco-231ms.xns01.com - Win.Trojan.Careto ||
url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3
d9265f606076c7ee72e8f8/analysis/
29776 || BLACKLIST DNS request for known malware domain
pininfarina.dynalias.com - Win.Trojan.Careto ||
url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3
d9265f606076c7ee72e8f8/analysis/
29777 || BLACKLIST DNS request for known malware domain pl400.dyndns.org
- Win.Trojan.Careto ||
url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3
d9265f606076c7ee72e8f8/analysis/
29778 || BLACKLIST DNS request for known malware domain
prosoccer1.dyndns.info - Win.Trojan.Careto ||
url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3
d9265f606076c7ee72e8f8/analysis/
29779 || BLACKLIST DNS request for known malware domain redirserver.net - Win.Trojan.Careto ||
url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3
d9265f606076c7ee72e8f8/analysis/
29780 || BLACKLIST DNS request for known malware domain ricush.ath.cx - Win.Trojan.Careto ||
url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3
d9265f606076c7ee72e8f8/analysis/
29781 || BLACKLIST DNS request for known malware domain
services.serveftp.org - Win.Trojan.Careto ||
url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3
d9265f606076c7ee72e8f8/analysis/
29782 || BLACKLIST DNS request for known malware domain sv.serveftp.org - Win.Trojan.Careto || url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/
29783 || BLACKLIST DNS request for known malware domain swupdt.com - Win.Trojan.Careto || url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/
29784 || BLACKLIST DNS request for known malware domain
takami.podzone.net - Win.Trojan.Careto ||
url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3
d9265f606076c7ee72e8f8/analysis/
29785 || BLACKLIST DNS request for known malware domain tunga.homedns.org
- Win.Trojan.Careto ||
url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3
d9265f606076c7ee72e8f8/analysis/

29786 || BLACKLIST DNS request for known malware domain wqq.dyndns.org - Win.Trojan.Careto || url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/
29787 || BLACKLIST DNS request for known malware domain wwnav.selfip.net
- Win.Trojan.Careto ||
url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3
d9265f606076c7ee72e8f8/analysis/
29788 || MALWARE-CNC Win.Trojan.Careto outbound connection ||
url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3
d9265f606076c7ee72e8f8/analysis/
29789 || MALWARE-CNC Win.Trojan.Careto plugin download ||
url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3
d9265f606076c7ee72e8f8/analysis/
29790 || MALWARE-CNC Win.Trojan.Careto plugin download ||
url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3
d9265f606076c7ee72e8f8/analysis/
29791 || MALWARE-CNC Win.Trojan.Careto plugin download ||
url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3
d9265f606076c7ee72e8f8/analysis/
29816 || MALWARE-CNC Win.Trojan.Jackpos outbound connection ||
url,www.virustotal.com/en/file/39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6
fab8e15cd4cf590f1abdf1/analysis
29817 || MALWARE-CNC Win.Trojan.Jackpos outbound connection ||
url,www.virustotal.com/en/file/39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6
fab8e15cd4cf590f1abdf1/analysis
29824 || BLACKLIST User-Agent known malicious user agent - TixDll Win.Trojan.Adload.dyhq ||
url,www.virustotal.com/en/file/f5fbdc74afc209f2648490e077a2fcddc402cbc57a
babbc2f735aaecde95681b/analysis/
29825 || BLACKLIST DNS request for known malware domain
commandcenteral.info - Win.Trojan.Adload.dyhq ||
url,www.virustotal.com/en/file/f5fbdc74afc209f2648490e077a2fcddc402cbc57a
babbc2f735aaecde95681b/analysis/
29826 || BLACKLIST DNS request for known malware domain
givemefilesnow.info - Win.Trojan.Adload.dyhq ||
url,www.virustotal.com/en/file/f5fbdc74afc209f2648490e077a2fcddc402cbc57a
babbc2f735aaecde95681b/analysis/
29827 || BLACKLIST DNS request for known malware domain stylefun.info - Win.Trojan.Adload.dyhq || url,www.virustotal.com/en/file/f5fbdc74afc209f2648490e077a2fcddc402cbc57ababbc2f735aaecde95681b/analysis/
29828 || MALWARE-CNC Win.Trojan.Adload.dyhq variant outbound connection
||
url,www.virustotal.com/en/file/f5fbdc74afc209f2648490e077a2fcddc402cbc57a
babbc2f735aaecde95681b/analysis/
29829 || SERVER-WEBAPP HNAP remote code execution attempt ||
url,isc.sans.edu/diary/Linksys+Worm+%22TheMoon%22+Summary
%3A+What+we+know+so+far/17633
29830 || SERVER-WEBAPP HNAP remote code execution attempt ||
url,isc.sans.edu/diary/Linksys+Worm+%28%22TheMoon%22%29+Captured/17630
29831 || SERVER-WEBAPP HNAP remote code execution attempt ||
url,isc.sans.edu/diary/Linksys+Worm+%28%22TheMoon%22%29+Captured/17630

29832 || BLACKLIST DNS request for known malware domain hattouma12.noip.biz - Win.Trojan.Dunihi ||
url,www.virustotal.com/en/file/960aee6e11a44bf18a5f224019bd40e35112a2f312
c220c9aaf0b30c9a5ba084/analysis/
29833 || BLACKLIST DNS request for known malware domain
sidisalim.myvnc.com - Win.Trojan.Dunihi ||
url,www.virustotal.com/en/file/b560a6719a23095cbaeabcff55e8a9dd8fde1fdf4c
428b6261731072eb5256d2/analysis/
29837 || BLACKLIST DNS request for known malware domain abdnjworm.noip.biz - Win.Trojan.Jenxcus ||
url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?
Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2
29838 || BLACKLIST DNS request for known malware domain
abocasse.zapto.org - Win.Trojan.Jenxcus ||
url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?
Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2
29839 || BLACKLIST DNS request for known malware domain ahmedghost.noip.info - Win.Trojan.Jenxcus ||
url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?
Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2
29840 || BLACKLIST DNS request for known malware domain b-trese.no-ip.biz
- Win.Trojan.Jenxcus ||
url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?
Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2
29841 || BLACKLIST DNS request for known malware domain boucraa.noip.org - Win.Trojan.Jenxcus ||
url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?
Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2
29842 || BLACKLIST DNS request for known malware domain dd.no-ip.bz - Win.Trojan.Jenxcus ||
url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?
Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2
29843 || BLACKLIST DNS request for known malware domain debili1.no-ip.biz
- Win.Trojan.Jenxcus ||
url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?
Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2
29844 || BLACKLIST DNS request for known malware domain fuck-all.noip.info - Win.Trojan.Jenxcus ||
url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?
Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2
29845 || BLACKLIST DNS request for known malware domain hackers1990.noip.org - Win.Trojan.Jenxcus ||
url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?
Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2
29846 || BLACKLIST DNS request for known malware domain heartbraker.noip.biz - Win.Trojan.Jenxcus ||
url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?
Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2
29847 || BLACKLIST DNS request for known malware domain jnyn-99.no-ip.org
- Win.Trojan.Jenxcus ||
url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?
Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2
29848 || BLACKLIST DNS request for known malware domain mda.no-ip.org - Win.Trojan.Jenxcus || url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2
29849 || BLACKLIST DNS request for known malware domain mmrick.zapto.org
- Win.Trojan.Jenxcus ||
url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?
Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2
29850 || BLACKLIST DNS request for known malware domain mntm.no-ip.biz - Win.Trojan.Jenxcus ||
url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?
Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2
29851 || BLACKLIST DNS request for known malware domain mootje01.noip.org - Win.Trojan.Jenxcus ||
url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?
Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2
29852 || BLACKLIST DNS request for known malware domain
mozaya46415.zapto.org - Win.Trojan.Jenxcus ||
url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?
Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2
29853 || BLACKLIST DNS request for known malware domain no99.zapto.org - Win.Trojan.Dunihi ||
url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?
Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2
29854 || BLACKLIST DNS request for known malware domain rouge166821.noip.biz - Win.Trojan.Jenxcus ||
url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?
Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2
29855 || BLACKLIST DNS request for known malware domain schoolpc.sytes.net - Win.Trojan.Dunihi ||
url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?
Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2
29856 || BLACKLIST DNS request for known malware domain vanonymous.noip.org - Win.Trojan.Jenxcus ||
url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?
Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2
29857 || BLACKLIST DNS request for known malware domain vichtorioisraeli.zapto.org - Win.Trojan.Jenxcus ||
url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?
Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2
29858 || BLACKLIST DNS request for known malware domain zkzak.np-ip.biz - Win.Trojan.Jenxcus ||
url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?
Name=Worm%3AVBS%2FDunihi.Areference:url,ThreatID=-2147285533#tab=2
29862 || MALWARE-CNC Win.Trojan.Pirminay variant outbound connection ||
url,www.virustotal.com/en/file/5e1a615ddf73b27390d7a3c87a28932761fc1c843e
01cd68253e873270bef69d/analysis/1392222514/
29863 || MALWARE-CNC Win.Trojan.Pirminay variant outbound connection ||
url,www.virustotal.com/en/file/5e1a615ddf73b27390d7a3c87a28932761fc1c843e
01cd68253e873270bef69d/analysis/1392222514/
29864 || EXPLOIT-KIT Redkit exploit kit payload request ||
url,www.invincea.com/2014/02/ekia-citadel-a-k-a-the-malware-the-popped-fazio-mechanical/
29865 || MALWARE-CNC Win.Trojan.Kuluoz outbound connection ||
url,www.virustotal.com/en/file/8b53c46a7dfbe738c558e653f33fccf2004fc29484
8eee20903daa556bb3af09/analysis/

29867 || BLACKLIST DNS request for known malware domain 0zz0.com - Win.Trojan.Napolar || url,www.virustotal.com/en/file/58762cf6aa8eea5744716986773a2c22ae7412eae634be7bed648c96465bc8ef/analysis/
29868 || BLACKLIST DNS request for known malware domain www.rekurigo.com
- Win.Trojan.Napolar ||
url,www.virustotal.com/en/file/58762cf6aa8eea5744716986773a2c22ae7412eae6
34be7bed648c96465bc8ef/analysis/
29869 || MALWARE-CNC Win.Trojan.Napolar phishing attack ||
url,www.virustotal.com/en/file/58762cf6aa8eea5744716986773a2c22ae7412eae6
34be7bed648c96465bc8ef/analysis/
29870 || MALWARE-CNC Win.Trojan.Pony HTTP response connection ||
url,file-analyzer.net/analysis/1830/6840/0/html ||
url,www.virustotal.com/en/file/58762cf6aa8eea5744716986773a2c22ae7412eae6
34be7bed648c96465bc8ef/analysis/
29875 || BLACKLIST DNS request for known malware domain
jwqakoy3wdktb0.com - Win.Trojan.CryptoLocker
29882 || MALWARE-CNC Win.Trojan.WEC variant outbound connection ||
url,www.virustotal.com/en/file/164c792247b2822ab1dce8271a9498d3c9172ff21d
36feccf83265ded1be8d0b/analysis/
29884 || MALWARE-CNC Win.Trojan.Zeus variant outbound connection
29887 || BLACKLIST User-Agent known malicious user-agent string Updates
downloader - Win.Trojan.Upatre ||
url,www.virustotal.com/en/file/F167C95A467F584890F39BA2162F1B96E7626F5C57
5EB151C8E4E00E68F97478/analysis/
29891 || MALWARE-CNC Win.Trojan.Pushdo variant outbound connection
29894 || BLACKLIST DNS request for known malware domain pibadfixwug.kz - Win.Trojan.Pushdo || url,www.virustotal.com/en/file/9f3064634a48216f69d23c0887a71e879115a8388617d016239cf825e84e798b/analysis
29895 || MALWARE-CNC Win.Trojan.Bancos variant outbound connection ||
url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e
800a3f3575ba34fe5f008c/analysis
29897 || MALWARE-CNC Win.Trojan.ExplorerHijack variant outbound
connection ||
url,www.virustotal.com/en/file/b6f44c7466338ea14d1e711491b1d8174ee71e0054
1759eb18a31f959da521a9/analysis/ ||
url,www.virustotal.com/en/file/de67654959d29ffc5b9ec854d1e9e240ec96090ce8
b3f9c3c9b337b7f2a54f8a/analysis/
29981 || MALWARE-CNC Win.Trojan.Tiny variant outbound connection ||
url,www.virustotal.com/en/file/d446e176ba2141d0e7ae0799335fdd98f94d5e6b41
c88083f4a3d3c04805a721/analysis/
30067 || BLACKLIST DNS request for known malware domain drags.su - Win.Trojan.Androm || url,www.virustotal.com/en/file/0baf3197bdb2c665fea0a84db91d3f65171cf6cf9a732fd394ff9f707ddaf682/analysis
30068 || MALWARE-CNC Win.Trojan.Androm variant outbound connection ||
url,www.virustotal.com/en/file/0baf3197bdb2c665fea0a84db91d3f65171cf6cf9a
732fd394ff9f707ddaf682/analysis
30069 || BLACKLIST DNS request for known malware domain smsgrabber.url.ph
- Android iBanking/Spy.49 || url,www.kernelmode.info/forum/viewtopic.php?
f=16&t=3166 ||
url,www.virustotal.com/en/file/38f6fccfc8a31306c0a03cad6908c148e8506fd70c
e03165fd89e18113b68e02/analysis/

30070 || MALWARE-OTHER ANDR.Trojan.iBanking outbound connection attempt || url,www.kernelmode.info/forum/viewtopic.php?f=16&t=3166 || url,www.virustotal.com/en/file/38f6fccfc8a31306c0a03cad6908c148e8506fd70ce03165fd89e18113b68e02/analysis/
30071 || MALWARE-OTHER ANDR.Trojan.iBanking outbound connection attempt
|| url,www.kernelmode.info/forum/viewtopic.php?f=16&t=3166 ||
url,www.virustotal.com/en/file/38f6fccfc8a31306c0a03cad6908c148e8506fd70c
e03165fd89e18113b68e02/analysis/
30072 || MALWARE-OTHER ANDR.Trojan.iBanking outbound connection attempt
|| url,www.kernelmode.info/forum/viewtopic.php?f=16&t=3166 ||
url,www.virustotal.com/en/file/38f6fccfc8a31306c0a03cad6908c148e8506fd70c
e03165fd89e18113b68e02/analysis/
30087 || MALWARE-CNC Win.Trojan.Gamut configuration download ||
url,www.virustotal.com/en/file/dcb60900fcfd4ec83930177b7055fbdbba37f8e217
409874be130f9c2e5b78fb/analysis/
30091 || MALWARE-CNC Win.Trojan.Necurs variant outbound connection ||
url,file-analyzer.net/analysis/2306/8066/0/html#network ||
url,www.virustotal.com/en/file/009f75196d1df18713d2572e3a797fb6a784a5c6c7
dd7d253ba408ed7164c313/analysis/1393271978/
30191 || MALWARE-CNC Win.Trojan.Uroburos usermode-centric client request
||
url,info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf
||
url,public.gdatasoftware.com/Web/Content/INT/Blog/2014/02_2014/documents/
GData_Uroburos_RedPaper_EN_v1.pdf ||
url,www.virustotal.com/en/file/50edc955a6e8e431f5ecebb5b1d3617d3606b8296f
838f0f986a929653d289ed/analysis/
30196 || MALWARE-CNC Win.Trojan.Androm variant outbound connection ||
url,www.virustotal.com/en/file/0fb9613582fd025b6fd14dcd003973c676db3798b7
33851a6b37ef6b0bc5f3be/analysis
30198 || MALWARE-CNC Win.Trojan.Symmi variant outbound connection ||
url,www.virustotal.com/en/file/d28a89d789d51b30730a43ef903bc0fbb58e7014e9
d55fbb2e42fd640fee1eac/analysis/
30234 || MALWARE-CNC Win.Trojan.Graftor variant outbound connection ||
url,www.virustotal.com/en/file/9ce3d15cbb5bc8cd42570f44ab4eb8f6332c5d0f28
291d295883bf2923c01d4b/analysis/
30255 || MALWARE-CNC Win.Trojan.Strictor HTTP Response - Brazil
Geolocated Infected User ||
url,www.virustotal.com/en/file/4b6a4211191c8115a3bce64897159127dabcef0fbf
6268007cb223dfa0870b60/analysis/
30256 || MALWARE-CNC Win.Trojan.Strictor HTTP Response - Non-Brazil
Geolocated Infected User ||
url,www.virustotal.com/en/file/4b6a4211191c8115a3bce64897159127dabcef0fbf
6268007cb223dfa0870b60/analysis/
30257 || MALWARE-CNC Win.Trojan.ExplorerHijack variant outbound
connection ||
url,www.virustotal.com/en/file/29c3af334ce712ff66985f3584ad0af53ab16c2968
ca41f06b900d703a27064e/analysis/1393266939/ ||
url,www.virustotal.com/en/file/5c2689920192836b3788a15f856ba311b54976a0a7
5016cbf0ae9a85d5a21d76/analysis/
30258 || MALWARE-CNC Win.Trojan.Zeus variant outbound connection ||
url,www.virustotal.com/en/file/52906104fa7cf93bbaba9ac9c6c5ffb8c72799e142
48045e467c6568926cb494/analysis/1386078525/ ||

url,www.virustotal.com/en/file/5a9cd53f13825e17107d6b9f81ebe4013f3abf2342
9d9735c7258d43c101b71f/analysis/
30259 || MALWARE-CNC Win.Trojan.Strictor variant outbound connection ||
url,www.virustotal.com/en/file/143756537dfb4964c04d874fd16366ef384bdb4f64
a739db019fa9b947b821a1/analysis/1395684118/
30260 || MALWARE-CNC Win.Trojan.Mudrop variant outbound connection ||
url,www.virustotal.com/en/file/43c6fb02baf800b3ab3d8f35167c37dced8ef32446
91e70499a7a9243068c016/analysis/1395425759/
30261 || MALWARE-CNC Win.Trojan.Mudrop variant outbound connection ||
url,www.virustotal.com/en/file/43c6fb02baf800b3ab3d8f35167c37dced8ef32446
91e70499a7a9243068c016/analysis/1395425759/
30262 || MALWARE-CNC Win.Trojan.Symmi variant outbound connection ||
url,www.virustotal.com/en/file/c70ca3914e44cf574f50019892916ed910d7454cdb
64b4eab403961c953fe44e/analysis/1395407305/
30288 || MALWARE-CNC Win.Trojan.Glupteba.M initial outbound connection ||
url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf
30336 || MALWARE-CNC Linux.Trojan.Calfbot outbound connection ||
url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf
30481 || BLACKLIST DNS request for known malware domain
titan2014.sytes.net - Win.Trojan.Zbot/Bublik ||
url,isc.sans.edu/forums/diary/Malicious+PDF+sent+in+massive+scam+to+Colom
bian+users+claiming+to+be+from+Credit+score+agency/17875 ||
url,www.virustotal.com/en/file/bbc1a8b0892785c75f0f44d9414e424ed03cefbf95
1ed20eaae50031670c8a96/analysis/
30482 || MALWARE-CNC Win.Trojan.Zbot/Bublik inbound connection attempt ||
url,isc.sans.edu/forums/diary/Malicious+PDF+sent+in+massive+scam+to+Colom
bian+users+claiming+to+be+from+Credit+score+agency/17875 ||
url,www.virustotal.com/en/file/bbc1a8b0892785c75f0f44d9414e424ed03cefbf95
1ed20eaae50031670c8a96/analysis/
30483 || MALWARE-CNC Win.Trojan.Zbot/Bublik outbound connection ||
url,isc.sans.edu/forums/diary/Malicious+PDF+sent+in+massive+scam+to+Colom
bian+users+claiming+to+be+from+Credit+score+agency/17875 ||
url,www.virustotal.com/en/file/bbc1a8b0892785c75f0f44d9414e424ed03cefbf95
1ed20eaae50031670c8a96/analysis/
30484 || MALWARE-CNC Win.Trojan.Zbot/Bublik outbound connection ||
url,isc.sans.edu/forums/diary/Malicious+PDF+sent+in+massive+scam+to+Colom
bian+users+claiming+to+be+from+Credit+score+agency/17875 ||
url,www.virustotal.com/en/file/bbc1a8b0892785c75f0f44d9414e424ed03cefbf95
1ed20eaae50031670c8a96/analysis/
30510 || SERVER-OTHER OpenSSL SSLv3 heartbeat read overrun attempt ||
cve,2014-0160
30511 || SERVER-OTHER OpenSSL TLSv1 heartbeat read overrun attempt ||
cve,2014-0160
30512 || SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt ||
cve,2014-0160
30513 || SERVER-OTHER OpenSSL TLSv1.2 heartbeat read overrun attempt ||
cve,2014-0160
30514 || SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible
ssl heartbleed attempt || cve,2014-0160
30515 || SERVER-OTHER OpenSSL TLSv1 large heartbeat response - possible
ssl heartbleed attempt || cve,2014-0160

30516 || SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt || cve,2014-0160
30517 || SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible
ssl heartbleed attempt || cve,2014-0160
30520 || SERVER-OTHER OpenSSL SSLv3 heartbeat read overrun attempt vulnerable client response || cve,2014-0160
30521 || SERVER-OTHER OpenSSL TLSv1 heartbeat read overrun attempt vulnerable client response || cve,2014-0160
30522 || SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt vulnerable client response || cve,2014-0160
30523 || SERVER-OTHER OpenSSL TLSv1.2 heartbeat read overrun attempt vulnerable client response || cve,2014-0160
30524 || SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt ||
cve,2014-0160
30525 || SERVER-OTHER OpenSSL TLSv1.2 heartbeat read overrun attempt ||
cve,2014-0160
30543 || BLACKLIST DNS request for known malware domain aaukqiooaseseuke.org - Win.Trojan.Ramdo || url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~RamdoK/detailed-analysis.aspx
30544 || BLACKLIST DNS request for known malware domain eimqqakugeccgwak.org - Win.Trojan.Ramdo || url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~RamdoK/detailed-analysis.aspx
30545 || BLACKLIST DNS request for known malware domain kucmcamaqsgmaiye.org - Win.Trojan.Ramdo || url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~RamdoK/detailed-analysis.aspx
30546 || BLACKLIST DNS request for known malware domain uogwoigiuweyccsw.org - Win.Trojan.Ramdo || url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~RamdoK/detailed-analysis.aspx
30547 || MALWARE-CNC Win.Trojan.Ramdo variant outbound connection || url,blogs.technet.com/b/mmpc/archive/2014/04/08/msrt-april-2014-ramdo.aspx
30548 || MALWARE-CNC Win.Trojan.Zeus variant outbound connection ||
url,blog.malwaremustdie.org/2014/03/a-post-to-sting-zeus-p2pgameovercrooks.html ||
url,www.virustotal.com/en/file/7647eec6ae87c203085fe433f25c78f415baf31d01
ee8aa31241241712b46a0d/analysis/
30549 || SERVER-OTHER OpenSSL Heartbleed masscan access exploitation
attempt || cve,2014-0160
30550 || BLACKLIST DNS request for known malware domain darxk.com - Win.Trojan.Minerd || url,www.virustotal.com/en/file/583b585078f37f5d399a228f1b8021ca0a9e904a55792281048bae9cfe0e95c1/analysis/
30551 || MALWARE-CNC Malicious BitCoiner Miner download attempt - Win.Trojan.Minerd || url,www.virustotal.com/en/file/583b585078f37f5d399a228f1b8021ca0a9e904a55792281048bae9cfe0e95c1/analysis/
30552 || MALWARE-CNC Malicious BitCoiner Miner download attempt - Win.Trojan.Systema || url,www.virustotal.com/en/file/583b585078f37f5d399a228f1b8021ca0a9e904a55792281048bae9cfe0e95c1/analysis/ ||

url,www.virustotal.com/en/file/e8bd297b1f59b7ea11db7d90e81002469a8f054f79
638a57332ac448d819fb5d/analysis/
30566 || MALWARE-CNC Linux.Trojan.Elknot outbound connection ||
url,www.virustotal.com/en/file/13f13f4e214c2755235ba36643e4ab08d4ea679da0
08397b7a540e0d45e70ab2/analysis/
30567 || MALWARE-OTHER Win.Trojan.Agent E-FAX phishing attempt ||
url,www.virustotal.com/en/file/4e102fd6fce767fa6c0d0a9871bb71ec5969ded694
a9292c2c8a9749e5648ed4/analysis/
30568 || MALWARE-OTHER Win.Trojan.Agent E-FAX phishing attempt ||
url,www.virustotal.com/en/file/4e102fd6fce767fa6c0d0a9871bb71ec5969ded694
a9292c2c8a9749e5648ed4/analysis/
30569 || MALWARE-OTHER Win.Trojan.Agent Funeral ceremony phishing attempt
||
url,www.virustotal.com/en/file/285ec7e2f8cbaed5d8cebde56bb6d44a921eb4e838
4981832822329d8ccfb125/analysis/1395241815/
30570 || MALWARE-CNC Win.Trojan.Zeus variant outbound connection ||
url,www.virustotal.com/en/file/2f2e20d92f7551fccae73bba64d25dd1f18a4018ff
fd30bdb1f9fb6280182bd0/analysis/1396537812/ ||
url,www.virustotal.com/en/file/b268cba8515040055d866fb9e29d7fe2bc087f2057
11cdbad3e4b1bde7be2d75/analysis/
reference:url,www.virustotal.com/en/file/ef4e0ccc49decb41f213a20f61d92374
c3b97497105d7c20e7284f65055d2ccb/analysis/
30772 || BLACKLIST DNS request for known malware domain universal2010.noip.org - Win.Worm.Dunihi || url,www.virustotal.com/en/file/2dc9930a0d324838f847f940ea7fa1da8808f910a39c2e701020820f7e33974a/analysis/
30777 || SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible
ssl heartbleed attempt || cve,2014-0160
30778 || SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible
ssl heartbleed attempt || cve,2014-0160
30779 || SERVER-OTHER OpenSSL TLSv1 large heartbeat response - possible
ssl heartbleed attempt || cve,2014-0160
30780 || SERVER-OTHER OpenSSL TLSv1 large heartbeat response - possible
ssl heartbleed attempt || cve,2014-0160
30781 || SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible
ssl heartbleed attempt || cve,2014-0160
30782 || SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible
ssl heartbleed attempt || cve,2014-0160
30783 || SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible
ssl heartbleed attempt || cve,2014-0160
30784 || SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible
ssl heartbleed attempt || cve,2014-0160
30785 || SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible
ssl heartbleed attempt || cve,2014-0160
30786 || SERVER-OTHER OpenSSL TLSv1 large heartbeat response - possible
ssl heartbleed attempt || cve,2014-0160
30787 || SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible
ssl heartbleed attempt || cve,2014-0160
30788 || SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible
ssl heartbleed attempt || cve,2014-0160
30795 || MALWARE-CNC Win.Trojan.Mudrop variant outbound connection ||
url,www.virustotal.com/en/file/43c6fb02baf800b3ab3d8f35167c37dced8ef32446
91e70499a7a9243068c016/analysis/1395425759/

30796 || MALWARE-CNC Win.Trojan.Mudrop variant outbound connection || url,www.virustotal.com/en/file/43c6fb02baf800b3ab3d8f35167c37dced8ef3244691e70499a7a9243068c016/analysis/1395425759/
30914 || MALWARE-CNC Win.Trojan.SpySmall variant outbound connection ||
url,www.virustotal.com/en/file/df51eccf430ac391d09817d003977b4ea6af36117c
e3aaee2fa0ebf04505c0d2/analysis/
30915 || MALWARE-CNC Win.Trojan.SpySmall variant outbound connection ||
url,www.virustotal.com/en/file/df51eccf430ac391d09817d003977b4ea6af36117c
e3aaee2fa0ebf04505c0d2/analysis/
30918 || BLACKLIST User-Agent known malicious user agent - User-Agent
User-Agent Mozilla ||
url,www.virustotal.com/file/D67B6706559C5F7AB97CC788E668E27A29B7D2D39C9AC
A93AF73778E53993339/analysis/
30919 || MALWARE-CNC Win.Trojan.Bancos variant outbound connection ||
url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e
800a3f3575ba34fe5f008c/analysis
30920 || EXPLOIT-KIT Multiple exploit kit redirection gate
30948 || MALWARE-BACKDOOR Win.Backdoor.Hikit outbound banner response ||
url,www.virustotal.com/en/file/aa4b2b448a5e246888304be51ef9a65a11a53bab78
99bc1b56e4fc20e1b1fd9f/analysis/
30949 || BLACKLIST DNS request for known malware domain
github.ignorelist.com - Win.Trojan.Barys ||
url,www.virustotal.com/en/file/9d2b34289df06f44dc02fc0689b28ea4f9c11f7496
a0e4c20f9d04152295d832/analysis/
30997 || INDICATOR-COMPROMISE Potential malware download - .doc.exe
within .zip file
30998 || INDICATOR-COMPROMISE Potential malware download - .gif.exe
within .zip file
30999 || INDICATOR-COMPROMISE Potential malware download - .jpeg.exe
within .zip file
31000 || INDICATOR-COMPROMISE Potential malware download - .jpg.exe
within .zip file
31001 || INDICATOR-COMPROMISE Potential malware download - .pdf.exe
within .zip file
31020 || MALWARE-CNC Win.Trojan.Bancos variant outbound connection ||
url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e
800a3f3575ba34fe5f008c/analysis
31034 || BLACKLIST DNS request for known malware domain www.casting.diamondhostess.hu - Win.Trojan.SpyBanker ||
url,www.virustotal.com/en/file/af56f8f97c8872d043a4002daa6331f3b3be296427
b0e5d0560fd174e9f59e78/analysis/
31035 || BLACKLIST DNS request for known malware domain www.uslugiryazan.ru - Win.Trojan.SpyBanker || url,www.virustotal.com/en/file/af56f8f97c8872d043a4002daa6331f3b3be296427b0e5d0560fd174e9f59e78/analysis/
31036 || MALWARE-CNC Win.Trojan.SpyBanker variant outbound connection ||
url,www.virustotal.com/en/file/726644e5f666b133159e6c2591cdd3bc628bcd335b
381b74fcfd2e4db73689af/analysis/ ||
url,www.virustotal.com/en/file/af56f8f97c8872d043a4002daa6331f3b3be296427
b0e5d0560fd174e9f59e78/analysis/
31053 || MALWARE-CNC Win.Trojan.MadnessPro outbound connection ||
url,blog.cylance.com/a-study-in-bots-madness-pro

31070 || MALWARE-CNC Win.Rootkit.Necurs outbound connection || url,www.virustotal.com/en/file/b47a1bdf5e53f4a754413d2461f7db9a4c7d1e0845c1f676b5399061e3dc1a4b/analysis/
31084 || MALWARE-CNC Win.Trojan.Zbot variant outbound connection ||
url,www.virustotal.com/en/file/750d533898f19c606ee9e96ff72c1aa3d830c469f2
f564890ebbc38b169eb41b/analysis/1400275398/
31090 || BLACKLIST User-Agent known malicious user agent - User-Agent
hello crazyk ||
url,www.virustotal.com/file/e61acf1cf61938eaa9cfa40e9dcd357f271c17c20218b
a895c1f4a/analysis/
31112 || MALWARE-CNC Win.Trojan.Bancos password stealing attempt ||
url,www.virustotal.com/en/file/61cbe9b94bca25503c884bb0c9363b95fac6203534
e5b23c5887dde91fbd4951/analysis/1384873658
31113 || MALWARE-CNC Win.Trojan.Bancos variant outbound connection ||
url,www.virustotal.com/en/file/61cbe9b94bca25503c884bb0c9363b95fac6203534
e5b23c5887dde91fbd4951/analysis/1384873658
31136 || MALWARE-CNC Win.Trojan.ZeroAccess inbound communication ||
url,www.virustotal.com/file/50cdd9f6c5629630c8d8a3a4fe7d929d3c6463b2f9407
d9a90703047e7db7ff9/analysis/
31221 || MALWARE-CNC Win.Trojan.Banker variant outbound connection ||
url,www.virustotal.com/en/file/bf40d710dda1a3ada127d68b34b837eca03a28699c
d858cda7d4a3e36690628a/analysis/
31222 || MALWARE-CNC Win.Trojan.Banker variant outbound connection ||
url,www.virustotal.com/en/file/bf40d710dda1a3ada127d68b34b837eca03a28699c
d858cda7d4a3e36690628a/analysis/
31243 || MALWARE-CNC Win.Trojan.Necurs variant outbound connection ||
url,www.virustotal.com/en/file/565496cb40fc868d233dabfb1e178e8b9042d964cb
1e4f5f3386a6db4f1cf30e/analysis/1400509611/
31244 || MALWARE-CNC Win.Trojan.Kuluoz outbound connection ||
url,www.virustotal.com/en/file/93a40a83977ca24df6e12d7d6f19a9b9d92cb3ea31
74ea9d4398ad2048205c42/analysis/
31260 || MALWARE-CNC Win.Trojan.Andromeda HTTP proxy response attempt || url,www.exposedbotnets.com/2013/06/localmworg-andromeda-http-botnet-hosted.html
31261 || MALWARE-CNC Win.Trojan.Symmi outbound connection ||
url,www.virustotal.com/en/file/c77a679df3b74c622e39ab163fc876cc9d7719f2c2
e8cf80beb36c813827d0c7/analysis/
31262 || MALWARE-CNC Win.Worm.VBNA variant check-in attempt ||
url,malwr.com/analysis/NWI5M2QwY2QxZWIwNDU4NDliYjU5NWJmMzc0MzQ2MDE/ ||
url,www.virustotal.com/en/file/0a777870b65d3dc80b56baf77f6d9e342d25a1c7d6
70077eca14a0f4309f9e26/analysis/ ||
url,www.virustotal.com/en/file/b5a01ce5e2b074f40d86ecca802658a5c998b5bf45
2f164b1a76f8fa27f53b15/analysis/
31293 || MALWARE-CNC Win.Trojan.Dyre publickey outbound connection attempt || url,phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl ||
url,www.virustotal.com/en/file/417c9cd7c8abbd7bbddfc313c9f153758fd11bda47
f754b9c59bc308d808c486/analysis/
31294 || BLACKLIST DNS request for known malware domain www.give-usbtc.biz - Win.Trojan.Zusy ||
url,www.virustotal.com/en/file/0f3243a4645ab4acb88e1e0ee4fa0cb254a88709ce
00a193ad6e20faec3243dc/analysis/

31295 || MALWARE-CNC Win.Trojan.Zusy variant outbound connection || url,www.virustotal.com/en/file/0f3243a4645ab4acb88e1e0ee4fa0cb254a88709ce00a193ad6e20faec3243dc/analysis/
31315 || MALWARE-CNC Win.Trojan.MSIL variant outbound connection ||
url,malwr.com/analysis/ZDI5NTViMGI2MzZiNDU0MTlhMzNlZDhiZGUwNjFmOGY/
31405 || SERVER-APACHE Apache Chunked-Encoding worm attempt ||
bugtraq,4474 || bugtraq,4485 || bugtraq,5033 || cve,2002-0071 ||
cve,2002-0079 || cve,2002-0392 || nessus,10932
31423 || BLACKLIST DNS request for known malware domain indo.msname.org
||
url,www.virustotal.com/en/file/2f6f2b5b356db1620fecdbf92fbaf7abffec0d8d79
893c809bdd31a0169ecbc8/analysis/
31442 || MALWARE-CNC Win.Trojan.Injector variant outbound connection ||
url,www.virustotal.com/en/file/56939273f68158dacc58d4e8d5bb5b0c4c04be89e2
79651c8f19fa6392f3d837/analysis/ ||
url,www.virustotal.com/en/file/ad40cabf66001087c2e9f548811b17341f63f19f52
8a3c04a1c9ab9f10b5eff9/analysis/
31449 || MALWARE-CNC Win.Trojan.CryptoWall downloader attempt ||
url,www.virustotal.com/en/file/e370c1fc6e7e289523fdf2f090edb7885f8d0de1b9
9be0164dafffeca9914b10/analysis/
31450 || MALWARE-CNC Win.Trojan.CryptoWall outbound connection ||
url,www.virustotal.com/en/file/a92ae8e80b0b70288a32c0455856453c5980021156
132a540035e7ef5e0fa79e/analysis/
31452 || MALWARE-CNC Win.Trojan.Symmi variant outbound connection ||
url,www.virustotal.com/en/file/08e670fd1f7141f219f0bb7f48c179485146e43984
7a68cdf52b85328b66dd22/analysis/
31453 || MALWARE-CNC Win.Trojan.ChoHeap variant outbound connection ||
url,www.virustotal.com/en/file/0423e10a674fb7e96557eac50b51207709a248df6e
06aeeba401ded6157c1298/analysis/
31454 || MALWARE-CNC Win.Trojan.ChoHeap variant outbound connection ||
url,www.virustotal.com/en/file/0423e10a674fb7e96557eac50b51207709a248df6e
06aeeba401ded6157c1298/analysis/
31455 || EXPLOIT-KIT Rig Exploit Kit Outbound DGA Request ||
url,www.symantec.com/connect/blogs/rig-exploit-kit-used-recent-website-compromise
31456 || BLACKLIST DNS request for known malware domain infolooks.org - Win.Trojan.SDBot || url,www.virustotal.com/en/file/5682e096bad2d2e75fb09122af272572b23ca5defb70325ab7cdc4c534a68e7d/analysis
31457 || BLACKLIST DNS request for known malware domain joydagaspy.biz - Win.Trojan.SDBot || url,www.virustotal.com/en/file/5682e096bad2d2e75fb09122af272572b23ca5defb70325ab7cdc4c534a68e7d/analysis
31458 || MALWARE-CNC Win.Trojan.SDBot variant outbound connection ||
url,www.virustotal.com/en/file/5682e096bad2d2e75fb09122af272572b23ca5defb
70325ab7cdc4c534a68e7d/analysis
31463 || BLACKLIST DNS request for known malware domain cd5c5c.com - Win.Trojan.Androm || url,malwr.com/analysis/ZmE3ZWU2YTkyM2U0NGQ0MmI1NDcxMjUwZDE2NTM5MjQ/
31464 || BLACKLIST DNS request for known malware domain disk57.com - Win.Trojan.Androm || url,malwr.com/analysis/ZmE3ZWU2YTkyM2U0NGQ0MmI1NDcxMjUwZDE2NTM5MjQ/
31465 || MALWARE-CNC Win.Trojan.Androm Click Fraud Request ||
url,malwr.com/analysis/ZmE3ZWU2YTkyM2U0NGQ0MmI1NDcxMjUwZDE2NTM5MjQ/

31466 || MALWARE-CNC Win.Trojan.Androm Click Fraud Request || url,malwr.com/analysis/ZmE3ZWU2YTkyM2U0NGQ0MmI1NDcxMjUwZDE2NTM5MjQ/
31467 || MALWARE-CNC Win.Trojan.Androm variant outbound connection ||
url,malwr.com/analysis/ZmE3ZWU2YTkyM2U0NGQ0MmI1NDcxMjUwZDE2NTM5MjQ/
31468 || MALWARE-CNC Win.Trojan.Papras variant outbound connection ||
url,www.virustotal.com/en/file/9e548d9a37c46423680e324b31204197babc45ddc0
5835afa772fde8627e72b2/analysis/
31472 || BLACKLIST DNS request for known malware domain nanoseklo.net - Win.Trojan.HW32 || url,www.virustotal.com/en/file/e69b310dff09830641d4b9682375ce3df503674d23c429bd7847979ea9250b2b/analysis/
31507 || MALWARE-CNC Win.Trojan.HW32 variant spam attempt ||
url,www.virustotal.com/en/file/e69b310dff09830641d4b9682375ce3df503674d23
c429bd7847979ea9250b2b/analysis/
31530 || MALWARE-CNC Win.Trojan.Symmi variant outbound connection ||
url,www.virustotal.com/en/file/b2b7571ffc6ee27fc716f308d72a3268ffa5f32330
ca6349aacc92e6cecb2582/analysis/1406043461/
31531 || INDICATOR-COMPROMISE MinerDeploy monitor request attempt ||
url,www.virustotal.com/en/file/06033b08afd30b413cce3b9a169cb8396fe34865f3
bacd436c652dbb469ced62/analysis/
31593 || MALWARE-CNC Andr.Trojan.SMSSend outbound connection ||
url,www.virustotal.com/en/file/a70a62ac920e83bab5e3e38ac8853ca3f45b6022f4
d4ca47c9ae5cb9049700bb/analysis/1406724303/
31600 || BLACKLIST DNS reverse lookup response for known malware domain
spheral.ru - Win.Trojan.Glupteba ||
url,www.virustotal.com/en/file/0bcc2bf3cf06952e18c3e1d9860698dbb3ff1644a0
389a9756c1b82b66fb2b83/analysis/
31603 || MALWARE-CNC Win.Trojan.Glupteba C&C server HELLO request to
client ||
url,www.virustotal.com/en/file/0bcc2bf3cf06952e18c3e1d9860698dbb3ff1644a0
389a9756c1b82b66fb2b83/analysis/
31604 || MALWARE-CNC Win.Trojan.Glupteba C&C server READD command to
client ||
url,www.virustotal.com/en/file/0bcc2bf3cf06952e18c3e1d9860698dbb3ff1644a0
389a9756c1b82b66fb2b83/analysis/
31605 || MALWARE-CNC Win.Trojan.Glupteba C&C server READY command to
client ||
url,www.virustotal.com/en/file/0bcc2bf3cf06952e18c3e1d9860698dbb3ff1644a0
389a9756c1b82b66fb2b83/analysis/
31606 || MALWARE-CNC Win.Trojan.Glupteba payload download request ||
url,www.virustotal.com/en/file/0bcc2bf3cf06952e18c3e1d9860698dbb3ff1644a0
389a9756c1b82b66fb2b83/analysis/
31607 || MALWARE-CNC Win.Trojan.Glupteba client response/authenticate to
C&C server ||
url,www.virustotal.com/en/file/0bcc2bf3cf06952e18c3e1d9860698dbb3ff1644a0
389a9756c1b82b66fb2b83/analysis/
31639 || BLACKLIST DNS request for known malware domain hslh.sytes.net - Win.Worm.Jenxcus || url,www.virustotal.com/en/file/5382192453e48d46e20096b14458b17368d401ccbf365020e6094cd5ed20ac51/analysis/
31640 || BLACKLIST DNS request for known malware domain
prepara.biricell.com.br - Win.Trojan.SpyBanker ||
url,www.virustotal.com/en/file/a9c38b5b26532623d692ef0291ad412ce2c2fd8e46
e4f6ed85d1e0d010617d0a/analysis/

31641 || MALWARE-CNC Win.Tinybanker variant outbound connection || url,blog.avast.com/2014/07/17/tinybanker-trojan-targets-banking-customers/ || url,www.virustotal.com/en/file/b88b978d00b9b3a011263f398fa6a21098aba714db14f7e71062ea4a6b2e974e/analysis/
31642 || MALWARE-CNC Win.Tinybanker variant outbound connection || url,blog.avast.com/2014/07/17/tinybanker-trojan-targets-banking-customers/ || url,www.virustotal.com/en/file/b88b978d00b9b3a011263f398fa6a21098aba714db14f7e71062ea4a6b2e974e/analysis/
31644 || MALWARE-CNC Andr.Trojan.Scarelocker outbound connection ||
url,malware.dontneedcoffee.com/2014/08/scarepackageknstant.html ||
url,www.virustotal.com/en/file/ebed6a20738f68787e19eaafc725bc8c76fba6b104
e468ddcfb05a4d88a11811/analysis/
31649 || MALWARE-CNC Win.Trojan.Bancos variant outbound connection ||
url,www.virustotal.com/en/file/61cbe9b94bca25503c884bb0c9363b95fac6203534
e5b23c5887dde91fbd4951/analysis/1384873658/
31680 || MALWARE-CNC Win.Trojan.Tirabot variant outbound connection ||
url,www.virustotal.com/en/file/7ea920d297e23cf58e9f00fa3d48e02994253cb4a6
73bdd6db9a02fa5ab9ffb8/analysis/1407432311/
31681 || MALWARE-CNC Win.Trojan.Badur download attempt ||
url,www.virustotal.com/en/file/adf5d662af390ad3a187a1991e0b463327fb8360fd
55a27e6f9961c8a84a47c5/analysis/
31682 || MALWARE-CNC Win.Trojan.Badur download attempt ||
url,www.virustotal.com/en/file/840b3b76030696b1ce9eccd5ee6d55dd79c0120871
094cb9266769c09f03029c/analysis/
31683 || MALWARE-CNC Win.Trojan.Badur variant outbound connection ||
url,www.virustotal.com/en/file/840b3b76030696b1ce9eccd5ee6d55dd79c0120871
094cb9266769c09f03029c/analysis/
31719 || FILE-IMAGE Microsoft Multiple Products JPEG parser heap overflow
attempt || bugtraq,11173 || cve,2004-0200 ||
url,www.microsoft.com/security/bulletins/200409_jpeg.mspx
31820 || MALWARE-CNC Win.Banker.Delf variant outbound connection ||
url,www.virustotal.com/en/file/dce2799df1da1ad992d37c78ea586dfd0cf673642e
cc56ac464fe7a81a6994ca/analysis/
31824 || MALWARE-CNC Win.Trojan.Graftor variant outbound connection ||
url,www.virustotal.com/en/file/53ac9c629cf0cc468cfaf77fe4b54f1da7576e0c03
27650915b79f9340fa84ff/analysis/
31825 || BLACKLIST DNS request for known malware domain
flordeliskm26.com.br - Win.Trojan.Delf ||
url,www.virustotal.com/en/file/59e721000aa38a91ed42799e955f9337482c627e06
75520aa54dcad068e6e004/analysis/1409846457/
31826 || MALWARE-CNC Win.Trojan.Delf variant HTTP Response ||
url,www.virustotal.com/en/file/59e721000aa38a91ed42799e955f9337482c627e06
75520aa54dcad068e6e004/analysis/1409846457/
31827 || MALWARE-CNC Win.Trojan.Delf variant outbound connection ||
url,www.virustotal.com/en/file/59e721000aa38a91ed42799e955f9337482c627e06
75520aa54dcad068e6e004/analysis/1409846457/
31829 || BLACKLIST DNS request for known malware domain
eduarditopallares.mooo.com - Win.Trojan.VBKrypt ||
url,www.virustotal.com/en/file/0a7e5ba1ba4c1ae22b7d6d30026ffb287911be4bdc
8042363d29c93c3c71b3e7/analysis/
31830 || POLICY-OTHER QLogic Switch 5600/5800 default ftp login attempt || url,filedownloads.qlogic.com/files/Manual/81355/UserGuide_5800V_Series_QuickTools_v80_59264-02B.pdf || url,filedownloads.qlogic.com/files/manual/67941/QuickTools_Guide_Sb5600_Series_v74_59235-03_%5BA%5D.pdf
31831 || POLICY-OTHER QLogic Switch 5600/5800 default ftp login attempt
||
url,filedownloads.qlogic.com/files/Manual/81355/UserGuide_5800V_Series_Qu
ickTools_v80_59264-02B.pdf ||
url,filedownloads.qlogic.com/files/manual/67941/QuickTools_Guide_Sb5600_S
eries_v74_59235-03_%5BA%5D.pdf
31916 || MALWARE-CNC Win.Trojan.Bancos variant outbound connection ||
url,www.virustotal.com/en/file/61cbe9b94bca25503c884bb0c9363b95fac6203534
e5b23c5887dde91fbd4951/analysis/1384873658/
31917 || BLACKLIST DNS request for known malware domain
vampire123.zapto.org - Win.Trojan.Disfa ||
url,www.virustotal.com/en/file/1f4b95d7fc20a66acc09f8246f5a936a8263b76aeb
f973efa45cfe255415d5d1/analysis/
31918 || BLACKLIST DNS request for known malware domain enemydont.net - Win.Trojan.Symmi || url,www.virustotal.com/en/file/4c0549384574ae91b68d58d92da3deacfcf714b27fb8d762ce9de8c58990ffb1/analysis/
31919 || BLACKLIST DNS request for known malware domain saltsecond.net - Win.Trojan.Symmi || url,www.virustotal.com/en/file/4c0549384574ae91b68d58d92da3deacfcf714b27fb8d762ce9de8c58990ffb1/analysis/
31920 || BLACKLIST DNS request for known malware domain sellsmall.net - Win.Trojan.Symmi || url,www.virustotal.com/en/file/4c0549384574ae91b68d58d92da3deacfcf714b27fb8d762ce9de8c58990ffb1/analysis/
31921 || BLACKLIST DNS request for known malware domain southblood.net - Win.Trojan.Symmi || url,www.virustotal.com/en/file/4c0549384574ae91b68d58d92da3deacfcf714b27fb8d762ce9de8c58990ffb1/analysis/
31922 || BLACKLIST DNS request for known malware domain wheelreply.net - Win.Trojan.Symmi || url,www.virustotal.com/en/file/4c0549384574ae91b68d58d92da3deacfcf714b27fb8d762ce9de8c58990ffb1/analysis/
31923 || MALWARE-CNC Win.Trojan.Symmi variant HTTP response attempt ||
url,www.virustotal.com/en/file/4c0549384574ae91b68d58d92da3deacfcf714b27f
b8d762ce9de8c58990ffb1/analysis/
31924 || MALWARE-CNC Win.Trojan.Symmi variant outbound connection ||
url,www.virustotal.com/en/file/4c0549384574ae91b68d58d92da3deacfcf714b27f
b8d762ce9de8c58990ffb1/analysis/
31964 || MALWARE-CNC Win.Trojan.Banker variant outbound connection ||
url,www.virustotal.com/en/file/bf40d710dda1a3ada127d68b34b837eca03a28699c
d858cda7d4a3e36690628a/analysis/
31965 || EXPLOIT-KIT Astrum exploit kit landing page ||
url,malware.dontneedcoffee.com/2014/09/astrum-ek.html
31966 || EXPLOIT-KIT Astrum exploit kit payload delivery ||
url,malware.dontneedcoffee.com/2014/09/astrum-ek.html
31967 || EXPLOIT-KIT Astrum exploit kit payload delivery ||
url,malware.dontneedcoffee.com/2014/09/astrum-ek.html
31970 || EXPLOIT-KIT Astrum exploit kit redirection attempt ||
url,malware.dontneedcoffee.com/2014/09/astrum-ek.html

31971 || EXPLOIT-KIT Astrum exploit kit multiple exploit download request || url,malware.dontneedcoffee.com/2014/09/astrum-ek.html
31972 || EXPLOIT-KIT Astrum exploit kit payload delivery ||
url,malware.dontneedcoffee.com/2014/09/astrum-ek.html
31973 || MALWARE-CNC Win.Trojan.Chebri variant outbound connection ||
url,www.virustotal.com/en/file/db94644fc351fb4a9117b68ab625494daa2ebe3611
7a8333577d857a7c2d1ec6/analysis/1409853252/
31975 || OS-OTHER Bash CGI environment variable injection attempt ||
cve,2014-6271 || cve,2014-6277 || cve,2014-6278 || cve,2014-7169
31976 || OS-OTHER Bash CGI environment variable injection attempt ||
cve,2014-6271 || cve,2014-6277 || cve,2014-6278 || cve,2014-7169
31977 || OS-OTHER Bash CGI environment variable injection attempt ||
cve,2014-6271 || cve,2014-6277 || cve,2014-6278 || cve,2014-7169
31978 || OS-OTHER Bash CGI environment variable injection attempt ||
cve,2014-6271 || cve,2014-6277 || cve,2014-6278 || cve,2014-7169
31985 || OS-OTHER Malicious DHCP server bash environment variable
injection attempt || cve,2014-6271 || cve,2014-6277 || cve,2014-6278 ||
cve,2014-7169
31990 || BLACKLIST User-Agent known malicious user-agent string - Install
- Win.Backdoor.Upatre ||
url,www.virustotal.com/en/file/ae7f419e0093fd2d4892ea6920aaa2c12c95cede9c
97cb0a1f096496d4ff93ea/analysis/
31991 || BLACKLIST User-Agent known malicious user-agent string - Treck - Win.Backdoor.Upatre || url,www.virustotal.com/en/file/e295922322324e048657a5b4c0c4c9717a1a127e39ba45a03dc5d4d4bb2e523f/analysis/
32008 || MALWARE-OTHER Fake Delta Ticket HTTP Response phishing attack ||
url,www.satinfo.es/blog/tag/deltaticket_et-rm-0hj423891156-exe
32009 || MALWARE-CNC Linux.Backdoor.Flooder inbound connection attempt command ||
url,www.virustotal.com/en/file/73b0d95541c84965fa42c3e257bb349957b3be626d
ec9d55efcc6ebcba6fa489/analysis/
32010 || MALWARE-CNC Linux.Backdoor.Flooder outbound telnet connection
attempt ||
url,www.virustotal.com/en/file/73b0d95541c84965fa42c3e257bb349957b3be626d
ec9d55efcc6ebcba6fa489/analysis/
32011 || MALWARE-CNC Linux.Backdoor.Flooder outbound connection ||
url,www.virustotal.com/en/file/73b0d95541c84965fa42c3e257bb349957b3be626d
ec9d55efcc6ebcba6fa489/analysis/
32038 || OS-OTHER Bash environment variable injection attempt ||
cve,2014-6271 || cve,2014-6277 || cve,2014-6278 || cve,2014-7169
32039 || OS-OTHER Bash environment variable injection attempt ||
cve,2014-6271 || cve,2014-6277 || cve,2014-6278 || cve,2014-7169
32041 || OS-OTHER Bash environment variable injection attempt ||
cve,2014-6271 || cve,2014-6277 || cve,2014-6278 || cve,2014-7169
32042 || OS-OTHER Bash environment variable injection attempt ||
cve,2014-6271 || cve,2014-6277 || cve,2014-6278 || cve,2014-7169
32043 || OS-OTHER Bash environment variable injection attempt ||
cve,2014-6271 || cve,2014-6277 || cve,2014-6278 || cve,2014-7169
32065 || MALWARE-CNC Win.Trojan.Asprox inbound connection attempt ||
url,www.virustotal.com/en/file/8ba8292eaa47967618c2376afe524736f4fa7eec15
ed9cca17abfca692d26fe4/analysis/

32066 || MALWARE-CNC Win.Trojan.Asprox outbound connection || url,www.virustotal.com/en/file/8ba8292eaa47967618c2376afe524736f4fa7eec15ed9cca17abfca692d26fe4/analysis/
32067 || MALWARE-CNC Win.Trojan.Asprox outbound connection ||
url,www.virustotal.com/en/file/8ba8292eaa47967618c2376afe524736f4fa7eec15
ed9cca17abfca692d26fe4/analysis/
32069 || OS-OTHER Bash environment variable injection attempt ||
cve,2014-6271 || cve,2014-6277 || cve,2014-6278 || cve,2014-7169
32072 || MALWARE-CNC Win.Trojan.Zemot configuration download attempt ||
url,www.virustotal.com/en/file/8ba8292eaa47967618c2376afe524736f4fa7eec15
ed9cca17abfca692d26fe4/analysis/
32073 || MALWARE-CNC Win.Trojan.Zemot outbound connection ||
url,www.virustotal.com/en/file/8ba8292eaa47967618c2376afe524736f4fa7eec15
ed9cca17abfca692d26fe4/analysis/
32074 || MALWARE-CNC Win.Trojan.Zemot payload download attempt ||
url,www.virustotal.com/en/file/8ba8292eaa47967618c2376afe524736f4fa7eec15
ed9cca17abfca692d26fe4/analysis/
32130 || MALWARE-CNC Win.Trojan.Bancos variant outbound connection ||
url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e
800a3f3575ba34fe5f008c/analysis
32176 || BLACKLIST DNS request for known malware domain
av4.microsoftsp3.com - Win.Trojan.Plugx ||
url,virustotal.com/en/file/4d464f9def2276dac15d19ccf049b7c68642290bc0e345
e06d4b6e9103fde9e6/analysis/
32177 || BLACKLIST DNS request for known malware domain java.ns1.name - Win.Trojan.Plugx || url,virustotal.com/en/file/4d464f9def2276dac15d19ccf049b7c68642290bc0e345e06d4b6e9103fde9e6/analysis/
32178 || BLACKLIST DNS request for known malware domain wm1.ns01.us - Win.Trojan.Plugx || url,virustotal.com/en/file/4d464f9def2276dac15d19ccf049b7c68642290bc0e345e06d4b6e9103fde9e6/analysis/
32179 || MALWARE-CNC WIN.Trojan.Plugx variant outbound connection ||
url,virustotal.com/en/file/4d464f9def2276dac15d19ccf049b7c68642290bc0e345
e06d4b6e9103fde9e6/analysis/
32180 || MALWARE-CNC Win.Backdoor.ZxShell connection incoming attempt ||
url,virustotal.com/en/file/438ed90e1f69b5dcae2d30d241159aaed74f9d3125c60f
1003915b2237978f7d/analysis/
32181 || MALWARE-CNC Win.Backdoor.ZxShell connection outgoing attempt ||
url,virustotal.com/en/file/438ed90e1f69b5dcae2d30d241159aaed74f9d3125c60f
1003915b2237978f7d/analysis/
32192 || MALWARE-CNC Win.Trojan.Zxshell variant outbound connection ||
url,www.virustotal.com/en/file/547044cb73f1c18ccd92cd28afded37756f749a933
8ed7c04306c1de46889d6b/analysis/
32196 || MALWARE-CNC Win.Trojan.Graftor variant outbound connection ||
url,www.virustotal.com/en/file/f7215718184d5fa1a2057e5dd714d3cdbd00fe9243
34ecdd3cd5662c3c284d90/analysis/
32225 || MALWARE-CNC Win.Trojan.Cryptowall variant outbound connection ||
url,www.virustotal.com/en/file/f75b9ed535c3b33ead4da28854f3e8d6e805135679
a2352463184acb06ffcaf0/analysis/
32244 || BROWSER-FIREFOX Mozilla 1.0 Javascript arbitrary cookie access
attempt || bugtraq,5293 || cve,2002-2314 ||
url,osvdb.org/show/osvdb/60255
32250 || MALWARE-CNC Win.Trojan.Hydraq.variant outbound detected

32260 || MALWARE-OTHER Sinkhole reply - irc-sinkhole.cert.pl


32309 || BLACKLIST DNS request for known malware domain good.myftp.org - Win.Trojan.Farfi || url,www.virustotal.com/en/file/184c083e839451c2ab0de7a89aa801dc0458e2bd1fe79e60f35c26d92a0dbf6a/analysis/
32335 || OS-OTHER Bash CGI environment variable injection attempt ||
cve,2014-6271 || cve,2014-6277 || cve,2014-6278 || cve,2014-7169
32336 || OS-OTHER Bash CGI environment variable injection attempt ||
cve,2014-6271 || cve,2014-6277 || cve,2014-6278 || cve,2014-7169
32366 || OS-OTHER Bash environment variable injection attempt ||
cve,2014-6271 || cve,2014-6277 || cve,2014-6278 || cve,2014-7169
32367 || MALWARE-CNC Win.Trojan.GameOverZeus variant outbound connection
||
url,www.virustotal.com/en/file/d866214d1f921028f9001ae399e9f8dec32ec8998c
84d20d60a992164888a6fc/analysis
32370 || SERVER-OTHER AOL Instant Messenger goaway message buffer
overflow attempt || bugtraq,10889 || cve,2004-0636 ||
url,osvdb.org/show/osvdb/8398
32374 || MALWARE-CNC Win.Trojan.Androm variant outbound connection ||
url,malwr.com/analysis/ZmE3ZWU2YTkyM2U0NGQ0MmI1NDcxMjUwZDE2NTM5MjQ/
32385 || BLACKLIST DNS request for known malware domain tiptronic.soxx.us
- Scarsi Trojan ||
url,www.virustotal.com/en/file/403bca7e414291c4aecf8646ef6157e441d5191514
9fbcd2f70aabe05585c8ff/analysis/
32583 || MALWARE-CNC Win.Trojan.Symmi variant outbound connection ||
url,www.virustotal.com/en/file/7c110c2d125a4100322bd9c4328d0a01259cb00a4e
3709815711b8b364a58bdd/analysis/1415285838/
32584 || MALWARE-CNC Win.Trojan.Symmi variant outbound connection ||
url,malwr.com/analysis/NDUwYTczYzQ0YWMwNGM2Yjk5MDc5YmU4Yjg5MzY5OWY/ ||
url,www.virustotal.com/en/file/d34644047c451081e9332e18600dba25aed42ff76f
96fc51cb3eada95ba57e59/analysis/
32604 || MALWARE-CNC Win.Trojan.Geodo variant outbound connection ||
url,www.virustotal.com/en/file/330b408173d45365dd6372bc659ebdd54b9eb18b32
3079da9552c4e3d8e62d1e/analysis/
32605 || MALWARE-CNC Win.Worm.Jenxcus variant outbound connection ||
url,www.virustotal.com/en/file/8538cbb2271f90c57f57150d714ec92e59869f52c7
060bb2ab1f57ef6757321d/analysis/
32606 || MALWARE-CNC Win.Trojan.Sodebral variant outbound connection ||
url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecadd
c60591e32b81536b9f5ef7/analysis/
32607 || MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt ||
url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecadd
c60591e32b81536b9f5ef7/analysis/
32608 || MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt ||
url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecadd
c60591e32b81536b9f5ef7/analysis/
32645 || BLACKLIST User-Agent known malicious user-agent string RUpdate
||
url,www.virustotal.com/en/file/0d68f1d3855543a4732e551e9e4375a2cd85d9ab11
a86334f67ad99c5f6990a0/analysis/
32646 || INDICATOR-COMPROMISE Potential malware download - _pdf.exe
within .zip file ||
url,www.virustotal.com/en/file/0d68f1d3855543a4732e551e9e4375a2cd85d9ab11
a86334f67ad99c5f6990a0/analysis/

32652 || BLACKLIST DNS request for known malware domain baltichost.org - Group 74 || url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aae459dca98dc8216965/analysis/
32653 || BLACKLIST DNS request for known malware domain kavkazcentr.info
- Group 74 ||
url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aa
e459dca98dc8216965/analysis/
32654 || BLACKLIST DNS request for known malware domain login-osce.org - Group 74 || url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aae459dca98dc8216965/analysis/
32655 || BLACKLIST DNS request for known malware domain mail.q0v.pl - Group 74 || url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aae459dca98dc8216965/analysis/
32656 || BLACKLIST DNS request for known malware domain n0vinite.com - Group 74 || url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aae459dca98dc8216965/analysis/
32657 || BLACKLIST DNS request for known malware domain nato.nshq.in - Group 74 || url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aae459dca98dc8216965/analysis/
32658 || BLACKLIST DNS request for known malware domain
natoexhibitionff14.com - Group 74 ||
url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aa
e459dca98dc8216965/analysis/
32659 || BLACKLIST DNS request for known malware domain novinitie.com - Group 74 || url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aae459dca98dc8216965/analysis/
32660 || BLACKLIST DNS request for known malware domain q0v.pl - Group 74
||
url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aa
e459dca98dc8216965/analysis/
32661 || BLACKLIST DNS request for known malware domain qov.hu.com - Group 74 || url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aae459dca98dc8216965/analysis/
32662 || BLACKLIST DNS request for known malware domain rnil.am - Group
74 ||
url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aa
e459dca98dc8216965/analysis/
32663 || BLACKLIST DNS request for known malware domain smigrouponline.co.uk - Group 74 || url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aae459dca98dc8216965/analysis/
32664 || BLACKLIST DNS request for known malware domain standartnevvs.com
- Group 74 ||
url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aa
e459dca98dc8216965/analysis/

32665 || MALWARE-CNC Win.Trojan.Chopstick variant outbound request || url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aae459dca98dc8216965/analysis/
32666 || MALWARE-CNC Win.Trojan.Coreshell variant outbound connection ||
url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aa
e459dca98dc8216965/analysis/
32667 || MALWARE-CNC Win.Trojan.Chopstick variant outbound request ||
url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aa
e459dca98dc8216965/analysis/
32670 || MALWARE-CNC Win.Dropper.Ch variant outbound connection ||
url,www.virustotal.com/en/file/3d8f05f45f8335198e5488716be2a9c5cebead7d03
21bc371fa475d689ffe658/analysis/
32674 || MALWARE-CNC Win.Trojan.Wiper variant outbound connection ||
url,virustotal.com/en/file/e2ecec43da974db02f624ecadc94baf1d21fd1a5c4990c
15863bb9929f781a0a/analysis/
32776 || MALWARE-CNC FIN4 VBA Macro credentials upload attempt ||
url,www.virustotal.com/en/url/536ed7236769b9a5f09b2a31ab138fbad7331108cb6
5e1f4c77d129df7fb7764/analysis/
32823 || MALWARE-CNC Win.Trojan.Darkhotel outbound connection ||
url,securelist.com/files/2014/11/darkhotel_kl_07.11.pdf ||
url,securelist.com/files/2014/11/darkhotelappendixindicators_kl.pdf
32824 || MALWARE-CNC Win.Trojan.Darkhotel outbount connection attempt ||
url,securelist.com/files/2014/11/darkhotel_kl_07.11.pdf ||
url,securelist.com/files/2014/11/darkhotelappendixindicators_kl.pdf
32825 || MALWARE-CNC Win.Trojan.Darkhotel outbound connection ||
url,securelist.com/files/2014/11/darkhotel_kl_07.11.pdf ||
url,securelist.com/files/2014/11/darkhotelappendixindicators_kl.pdf
32826 || MALWARE-CNC Win.Trojan.Darkhotel data upload attempt ||
url,securelist.com/files/2014/11/darkhotel_kl_07.11.pdf ||
url,securelist.com/files/2014/11/darkhotelappendixindicators_kl.pdf
32827 || MALWARE-CNC Win.Trojan.Darkhotel response connection attempt ||
url,securelist.com/files/2014/11/darkhotel_kl_07.11.pdf ||
url,securelist.com/files/2014/11/darkhotelappendixindicators_kl.pdf
32845 || APP-DETECT Absolute Software Computrace outbound connection - 209.53.113.223 || url,absolute.com/support/consumer/technology_computrace || url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf || url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf
32846 || APP-DETECT Absolute Software Computrace outbound connection - absolute.com || url,absolute.com/support/consumer/technology_computrace || url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf || url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf
32847 || APP-DETECT Absolute Software Computrace outbound connection - bh.namequery.com || url,absolute.com/support/consumer/technology_computrace || url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf || url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf
32848 || APP-DETECT Absolute Software Computrace outbound connection - namequery.nettrace.co.za || url,absolute.com/support/consumer/technology_computrace || url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf || url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf
32849 || APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com || url,absolute.com/support/consumer/technology_computrace || url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf || url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf
32850 || APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com || url,absolute.com/support/consumer/technology_computrace || url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf || url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf
32851 || APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com || url,absolute.com/support/consumer/technology_computrace || url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf || url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf
32852 || MALWARE-CNC Win.Trojan.Poolfiend variant outbound connection ||
url,www.virustotal.com/en/file/12a803cd2f67d2dbdc3fb1a6940b9a11b61f6d8455
f139e6e90893d9a4eb455a/analysis/
32853 || MALWARE-CNC Win.Trojan.Poolfiend variant outbound connection ||
url,www.virustotal.com/en/file/12a803cd2f67d2dbdc3fb1a6940b9a11b61f6d8455
f139e6e90893d9a4eb455a/analysis/
32888 || INDICATOR-COMPROMISE Potential Redirect from Compromised WordPress site to Fedex - Spammed Malware Download attempt || url,www.hybrid-analysis.com/sample/a531bc62b0460eba5b0003b535a2e9cceae0b623aecfdc6f0331743fbee77e56/
32889 || FILE-IMAGE Microsoft and libpng multiple products PNG large image width overflow attempt || bugtraq,11523 || cve,2004-0990 || cve,2004-1244 || cve,2007-5503 || url,sourceforge.net/p/pngmng/mailman/message/33173462/ || url,technet.microsoft.com/en-us/security/bulletin/MS05-009
32911 || MALWARE-BACKDOOR Win.Trojan.Wiper inbound communication attempt || url,us-cert.gov/ncas/alerts/TA14-353A
32912 || MALWARE-BACKDOOR Win.Trojan.Wiper outbound communication attempt || url,us-cert.gov/ncas/alerts/TA14-353A
32913 || MALWARE-BACKDOOR Win.Trojan.Wiper download attempt || url,us-cert.gov/ncas/alerts/TA14-353A
32914 || MALWARE-BACKDOOR Win.Trojan.Wiper download attempt || url,us-cert.gov/ncas/alerts/TA14-353A
32915 || MALWARE-BACKDOOR Win.Trojan.Wiper inbound communication attempt || url,us-cert.gov/ncas/alerts/TA14-353A
32916 || MALWARE-BACKDOOR Win.Trojan.Wiper outbound communication attempt || url,us-cert.gov/ncas/alerts/TA14-353A

32917 || MALWARE-BACKDOOR Win.Trojan.Wiper inbound communication attempt || url,us-cert.gov/ncas/alerts/TA14-353A
32918 || MALWARE-BACKDOOR Win.Trojan.Wiper download attempt || url,us-cert.gov/ncas/alerts/TA14-353A
32919 || MALWARE-OTHER Win.Trojan.Wiper download attempt || url,us-cert.gov/ncas/alerts/TA14-353A
32920 || MALWARE-OTHER Win.Trojan.Wiper download attempt || url,us-cert.gov/ncas/alerts/TA14-353A
32921 || MALWARE-OTHER Win.Trojan.Wiper download attempt || url,us-cert.gov/ncas/alerts/TA14-353A
32922 || MALWARE-OTHER Win.Trojan.Wiper listener download attempt ||
url,us-cert.gov/ncas/alerts/TA14-353A
32923 || MALWARE-OTHER Win.Trojan.Wiper listener download attempt ||
url,us-cert.gov/ncas/alerts/TA14-353A
32924 || MALWARE-OTHER Win.Trojan.Wiper listener download attempt ||
url,us-cert.gov/ncas/alerts/TA14-353A
32925 || MALWARE-OTHER Win.Trojan.Wiper listener download attempt ||
url,us-cert.gov/ncas/alerts/TA14-353A
32926 || MALWARE-OTHER Win.Trojan.Wiper listener download attempt ||
url,us-cert.gov/ncas/alerts/TA14-353A
32927 || MALWARE-OTHER Win.Trojan.Wiper listener download attempt ||
url,us-cert.gov/ncas/alerts/TA14-353A
32928 || MALWARE-OTHER Win.Trojan.Wiper listener download attempt ||
url,us-cert.gov/ncas/alerts/TA14-353A
32929 || MALWARE-OTHER Win.Trojan.Wiper listener download attempt ||
url,us-cert.gov/ncas/alerts/TA14-353A
32930 || MALWARE-OTHER Win.Trojan.Wiper listener download attempt ||
url,us-cert.gov/ncas/alerts/TA14-353A
32931 || MALWARE-OTHER Win.Trojan.Wiper listener download attempt ||
url,us-cert.gov/ncas/alerts/TA14-353A
32932 || MALWARE-OTHER Win.Trojan.Wiper listener download attempt ||
url,us-cert.gov/ncas/alerts/TA14-353A
32933 || MALWARE-OTHER Win.Trojan.Wiper listener download attempt ||
url,us-cert.gov/ncas/alerts/TA14-353A
32934 || MALWARE-OTHER Win.Trojan.Wiper download attempt || url,us-cert.gov/ncas/alerts/TA14-353A
32935 || MALWARE-OTHER Win.Trojan.Wiper download attempt || url,us-cert.gov/ncas/alerts/TA14-353A
32936 || MALWARE-TOOLS Win.Trojan.Wiper proxy tools download attempt ||
url,us-cert.gov/ncas/alerts/TA14-353A
32937 || MALWARE-TOOLS Win.Trojan.Wiper proxy communication attempt ||
url,us-cert.gov/ncas/alerts/TA14-353A
32938 || MALWARE-TOOLS Win.Trojan.Wiper proxy tool download attempt ||
url,us-cert.gov/ncas/alerts/TA14-353A
32956 || MALWARE-CNC Android.CoolReaper.Trojan outbound connection ||
url,www.virustotal.com/en/file/94b3d27488d10ec2dd73f39513a6d7845ab50b395d
6b3adb614b94f8a8609f0e/analysis/
32957 || MALWARE-CNC Win.Trojan.TinyZBot outbound SOAP connection attempt
||
url,www.virustotal.com/en/file/0d1f479842cd5bde4f18ab8c85a099da39e13a4051
a7c21334e33d55b6f18d76/analysis/
32958 || MALWARE-CNC Win.Trojan.TinyZBot response connection attempt ||
url,www.virustotal.com/en/file/0d1f479842cd5bde4f18ab8c85a099da39e13a4051
a7c21334e33d55b6f18d76/analysis/

32976 || MALWARE-CNC Win.Trojan.Kuluos variant outbound connection || url,www.virustotal.com/en/file/48936d3242ccd9decedf1057b08eacf5f952efeb1b7bb2f354bb02028a361ac2/analysis/
32977 || MALWARE-CNC Win.Trojan.Kuluos variant outbound connection ||
url,www.virustotal.com/en/file/48936d3242ccd9decedf1057b08eacf5f952efeb1b
7bb2f354bb02028a361ac2/analysis/
33047 || BLACKLIST User-Agent known malicious user-agent string realupdate - Win.Backdoor.Upatre
33058 || MALWARE-CNC Win.Backdoor.Medusa variant inbound connection
33059 || MALWARE-CNC Win.Backdoor.Medusa variant outbound connection
33060 || MALWARE-CNC Win.Backdoor.Medusa variant outbound connection
33153 || MALWARE-CNC Win.Trojan.Heur variant outbound connection ||
url,www.virustotal.com/en/file/2fb5c3859df3b46cc7e2e2176654cb7e5f739f2bc9
faf3e813736b37c6d3b6bc/analysis/
33207 || BLACKLIST User-Agent known malicious user-agent string Mazilla/5.0 - Win.Backdoor.Upatre
33212 || PUA-ADWARE SoftPulse variant HTTP response attempt ||
url,www.virustotal.com/en/file/7aa774bffa2eb38c691774c1cc59e0adf6186da62a
fc417baa6333670e1e3011/analysis/1421687954/
33219 || MALWARE-CNC Win.Trojan.Gamarue variant outbound connection ||
url,www.virustotal.com/en/file/eefe5370b09a32a7b295c136073a8560958c4a5882
2a7da5b501a10543266c6e/analysis/1421697833/
33220 || MALWARE-CNC Win.Trojan.HawkEye keylogger exfiltration attempt ||
url,www.virustotal.com/en/file/f4499928a6fee5d37fb711ed6d68708bf116cfc7f2
84d3295dd30ded7ecf64b2/analysis/
33221 || MALWARE-CNC Win.Trojan.HawkEye Keylogger exfiltration attempt - clipboard and screenshot || url,www.virustotal.com/en/file/f4499928a6fee5d37fb711ed6d68708bf116cfc7f284d3295dd30ded7ecf64b2/analysis/
33222 || MALWARE-CNC Win.Trojan.HawkEye Keylogger exfiltration attempt - clipboard and screenshot || url,www.virustotal.com/en/file/f4499928a6fee5d37fb711ed6d68708bf116cfc7f284d3295dd30ded7ecf64b2/analysis/
33223 || MALWARE-CNC Win.Trojan.HawkEye Keylogger exfiltration attempt - clipboard and screenshot || url,www.virustotal.com/en/file/f4499928a6fee5d37fb711ed6d68708bf116cfc7f284d3295dd30ded7ecf64b2/analysis/
33224 || INDICATOR-COMPROMISE Win.Trojan.Blocker variant outbound connection attempt || url,www.virustotal.com/en/file/79b75a8564e2e446789e1890f52c025792de919b63719e02630a70d6ae9a3ca4/analysis/1421439683/
33227 || MALWARE-CNC Win.Agent.BHHK variant outbound connection || url,www.virustotal.com/en/file/cab1fffe7a34b5bb7dab2cacd406cf15628d835ab63502d28df78c2faeaad366/analysis/1421677054/
33228 || MALWARE-CNC Win.Trojan.Kovter variant outbound connection || url,www.virustotal.com/en/file/599dc4c4dae2d12f8c8ea00114c1cbddecbc171c552e7fbe5aba516ef11b08f0/analysis/
33282 || MALWARE-CNC Win.Trojan.Upatre variant outbound connection || url,www.virustotal.com/en/file/7a06565bb9d49aa92084b5bc32cf59d04dc1d60d63827099ca7c14063f54967a/analysis/1421616162/
33443 || MALWARE-CNC Win.Trojan.Symmi variant outbound connection || url,www.virustotal.com/en/file/4ca26daa7cfb81c8ee05c955f19ef527a9452f2dad3c63674afa7f6796d96f02/analysis/

33444 || MALWARE-CNC Win.Trojan.SpyBanker variant outbound connection || url,www.virustotal.com/en/file/66e69ff2c4881a1c95eccd287af3b8db692fd5c9df3caee464f8b4125d46c1a4/analysis/
33449 || MALWARE-CNC Win.Trojan.FileEncoder IP geolocation checkin attempt || url,www.virustotal.com/en/file/17edf82c40df6c7268191def7cbff6e60e78d7388018408800d42581567f78cf/analysis/
33450 || MALWARE-CNC Win.Trojan.FileEncoder variant outbound connection || url,www.virustotal.com/en/file/17edf82c40df6c7268191def7cbff6e60e78d7388018408800d42581567f78cf/analysis/
33452 || PUA-TOOLBARS Win.Toolbar.Crossrider variant outbound connection || url,www.virustotal.com/en/file/06f3bd3df0326b5c3c5b03070d9d870507b868ee4e1acff62f0d301c43492709/analysis/
33453 || MALWARE-CNC Win.Trojan.Kovter variant outbound connection || url,www.virustotal.com/en/file/db8952943708f4eefa72ad04ff01bdf9acb33fdd89a5ad98b0ec2649fb116a52/analysis/1422981882/
33457 || MALWARE-CNC Win.Trojan.Symmi variant outbound connection || url,www.virustotal.com/en/file/609c2c8ab60a30822689a3955fb84f06b5c3962e0d2b894f4794ac8ee5eee2eb/analysis/
33519 || BLACKLIST User-Agent known malicious user agent - ALIZER || url,www.virustotal.com/en/file/958c004400ca2a736473c68d842cbea9038bde940d1e44fb08cf08c4352c5f55/analysis/
33520 || MALWARE-CNC Win.Trojan.Zusy inbound CNC response || url,www.virustotal.com/en/file/958c004400ca2a736473c68d842cbea9038bde940d1e44fb08cf08c4352c5f55/analysis/
33521 || MALWARE-CNC Win.Trojan.Zusy variant outbound connection || url,www.virustotal.com/en/file/958c004400ca2a736473c68d842cbea9038bde940d1e44fb08cf08c4352c5f55/analysis/
33522 || BLACKLIST User-Agent known malicious user-agent - DNS Changer || url,www.virustotal.com/en/file/2b16bd74ed6cf86938a7108b6a6fa9343ac4f890f0228b964a98c45428cb4e3c/analysis/ || url,www.virustotal.com/en/file/e5cbca1c1cca4ce5ef8beddca38869bdb18e089b969171e5ba337aa756371c36/analysis/
33523 || MALWARE-CNC Win.Trojan.DNSChanger variant outbound connection || url,www.virustotal.com/en/file/2b16bd74ed6cf86938a7108b6a6fa9343ac4f890f0228b964a98c45428cb4e3c/analysis/ || url,www.virustotal.com/en/file/e5cbca1c1cca4ce5ef8beddca38869bdb18e089b969171e5ba337aa756371c36/analysis/
33524 || MALWARE-CNC Win.Trojan.DNSChanger variant outbound connection || url,www.virustotal.com/en/file/2b16bd74ed6cf86938a7108b6a6fa9343ac4f890f0228b964a98c45428cb4e3c/analysis/ || url,www.virustotal.com/en/file/e5cbca1c1cca4ce5ef8beddca38869bdb18e089b969171e5ba337aa756371c36/analysis/
33547 || MALWARE-CNC Win.Trojan.Turla outbound connection || url,www.virustotal.com/en/file/1a488c6824bd39f3568346b2aaf3f6666f41b1d4961a2d77360c7c65c7978b5e/analysis/
33560 || BLACKLIST DNS request for known malware domain trackingrecipient.net46.net - Win.Cossta || url,www.virustotal.com/en/file/cdaa661e2b5913997f4d905e0490bd8d9069a0c9f90a13944d5d3e1d6d1f2089/analysis/

33646 || MALWARE-CNC Linux.Trojan.XORDDoS outbound connection attempt || url,www.virustotal.com/en/file/e8cb63cc050c952c1168965f597105a128b56114835eb7d40bdec964a0e243dc/analysis/
33647 || MALWARE-CNC Linux.Trojan.XORDDoS outbound connection attempt || url,www.virustotal.com/en/file/e8cb63cc050c952c1168965f597105a128b56114835eb7d40bdec964a0e243dc/analysis/
33648 || MALWARE-CNC Linux.Trojan.XORDDoS outbound connection attempt || url,www.virustotal.com/en/file/e8cb63cc050c952c1168965f597105a128b56114835eb7d40bdec964a0e243dc/analysis/
33649 || BLACKLIST User-Agent known malicious user agent - Google Omaha Win.Trojan.ExtenBro || url,www.virustotal.com/en/file/34a3667846bbdea8dc92150e6766e3bac129a2b5fd4856c6f1512e794b90f23d/analysis/
33650 || MALWARE-CNC Win.Trojan.Tinba outbound connection attempt || url,www.virustotal.com/en/file/8eb2c85abe7acee219e344ae0592a2b1c159bdafa037be39ac062bdaeeb1f621/analysis/
33677 || MALWARE-CNC Win.Trojan.Babar outbound connection || url,www.virustotal.com/en/file/c72a055b677cd9e5e2b2dcbba520425d023d906e6ee609b79c643d9034938ebf/analysis/
33678 || MALWARE-CNC Win.Trojan.FannyWorm outbound connection attempt || url,www.virustotal.com/en/file/003315b0aea2fcb9f77d29223dd8947d0e6792b3a0227e054be8eb2a11f443d9/analysis/
33740 || FILE-IMAGE Microsoft emf file download request || bugtraq,10120 || bugtraq,28819 || bugtraq,9707 || cve,2003-0906 || cve,2007-5746 || url,technet.microsoft.com/en-us/security/bulletin/MS04-011 || url,technet.microsoft.com/en-us/security/bulletin/MS04-032 || url,technet.microsoft.com/en-us/security/bulletin/MS05-053 || url,technet.microsoft.com/en-us/security/bulletin/MS06-001
33815 || PUA-ADWARE Adware Goobzo/CrossRider variant outbound connection || url,www.virustotal.com/en/file/bace69ffe133e7693b3b77994a3c81e990288ca4b642cffe12938d705c7019df/analysis/
33816 || PUA-ADWARE Adware Goobzo/CrossRider variant outbound connection || url,www.virustotal.com/en/file/bace69ffe133e7693b3b77994a3c81e990288ca4b642cffe12938d705c7019df/analysis/
33822 || MALWARE-CNC Win.Trojan.Egamipload variant outbound connection || url,www.virustotal.com/en/file/50d7dab7095d5b84a6ccb11769d82cc105b519d84ab7aef4d540ed3703ae3e45/analysis/
33833 || PUA-ADWARE User-Agent adware OutBrowse/Amonitize
33834 || PUA-ADWARE User-Agent adware OutBrowse/Amonitize
33835 || PUA-ADWARE User-Agent adware OutBrowse/Amonitize
33851 || MALWARE-CNC Win.Trojan.Poseidon outbound connection || url,blogs.cisco.com/security/talos/poseidon
33852 || MALWARE-CNC Win.Trojan.Poseidon outbound connection || url,blogs.cisco.com/security/talos/poseidon
33885 || MALWARE-CNC Win.Trojan.Gh0st variant outbound connection || url,virustotal.com/en/file/a4fd37b8b9eabd0bfda7293acbb1b6c9f97f8cc3042f3f78ad2b11816e1f9a59/analysis/1425053730/
34047 || MALWARE-CNC Win.Trojan.VBPasswordStealer variant outbound connection || url,www.virustotal.com/en/file/4f0988ac590d52b97b1a162f5ee098c38f6e640be783a511049d8e5006cac011/analysis/

34119 || PUA-ADWARE InstallMetrix precheck stage outbound connection || url,www.virustotal.com/en/file/d99db4f7f047cbf672eb19ea2e492a45d948338c0f10ef4761db3b9e372ba90e/analysis/1426449298/
34120 || PUA-ADWARE InstallMetrix fetch offers stage outbound connection || url,www.virustotal.com/en/file/d99db4f7f047cbf672eb19ea2e492a45d948338c0f10ef4761db3b9e372ba90e/analysis/1426449298/
34121 || PUA-ADWARE InstallMetrix reporting binary installation stage status || url,www.virustotal.com/en/file/d99db4f7f047cbf672eb19ea2e492a45d948338c0f10ef4761db3b9e372ba90e/analysis/1426449298/
34122 || PUA-ADWARE InstallMetrix reporting fetch offers stage status || url,www.virustotal.com/en/file/d99db4f7f047cbf672eb19ea2e492a45d948338c0f10ef4761db3b9e372ba90e/analysis/1426449298/
34125 || PUA-ADWARE User-Agent Vitruvian || url,www.virustotal.com/en/file/a59f0e717dc530814dea3fdf65597faaad90ed8bfe3c8b8f6cea0e708049a784/analysis/1426449345/
34126 || PUA-ADWARE Vitruvian outbound connection || url,www.virustotal.com/en/file/a59f0e717dc530814dea3fdf65597faaad90ed8bfe3c8b8f6cea0e708049a784/analysis/1426449345/
34127 || PUA-ADWARE Vitruvian outbound connection || url,www.virustotal.com/en/file/a59f0e717dc530814dea3fdf65597faaad90ed8bfe3c8b8f6cea0e708049a784/analysis/1426449345/
34136 || MALWARE-CNC Win.Trojan.Banload variant MSSQL response || url,www.virustotal.com/en/file/22ccd94c7e99a17753218708cea1abe162d289b7a0105c3be9620bf224f36f3f/analysis/
34137 || PUA-ADWARE SearchProtect user-agent detection || url,www.virustotal.com/en/file/cbddccb934d302497ac60f924088034a1852c378cc51df20c2e53b401ffc4651/analysis/
34140 || MALWARE-CNC Win.Trojan.Dyre publickey outbound connection attempt || url,phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl || url,www.virustotal.com/en/file/417c9cd7c8abbd7bbddfc313c9f153758fd11bda47f754b9c59bc308d808c486/analysis/
34144 || PUA-ADWARE SuperOptimizer installation status || url,www.virustotal.com/en/file/1df4d1f316bd526e56b5fa0f84704bac365484c049e6a7c76145cb45e5e32049/analysis/1426449377/
34145 || PUA-ADWARE SuperOptimizer encrypted data transmission || url,www.virustotal.com/en/file/1df4d1f316bd526e56b5fa0f84704bac365484c049e6a7c76145cb45e5e32049/analysis/1426449377/
34146 || PUA-ADWARE SuperOptimizer geolocation request || url,www.virustotal.com/en/file/1df4d1f316bd526e56b5fa0f84704bac365484c049e6a7c76145cb45e5e32049/analysis/1426449377/
586586586586586586586586586586community-rules/VRTLicense.txt58
6586586586586586586586586586586586586586586586586586586586586586586586586
5865865865865865865865865865865865865865865865865865865865865865865865865
8658658658658658658658658658658658658658658658658658658658600006445860002
27258600022725860000004616658612060167457586017323586
058
6586586586586586586586586586586586586586586586586586586586586586586586586
5865865865865865865865865865865865865865865865865865865865865865865865865
8658658658658658658658658658658658658658658658658658658658658658658658658
6586586586586586586586586586586586586586586586586586586586586586586586586

587587ustar
587vrtbuild58758758758758758758758758758758758758758758758758758758758758
7587587587vrtbuild5875875875875875875875875875875875875875875875875875875
8758758758758758758758758758758758758758758758758758758758758758758758758
7587587587587587587587587587587587587587587587587587587587587587587587587
5875875875875875875875875875875875875875875875875875875875875875875875875
8758758758758758758758758758758758758758758758758758758758758758758758758
7587587587587587587587587587587587587587587587587587587587587587587587587
5875875875875875875875875875875875875875875875875875875875875875875875875
8758758758758758758758758758758758758758758758758758758758758758758758758
7587587587587587587587587587587587587587587587587587587
SOURCEFIRE
VRT CERTIFIED RULES LICENSE AGREEMENT
(v. 2.0)
IMPORTANT: PLEASE READ THIS AGREEMENT CAREFULLY.
THIS VRT CERTIFIED RULES LICENSE AGREEMENT IS A LEGAL AGREEMENT BETWEEN
YOU AND
SOURCEFIRE, INC. OR ONE OF ITS DESIGNATED SUBSIDIARIES LICENSING THE
RULES TO
YOU HEREUNDER INSTEAD OF SOURCEFIRE, INC. (AS APPLICABLE,
"SOURCEFIRE"). THE
TERMS AND CONDITIONS UNDER WHICH YOU MAY USE THE RULES ARE SET FORTH IN
THIS VRT
CERTIFIED RULES LICENSE AGREEMENT ("AGREEMENT").
BY DOWNLOADING, INSTALLING OR USING ANY OF THE RULES, YOU ARE BINDING
YOURSELF
IF YOU ARE ACTING IN YOUR PERSONAL CAPACITY OR THE BUSINESS ENTITY
THAT YOU
REPRESENT (AS APPLICABLE, "YOU") TO THIS AGREEMENT AND AGREEING
THAT THIS
AGREEMENT WITH SOURCEFIRE IS ENFORCEABLE LIKE ANY WRITTEN CONTRACT
SIGNED BY
YOU.
IF YOU DO NOT AGREE TO ALL OF THE TERMS AND CONDITIONS CONTAINED
IN THIS
AGREEMENT, THEN SOURCEFIRE IS UNWILLING TO LICENSE THE RULES TO YOU,
IN WHICH
CASE YOU MAY NOT DOWNLOAD, INSTALL OR USE ANY OF THE RULES.
IF YOU DO NOT AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT,
DO NOT
DOWNLOAD, INSTALL OR USE THE RULES. BY SELECTING "I ACCEPT",
"OK",
"CONTINUE", "YES", "NEXT" OR BY INSTALLING OR USING THE RULES
IN ANY
WAY, YOU ARE INDICATING YOUR COMPLETE UNDERSTANDING AND ACCEPTANCE OF ALL
OF THE
TERMS AND CONDITIONS OF THIS AGREEMENT.
1. Definitions

1.1. "Appliance" means any hardware device that runs at least one
detection engine such as Snort.

1.2 "Commercial Purpose" means the direct or indirect use, reproduction or
distribution of any Rule, Modification or Compilation, in whole or in
part, that
is intended to result in financial gain, economic benefit or other
form of
consideration to any person or entity involved in such use,
reproduction or
distribution. Examples of a Commercial Purpose include but are not
limited to:
(a) integrating the Rules with other software or hardware for sale as a
bundled
product; (b) licensing, distributing or selling the Rules for a fee;
or (c)
using the Rules to provide a fee-based service or subscription.
1.3. "Community Rules" means specifically formulated network traffic
characteristics and instructions in text form, source code form or
object code
form (including the structure, sequence, organization and syntax of such
network
traffic characteristics), and all documentation related thereto, that:
(a) are
owned by Sourcefire and designated with SIDs of 3,464 and below; or
(b) have
been developed by a third party and approved by the VRT
(Sourcefire's
Vulnerability Research Team).
1.4 "Compilation" means a work that combines the Rules or any
Modification
or portions thereof with any services, programs, code or other
products not
governed by the terms of this Agreement.
1.5. "Improvements" means a Modification to a Rule (or to a
Modified Rule)
that corrects a bug, defect, or error in such Rule without affecting the
overall
functionality of such Rule.
1.6. "Modifications" or "Modified" means any alteration,
addition to or
deletion from the substance or structure of the Rules (or to a
Modified Rule)
including, without limitation: (a) an Improvement; (b) any change
to the

contents of a file containing a Rule or a Modification; (c) any


derivative of
the Rule or of any Modified Rule; or (d) any new file that contains any
part of
the Rule or Modified Rule.
1.7. "Registered User" means an individual or entity who has
registered on
www.snort.org to use the Rules and who is not required to pay a license
fee for
such use.
1.8. "Rules" means specifically formulated network traffic
characteristics
and instructions in text form, source code form or object code form
(including
the structure, sequence, organization and syntax of such network
traffic
characteristics), and all documentation related thereto, that: (a)
have been
created, developed, tested and officially approved by the VRT; and
(b) are
designated with SIDs between 3,465 and 1,000,000. Modifications are
considered
part of the Rules, however, the Community Rules are not considered part
of the
Rules definition.
1.9. "Subscriber" means an individual or entity who has registered on
www.snort.org to use the Rules as a subscriber and who has paid the
applicable license fee for such use.

2. License Grant
2.1. Subscriber Use. If You are a Subscriber, then subject to the
terms
and conditions of this Agreement, Sourcefire grants You a worldwide and
non-exclusive license to: (a) download, install and use the Rules only
on that
number of Appliances for which You have paid the applicable license
fee; (b)
Modify the Rules and install and use those Modified Rules
consistent with
Section 2.1 (a) above; (c) reproduce the Rules as strictly
necessary in
exercising Your rights under this Section 2.1; and (d) make the Rules
and any
Modification available to Your consultants, agents and subcontractors
for the
limited purpose of exercising Your rights under this Section 2.1
provided that

such use is in compliance with this Agreement. As a Subscriber You


will have
access to the Rules promptly upon release by Sourcefire and thirty
(30) days
before the Rules are made available to Registered Users. Once a
Rule or
Modification has been made available to Registered Users (i.e. 30
days after
release to Subscribers), You may then also distribute such Rule or
Modification
in accordance with Section 2.2 (c) and Section 2.2 (d) below, as
applicable. As
a Subscriber You may not distribute the Rules until such 30-day
period has
lapsed.
2.2. Use by Registered Users. If You are a Registered User, then subject
to the
terms and conditions of this Agreement, Sourcefire grants You a worldwide and
non-exclusive license to: (a) download, install and use the Rules on
Appliances
that You manage (or over which You have administrative control); (b)
Modify the
Rules and use such Modifications consistent with Section 2.2(a)
above; (c)
distribute those Rules and any Modifications that are made generally
available
to other Registered Users; (d) distribute any Improvement made
generally
available to other Registered Users on mailing lists commonly used by
the Snort
user community as a whole; (e) reproduce the Rules as strictly
necessary in
exercising the rights under this Section 2.2; and (f) make the Rules
and any
Modification available to Your consultants, agents and subcontractors
for the
limited purpose of exercising Your rights under this Section 2.2
provided that
such use is in compliance with this Agreement. If You are a Registered
User, You
acknowledge and agree that the Rules will only be made available to
Registered
Users thirty (30) days after they have been released to Subscribers.
2.3. Community Rules. The Community Rules are not governed by this
Agreement and
are separately made available for use under the GNU General Public
License
(GPL), v2.
2.4 License Limitations; Restrictions. You acknowledge and agree that
the Rules are the property of Sourcefire, contain valuable assets and
proprietary information of Sourcefire, and are provided to You under the
terms and
conditions of this Agreement. You agree that You will NOT at any time do
any of
the following without Sourcefire's prior written consent: (a) use,
deploy,
modify, license, transfer, display, reproduce, distribute or disclose
the Rules
or Modifications (even if merged with other materials as a
Compilation) other
than as allowed under Section 2.1 if You are a Subscriber or under
Section 2.2
if You are a Registered User; (b) use, deploy, modify, license,
transfer,
display, reproduce, distribute or disclose the Rules or Modifications
for a
Commercial Purpose; (c) share any user authentication information
and/or
password provided to You by Sourcefire with any third party to allow
such party
to access Your snort.org account or to otherwise access the Rules; (d)
except as
provided under Sections 2.1(c)-(d), Sections 2.2(c)-(d) and Section 4,
post or
make available any Rule or any Modification (in whole or in part)
to any
individual or entity who has not agreed to the terms and conditions
of this
Agreement; or (e) alter or remove any copyright notice or proprietary
legend
contained in or on the Rules or Modifications. Sourcefire reserves the
right to
limit the time and/or frequency that the Rules are made available for
download
at www.snort.org. All rights not granted under this Agreement are
reserved by
Sourcefire.
2.5. Support. Technical support for the Rules is limited to the FAQs,
e-mail support assistance and user forums available at www.snort.org.

2.6. Commercial Use. You must enter into a separate commercial license
agreement
with Sourcefire in order to use the Rules for a Commercial Purpose.
You can
contact Sourcefire at www.snort.org if You desire to use the Rules
for a
Commercial Purpose under a commercial license agreement.
2.7. Reproduction Obligations. If You make any copies of the Rules or any
Modifications as permitted by this Agreement, You agree that any and
all such
copies will contain: (a) a copy of an appropriate copyright notice and
all other
applicable proprietary legends; (b) a disclaimer of any warranty
consistent with
this Agreement; and (c) the following notices:
"The contents of this file are subject to the VRT Certified
Rules
License Agreement (the "Agreement"). You may not use this file
except in
compliance with the Agreement. You may obtain a copy of the Agreement
at
www.snort.org. The developer of the Rules is Sourcefire, Inc., a
Delaware
corporation.
The Rules are distributed under the Agreement on an "AS IS"
basis, WITHOUT
WARRANTY OF ANY KIND, either express or implied. See the
Agreement for
the specific language governing rights and limitations under the
Agreement.
© 2005–2012 Sourcefire, Inc. All Rights Reserved.
Contributor/Change Made By: ________________. [Only apply if changes
are
made]"
3. Modifications. If You create a Modification, then the use,
reproduction and
distribution of such Modification shall be governed by the terms and
conditions
of this Agreement. You are encouraged to disclose Your
Modifications to
Sourcefire and the user community but are not required to do so. If You
disclose
a Modification to Sourcefire or the user community, You hereby grant
Sourcefire
and all other licensed users of the Rules an irrevocable, perpetual,
fully
paid-up, world-wide, royalty-free, non-exclusive license to download,
install
and use such Modification (and the source code thereto). For each
Modification
You make and distribute, You shall include a prominent notice stating
that You changed the Rule (or any Modification thereto) and the date of
such change.

4. Distribution Obligations. The Rules (or any Modification thereof)


may be
distributed by You only as permitted under this Agreement. You must
include a
copy of this Agreement and the notices referenced in Section 2.7 in each
file of
the Rules that You are permitted to distribute. If it is not possible to
include
such notices in a particular file due to its structure, then You must
include
such notices in a location (such as a relevant directory) where a user
would be
likely to look for notices. If You create any Modifications, You must
add Your
name as a contributor to the notice described in Section 2.7.
5. Payment Terms. If You are a Subscriber and have provided Sourcefire
(or its
payment processor) with a valid credit card number or an alternate
payment
method, Your subscription will be automatically renewed and the then-current
license fee will be charged to such account for another term at the
expiration
of Your then-current term. The new term will be for the same duration
as the
expired term unless otherwise specified at time of renewal. This renewal
will be
processed (and Your credit card account charged) within thirty (30)
days prior
to the expiration of the term and each anniversary thereafter. If You
do not
want Your subscription to automatically renew, You must, prior to the
expiration
of Your subscription term, inform Sourcefire of Your intention not to
renew Your
subscription. Sourcefire will send notice of Your renewal to the
e-mail
address You have provided prior to charging Your account. You must
provide
current, complete, and accurate information for Your billing account.
You are
responsible for ensuring this information is correct and must promptly
update
all information to keep Your billing account current, complete, and
accurate
(such as a change in billing address, credit card number, or
credit card
expiration date). You must promptly notify Sourcefire if Your credit
card is
canceled or is no longer valid.
6. Representations and Warranties. You represent and warrant that the
information that You provide to Sourcefire when registering as either a
Registered User or a Subscriber is complete and accurate in all
respects, and
You have the right, power and authority to so register. If You are a
Subscriber,
You further represent and warrant that the subscription categories
selected
(e.g., personal or business use) accurately reflects Your intended use
of the
Rules.
7. Versions of the Agreement. Sourcefire may publish revised and/or new
versions
of the Agreement from time to time. Each version of the Agreement
will be
distinguished by a version number; this Agreement is version 2.0 and
replaces
version 1.2. Once a Rule has been published under a particular version
of the
Agreement, You may always use the Rule under the terms of that version
of the
Agreement which such Rule was acquired. You may also choose to use
such Rule
under the terms of any subsequent version of the Agreement. No one
other than
Sourcefire has the right to modify the terms of the Agreement.
8. Warranty Disclaimer. THE RULES AND MODIFICATIONS ARE PROVIDED
UNDER THIS
AGREEMENT ON AN "AS IS" BASIS, WITHOUT WARRANTY OF ANY KIND,
EITHER
EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, WARRANTIES THAT
THE RULES
OR THE MODIFICATIONS ARE FREE OF DEFECTS, MERCHANTABLE, FIT FOR A
PARTICULAR
PURPOSE OR NON-INFRINGING. THE ENTIRE RISK AS TO PERFORMANCE OF THE
RULES AND
MODIFICATIONS IS WITH YOU. SHOULD THE RULES OR MODIFICATIONS PROVE
DEFECTIVE IN
ANY RESPECT, YOU (NOT SOURCEFIRE) ASSUME THE COST OF ANY NECESSARY
SERVICING,
REPAIR OR CORRECTION. THIS DISCLAIMER OF WARRANTY CONSTITUTES AN
ESSENTIAL PART
OF THIS AGREEMENT. NO USE OF ANY RULE OR ANY MODIFICATION IS
AUTHORIZED
HEREUNDER EXCEPT UNDER THIS DISCLAIMER.
9. Liability Limitation. UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL
THEORY,
WHETHER TORT (INCLUDING NEGLIGENCE), CONTRACT OR OTHERWISE, SHALL
SOURCEFIRE
OR YOU BE LIABLE TO ANY PERSON FOR ANY INDIRECT, SPECIAL,
INCIDENTAL OR

CONSEQUENTIAL DAMAGES OF ANY CHARACTER INCLUDING, WITHOUT LIMITATION,


DAMAGES
FOR LOSS OF PROFITS OR GOODWILL, WORK STOPPAGE, SECURITY BREACHES OR
FAILURES,
COMPUTER FAILURE OR MALFUNCTION, OR ANY AND ALL OTHER DAMAGES OR LOSSES,
EVEN IF
SUCH PARTY SHALL HAVE BEEN INFORMED OF THE POSSIBILITY OF SUCH
DAMAGES. THIS
LIMITATION OF LIABILITY SHALL NOT APPLY TO THE EXTENT APPLICABLE LAW
PROHIBITS
SUCH LIMITATIONS. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF
INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS EXCLUSION AND LIMITATION
MAY NOT
APPLY.
10. Term; Termination. If You are a Registered User this Agreement will
remain
in effect for as long as You use the Rules, subject to the
termination
provisions below. If You are a Subscriber this Agreement is effective for
a term
of one (1) year from the date of purchase of Your license and for all
renewal
terms thereafter, subject to the termination provisions below. This
Agreement
and the rights granted hereunder will terminate automatically if You
breach any
term herein and You fail to cure such breach within thirty (30) days of
becoming
aware of the breach. Additionally, Sourcefire may terminate this
Agreement for
convenience at any time by providing You thirty (30) days notice. If
You are a
Subscriber and Sourcefire terminates this Agreement for
convenience, then
Sourcefire will provide You a pro-rated refund for the license fees You
prepaid
for the remaining portion of the term that has been cancelled.
Upon any
termination or expiration of this Agreement, You must cease use of the
Rules and
destroy all copies of the Rules. Provisions which, by their nature, must
remain
in effect beyond the termination of this Agreement shall survive.
11. United States Government Users. The Rules provided under this
Agreement are
prepared entirely at private expense and are "Commercial Items" as
that term
is defined in 48 C.F.R. 2.101. The Rules are licensed to U.S.
Government end
users: (a) only as "Commercial Items"; and (b) with only those rights
as are

granted to all other users pursuant to the Sourcefires standard


license
agreement. In case of conflict between any FAR and DFARS and this
Agreement, the
construction that provides greater limitations on the U.S. Government's
rights
shall control.
12. Miscellaneous. This Agreement represents the complete agreement
concerning
the subject matter hereof. If it is impossible for You to comply with any
of the
terms of this Agreement due to statute, judicial order or regulation
then You
must comply with all other terms of this Agreement to the maximum
extent
possible. If any provision of this Agreement is held to be
unenforceable, such
provision shall be reformed only to the extent necessary to make it
enforceable.
This Agreement shall be governed by the laws of the State of Maryland,
excluding
its conflict-of-law provisions. Any litigation relating to this
Agreement shall
be subject to the jurisdiction of the state and federal Courts serving
Howard
County, Maryland, with the losing party responsible for costs, including
without
limitation, court costs and reasonable attorneys' fees and
expenses. You
hereby submit to jurisdiction and venue in such courts. The application
of the
United Nations Convention on Contracts for the International Sale of
Goods is
expressly excluded. Any law or regulation which provides that the
language of a
contract shall be construed against the drafter shall not apply
to this
Agreement. The Rules are subject to export controls under the laws of the
United
States and other countries. You shall comply with all such laws
governing
export, re-export, transfer and use of the Rules. You agree not to
use or
transfer the Rules for any use relating to the operation of nuclear
facilities,
chemical or biological weapons or missile technology, unless authorized
by the
U.S. Government by regulation or specific written license. Headings and
section
references are used for reference only and shall not be used to define,
limit or
describe such section.

*********
